EU Privacy Directive: The Cookie Conundrum


When the EU Privacy Directive on cookies came into effect in May of this year – the first time the legislation had been updated since 1995 – it left a lot of people in the industry scratching their heads as to what it meant and for whom.

As with any law or Directive the wording was somewhat ambiguous and open for interpretation, but what was clear was that companies found to be mishandling personal user data would face hefty fines.

The Directive came into full effect in May 2011 but the industry has been given a cool year to get its house in order before the hammer comes down and fingers are pointed. This is an unusual occurrence in law but a welcome one, so mark it in your calendar, people – May 2012.

The trouble is, however, as it currently stands many publishers don’t have full ownership or even total knowledge when it comes to cookies and data tracking – heck, some of the biggest publishers in the world aren’t aware of exactly who’s dropping what and where on their sites. Networks, advertisers and agencies are just some of the players involved in the sharing of online data.

What this new Directive means, though, is that going forward those wishing to trade in user data will have to gain full user consent, and as such there’s going to have to be a lot more transparency when it comes to cookies. What is less clear is how best to do it.

Confusion Reigns 
On a mission to find out more I took myself over to the Evidon Cookie Compliance Conference in London, where there was a raft of speakers and industry types all eager to find out the answer to that very question.

Speaking with those in attendance, it was good to hear that most were equally puzzled – regardless of what side of the industry they were on. I spoke with publishers, solutions providers as well as agencies and I – as did many I spoke with – took solace in the industry’s collective confusion.

Whilst uncertainty over actions reigned, all seemed united in the notion that data sharing, cookies and online privacy needed revamping from their current form. Again, the solutions were less forthcoming.

David Evans of the Information Commissioner’s Office (ICO) said that whilst there was no ‘silver bullet’ when it comes to complying with the Directive, publishers would need to scour their sites and find out exactly what information was being passed and to whom, and then assess how intrusive this data sharing was and act accordingly.

All great in principle, but from speaking with those in attendance, ‘intrusiveness’ was a contentious topic in itself, with seemingly everyone offering a different opinion as to what the term meant to them.

Evidon’s Scott Meyer addressed the confusion, but suggested a wait-and-see approach was not the answer.
“Despite the lack of perfect clarity on how best to comply with the Directive, sitting around and waiting is not the answer,” he said. “There’s plenty that businesses can do right now, starting with the understanding that data collection is happening across their sites and disclosing everything clearly to consumers.”

Those sentiments were echoed by David Evans of the Information Commissioner’s Office (ICO): “Companies need to start showing they are moving in the right direction as the Directive has been around since May. As a regulator, we can point to lots of people doing different things, but do something is the message.”

Empowering and Educating Consumers
A seemingly viable solution for publishers was put forward by Louise Thorpe from Vodafone; they are set to implement a ‘Privacy Dashboard’ for users at the telecom giant. Here users would be presented with the information regarding their data situation but, more importantly, they could control the flow of information – if they so chose. Rival telecoms giant O2 is set to take the same approach.

Panellist Khan Smith from Akamai felt that the cookie itself was being portrayed as the villain of the piece and that users should simply be better informed about them, again touching on the theme of intrusion.
“A cookie is an integral part of the Internet – amongst other uses it’s what helps browsers remember login details,” he said. “Predominantly they are there to provide benefits for the user and are not intrusive.”

Robert Reid from consumer group Which? agreed that there was a lack of information around cookies. According to Which?’s research, whilst users preferred behavioural targeted ads and saw them as relevant, as many as 40% felt uncomfortable at the idea of having cookies dropped on their machines.

Seemingly the lack of information presented to users currently regarding cookies is the first thing that will have to change.

The Internet Advertising Bureau’s (IAB) Nick Stringer agreed: “Transparency is the key. It’s important to let people decide and let them make choices; not everyone’s going to want to know, but let’s give them the option.”

Publishers’ solutions are not enough on their own, though – browsers and networks will have to do their part in aiding transparency. Browsers will have to make it clearer when third-party data collectors are involved, and networks will no longer be able to enjoy universal opt-ins when it comes to user data, instead having to earn actual consent.

Again, the nuts and bolts of exactly how to implement these changes are left to us – but with the window we’ve been given, we’ve the time to get it wrong a few times before the deadline hits.

An Answer Emerges

At the end of the day, the Directive was born out of a need to protect the user and to be more accountable as an industry. Damian Scragg from Evidon summarised: “We all need to work together to educate consumers about making informed choices – as an industry we need to do better.”

So unfortunately, from the information gathered, there is no one culpable party and no ‘silver bullet’ solution to comply, but rather an ecology of solutions based on transparency, information and governance that will need to be put in place by all concerned.

It may not be the answer many of us hoped for but at least it’s an answer – no more head scratching. Doing something is the answer, as we’re all in this one together and we’ve been given the time to do it.