While U.S. digital industry commentators were debating the “Do Not Track” initiative in May, the UK industry was rushing to meet the deadline for its own privacy D-Day: May 26, 2012. This was the date on which the EU Privacy Directive, which had become UK law the previous year, started to be enforced by the UK regulator, the ICO.
What is The EU Privacy Directive?
The bureaucracy and mangled legalese the EU pumps out is legendary. Suffice to say there is a long Directive which, distilled down, requires brands to get “consent” – that’s a word that will keep cropping up – before tracking consumers. How it’s interpreted and has been written into law varies by EU country. This article focuses on the UK.
More Than Cookies
Cookies have been the focus of coverage of the Directive – the crumbly bad boys consumers should fear if you believe some – but other technologies are covered too, including Flash objects (aka “Flash cookies”). Broadly speaking, if a piece of technology tracks consumers, you need their consent to do so.
Consent Doesn’t Mean an Explicit “Yes”
There’s that word again. “Consent.” When the UK regulator first announced the date for the Privacy Directive to become law, a flurry of articles debated what “consent” meant. Over time consensus grew – consent meant a drop-down message, pop-up or similar mechanism that actively asked consumers to explicitly say “yes” to tracking. Debate followed around whether this had to be done for every site visit – it didn’t – and whether this applied to cookies required for the site to function – it didn’t. The ICO issued guidelines and industry bodies lobbied and debated.
In the weeks leading up to the 26th the ICO stated that analytics cookies would not be a focus of enforcement – and that they were writing to 50 high-volume websites to suggest how they should comply.
Then on the Thursday before the deadline the ICO announced that explicit consent wasn’t necessarily required. All of the pop-ups, drop-downs, overlays and other clever mechanisms web designers and marketers had been working on, trying to walk the line between compliance and not damaging conversion rates, suddenly looked like they might not have been necessary.
Post-Directive: The Reality
Where does this leave brands today? If your UK site isn’t compliant yet, you’ve probably got a breathing space (unless your traffic levels are high and the ICO’s noticed you). So how do you comply?
1. Audit Your Tracking Technologies
The first thing to do is audit the cookies, tags and tracking technologies used on the site – including those set through tag containers. Browser extensions like Firecookie for Firebug and Ghostery can help with this, alongside the knowledge of developers and webmasters.
It’s useful to categorise what you find – what’s required for site functionality, what’s used for analytics, what’s used for tracking advertising etc.
2. Is Implied Consent Enough?
However, if the data your site collects is sensitive (e.g., health information), then explicit consent could be required (and other data protection laws might apply too).
Your policy should have a section explaining what tracking technologies are used on the site – or a separate page, which is what many UK websites have done. This should detail what cookies and tracking technologies are used – ideally arranged by category with links to sites offering more information about cookies and any opt-out links from the providers of the technology, like the one Google provides and the industry NAI site.
4. Decide How to Tell Consumers
5. Keep Your Policy up to Date
As your site changes, the list of tracking technologies in the policy needs updating – so you need the right internal process in place to make sure this happens.
Do Not Track?
You might be wondering at this point whether the “Do Not Track” initiative, with browsers offering an easier way of managing (read: blocking) cookies, will mean that compliance can be achieved that way. The ICO’s thought of this too, and the answer is “No”. The need to comply with the Directive on UK websites – and across the EU – won’t go away as browser publishers address privacy concerns at a software level.
Image Credit: Alan Cleaver/Flickr