In recent months we’ve been working with several corporations to develop compliant solutions to the new EU Privacy Directive ahead of its enforcement in May next year.
Our research suggests that the Directive and associated advice is a blunt instrument, which could make the web less accessible for all, unless the ICO introduce more flexibility.
User behaviour and the Cookie Directive
Through primary research, we’ve identified three types of web users, which companies need to be aware of when developing solutions to this problem.
- Anxious browsers: unaware of the concept of cookies and therefore very worried about the idea of files being put on their computer regardless of what good they do. These users take the opportunity to say no very quickly and are not receptive to learn more.
- Comfortable browsers: aware of cookies and wonder what all the fuss is about. They will do whatever is easiest when asked whether to consent.
- Private controllers: like the idea of the EU Directive because it will let them say no to cookies they see as not beneficial to them. They have a set of preconceptions, are often very sceptical of companies’ motivations and will therefore be very selective about how they give consent.
There’s very little good news in this set of behaviour types for companies providing non-intrusive digital services for their customers, or for companies trying to deliver free digital services which require advertising revenue.
Users are likely to say “no” as they are not receptive to ‘education’, or they will do whatever is easiest. As the new law requires an active form of communication where an individual knowingly indicates their acceptance, this will leave many without cookies.
So, the long and short of it is that many will not accept cookies. So what?
Cookies create the magic
Cookies create the magic – they are the glue that holds your web experiences together.
Cookies are used to build narratives and store useful information to be used later so that the user feels ‘recognised’ and supported. Without cookies or similar technologies every page you visit will have no knowledge of any previous pages you visited. You will always have to be treated as a new visitor and many pieces of multipage functionality will simply not work.
This has a huge impact on the brand experience. Factor into this the implementation costs of deploying a solution which satisfies the currently published advice from the ICO and the EU working parties, and you can see why companies are in denial.
We’ve found that many companies feel as though they are being asked to deliver something unreasonable and that the impact on their businesses and their customers is out of proportion to the original goal. If all websites comply, the internet could become less accessible to everyone.
Clarifying the Cookie Directive
The ICO recently published revised guidelines to try to address some of these concerns. Although we applaud the intent and the indication of a more flexible enforcement than previously implied, the result is contradictory, and creates further confusion. This is particularly true for large corporations averse to knowingly breaking the law because it’s ‘probably not going to be strictly enforced’, at the same time as being concerned that they will lose competitive advantage through taking a more conservative approach.
To remove this confusion and achieve their goals, the ICO need to provide clarity around 2 key areas which impact any UI solutions:
Action for consent
The wording of the law and all guidance states that active, provable, informed consent is required. However, the current guidance then goes on to propose an inferred consent solution which is neither active nor provable because it could easily be ignored (and often not even seen) but still treated as consent. If inferred consent is an option the user experience design challenge changes dramatically. If this is only an option for some cookie purposes this needs to be stated.
Timing for consent
The directive states that a cookie may not be stored or accessed unless the user ‘has given his or her consent’. Although this guidance reiterates again that this means prior consent is required, it goes on to suggest that in some instances cookies could be placed provided consent is sought ASAP. Once again, from a design perspective this is a very different brief.
We’d like the ICO to go a step further than this report, and formally introduce more flexibility to the Directive whilst still achieving their primary goal of protecting web users’ privacy. We’d like them to narrow the scope of the directive based on cookie use. To restrict it to only requiring consent for storing data in cookies to support the profiling of a user over time to targeting marketing at an individual level. Caveat this with ‘except where required to do so by other legislation’ e.g. to avoid financial mis-selling. All other cookies such as those associated with delivering a smooth experience, enabling richer functionality, enhancing security, and delivering management information would just require information to be available.
Until the ICO makes such changes, we believe the majority of companies providing web based services in the UK will not attempt to comply, choosing instead to rely on the implied low enforcement, or they will do nothing and wait to see what others do and how the ICO responds (see what was being said at last year’s JUMP event about Cookies). Only the large corporations will attempt to comply in full. This will create a confusing (and often broken) web experience for end users and commercial risk for providers.