Saturday 9 July 2011

Cookies – the current mess is even being reported by the BBC

When the BBC decides that a data protection issue is sufficiently important to draw public concern to it through an article on its news website, people usually begin to sit up and take notice.

So I was delighted to read Michael Miller’s article, published yesterday, under the headline “Cookie: monster? How will business cope with new laws”.

As he wrote, “By any yardstick the implementation of the EU's Privacy and Communications Directive by its member states has been poor.

When the deadline to implement it passed in May only Estonia, Denmark and the UK had taken steps to bring it into law.

Denmark has now decided to put its draft rules on ice indefinitely and the UK has given firms a year to comply.

To give the UK's Information Commissioner's Office its due, its guidance on the law is probably the most comprehensive of any member state so far.”

He pointed to the confusion that exists between those cookies which are apparently acceptable, and those for which consent may be required. We all know that most cookies perform basic functional tasks like storing your login details or personal preferences. But what’s permitted and what’s a bit iffy? In other words, what’s “strictly necessary” (and how on earth can we illustrate this phrase with practical examples that normal people can understand)?

There is still dispute among the legal fraternity as to whether a cookie that enables an online shopping basket to function is fine, but a cookie that remembers you prefer your website in English rather than French is not.

As Michael remarked, "Marketing professionals argue cookies are misunderstood and most actually enhance the consumer experience, allowing people, for example, to be directed to a Hilton hotel rather than Paris Hilton. (Or indeed, vice versa.)"

Critically, however, we need to reflect on the comments of Paul Carysforth, a partner at Amaze, which runs online marketing campaigns for companies like Unilever, Lexus, Toyota, Coca-Cola and Dyson.

"Cookies are the primary means by which all online businesses determine the return on their investment," he says.

"Without cookies it would be almost impossible for companies to understand their ROI and in particular isolate which strategies are delivering a positive return, and which would hamper investment and innovation."

I think the ICO is finding this now, if the objection rate for their Google Analytics cookie is still running at 90%.

But how can anyone run an international campaign properly when the cookie rules are so different in the various Member states?

"In the Netherlands there is discussion about whether consent must be 'unambiguous', which might make browser settings - a convenient way of getting consent - less likely to be acceptable," says Matthew Norris, global head of technology and media at the insurer Hiscox.

"German and French legal commentators use the term 'opt in' and that is more draconian than the UK, where the Information Commissioner's Office has specifically said that UK law does not amount to a requirement to opt in," he says.

There is talk in some places of a 'double opt in', where consumers would have to click on two separate links to give their consent.

I agree with Eduardo Ustaran’s view that a double click policy would be fatal to online commerce.

Let’s hope that the strain on enforcement doesn’t cripple the regulators, who obviously have far more significant issues on their hands.

Politically, though, I think the confusion needs to be resolved pretty quickly. If the authorities are seen to be incapable of taking a co-ordinated approach, then surely this does not bode well for the forthcoming review of the entire Directive.

Here is a glorious example of an institution (the European Commission) creating a set of incomprehensible rules, and then sitting back as the frustration (and then blame) focuses on the regulators – who are really only charged with trying to enforce them.

Will history repeat itself as the wider review of the Data Protection Directive takes place? Especially, given the very different privacy expectations which exist in each of the Member States?

Or, turning the question on its head, how can it not?