
Would you like a cookie?

Almost two years ago the busy-bodies in Europe, spearheaded by Germany and France, decided it was time to clamp down on internet privacy concerns.

And after they clamped it down they hit it repeatedly with a hammer until we were left with a broken mess that helped no-one.

Then they hit it some more.

Why did this come about?

Their main concern was business websites installing cookies (and other code snippets) on visitors’ computers to perform data scraping, and more specifically the practice of doing this without the visitor knowing.

Now this seems far more nefarious than it really is so don’t be too alarmed. Not all websites use cookies and the vast majority that do use them to either deliver a better experience or to track the visitor journeys through the site.

The problem was that the few troublemakers employing less ethical systems were using the same method of deployment as the businesses who genuinely had your best interests at heart. But legislation decided to ignore the shades of grey and impose a blanket policy.

“If you install cookies on a visitor’s computer without gaining their express permission you are breaking European law (this is important because you can meet your native country’s legal requirements but be in breach elsewhere in the EU and still be liable) and can face a fine of £250,000. You have 12 months to comply.”

Pretty scary stuff. It brings to mind Gandalf bringing down his staff and telling the Balrog “You shall not pass!”. Gandalf said it in four words though. The European government said it in a very confusing 28 pages that left everyone with more concerns and more problems. And just to help things along most of Europe remained oblivious because business owners weren’t told this was coming into effect. Cue last minute panic.

How was this news taken?

Joe Public is largely aware of cookies and for the most part is unconcerned by them. Surveys have shown that 2/3 of people would rather not know that the problem exists and would rather have any security decisions made for them without them having to get involved.

Business owners fell into three camps:

“Let’s do exactly what they say” (result: more expense, stilted user journeys, and loss of valuable data)

“Let’s nod our head at the ruling, make people aware we are using cookies, but not really give them a choice about it” (result: some expense, a slightly stilted user journey and they get to retain their important analytical data)

“Let’s do nothing and wait to see if the law changes again” (result: so far, nothing bad has happened)

Most businesses use Google Analytics on their websites. This is an invaluable marketing tool that lets site owners know if their site is working as hoped. This data allows them to deliver the very best possible experience to their customers and ultimately everyone wins.

With this stripped away it's like trying to fly a plane without your instruments. You will probably manage it but God alone knows where you will end up.

We wrote to all our clients and advised them of the impending law change and we saw a good cross-section of routes taken. Clients with Government contracts or positioned in such a way that meant they had to keep their noses clean went for full compliance. Clients wanting to show willing went for implied compliance. And the remaining majority did nothing.

To this date there hasn’t been a single test case brought before the courts as a result of anyone being in breach of the ruling. The UK’s IPO was as confused by what was required and what was enforceable as were the rest of us. They even went so far as to state they believed that analytics was essential (and thus exempt) despite what Europe said. They had no power to change the law but they made it clear they didn’t really plan to enforce it.

The waters were muddied further by repeated revisions of the ruling and particularly in the UK by a further softening of the stance. Technically this was good news but the companies that had already paid out or had taken an analytics hit weren’t quite so impressed.

Purple Frog saw its visitor statistics drop by 90%. The visitors were still coming to our site but we had very little clue what they were doing. For us it’s an inconvenience but for an online retailer or service provider it’s a nightmare.

Where are we at now?

The first time you visited our site you may or may not have noticed a grey bar appear at the top of the page. It told you that if you carried on using the site you were cool with us tracking your movements and if you wanted to know more about why it was a good thing there was a handy link too.

After you moved on that was it. You don’t get to see it again. You haven’t been inconvenienced. Our data is intact. And UK interpretation of the law has been satisfied. This is implied consent at work. It might seem a little underhanded but it’s actually a massive step towards addressing privacy concerns without alarming the public. Basically it’s business as usual while demonstrating an ethical code of conduct, and it actually strengthens the bond between you and your clients: “we care about your privacy, but we aren’t going to get in the way of you enjoying the web”.

Ironically across the whole of Europe the two countries who have done the least to implement this (with close to 0% take-up) are Germany and France...

Our advice

We can’t advise you to do nothing. Our lawyers would have an absolute fit at us.

Implied consent is a good way forward. It keeps you on the right side of the law and sends positive messages to your clients. Especially if you trade across Europe.

But if you don’t want the expense just yet then you will probably be safe for a while. If you are found to be in breach you will receive a warning from the IPO, at which point we advise you act quickly and decisively. It’s not as big an undertaking as you might think and is certainly cheaper than a court case.

So. Would you like a cookie?

Perhaps the question should be “would your customers like a cookie?”.
Most likely (they just don't want to know about it).

If you have any questions or concerns or would simply like to talk to us about online compliance and standards then give us a call on 01844 295170. And you never know, if you decide to implement a consent system we might even send you a whole packet of cookies!

James Olney
