Most people (apart from me) find the EU Privacy Directive a little dull… but there’s no denying it is an important issue for all our clients. We’ve been helping some of our clients walk the fine line between compliance and commercial reality.
In January I wrote a blog post – ‘EU cookie directive could make the web less accessible for all’ – in which I highlighted some challenges and concerns around the guidance issued by the ICO.
I stated that it contradicted itself and that the interpretation of the law was inflexible and unworkable for businesses. At the heart of the law is the need for “informed consent” for the storage and retrieval of information on an end user’s device.
The guidance explained that the information needed for consent to qualify as “informed” could be proportionate to the varying intrusiveness of cookies, but that the action required to create “consent” had no similar flexibility. However, the examples presented contradicted this by illustrating inferred-consent solutions and by suggesting that consent could be collected after cookies had been placed, without explaining when this might be appropriate or how it could be deemed compliant.
This has driven a lot of debate within organisations and amongst digital professionals, as well as a lot of very different solutions: from fully compliant, prior explicit consent in the form of light boxes, or not placing cookies at all until consent is given, through to opt-out statements in barely visible banners.
Reading between the lines of the ICO guidance, it is clear they will focus enforcement energies on cases where no appropriate effort has been made to make users aware, and even then they will be reasonable in encouraging, and allowing time for, an upscaling of the response.
Our advice to clients is to understand the spirit of the law and then interpret it in a way which maps to the level of risk the organisation is prepared to take and the context of the business. Here are three examples:
- For a highly risk-averse company in a domain in which building customer trust is paramount, such as financial services, this means a more explicit consent route, e.g. interrupt the user’s experience to inform them using a light box or overlay, and offer a clear choice, making accepting cookies the path of least resistance.
- For a less constrained company dealing with non-intrusive cookies, such as the Foolproof site, it means focusing on informing users and relying on an inferred-consent route.
- For any company using cookies to track behaviour and target promotions, it means accepting that this is the area the law is aimed at, and taking extreme care to demonstrate that you are being open and transparent – and that your users are therefore informed. We believe that clearly stating the benefits that cookies provide to users, indicating where content is affected and offering clear instructions on opting out is enough in most cases. The ICO’s response to the Digital Advertising Alliance’s self-regulatory framework, most likely recognised as the Adchoices scheme, illustrates that this is a compromise they accept is more commercially viable than seeking explicit consent for tracking cookies.
To summarise, we recommend focusing on taking reasonable steps to avoid enforcement rather than full compliance – at least in the short term until it’s clear how companies and the ICO will respond.