Cookie legislation is the law, are brands ready?

There are only three months left now for brands to comply with the new cookie legislation by implementing solutions to collect consent from users before any tracking technology, including cookies, is deployed on a user’s web-enabled device.

Many have argued that this law is unworkable, that solutions need browser software development, and that creativity and usability of the internet will be adversely impacted, but doing nothing is not an option; the fact that some brands have taken steps to comply shows that solutions can be developed which do not adversely impact user experience on the web.

This new legislation, originating from an update to the EU e-Privacy Directive, has actually been in force in the UK for nine months, and the twelve-month compliance ‘grace period’ announced by the Information Commissioner’s Office, which has government enforcement responsibility, is rapidly counting down.

Last year Ed Vaizey, communications minister, said the government recognised “that work on the technical solutions for cookie use will not be complete by the implementation deadline. It will take time for meaningful solutions to be developed, evaluated and rolled out”.

The end of May 2012 deadline is immoveable, yet a quick trawl across the internet on a few well-known brands suggests that very few have done anything to address the update. Indeed the ICO, at the end of 2011, issued a review on progress where the phrases “must try harder” and “could do better” were key to the overall sentiment on progress. Are brands simply hoping the law will go away, or be changed, or maybe they’re waiting until the very last few days before their solutions go live? I suspect it is the former, but maybe they are actually missing a trick.

We don’t really know how the law will be enforced, but in time there are financial penalties, not to mention adverse publicity for those who do not comply, both of which could be quite damaging.

Brands will want to continue to use cookies on their websites for behaviour tracking, web analytics, and to make their sites appealing and user friendly.  In essence, what the legislation is forcing them to do is to be more open and honest, educating consumers about what they do with the personal data collected via cookies, and why its use is ultimately of real genuine benefit to the consumer.  Meanwhile, more and more consumers are increasingly aware of the privacy debate, and they are concerned that their personal data is not used without their knowledge and agreement.  Being ahead of the game in implementing solutions to educate and collect consent could well add respect, credence and strength to some brands, reinforcing their values, and creating positive PR opportunities.

So what should brands have done so far?

  1. They should have completed an audit covering the use of all cookies across all their websites to understand:
     • which are used,
     • how they work,
     • what they do,
     • what personal or ‘computer demographic’ data is retained, and
     • how that information is used, both at an identifiable (linked back to an individual), and an anonymised (not linked to an individual) level.
  2. They should have considered the business impact that a lack of consent could present, and what current activities and processes might not be possible without consent:
     • Consideration of third-party cookies, which find their way onto a computer or device from links in a website to banner advertising, video streaming, and other third-party feeds, will be particularly challenging.
  3. They should also have already amended their existing website privacy statements, acknowledging the existence of the new legislation, and making it clear that they are working towards appropriate solutions in line with the “grace period”, and the guidelines issued so far by the ICO.
  4. They should be well underway with solution development which collects consent, and educates consumers about the cookies used on their sites.

As indicated earlier, one can only speculate as to how the ICO is planning to enforce the law, once the ‘grace period’ expires, whilst in other EU Member States it is equally unclear as to what enforcement may mean.  Indeed, there are several countries who have, as yet, failed to even implement the updated e-Privacy Directive into law!

However, it is clear that brands that cannot clearly demonstrate that they have sought compliance could well face close examination, especially if complaints are made.  As with previous laws in this area, such as data protection, it is only as enforcement commences that the boundaries of compliance versus non-compliance become totally clear.

It is certain that no brand will want to be the one used publicly as the example of non-compliance, whilst those who implement solutions early will be seen as exemplars in the market – which is preferable?

Ben Cooper is Head of Data at TMW.