Thursday, 12 January 2012

Cookies: even more guidance coming soon

Hot on the heels of the revised ICO cookie guidance that was launched last month comes word that the mighty UK Chapter of the International Chamber of Commerce is close to publishing its own guide to compliance.

The usual suspects will soon be placing cold towels around their heads as they try to work out the differences between the ICO’s and ICC’s advice, and to advise about what people should be doing next.

Don’t scold yourself too severely if you have not already digested the ICO’s latest effort. Published on 13th December (right in the middle of the Xmas party season), the 27-page document tries as hard as it can to explain what the law now is, and how responsible data controllers might choose to comply with it. The unwritten subtext is pretty clear – that the ICO did not create the law, so it shouldn’t be blamed for the position that data controllers currently find themselves in. What you get this time is examples (and pictures) of the types of words that the ICO considers could usefully appear on websites, and where the text should ideally be positioned for the maximum regulatory impact.

I explained this to some friends who run websites a few days ago and was taken aback by their incomprehension. It was pretty clear that I was speaking a very different language to that which they use.

“What on earth do you mean?” they challenged me, incredulous that anyone would want to focus on designing websites for maximum regulatory impact, rather than in terms of what customers actually wanted to experience for themselves. I was told about piles of consumer research which suggested that the very best websites these days try their very hardest to tailor their content to the needs of the individual user. As far as they were concerned, this well-intentioned initiative was going to struggle to survive in its present form.

The core of the problem seems to lie in a common understanding about why certain websites exist in the first place, and in customers’ unwillingness to want to understand the magic that goes on behind the scenes to give them the content they want when they visit a website. I was told that the regulatory solution – one of consent – is not really achievable, as users are very unlikely to genuinely have sufficient knowledge about cookies to actually be capable of providing this consent. Finally, the web designers I have spoken to have very firm views on what cookies are strictly necessary, and their views are not reflected by the ICO.

Let’s unpack this a little.

First, it’s important to understand that websites are created for a range of purposes, by organisations who have very different views about the prominence they play in the overall offering to the customer. While some well known organisations are principally known as purely on-line companies (eg Amazon, Facebook, BBC and other media organisations), most of those who have an internet presence also employ specialist Customer Services staff. The consumer research I have seen suggests that websites are not very helpful when customers have a problem that needs resolving then and there, where handling or seeing a product is important, or when quite specialised advice is needed in order to make a decision. Such cases are better resolved when a customer deals with a real person. Websites excel when they spread general advice, facilitate social or professional networking contacts or allow users to purchase standard items (say groceries, books or concert tickets).

The consumer research I have seen suggests that consumers really don’t want to know about the magic that goes on behind the scenes to put relevant content in front of the user. And the discussions I have had with web developers indicate a degree of incredulity that they would ever deploy cookies that were not strictly necessary to maximise the user’s on-line experience. These developers were painfully aware of the fatal consequences of getting a website wrong – customers don’t return in huge numbers and the result is commercial death. (To paraphrase the Bard: Wherefore art thou, Bebo?)

This is one of the fault lines of the ICO’s advice. Its analysis of the lawfulness of using certain cookies without specific consent is based on functionality (ie “is it possible for a website to operate without this cookie?”) while others base the legitimacy of their cookies on the perceived expectations of the user (ie “is this the best experience that we can offer the user so that this website gives them what they want, when they want it, and how they want it?”).

The ICO’s solution can be summarised in 3 words: “Education and consent”. Education can take the form of long lists of cookies being published on a website. (Yet, I’m also told by the ICO that long explanations in privacy policies generally don’t work, as people ignore them.) Consent can take the form of a process which suggests that the user has “accepted” something. The real problem, of course, is that if we are not careful, some litigant will argue that this is hardly proper “consent”, because the user simply ticked some boxes and, not having read the accompanying bumf, didn’t really know what they were consenting to anyway. So it doesn’t meet the really high definition of “consent” in the Data Protection Directive.

Is all lost? It’s never all lost. Soon, I’ll get to review the approach recommended by the International Chamber of Commerce. I’ll then be able to work out whether customer behaviour is likely to change as a result of that guidance, and whether website operators are getting any closer to finding a solution to a legislative issue that wasn’t much of a problem in the first place.