With Six months to go until the Information Commissioner's (ICO) own moratorium on enforcing the revised Privacy and Electronic Communications Regulations (PECR) - "The cookie law" UK businesses are awaiting further guidance from the ICO of how the law will be enforced and the potential impact.
Following the statement that "from May 2012 onwards the Commissioner will follow the approach to enforcement set out in his Data Protection Regulatory Action Policy" it is hoped that a "Half Term Report" will soon provide greater clarity.
However as the clock ticks down towards the May 2012 deadline the ability for companies to pro actively manage the situation continues to reduce.
This post is aimed at providing a quick summary of the current situation and recommends what we believe website owners should be doing as a minimum.
Look at some of our earlier posts e.g. Waiting to see how the cookie crumbles is not enough? or Do a quick Cookie Audit if you fear the Cookie monster ? for more background
Quick recap ?
Cookies are currently the focus of the discussion and the current target for enhanced awareness. However the real purpose of the legislation and hence any activity should really be around what data is captured, stored and how this is then used.
Cookies are one type of Locally Shared Object and the best way to consider them is more as a Fortune Cookie with a raffle ticket inside it rather than as a Biscuit (It's a Dinner Jacket not a Tuxedo anyway!). This concept is more practical because when you access a webpage each of the web servers serving content can set cookies onto and read the cookies they have set on your machine.
- What data is stored ?
- Why and where it is stored ?
- What is it used for and by whom ?
- Does this correspond with what the consumer (the 2nd Party) agreed to or could reasonably expect ?
There are various initiatives attempting to respond to the cookies law that each provide different methods of attempting to comply. (I say attempting to comply as what compliance is has yet been set). These range from
1. Behavioural advertising icons
The Internet Advertising Board's European Initiative focusses through its Your Online Choices site upon information being provided after the capturing of data i.e. the ability to withdraw permission for unspecified data relating to digital activity once it has been captured, analysed and used and once you become aware of it!
2. Reliance on the main browsers manufacturers to solve the issue.
Even if they did this will only address cookies (Locally stored Objects) set through web browsing (what about emails, Smartphone Apps etc ?) and only when the general population catch up with the latest release of the browsers
3. Use of Pop Ups - e.g. the ICO website.
The ICO website site uses a pop up requesting permission to set cookies to enable tracking which does not preclude people using the site but until opted in stops analytic tracking cookies being set
After opting in to tracking by ticking the box a ICOCookiesAccepted cookie is set to "true" enabling Google analytics cookies to be set
However if you (the user) manually alter the cookie (It’s just a text file) to "False" this has no impact to turn tracking off
Despite a clearly stated (revised) preference the ICO keep tracking my activity after I make a change
as highlighted by the Google tracking cookie continuing to operate after the change.
You will see from above I first noticed this in June 2011 and informed the ICO hoping that they would resolve it - Checking again today it appears it is still a glitch as the value of False set in September is still being ignored.
So what should you do ?
Whilst any immediate legal risk was temporarily removed, in May 2011 the ICO has stated they urge all UK businesses and organisations to read their advice and start working out how they will meet the requirements of this new law. They also warn that those who choose to do nothing will have their lack of action taken into account when they begin formal enforcement of the rules.
With regard to cookies laws like all changes in legislation it provides three main areas of risks for all business owners that need to be assessed and appropriate actions taken to mitigate against them.
1. Legal Risks
The immediate risk of censure from law enforcement and any associated penalty - The ICO have highlighted verbally that initial focus will be on education and specifically targeted against those who have done nothing to mange the situation.
2. Commercial RisksBusiness can incur costs or lose revenue by making poor decisions. The ICO's own site made an adjustment in May 2011 (to be seen to be doing something) but this meant that they lost the capability to track and understand 90% of their web traffic.
It is not clear what the actual impact was on visitor numbers or user engagement with content due to the presence of a rather unattractive opt in box. Usability and design professionals would suggest that the opt in box would have a detrimental effect rather than a positive effect
An additional commercial risk is that non compliance or unawareness will highlight poor data protection practices and could result in data held for marketing in other areas being deemed non compliant and therefore not usable.
3. Reputational RiskPeople do business with people they trust – Sony recently suffered from losing subscribers information and are more concerned with the loss of brand value as consumer trust diminishes than any fine they may receive.
Mitigating any loss of Trust is the area companies need to focus on particularly as consumers awareness is enhanced. Recent Department of Culture Media and Sport research highlights over 80% of people were unaware of the changes but once aware 70% believed it is very important they know why cookies are being set and how to delete them.
Next Steps ?
Until the legislation is clear companies should be adopt a Ready, Aim, Fire approach, i.e. Get Ready by understanding what cookies you are responsible for setting (1st & 3rd Party) and why you set them. This then enables you to be in a position to move when things become clearer i.e. where to aim and what to do ?