Thursday, 08 March 2012
The EU Cookie directive came into force on 26th May 2011, with the ICO offering a grace period of one year before starting to enforce it. Plenty of people are sceptical about the content of the directive, its motives and its enforcement. I've come across no other examples of websites seeking permission to drop cookies, other than the ICO website - though according to eConsultancy even that doesn't meet the regulations, and they are the people due to be enforcing this.
So with so much scepticism, where does it leave smaller affiliates?
Before we go any further...
I'm not a legal expert and the opinions here are merely ideas and thoughts. Enough said.
Fantastic and Concise Summary To begin With
First up, take a look at this excellent and frank video explaining the EU Cookie Directive from a UK perspective. Naturally, it's embedded using YouTube's enhanced privacy mode (cookie free!).
What Are the Options?
Option 1) Ignoring the Law
My money would be on most affiliates doing this. For smaller affiliates where time and resources are scarce, it's easiest to opt for this method. In fact, I reckon there are a few large affiliates considering doing the same. If it's not going to be enforced that well for smaller sites then there's no incentive to make extra work for yourself. But that's a big "if".
Quite frankly there needs to be a test case before the courts to determine what the likely punishment would be for not complying, and to determine the size of website owner that will be charged with failure to comply. For example, will a part-time hobby blogger be charged if they unlawfully drop an analytics cookie? Similarly, will a voucher code site be charged for doing the same? Is size even a factor?
The only way I see this being implemented successfully is if everyone is treated the same, and assessing millions of websites and prosecuting website owners for failure to comply is not going to be an easy task for the ICO.
This seems the easiest and most hassle-free. The cookies I knowingly have coded into various sites are nothing more than timesavers for visitors. For example, storing the user name and email address from a comments form in a cookie is not a major privacy concern for me. Moreover, it offers a time-saving feature to repeat visitors. It's a pain leaving comments and having to type your name and email address each and every time.
The truth of the matter though is that in instances like these it may well be easier and more effective stripping the cookie dropping code than coding in a compliance script.
Option 3) Making The Changes
So if your love of Google Analytics is so great that you desperately want to keep running the service, or if you're using cookies for something else that's important to keep (polls, forums, quizzes, forms, etc), then there's always the option of covering your back and making sure you're compliant with the law. Obviously this is the best option and perhaps the safest.
First you need to work out what your cookies are doing, where they are being set, and whether they are essential. The IAB Affiliate Marketing Council recently released its Consumer Transparency Framework which looks at ePrivacy guidance across the performance channel. It features a nice and neat section on cookie auditing that is seemingly aimed at larger affiliates and merchants but is easily adaptable for smaller publishers.
So now you know where your cookies are being set. Now you need to alter that code so that they are only set if permission is gained.
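One way to gate cookie writes on permission, with the comment-form name and email cookies mentioned earlier as the optional case (an added example, not code from this blog; the cookie names, the audit map and the `cookie_consent` record are assumptions):

```javascript
// Added example; every name here is hypothetical, not taken from the post.
// Cookie audit result (constructed): cookie name -> 'essential' or 'optional'.
const AUDIT = new Map([
  ['session_id', 'essential'], ['comment_author', 'optional'], ['comment_email', 'optional'],
]);
const CONSENT = 'cookie_consent';

// In-memory stand-in for document.cookie so the logic runs outside a browser.
// Browser jar: { read: () => document.cookie, write: (c) => { document.cookie = c; } }
function memoryJar() {
  const cookies = new Map();
  return {
    read: () => [...cookies].map(([k, v]) => `${k}=${v}`).join('; '),
    write(cookie) {
      const pair = cookie.split(';')[0];            // drop attributes such as path
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq).trim();
      if (/;\s*max-age=0\b/i.test(cookie)) cookies.delete(name); // expiry request
      else cookies.set(name, pair.slice(eq + 1).trim());
    },
  };
}

function readCookie(jar, name) {
  for (const part of jar.read().split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

function createCookieGate(jar, audit) {
  const hasConsent = () => readCookie(jar, CONSENT) === 'yes';
  return {
    hasConsent,
    // The consent record is itself a cookie, written only after an explicit yes.
    accept: () => jar.write(`${CONSENT}=yes; max-age=31536000; path=/`),
    // A refusal writes nothing new; it only expires an earlier consent record.
    decline: () => jar.write(`${CONSENT}=; max-age=0; path=/`),
    set(name, value, maxAgeSeconds) {
      const kind = audit.get(name);
      if (kind === undefined) return false;                    // not audited: never set
      if (kind !== 'essential' && !hasConsent()) return false; // optional needs consent
      jar.write(`${name}=${encodeURIComponent(value)}; max-age=${maxAgeSeconds}; path=/`);
      return true;
    },
  };
}
```

Routing every cookie write through `set` means a cookie missed in the audit is refused rather than dropped silently, and a visitor who declines is simply asked again on the next visit because no record of the refusal is stored.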
How you go about implementing a method to seek permission will no doubt have an impact on your visitors and could be crucial to your bottom line.
There's a blog post over at eConsultancy which provides three mock-up solutions to seeking permission to drop cookies. There's also a real life example of an intrusive modal pop-up on All About Cookies, a website documenting the humble cookie. Ironically, to persistently reject permission for the Google tracking cookie, the website sets another cookie. It could be argued that this preferences cookie is an essential one (and thus does not need to actively seek permission to be set) but as the website would still function without it, I wonder whether it can be classed as such. As such, a second pop-up would probably be required to seek permission for that particular cookie, or the description needs to expressly state that this new cookie is being set.
And this is where the problem lies. So much of the talk about the EU Cookie Directive is vague and much of the debate is full of conflicting information and guidance. It's a very vague law that doesn't seem to be that well prescribed and one which leaves room for interpretation, which can subsequently lead to confusion.
Rather than having official guidance that says you must do this, that and the other, the guidance on offer is non-committal and indemnifies itself. If the guidance can't be relied upon there's little hope for an acknowledged universal solution - other than moving the responsibility for seeking permission to set cookies back to the web browsers (apparently this isn't good enough, though the option for cookie control has been contained within browser settings for years).
Whatever route you choose, it's certainly not going to be an easy piece of legislation to integrate or work with. Come the 26th May 2012 and we'll finally see how the ICO intend to police this law and how many websites will be affected as a result.
Expect all this cookie chatter to continue long past that date.
Hang on, What about Affiliate Cookies?
Personally, I'd interpret these to be third party cookies that are outside the scope of responsibility of affiliates. When a banner is displayed a cookie may or may not be dropped. Whilst it's my choice to display the banner I do not control nor have access to the cookies dropped thus I'd call them third party cookies. This would suggest the onus is with the relevant affiliate networks and independent affiliate programs in making sure they comply with the law on behalf of affiliates.
However, I'm sure this is a very grey area and it would be very interesting to see whether anything has to change in terms of how banners are delivered and served. Perhaps an AdSense style "(?)" needs to be introduced over all banners to enable visitors to opt out of cookie dropping? Perhaps they simply cannot drop any more cookies as banners cannot gain express consent before being displayed?
It would be very useful from an affiliate perspective to see some clarification and guidance being issued by affiliate networks on how they are dealing with the legislation and how they would prefer affiliates to tackle it (in terms of affiliate cookies).
Comments are manually approved and hence can take a while to appear. Questions, informative posts, and feedback comments are gladly accepted. Spam is deleted. Spam-type comments have their links removed (Comment Policy)
Technically, the only cookies my sites drop are login for wordpress, and as I'm the only one who uses them they're beyond the scope of the law. Analytics cookies and affiliate cookies are not set by my site but by the services that supply them, so beyond my scope to alter. There's not a line of code in any of my sites that says to drop a cookie. Gray area maybe, but I think it's the one most of us will be taking, and certainly will be the line I take should there be any legal issues. Quite happy to go to court and show them the source code of my sites to prove it.
Written on Thursday 08 March 2012 at 13:13:21 GMT (Permalink)
@DaveL - Pretty much the same here. The next question I am now wondering is why permission is needed to set a Google Analytics cookie when it is Google that sets the cookie (I believe). This is what the ICO have sought permission to set so presumably even though that's a third party cookie they are seeking permission for it. The ramifications of this on affiliate banners, AdSense and the like could be quite huge if these are considered as "necessary to seek permission, even if they are set by third parties"
Written on Thursday 08 March 2012 at 21:02:40 GMT (Permalink)
We'll be sending out communication very soon on this (with the Framework attached).
The ICO has been clear in saying to the Affiliate Marketing Council that site user logic should be applied so for example, a user visits your site and interacts with your content, therefore you carry the responsibility for explaining what information is stored and how regardless of which third parties are serving it. The assumption should be that the user won't be aware of the mechanics behind the content: they have interacted with your site and therefore you need to provide 'informed consent'.
If you're an Affiliate Window or buy.at affiliate you should receive our communication very soon.
Written on Friday 09 March 2012 at 09:33:15 GMT (Permalink)
@Kevin Edwards - Thanks for your comment and I look forward to reading the communication being sent out.
From what you've said it sounds like affiliates need to gain informed consent. Would that imply that affiliates need to seek users' permission to serve an Affiliate Window or Buy.at banner before it's displayed? Or does it imply that affiliates can serve the banners as normal, but make clear that third party cookies may be set and that it's down to the visitor to opt out of these via Affiliate Window or Buy.at?
Written on Friday 09 March 2012 at 12:26:25 GMT (Permalink)
To be perfectly honest it's for everyone to make their own decision and whilst I appreciate it's not helpful on one level not having something prescriptive in place there's one very good reason for a lack of prescription: to enable us to have flexibility in putting our own, 'light touch' approach in place.
What I would recommend, and this is my opinion and is in no way definitive but based on my interpretation of the situation, is to seek to 'inform' in a transparent way. In other words, make it clear to consumers to your site where they can find out more information about how your site operates and the range of cookies you use to generate revenue. The disclaimer just needs to be upfront that you make money from the content and use third parties to do so.
We will be helping affiliates with this in due course.
The key I think will be in the language used: it has to be consumer friendly and clear. This I believe at present goes a significant way to the heart of the issue. We may choose to offer affiliates the ability to allow people to opt out of our cookies in the longer term but we are unlikely to in the short term.
Opt in or opt out are really misnomers as they are currently unlikely to be symptoms of informed consent (when was the last time you waded through indigestible privacy policies).
We have the ability to control the message - educate and then enable consumers to decide.
Written on Monday 12 March 2012 at 23:17:02 GMT (Permalink)