A Shorthand Guide to Compliance with the ePrivacy Directive

10 point plan for ePrivacy compliance

There is so much noise around the ePrivacy Directive in the marketplace that at times it can feel as though everyone has a different plan for how to come into compliance.

In reality, compliance approaches only seem complicated when they are based on short-term improvements that fall short of the legal standard. Many of the approaches you have seen in the market fall into this category, and seem disconnected precisely because they are fanciful creations of sites that have made their own standards and are hoping that the regulator will not challenge them. This clearly is not a sound legal strategy.

To comply with the ePrivacy Directive you need a basic understanding of what the law requires and a plan for how to meet this requirement in a manner that is appropriate for your business. The law requires consent for virtually all of the commercial tracking activity taking place on your site, both 1st and 3rd party.

Here’s a 10-point plan to help you build a sensible commercial plan to gain consent:

1. Audit your site for tracking activity
The ICO (UK regulator) and CNIL (French regulator) have both been explicit in their written guidance that you need to obtain a tracking audit before you obtain consent. After all, consent must be specific to the companies collecting data on your site, and must be proportionate to the intrusiveness of their data use. You clearly can’t do this until you know who is tracking and how they are using data. Make sure that your audit is not limited to cookie data, and that you have enough context to evaluate the commercial value and performance impact of each tracker.

2. Assess the 3rd parties collecting data on your site
Make sure you digest the contents of your tracking audit and are comfortable with the 3rd parties on your site. If any are collecting data for non-approved purposes or are impacting the performance of your site, kick them off. Make sure that none of the remaining trackers are engaging in especially sensitive data practices, like the targeting of health care conditions or children. And be clear on whether your site allows 3rd parties that engage in behavioral advertising.

3. Make sure you can account for the purpose of your own tracking
There is no exemption for 1st party tracking, and most companies that dig deep into their 1st party cookies find that the majority require consent. Run the list of 1st party cookies from your tracking audit through your IT team and make sure there is an accounting of the purpose for each cookie.

4. Pick implied consent, explicit consent, or both
Most companies vastly prefer implied consent, as it allows you to continue with current tracking activity unless the consumer takes an opt-out action. If you are based in the UK and serve a UK specific audience, it’s likely that you do not need to go further. But if you are based in a country like France or the Netherlands, or are managing content for audiences in either territory, you may need to consider an explicit consent model, or a hybrid approach that allows you to be implied where you can and explicit where you must. You might want to add an updated cookie policy to your consent system.

5. Understand the difference between ‘notice’ and ‘consent’
To be clear, implied consent does not mean that ‘opt-out’ in the traditional sense will suffice in any market. Even implied consent requires that you can argue that a reasonable consumer understands the tracking that is taking place, and is taking a positive action, having been informed, to indicate their consent. A footer link or language in the privacy policy clearly does not meet this threshold. For examples of implied consent, see uk.reuters.com or nectar.com.

6. Provide an opt-out option for all non-essential trackers
The most complicated component of your consent solution will not be the generation of the user interface, but rather the setup of systems that allow the user to opt-out of 1st and 3rd party data collection. Telling the user that they can disable cookies in their browser will not cut it. Look to a solution provider like Evidon to help you through this if you have more than a few trackers on your site, and you might also want to consider a tag management partner like Tag Man or Adobe Tag Manager.
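The gating logic behind such an opt-out system, as an added example that is not code from the original guide or from any vendor named in it: a tag inventory is categorised, non-essential tags are loaded only for categories the user has consented to, and an opt-out both disables those tags and is recorded in a first-party consent cookie so later page loads honour it. The tag ids, categories, URLs and the cookie format are constructed assumptions for illustration.

```javascript
// Added example, not from the original guide: a minimal consent gate for a
// site's tag inventory. Tag ids, categories and URLs are constructed samples;
// the cookie format is an assumption made for this illustration.

const TAG_REGISTRY = [
  { id: 'session',   category: 'essential',   firstParty: true,  src: 'https://www.example.com/js/session.js' },
  { id: 'analytics', category: 'analytics',   firstParty: true,  src: 'https://www.example.com/js/analytics.js' },
  { id: 'adserver',  category: 'advertising', firstParty: false, src: 'https://ads.example.net/pixel.js' },
  { id: 'social',    category: 'social',      firstParty: false, src: 'https://social.example.org/widget.js' },
];

const CONSENT_COOKIE = 'site_consent';
const CONSENT_VERSION = 1;

// A tag may run only if it is essential or its category was consented to.
// A category absent from the record means "not consented": silence is never
// treated as consent, and a missing record (null) allows essential tags only.
function isAllowed(tag, consent) {
  if (tag.category === 'essential') return true;
  return consent !== null && consent.categories[tag.category] === true;
}

// Pure decision functions, kept separate from DOM glue so they can be tested.
function tagsToLoad(registry, consent) {
  return registry.filter(t => isAllowed(t, consent)).map(t => t.id);
}

function tagsToDisable(registry, loadedIds, consent) {
  return loadedIds.filter(id => {
    const tag = registry.find(t => t.id === id);
    return tag !== undefined && !isAllowed(tag, consent);
  });
}

// Cookie value, e.g. "1|advertising=0;analytics=1;social=0" (constructed format).
function encodeConsent(consent) {
  const parts = Object.keys(consent.categories).sort()
    .map(c => `${c}=${consent.categories[c] ? 1 : 0}`);
  return `${consent.version}|${parts.join(';')}`;
}

// Strict parser: anything malformed or from an older version yields null,
// which means "ask again" rather than "assume consent".
function decodeConsent(value) {
  if (typeof value !== 'string') return null;
  const sep = value.indexOf('|');
  if (sep < 0) return null;
  const version = Number(value.slice(0, sep));
  if (version !== CONSENT_VERSION) return null;
  const categories = {};
  for (const pair of value.slice(sep + 1).split(';')) {
    if (pair === '') continue;
    const [name, flag] = pair.split('=');
    if (!/^[a-z]+$/.test(name) || (flag !== '0' && flag !== '1')) return null;
    categories[name] = flag === '1';
  }
  return { version, categories };
}

// Browser-side glue: inject allowed tags, remove disallowed ones. Must run
// before any non-essential tag is in the page; a script that has already
// executed cannot be un-run, only prevented on the next load.
function applyConsent(registry, consent) {
  if (typeof document === 'undefined') return;
  for (const tag of registry) {
    const existing = document.querySelector(`script[data-tag-id="${tag.id}"]`);
    if (isAllowed(tag, consent)) {
      if (existing) continue;
      const s = document.createElement('script');
      s.src = tag.src;
      s.async = true;
      s.dataset.tagId = tag.id;
      document.head.appendChild(s);
    } else if (existing) {
      existing.remove();
    }
  }
}

// Read the first-party consent record from document.cookie (browser only).
function readConsentCookie() {
  if (typeof document === 'undefined') return null;
  const m = document.cookie.match(new RegExp(`(?:^|; )${CONSENT_COOKIE}=([^;]*)`));
  return m ? decodeConsent(decodeURIComponent(m[1])) : null;
}
```

The design point is that the decision sits with the site, not the browser: the gate decides per tag, 1st party tags included, and an opt-out changes what loads on every subsequent page view, which is what "disable cookies in your browser" cannot deliver for third-party data collection.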

7. Make sure that you have rationalised the consumer experience
At the end of the day, your consent interface will be yet another high-profile consumer-facing communication tool with prominent positioning on the homepage of your site. IT should not drive this project alone. Make sure that the marketing department has fully rationalised the approach, including visuals and language. Also make sure that you haven’t built an elegant, non-intrusive solution that will gain the consent of less than 10% of your users, as the ICO has done. Clever check boxes are cute, but will leave you with a 90% non-consented audience, and kill commercial data collection on your site.

8. Deploy consent
With your background work done, push consent live on your site.

9. Implement a system for keeping consent up to date
Remember that tracking activity is highly dynamic and that your consent solution must continue to be specific and complete over time. Consider systems that provide ongoing updates to your tracking audit, alerts when new trackers appear, and that automatically synchronise with your consent solution. Evidon provides auditing and consent solutions that integrate and manage all of this automatically.
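Points 1 and 9 together describe an audit that is wider than cookies and a check that keeps it current. As an added example that is not code from the original guide or from any vendor it names, the following builds a third-party inventory from the requests observed on a page load and diffs it against the last audited baseline, reporting hosts that were never audited (a new tracker appeared) and audited hosts that no longer appear (the consent notice is now out of date). The hostnames, request list and baseline are constructed samples; the request shape assumes a capture such as a HAR export reduced to URL, resource type and whether a cookie was set.

```javascript
// Added example, not from the original guide: tracker inventory and drift
// detection. Hostnames, requests and the baseline are constructed samples.

// Hosts that count as the site's own (constructed). Anything else is 3rd party.
const FIRST_PARTY_HOSTS = new Set(['www.example.com', 'static.example.com']);

// Baseline from the last tracking audit: host -> approved purpose (constructed).
const AUDIT_BASELINE = {
  'analytics.example-metrics.net': 'analytics',
  'ads.example-adnet.org': 'advertising',
  'social.example-widgets.com': 'social',
};

// Requests observed on one page load (constructed sample). A beacon can track
// without setting a cookie, so the inventory records more than cookie use.
const OBSERVED_REQUESTS = [
  { url: 'https://www.example.com/index.html',                  type: 'document', setCookie: false },
  { url: 'https://static.example.com/app.js',                   type: 'script',   setCookie: false },
  { url: 'https://analytics.example-metrics.net/collect?sid=1', type: 'xhr',      setCookie: true  },
  { url: 'https://ads.example-adnet.org/pixel.gif',             type: 'image',    setCookie: true  },
  { url: 'https://cdn.newtracker.example/beacon.js',            type: 'script',   setCookie: false },
  { url: 'https://sync.newtracker.example/match?uid=abc',       type: 'image',    setCookie: true  },
];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// One inventory entry per third-party host, summarising what it did on the page.
function buildInventory(requests, firstPartyHosts) {
  const inventory = new Map();
  for (const req of requests) {
    const host = hostOf(req.url);
    if (firstPartyHosts.has(host)) continue;
    const entry = inventory.get(host) ||
      { host, requests: 0, setsCookies: false, carriesParams: false, types: new Set() };
    entry.requests += 1;
    entry.setsCookies = entry.setsCookies || req.setCookie === true;
    entry.carriesParams = entry.carriesParams || new URL(req.url).search.length > 0;
    entry.types.add(req.type);
    inventory.set(host, entry);
  }
  return inventory;
}

// Compare what was seen with what was audited, in both directions.
function diffAgainstBaseline(inventory, baseline) {
  const observed = new Set(inventory.keys());
  const unaudited = [...observed].filter(h => !(h in baseline)).sort();
  const missing = Object.keys(baseline).filter(h => !observed.has(h)).sort();
  return { unaudited, missing };
}

// Entry point: returns the data an alerting job would act on.
function runCheck(requests = OBSERVED_REQUESTS, baseline = AUDIT_BASELINE) {
  const inventory = buildInventory(requests, FIRST_PARTY_HOSTS);
  const { unaudited, missing } = diffAgainstBaseline(inventory, baseline);
  return { hosts: [...inventory.keys()].sort(), unaudited, missing };
}

// Stand-alone run: print the drift report.
console.log(JSON.stringify(runCheck(), null, 2));
```

Run on a schedule against fresh captures, a non-empty `unaudited` list is the alert that a new tracker needs assessing (point 2) before it is added to the consent system, and a non-empty `missing` list means the consent notice names a party that is no longer collecting data.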

10. Move on and continue with your core business
Ultimately, your business is not about obtaining consent. If you follow these steps in good faith, your compliance will be well in hand and you can get back to your core business.