Cookie Law Update: Regulators Weigh In and Implied Consent Lives

balance by ROSS HONG KONG

New Year, fresh start, and for online marketers in the UK, that includes finalising preparations for a market where the ePrivacy Directive is actually enforced.  The Information Commissioner’s Office (ICO) initially granted a 12-month reprieve from enforcement to give us time to ‘get our houses in order,’ but the reprieve will be a distant memory when it expires on May 25th.  Did I just spoil your day?  The good news is that consensus is beginning to emerge on first steps that you can take, and more importantly, the ICO has not demanded that the market go opt-in.

2011 ended with a flurry of activity aimed at adding clarity to regulator expectations. In London, Evidon and our friends at Field Fisher Waterhouse hosted Evidon Empower Europe, where a cross section of Regulators, European Commission representatives, attorneys and executives from across the online advertising ecosystem met to discuss practical solutions.

The Article 29 Working Party, an advisory body to the commission with regulators from each member state, adopted an opinion on 12.8.11 that was critical of the self-regulatory program for behavioral advertising in Europe.  A week later, the ICO released a ‘Half Term Report on Cookie Compliance,’ combined with a significant update to its guidance to companies seeking to comply with the Directive.

The ICO guidance in particular includes pragmatic recommendations, beginning with an audit of all tracking activity on your websites and continuing with considerations for your approach to acquiring consent.  The most important headline is that the ICO has gone on record acknowledging a role for implied consent.

Commissioner Graham, commented: “We recognised that compliance could not be achieved overnight, that we could not simply switch off the internet and start again.”

And that a company might have confidence that they are compliant if users “know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.”

Eduardo Ustaran at Field Fisher Waterhouse has an excellent post expanding on the implications of this point.

For marketers fearing the worst, whose concerns have seemed validated by statements from the Article 29 Working Party and other individual regulators, this is a critical victory.  Regulators in continental Europe will also be influenced by the ICO position and we may very well see a positive cascade effect.

Of course, for implied consent to work, it must be substantially more robust than the status quo. In particular, companies will need to demonstrate that consent is ‘freely given,’ ‘specific,’ and ‘informed.’

  1. ‘Freely given’ can be addressed by ensuring that the user suffers no penalty for opting out.
  2. ‘Specific’ requires that the notice include a complete inventory of the companies behind a particular web page or ad, and that the list be tailored to the event, rather than generic.
  3. ‘Informed’ is perhaps the most challenging.  Notice must be made available in a ubiquitous fashion, wherever non-essential tracking activity is taking place, on every page and every ad.  To qualify as notice, companies may need to be inventive about text labeling.  While we continue to believe that the self-regulatory program can be leveraged as part of a compliance strategy, including the advertising option icon, companies may need to expand on the ‘AdChoices’ text label, especially before users understand its meaning.  For the notice to provide consent, it must also include a switch that allows a user to withdraw consent.

Wrapping these enhancements into a practical, cohesive offering will require companies to approach the consumer in a new manner. Companies that embrace the challenge with creativity will find that this is an exercise in straight-talk with a consumer audience that is vaguely aware of tracking practices, but starved of detail.  Effective and honest communication will serve to build trust and brand loyalty, as any social marketer will tell you.

To those still grumbling about the burdens of a quality implied consent model, please understand that the alternative is opt-in. Implied consent sound any better now?

Photo (cc) ROSS HONG KONG.

Comments

We have created and released

We have created and released an entire suite of consent solutions, both free and commercial to allow website owners to request consent from their users.

http://demos.dev.wolf-software.com

I have the same questions as

I have the same questions as this other person asked. This law seems a little ridiculous.

Suffers no penalty?

so how does this implied consent work?  If someone says 'I want to opt out of cookies on this site' - does the website have to respond in some way?

And how might a user 'suffer no penalties' by opting out? If they don't want cookies, then surely to avoid placing them the site has to turn off funcitonality that relies on cookies work?

If they opt-out - presumably they want to remain opted out in future visits.  But that relies on a cookie to be set so the site knows someone is a returning visitor - otherwise they will automatically be opted-in again - which defeats the whole purpose of the law.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <p> <br>
  • Web page addresses and e-mail addresses turn into links automatically.
  • HTML tags will be transformed to conform to HTML standards.
  • Each email address will be obfuscated in a human readable fashion or (if JavaScript is enabled) replaced with a spamproof clickable link.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.