Wednesday 11 May 2011

New cookie guidance: don’t panic! (My cunning compliance plan unveiled)

It’s official. New rules will take effect in less than two weeks. It’s not often that the “business friendly” Coalition Government finds itself in the position of imposing huge changes on extremely significant parts of the economy with virtually no notice whatsoever. In my experience, it’s only the Inland Revenue that can get away with such major changes in such a short timescale.

So let’s get real here. It’s not going to happen.

And, in the UK, we are the “lucky ones”. There are rumours of possible changes in a couple of the other Member States, but most of the European Governments are as concerned at hitting the EU Commission’s deadline of 25 May as they are about winning the Eurovision song contest.

I think I detect a theme here. As Corporal Jones from Dad’s Army used to urge: Don’t panic.

Take a look at the relaxed grins on the faces of those awfully clever people at Department of Culture, Media and Sport, who have miraculously transposed the Directive into UK law just in time. (Well, it will be law once it’s clear that Parliament isn’t going to perform a U-turn and withdraw it). And then take a look at the twinkle in the eyes of those awfully industrious people at the Information Commissioner’s Office, who have laboured night and day to publish stuff on the internet which indicates what they really think of the rules. And then ask yourself "wow, if they’re not worried, then what have I got to be worried about?"

If we’re not careful we’ll all turn into a group of fundamentalists who believe that the demands of the Directive are written in tablets of stone, from which no deviation is possibly permitted.

In a free society, we don’t work like that anymore. Just as citizens can rebel against their Governments, web masters will point out that some of the words in the Directive just don’t make any sense, so they’re not going to meekly comply until their human rights have been respected, too.

Am I calling for an all-out strike here? Or a work to rule? Of course not.

I’m not calling for a sprint to the compliance podium, with the requirement that everyone complies before 25 May. Instead, I’m calling for a reasoned debate on how webmasters can meet the legitimate aspirations of the customers who access their on-line portals, to give them transparency, choice and control over the stuff that really matters. And, I’m calling for those who will be enforcing the Directive to cut some slack with the webmasters, and allow them to be creative and push the barriers out when it comes to deciding how to tailor the user’s visit to the website, to give them a great experience. Which means not overwhelming the poor user with a snowstorm of cookie warnings and other tick boxes that can so easily ruin what should be a wonderful on-line experience.

I’m probably preaching to the converted – so here’s my cunning compliance plan:

AIM – keep customers happy and keep the European Commission off our backs.

1. Demonstrate to the regulator that despite being given virtually no notice whatsoever, we care about compliance. Do this by asking contacts within the business to identify who actually operates the business websites, and whether they know how these websites are constructed.
2. A few months later, suggest to the IT / Sales Department that there really ought to be someone in charge of these websites, and that it would be helpful to know their name so that we can get them to find out what they are really in charge of.
3. Require the person in charge of the websites to carry out an audit of the different types of cookies that are currently on them.
4. Read the guidance that ought to have been prepared by then which categorises these cookies into various types. They are likely to include categories where the webmaster has a legitimate interest in using cookies (as they help provide a great user experience), and categories of cookies which basically track the user when they’re doing other stuff on the internet (which is information that the business or a 3rd party finds useful and can derive some commercial value from, so the user does not have to be charged a fee to access the main website).
5. Check the ICO’s website to see how the guidance on cookies has been revised. We’re only on version 1 now. We’ll probably see a few more versions slip out as the months roll on.
6. Thank your fellow industry colleagues for having the courage to interpret the term “strictly necessary” in a way that makes common business sense, given the prevailing technologies. Support them if (ok, when) they run into any significant resistance from some European regulators, whose understanding of that term causes problems.
7. Follow the market leaders (Google, Amazon, Tesco, EverythingEverywhere etc).
8. And, until you get past point 3, keep reminding the regulators that we do care about compliance, but we also need to take a little time in making sure we’re all creating the best possible experience for our customers.

Finally, don’t be downhearted. Sing along to the words of the Cookie Compliance Song. Keep a smile on your face and let’s hope that Paul Simon or Art Garfunkel won’t get too upset at the liberties we’re taking with their wonderful 59th Street Bridge Song.

Back to the 1960’s, kick off those sandals, and stick flowers in your hair.

Now take a deep breath and sing (and also clap your hands):

Slow down, you movin' too fast
You gotta make this moment last
Just kickin' down the cobblestones
Lookin' for fun and
Feelin' groovy____________

Hello website
Whatcha knowin?
I've come to count these cookies growin'
Ain'tcha got no consent from me?
Wow man, that’s because they’re strictly necessary,
Doo Bee Doo Doo,
Feelin' groovy____________

Got no deeds to do
No promises to keep
I'm dappled and drowsy and ready to sleep
Let the EU drop all its directives on me...
Just wait for guidance, we’re not up a gum tree.
Life, I love you,
All is groovy____________________

Sources: (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011)