This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here

FEATURE18 April 2012

Not a crumb of comfort

Alex Burmaster finds an industry unsure of how to respond to the website measurement challenges posed by the European Union’s cookie laws.

A year ago the revised European ePrivacy Directive was incorporated into UK law. More commonly referred to as the “cookie law”, the directive requires website owners to get explicit permission from consumers to store and access tracking technologies on their devices. Previously it was OK to do this unless consumers’ explicitly said no.

The change from opt-out to opt-in will seriously affect how websites deliver their material, measure their visitors and serve advertising. In the UK the last year has in essence been a grace period for any sites using tracking technologies. The government and the data regulator, the Information Commissioner’s Office (ICO), agreed a phased approach to implementation and enforcement.

However, this relaxed approach is set to end next month and the online industry is feverishly trying to make sense of the law and decide what action to take to comply. Trade bodies are advising site owners that the first step is to conduct an audit of all the tracking technologies they employ and their purpose – including text and flash cookies and page tags.

“The change from an opt-out to an opt-in system of consent will seriously affect how websites deliver their material, measure their audiences and serve advertising”

The audit is likely to throw up surprises. Tim Cain, head of research and insight for the Association of Online Publishers (AOP), indicated that audits were revealing “large amounts” of cookies that site owners were unaware of – including the maligned third-party variety. Recent analysis by cookie-management firm Evidon of the ten most popular news websites revealed that between them they employed over 1,000 tracking devices. The Guardian led the way with 163; even BBC News, which doesn’t carry advertising, used 111. It’s difficult to imagine that there is anyone working for these websites who knows what each of these trackers does, let alone constructing a privacy policy that covers them all.

At Sky Media, the advertising sales arm of the satellite broadcaster, media research manager Rebecca Rangeley explains that a project team has been set up specifically to deal with the cookie audit. The first step, she said, is segmenting cookies into “four types: essential, functional, analytics and tracking”.

Based on the audit, there are three avenues publishers can take when it comes to tackling the required opt-in. The first is a strict adherence to the EU legislation – getting explicit “I accept” consent from visitors to track their behaviour. Evidon’s findings point to this being the most straightforward method for sites with large numbers of cookies. This is what the ICO itself did last May – the result being a 90% drop in measured visits to the site. This is the huge problem that site owners face – dramatically reduced information with which to analyse and improve their sites, while becoming far less appealing to advertisers as a result.

AOP’s Cain argues the ICO’s experience was an “extreme” and that they aren’t advising publishers to follow suit by putting “a great big warning sign slap bang in the middle of the page.” He says most businesses will address the requirements in a much more subtle way. Measured traffic will “only drop if you stir up more fear in consumers’ minds than you take away,” Cain says.

Carrot and stick

Conrad Bennett, Webtrends’ VP of technical services in Europe, has advised his clients to make cookie opt-in as attractive to consumers as possible by reinforcing what they get out of it. “The ICO experience shows what happens if you don’t.” Furthermore, he suggests making the website experience as “painful as possible for visitors who decide to opt out so they have to opt in to use the site effectively”.

Bennett fully acknowledges this is an “alien” concept for publishers – making life difficult for their users – but it’s simply a case of being practical. “Striking that tricky balance between carrot and stick is the only way to go,” he says. “Visitors who opt out are almost completely valueless.”

Sky’s Rangeley thinks consumers will most likely accept cookies from sites they trust and those that are useful to them. “Those not in either camp will be most at risk of appearing to haemorrhage unique users and losing valuable audience insights.”

Vicky Brock, a board director at the Digital Analytics Association, is more concerned that opt-in consent fundamentally changes the nature of the data available to websites. “The value of much analytics data is that it is observational; it is whole-population; it lives in a big data world, rather than an intercept world,” she says. “This is where the problem of a significantly reduced data set (and a biased, opt-in one at that) is going to come in.”

Even without cookies, sites can still collect data through registered logins, log-file analysis and IP addresses combined with browser agents. Webtrends’ Bennett says these provide “a reasonable stab at data and insight, although obviously not quite as good as cookies when it comes to heavy-duty analysis”. And another way round having a shallower pool of data is to look at trends “to see how much the numbers change, rather than being fixated on the absolute numbers,” he says.

Pragmatism versus dogmatism

Ultimately the severity of the impact of the EU cookie law will depend – at least in the UK – on whether the government is (and can be) as pragmatic as it says it wants to be in implementing the rules.

“Uncertainty is diluting any sense of mass panic. Most site owners are proceeding cautiously, with a tangible feeling that the law will have to be revisited some time soon – but when?”

Individual countries have the discretion to decide how they make the EU directive law. Nick Stringer, IAB UK director of regulatory affairs, says: “It’s a balance between strict adherence to the law and a pragmatic interpretation to make it work in practice. If people have to explicitly opt in by ticking a box then this has massive implications – as the ICO experience shows.”

Consequently, the UK approach is centred on implied or implicit consent. That is, consent is implied if consumers are provided with clear, transparent and accessible information about cookies and “empowering” actions to control their use, but then continue to use the site without specifically ticking an opt-in box. Stringer says: “The new law is about informed consent and the ICO even points towards implied consent. This method is simply the only practical way the industry can see for moving forward. But it remains to be seen how the EU Commission will react to this interpretation, which may mean ending up in the law courts.”

For Bennett, this approach is “sailing close to the wind of what’s legal” and “the spanner in the works will be what the EU does about the UK’s interpretation and the ICO’s enforcement.” He also cited the Article 29 Working Party as the “dark lining on the cloud”. Article 29 have been the “most vociferous group on the issue” – repeatedly stressing that opt-in consent is needed “prior” to the use of cookies. “They are the ones most likely to be unhappy,”
says Bennett.

But like the IAB, Ian Twinn, director of public affairs at advertiser body ISBA, is full of praise for the government and Culture Minister Ed Vaizey’s approach. “The implementation is really intelligent and we respect the way they’re going about it. Consequently we’re not too worried about people turning off cookies blanket-style. One size fits all doesn’t work when it comes to this legislation.”

Risky business

The final option open to publishers – the most risky legally – is doing nothing. Some within the industry have an underlying feeling – or perhaps it’s more of a hope – that the cookie issue is just too complex, the law unenforceable and that the ICO simply doesn’t have the manpower or funding to take thousands of website owners to court.

It’s not a position the AOP advocates, says Cain. “No one can afford to ignore it. Examples of non-compliance will be looked for and held up; no one wants to be that person.” Webtrends’ Bennett says this is particularly true for large consumer-facing brands typically in the firing line – those that would make for a particularly eye-catching headline, a high-street bank perhaps. “These will be the ones who most need to conform to the legislation simply because consumers have great appetite for complaining about them.”

Ultimately, no one is really sure how the UK’s approach will affect the level of tracking data available to publishers and advertisers for measurement purposes. Bennett says he’s seen a “polarised” attitude from clients. “Some say they’ll do very little; others are more extreme, saying they’ll switch off analytics altogether.”

However, uncertainty is diluting any sense of mass panic. Most site owners are proceeding cautiously, waiting to see what everyone else is doing, with a tangible feeling that the law will simply have to be revisited soon – but when?

As Bennett told a packed room of publishers recently: “I’d be surprised if anybody in this room will be contacted by the ICO in the next 12 months”. Whether that’s down to a rigorous adherence to the law, a pragmatic implementation or the ICO’s inability to get to offenders remains to be seen.

0 Comments