ICO Issues Ten Page Guideline On The New EU Directive, As May 26 Looms For The Online Advertising Industry

The ICO issued a vague ten-page document on the new EU directive that is due to come into force on May 26. I’ve had several emails and phone calls from industry people about the ICO recommendations – and the general consensus is that the ICO document is giving little lead on how publishers, agencies, ad networks and other digital media stakeholders can cover themselves legally as the May date looms.

The directive is saying that consent is required for the majority of cookie tracking. The only exception to this rule is when a cookie is “strictly necessary” for a service “explicitly” requested by a user. There are no examples given here. None. So, are we just expected to infer from this vague overview? Let’s see how that one plays out, shall we?

My favourite bit of this ICO document is the recommendations. Let’s go through the sage advice provided in detail.

1. Check what type of cookies you use and how you use them

This might have to be a comprehensive audit of your website or it could be as simple as checking what data files are placed on user terminals and why. You should analyse which cookies are strictly necessary and might not need consent. You might also use this as an opportunity to ‘clean up’ your webpages and stop using any cookies that are unnecessary or which have been superseded as your site has evolved.

Now if the report couldn’t explain what cookies it deems “necessary”, how is a publisher ad ops team going to figure what cookies to pull from the site. I’m wondering if a publisher is serving relevant content to a user based on the journey within the site would this be deemed as a “strictly necessary” service. So would a “would-you-like-to-be-served-relevant-content” pop-up cover the publisher in this instance? Could you argue that advertising is effectively content? Would this be enough to cover the publisher legally? And what about analytics? I use Google Analytics like most small to medium sized publishers. Do I need to get consent for dropping that cookie as well?

2. Assess how intrusive your use of these cookies is

The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it.

Some of the things you do will have no privacy impact at all and may even help users keep their information safe. Other technologies will simply allow you to improve your website based on information such as which links are used most frequently or which pages get fewest unique views. However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity.

If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent.

Now I have absolutely no idea what this means. Are there degrees of intrusiveness and as such do I need to have levels of priority for the more “invasive” cookies? How do you go about this? Is there a “loose” opt-in for one cookie and a “prioritised” one for anything thought to be intrusive by the user? Fairly subjective stuff.

3. Decide what solution to obtain consent will be best in your circumstances

Once you know what you do, how you do it and for what purpose, you need to think about the best method for gaining consent. The more privacy intrusive your activity, the more you will need to do to get meaningful consent.

Having provided absolutely no clarity on what cookies will need an “opt-in”, the ICO proceeds to list the best way of achieving this end. Detailed below are some options provided by the ICO.

1) Rely on browser settings: Not advised by the ICO given that your users might be using other means of accessing your site, like mobile apps.

2) Pop ups and similar technique: Again the ICO doesn’t recommend this option as it will, and I quote, “spoil the experience of using a website”. You can use the OMG phrase here if you wish.

3) Terms and conditions: Seems pretty logical – and the ICO puts this forward as a plausible solution. But states that the opt-in must be clearly labelled. So will T&Cs allow to cookie the user so they don’t have the fill in the same T&Cs again? And what happens if the cache is cleared will the user have to go through the same process. The other consideration here is how these T&Cs are presented. Even though the ICO cautions against the use of pop-ups, it might be necessary here. User experience be damned!

4) Settings-led consent: Consent can be gained from user asking for particular features on the site, like font size etc. Not very practical – given the tiny minority that would actually ask for this. Pop-up it is then.

5) Feature-led consent: Based around content preferences as suggested by user. Again not very practical. Pop-up it is then.

6) Functional uses: This is not really a solution here – but more a warning over the use of the analytic cookie and other related “background” cookie tracking. The ICO suggests scrolling text along the bottom of pages enticing users to click on link to T&Cs for opt-ins possible. Again not very practical. Pop-up it is then.

7) Third party cookies: Surprisingly, third party cookie tracking seems to be getting an easier ride here. This is less militant than the previous suggestions/warnings. It talks about working together towards maybe a “self-regulatory” environment. The ICO’s view of policing third party cookie tracking under the new directive can be summed up by the following comment:

…getting consent for these cookies is more complex and our view is that everyone has a part to play in making sure that the user is aware of what is being collected and by whom…

I’ve said it once, and I’ll say it again, this directive is absolutely unenforceable give the sheer scale of the industry. Will the ICO do random audits on sites? Or raid the ad ops departments of leading ad nets? I doubt it. It hasn’t got the resource. My gut tells me this whole thing is going to blow over – and self-regulation will be the key to placating the ICO and the EU. But if we are to play it by the book in the short term the industry should be issued with clearer guidelines so that we can at least get our house in order.