How the cookie crumbles for UK & EU e-tailers

This is the way the EU Cookie crumblesWith the deadline to comply with the EU e-Privacy directive just a month away (26thMay), the confusion amongst marketers doesn’t look to be dissipating at all. In fact, in a recent study by Econsultancy, 61% of marketers said they still don’t understand the options for gaining user consent.The lack of understanding is adding to the confusion and panic around the approaching deadline. However, if brands take things back to basics, they will see that there are actually just two main approaches to consider here – automatic opt-out (auto opt-out) and automatic opt-in (auto opt-in).

An auto opt-out approach essentially means that you don’t use cookies without explicit consent from consumers. and the ICO itself have adopted this approach, asking all visitors for their consent when they land on the site (see shots below).

A clear approach that enables consumers to opt-in upfront is perhaps the most logical route for brands to take. However, as the ICO site saw its traffic drop 90% when it first introduced the opt-in banner, it is sensible for brands to also consider an auto opt-in approach.

An auto opt-in approach means that whilst consumers are given the tools to opt out of having a cookie placed on their machine, they are automatically tracked from the moment they hit your site. follows this approach. When a consumer lands on the BT site a pop-up appears, providing them with information on cookies, what they are, what they are used for and how they can opt-out if they wish. In a similar, but less proactive way, has updated its privacy policy and cookie notice for consumers and introduced clearer sign-posting on its site about where consumers can find this information as well as explaining how they can opt-out.

Both an automatic opt-in and opt-out approach are viable options. The question brands should be asking themselves is ‘Am I providing my customers with the opportunity to provide their consent?’

Of course, if you operate internationally, you will also need to understand how your approach will play out when the directive is enforced in new countries. The UK is leading in introducing the cookie law but all 27 member states of the EU are planning implementation of their own laws. The US Congress is also looking at introducing a similar e-Privacy directive. From a legal perspective, brands should start by adhering to the UK law and then take market specific legal guidance as the directive is introduced as law into each new market.

In focusing on complying with the UK law, don’t focus on the financial punishment for missing the deadline. The ICO is unlikely to administer the maximum fine of £500,000 to just anyone. In fact, whilst the ICO may seem to have been harsh in its handling of the directive’s introduction and enforcement so far, it has provided a more flexible non-prescriptive approach for UK websites than its counterparts in the EU look set to offer.

As a UK brand, embrace the flexibility on offer to find an approach that enables your customers to easily provide their consent. Get it right in the UK and no matter what territory you expand into you will be on (and stay on) the front foot.

  • Wolf Software

    We have created a suite of products to enable people to gain consent if they want to. The various plugins are available from:

  • Andrew Girdwood

    The ICO are saying they care whether this significantly impacts on a business. Which, of course, it always does.

    Sadly, this is one that’ll run and run.

  • LHorton

    What happens with Facebook, Twitter, sites hosted on free CMS’s like WordPress, where the person setting up the site has no control over cookies being collected, and there is no facility for the site owner to ask consent? Having read the ICO’s advice, it looks like all these sort of sites would fall foul of the regulations even if they are only collecting analytics in some cases. The ICO needs to issue some very clear and urgent advice about these, it’s clear as mud at the moment.