Cookie Killer Law – EU Commissioner Smack Down: Things just got more confusing…

Confusing and bad news for website owners – EU Data Supervisor says that industry guidelines for cookie use are not sufficient and that consent for cookie use must be actively obtained – criticizing the softer stance of EU Commissioner. 

Rather than have the usual picture of biscuits, jars or muppets to go with this cookie post I thought I'd channel some Johnny Cash instead. Image: Flickr - Diogo A Figueira.

This is another of my posts about the EU directive which threatens life as we know it. This is an amendment to the EU’s Privacy and Electronic Communications Directive which forces website owners to obtain consent from a website visitor before cookies can be left on their computer. The upshot of this would be a sudden, and profound, hole in the data we collect on customer behavior on our websites.

No one really knows what the hell to do – since the Directive’s amendment, confusion has reigned supreme with some EU countries not getting round to implementing it while others, like the UK, bashing out a rapid response – and then giving organisations a year to respond to it.

Websites which have attempted to get visitor consent have screwed their site, and their data collection, with unwieldy solutions – the UK Information Commission’s Office, I’m looking at you.

Right now, there has not been any major indications that cookie use is being reduced.

In the background, marketing and advertising associations have been putting together guidelines for how cookie users can respond to this – use cookies, and yet still remain within the law. Check out the guidelines from the Swedish brand of the IAB here.

EU Data Protection Supervisor criticizes EU Commissioner – Advertising Association guidelines unworkable?

Neelie Kroes, the EU Commissioner behind this directive, had previously said that European companies have a year to comply with the directive and that she supported efforts by advertising associations (such as the IAB) to create some kind of standardized opt-in.

Not good enough, responded Peter Hustinex the European Data Protection Supervisor. In a recent speech he specifically said that the guidelines suggested by the IAB fell short of the requirements of the directive, despite them being welcomed by Kroes, the EU Commissioner.  He went on to say that Kroes’ support for a US ‘do not track initiative’ also fell short of the Directive’s requirements. One measure he suggested was a default browser setting of non-acceptance for cookies.

Read his whole speech here.

What Happens Now?

More confusion – even the EU can’t seem to agree on what this directive means. Germany and Denmark have aready got a ban on using Google Analytics (from earlier concerns about IP addresses), but many companies in those countries continue to use it, knowing that the risk of being penalized is relatively low. However, for those of us operating in the public sector there’s a risk that we could get some form of all-encompassing edict of ‘no cookie use without consent’ and boom, there goes our main method for collecting data for improving our websites. Sigh. Where do we go from here? I really don’t want to be saying ‘I told you so’ in a few years time.

Cookie Law Comes Into Effect In Sweden – PTS are reponsible and no detail available yet.

The new cookie law came into effect, in Sweden, on the 1st of July. It’s a response to the horrendous EU directive, widely seen as a cookie killer, which is an attempt to address online privacy issues. I’ve previously blogged about it here. The short version is that the directive requires consent from a website visitor, before a cookie can be placed on their computer. This impacts a whole bunch of website functionality, but not least Google Analytics. Brian Clifton has blogged about the implications for Google Analytics in two blog posts, shortly after the launch of the directive in the UK and then a little later.

If you’re in Sweden, then there’s a couple of things worth knowing. First, the Swedish Post and Telecom Agency (PTS) is responsible for the execution of this new directive, and its Swedish interpretation. When I posted this, they had some information for website owners, but nothing concrete. There’s certainly not a ‘cookies are the big bad’ message from them – so far, so good I say. Right now, they are saying that they are giving website owners time to figure out how to get consent for cookies from website visitors.

The other important thing to know is that the Swedish arm of the IAB has prepared guidelines for website owners and are looking for feedback. The guidelines are available in both English and Swedish. Their suggestion is that consent is based on the users browser settings. The IAB guidelines are a best practice suggestion which avoid killing our website functionality with ugly consent requests (check out the banner on the top of the ICO’s website from the UK – and then take a look at what this has done to the data they’ve been able to collect from Google Analytics).

Best thing you can do right now? Don’t panic, read Brian’s latest blog post and get your website’s privacy statement in order. Checking to see what cookies your website is leaving on people’s computers might not be a bad idea either.

The Cookie Law in Sweden – Self regulation committee started by the IAB

The Swedish arm of the European Trade Association of the Digital and Interactive Marketing Industry (IAB) has created a self regulating committee in response to the introduction of the new Swedish law ‘Better Rules for Electronic Communication.

This law is a response to the recent EU directive which places tough standards on the use of cookies and has serious implications for, for example, the effectiveness of  cookie based tools such as Google Analytics and the various forms of online advertising.

The self regulating committee has created a group with members including Adform, Eniro, Google, Microsoft, Specific Media, Trade Doubler, IAB – Sweden, Swedish Chamber of Commerce, RO, Sveriges Annonsörer, Sveriges Mediebyråer, TU, and Sveriges Marknadsförbund/Näringslivets delegation för Marknadsätt (NDM).

The project is lead by Henrik Nilsson, a lawyer, and I strongly recommend reading  through the presentation he made at the recent IAB conference in Stockholm a few weeks ago, made around the time the new Swedish law was voted in. It’s in Swedish – and gives a background to the cookie law and the self regulating project.

The objective of this project is to create a best practice for the use of cookies. The project aims to deliver a best practice guide in July this year. Hopefully we’ll be seeing updates on the IAB website, you can also follow their legal arm on twitter here.

I work in the Higher Education sector, which is in the not for profit category and is not so well represented in the IAB project- I hope this will change, and I’m happy to say they seem very receptive to getting in other opinions and input. My concern is that limiting the use of cookie based analytics tools, such as Google Analytics, will detrimentally effect the ability  for organisations, such as the university I work for, to effectively manage and optimise their digital marketing activities.

To get a quick overview of the fallout from the EU law (allbeit from a mostly UK perspective) use the search ‘EU cookie‘ in twitter. I recommend checking out Brian Clifton‘s post on the impact of this new directive on the use of Google Analytics and this post, by Paul Hatcher, for a good calm overview – though there is a plethora of posts on this subject out there now.