
Six Serving Men Blog

Cookies Six Month Solve by date

Stef Elliott - Thursday, November 24, 2011

With six months to go until the Information Commissioner's (ICO) own moratorium on enforcing the revised Privacy and Electronic Communications Regulations (PECR), "the cookie law", comes to an end, UK businesses are awaiting further guidance from the ICO on how the law will be enforced and its potential impact.

Cookie Monster Alarm Clock

Following the statement that "from May 2012 onwards the Commissioner will follow the approach to enforcement set out in his Data Protection Regulatory Action Policy" it is hoped that a "Half Term Report"  will soon provide greater clarity. 

However, as the clock ticks down towards the May 2012 deadline, the ability of companies to proactively manage the situation continues to reduce.

This post is aimed at providing a quick summary of the current situation and recommends what we believe website owners should be doing as a minimum.

For more background, look at some of our earlier posts, e.g. "Waiting to see how the cookie crumbles is not enough?" or "Do a quick Cookie Audit if you fear the Cookie monster?".

Quick recap ?

Cookies are currently the focus of the discussion and the current target for enhanced awareness. However the real purpose of the legislation and hence any activity should really be around what data is captured, stored and how this is then used.

Cookies are one type of Locally Shared Object and the best way to consider them is more as a Fortune Cookie with a raffle ticket inside it rather than as a Biscuit (It's a Dinner Jacket not a Tuxedo anyway!). This concept is more practical because when you access a webpage each of the web servers serving content can set cookies onto and read the cookies they have set on your machine. 

Increasingly web pages are made up of various content from a variety of content providers. When you (The Second party) access a destination website (the First Party) they may enable content to be served from other servers (Third parties) - Hence the distinction between cookie types.  

Previously websites were effectively brochures: you accessed set content, and cookies may have been used to store information in isolation on your machine. Nowadays websites are backed by database functionality, and cookies can provide the link between the database, your machine and ultimately you.

For example, I visit a site and on the database my raffle ticket number is stored against when I visited and what I looked at, and to record my preferences, e.g. type of colour preferred for screen resolution etc. As an anonymous visitor this may not be considered an issue, but if I then provide personal information the database can store this along with my raffle ticket number. This then provides the ability to retrospectively link any previous data with my personal data.

If the cookie is treated as a Personal Unique Identification Number (Purn), the questions to address to ensure compliance with any legislation are:

  • What data is stored ?
  • Why and where it is stored ?
  • What is it used for and by whom ?
  • Does this correspond with what the consumer (the 2nd Party) agreed to or could reasonably expect ?

Solutions ?

There are various initiatives responding to the cookie law, each providing a different method of attempting to comply. (I say attempting to comply as what compliance is has yet to be set.) These range from:

1. Behavioural advertising icons 

The Internet Advertising Board's European Initiative focusses through its Your Online Choices site upon information being provided after the capturing of data i.e. the ability to withdraw permission for unspecified data relating to digital activity once it has been captured, analysed and used and once you become aware of it!  

2. Reliance on the main browsers manufacturers to solve the issue.

As recently reported by The Register, whilst plans for a Do Not Track standard are being drawn up, this focusses predominantly on 3rd party and this "Cavalry" looks very unlikely to arrive by May 2012.

Even if it did, this would only address cookies (Locally stored Objects) set through web browsing (what about emails, smartphone apps etc.?) and only when the general population catches up with the latest release of the browsers.

  

3. Use of Pop Ups - e.g. the ICO website

The ICO website uses a pop-up requesting permission to set cookies to enable tracking. This does not preclude people using the site but, until they have opted in, stops analytic tracking cookies being set.



This could prove a solution for businesses that have only a few simple cookies being set. The ICO is a public body and therefore does not allow third party advertising etc., so such a solution may become very clunky for some sites.

However, even the ICO's approach is currently flawed, as it makes no allowance for the 4th Data Protection principle regarding accuracy and maintaining up to date data: it ignores individuals' own capability to adjust cookies and thereby, presumably, permission.

After opting in to tracking by ticking the box, an ICOCookiesAccepted cookie is set to "true", enabling Google Analytics cookies to be set.

However, if you (the user) manually alter the cookie (it's just a text file) to "False", this does not turn tracking off.

Despite a clearly stated (revised) preference, the ICO keep tracking my activity after I make a change, as highlighted by the Google tracking cookie continuing to operate after the change.

You will see from above I first noticed this in June 2011 and informed the ICO, hoping that they would resolve it. Checking again today, it appears it is still a glitch, as the value of False set in September is still being ignored.
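The behaviour described above, where an ICOCookiesAccepted value edited to "False" is ignored, is what a consent gate that only tests for the cookie's presence would produce. The following is an added example, not the ICO site's code (the post does not show how that site performs its check): a presence-only check beside a check on the value. The `__utm` analytics prefix, the function names and the sample cookie string are assumptions.

```javascript
// Added example: consent gate keyed on the cookie's value, not its presence.
// Only the cookie name ICOCookiesAccepted comes from the post.
const CONSENT_COOKIE = "ICOCookiesAccepted";
// Assumed prefix of the analytics cookies to expire when consent is absent.
const ANALYTICS_PREFIXES = ["__utm"];

// Parse a "name=value; name2=value2" cookie string into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Presence-only check: any value, including "False", counts as consent.
function consentByPresence(cookieString) {
  return parseCookies(cookieString).has(CONSENT_COOKIE);
}

// Value check: only an explicit "true" (any letter case) counts as consent.
function consentByValue(cookieString) {
  const value = parseCookies(cookieString).get(CONSENT_COOKIE);
  return typeof value === "string" && value.toLowerCase() === "true";
}

// Decide on every page load: load analytics, or skip it and list the
// analytics cookies already on the machine that should be expired.
function planTracking(cookieString) {
  if (consentByValue(cookieString)) return { loadAnalytics: true, expire: [] };
  const expire = [...parseCookies(cookieString).keys()].filter((name) =>
    ANALYTICS_PREFIXES.some((prefix) => name.startsWith(prefix))
  );
  return { loadAnalytics: false, expire };
}

// Constructed sample: visitor opted in, then edited the consent cookie to "False".
const edited = "ICOCookiesAccepted=False; __utma=1.2.3; __utmz=4.5; theme=dark";
console.log("presence-only gate tracks:", consentByPresence(edited));
console.log("value gate decision:", planTracking(edited));
```

Re-evaluating the value on every page load, rather than once at opt-in, is what lets a later change of preference take effect.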

So what should you do ?

Whilst any immediate legal risk was temporarily removed, in May 2011 the ICO has stated they urge all UK businesses and organisations to read their advice and start working out how they will meet the requirements of this new law. They also warn that those who choose to do nothing will have their lack of action taken into account when they begin formal enforcement of the rules. 

Like all changes in legislation, the cookie law creates three main areas of risk for all business owners, which need to be assessed and appropriate actions taken to mitigate them.

1. Legal Risks 

The immediate risk of censure from law enforcement and any associated penalty - The ICO have highlighted verbally that initial focus will be on education and specifically targeted against those who have done nothing to manage the situation.

2. Commercial Risks

Business can incur costs or lose revenue by making poor decisions. The ICO's own site made an adjustment in May 2011 (to be seen to be doing something) but this meant that they lost the capability to track and understand 90% of their web traffic. 

It is not clear what the actual impact was on visitor numbers or user engagement with content due to the presence of a rather unattractive opt in box. Usability and design professionals would suggest that the opt in box would have a detrimental effect rather than a positive effect.


An additional commercial risk is that  non compliance or unawareness will highlight poor data protection practices and could result in data held for marketing in other areas being deemed non compliant and therefore not usable.  

3. Reputational Risk

People do business with people they trust – Sony recently suffered from losing subscribers information and are more concerned with the loss of brand value as consumer trust diminishes than any fine they may receive.

Mitigating any loss of trust is the area companies need to focus on, particularly as consumers' awareness is enhanced. Recent Department of Culture Media and Sport research highlights over 80% of people were unaware of the changes but once aware 70% believed it is very important they know why cookies are being set and how to delete them.

Next Steps ?

Until the legislation is clear, companies should adopt a Ready, Aim, Fire approach, i.e. get Ready by understanding what cookies you are responsible for setting (1st & 3rd Party) and why you set them. This then puts you in a position to move when things become clearer, i.e. where to aim and what to do.
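A first pass at the "Get Ready" step, as an added example rather than anything from this blog's own tooling: it takes the Set-Cookie headers captured while one page loads and lists each cookie as first or third party and as session or persistent. The domain names, cookie values and the `auditCookies` helper are constructed for illustration.

```javascript
// Added example: minimal cookie audit over captured Set-Cookie headers.
// Parse one Set-Cookie header into name, Domain attribute and lifetime.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // not a name=value pair
  const cookie = { name: pair.slice(0, eq), domain: null, persistent: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = value.replace(/^\./, "").toLowerCase();
    // Expires (assumed to be in the future) or a positive Max-Age means
    // the cookie outlives the browser session.
    if (key === "expires") cookie.persistent = true;
    if (key === "max-age") cookie.persistent = Number(value) > 0;
  }
  return cookie;
}

// True when host is the audited site itself or one of its subdomains.
function belongsTo(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// responses: [{ host, setCookie: [...] }] seen while loading one page of siteDomain.
function auditCookies(siteDomain, responses) {
  const rows = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c) continue;
      const scope = c.domain || host.toLowerCase();
      rows.push({ name: c.name, setBy: host,
        party: belongsTo(scope, siteDomain) ? "first" : "third",
        lifetime: c.persistent ? "persistent" : "session" });
    }
  }
  return rows;
}

// Constructed capture for a hypothetical site, shop.example.
const capture = [
  { host: "www.shop.example", setCookie: ["sessionid=abc123; Path=/; HttpOnly",
      "prefs=colour-blue; Domain=.shop.example; Max-Age=15552000"] },
  { host: "ads.tracker.example",
    setCookie: ["uid=778899; Expires=Wed, 21 Nov 2012 10:00:00 GMT; Path=/"] },
];
console.table(auditCookies("shop.example", capture));
```

The resulting table is the starting point for the "why do we set this?" column, which only the site owner can fill in.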

If you are unclear on what to do, refer to the Information Commissioner's website or contact us to discuss.


Digital Strategy, No need to burn your boats!

Stef Elliott - Sunday, November 13, 2011

In 1519 Hernán Cortés landed in Mexico with 600 men, 16 horses and 11 ships, looking to conquer the Aztecs and seize their riches for Spain.

According to legend Cortes knew that he had a number of disadvantages. He was in a foreign land, massively outnumbered and his well organised enemy the Aztecs had survived & flourished for almost six centuries. The night prior to the initial battles Cortes allegedly sent a few men to burn all their boats.

Burning Boats - Cortes conquers Mexico  

His men awoke with their ships on fire and Cortes explained to his men “If we are going home, we are going home in their ships.” With no means of escape, or fall back position, Cortes and his men had a simple choice: "Succeed or die". They went on to conquer the Aztecs and are credited with the phrases "To burn one's boats or bridges".

Seeing Jimmy Wales, founder of Wikipedia, speak this week in London made me review two specific conflicting things that business leaders need to focus upon:

  • Decision making can be regarded as the mental processes (cognitive process) resulting in the selection of a course of action among several alternative scenarios.
  • Procrastination refers to the act of replacing high-priority actions with tasks of low-priority, and thus putting off important tasks to a later time

Any decision is based upon the quality of the information available and what is considered but sometimes too much focus is spent upon collating information before making a decision! Apparently 72% of all statistics are made up (that one is!) and any figures quoted need to be sense checked against who is providing them – and why. If you are involved in business today then you will be trying to understand & evaluate how you can benefit from Digital media channels e.g. LinkedIn, Facebook, Twitter, etc.

Before burning your boats and jumping into a Digital Strategy based upon "gut feeling" or that is easy to start, it's worth ensuring that you focus your time & resource upon the areas that your customers use rather than the tools "evangelists" promote. We've extracted some data from three recent information sources that we hope will help you in your decision making.

So what are UK consumers using for communications ? 

Ofcom Report - Devices used in UK

So how are UK consumers doing on Social Media ? 

Whilst the blogosphere may suggest everyone is using social media for everything recent research conducted by Exact Target suggests that consumers are not necessarily engaging with brands in the same way as US consumers.  

How are UK Businesses using Social Media and how well ? 

Econsultancy & LoudMouth Media's report, the State of social, highlights how UK companies are embracing social and how well they believe they are doing it.


So what does this mean for you?

Feel like Cortes ? In a foreign land, with a vast array of options and against an increasing number of competitors at a time when consumers are becoming more familiar with the range of communication channels and with rising expectations.

Strategy is ensuring you do the right things - Operations are doing things right! However, the correct strategy for your business depends upon a number of factors unique to you. To guide your digital strategy we recommend focussing upon the Who and What questions:

  1. Who you are wanting to communicate with
  2. Why and What you want them to do

This can then drive the How, Where and When of how you implement your strategy.

 You could choose to burn your boats and dive into social media or you can choose to do nothing although bear in mind that when you have to make a choice and don't make it - that is in itself a choice ! Tell us what you think ?


Ofcom 8th annual Communications Market Report & Ofcom - Facts

  1. Exact Target – Subscribers Fans and Followers
  2. eConsultancy -

