February 8, 2012
In about three months, the UK will begin to enforce long-awaited legislation commonly known as the European Union (EU) E-Privacy Directive (or the EU Cookie Law, although it extends to all tracking, not just cookies).
This marks a watershed moment for many international and US online retailers that have customers and prospects located in the EU. Many EU regions such as the Baltic states, Scandinavian nations, France, Austria, and Hungary have already enacted laws ensuring certain requirements of the directive (including, in the latter case, an extremely onerous cookie "opt-in" approach). However, as the UK enforcement date of May 26 looms, the international, English-speaking business world is paying more attention than ever.
A pressing issue of the directive is the complex, fluid concept of "consent," the permission that website owners need to seek and secure from their visitors, allowing them to place certain cookies on visitors' computers. Such consent must be acquired before any cookie is set which is not deemed "strictly necessary" for the proper functioning of the website and the user’s experience interacting with the website.
Even at this late stage, the jury is still out as far as how to interpret the consent requirement and what can universally constitute an effective mechanism for securing it—especially when countries themselves differ on the concept and whether it must be "implied" or "explicit." This is further complicated by the notion that consent is a relative concept, influenced by the user’s degree of expectation regarding what is likely to happen when he or she performs certain actions, such as visiting a website.
Education on cookie usage and the practical consequences for the user is as important as actually obtaining a clear "opt-in" action from the user. In turn, the action that the cookie will facilitate also becomes a question: How "intrusive" will the consequences be?
Options for consent include pop-ups, Ajax lightboxes, or relying on the do-not-track mechanisms built into the most recent versions of web browsers. Each of these and more have been discussed and tried by companies, legislative bodies and industry spokespeople. No single solution currently prevails as a clear-cut choice.
What we do know is that doing nothing is not an option. Here are seven suggestions that can help you get prepared:
1. Follow relevant industry media and groups such as the International Association of Privacy Professionals (IAPP) or the IAB and look into their initiatives such as Your Online Choices.
2. Sign up for relevant Twitter feeds. TagMan has a dedicated feed around privacy @tagmanprivacy.
3. Review the usage of cookie data with your service provider, and make sure you are confident in your technical understanding of what is happening and why.
4. Perform a cookie audit, and keep good records of the work you’ve been doing to stay current across this area.
5. Create an action plan. If the worst happens and you are somehow challenged after the directive is implemented, this will serve as your best defense.
6. Investigate tools and systems that can help with cookie management and compliance. Tag management systems such as TagMan are helping companies understand and control their tag and cookie activities, providing tools for compliance such as cookie opt-out management.
7. Engage suitable legal advisors.
In general, it is not likely that the “good guys” will be targeted, at least initially, but there is often an appetite for a scapegoat in order to demonstrate that the powers that be have the ability to enforce the word of the law.
In terms of enforcement, for companies that are not based in the EU but target or are exposed to web users from EU countries, there is some risk based on: the size and profile of the company; how intrusive their tracking and cookie activities are; and whether they have a presence or assets within the EU, including domain names, corporate entities, offices, employees, and hosting and data facilities.
Believe me when I say I wish as much as anyone that there was more clarity I could share on this privacy directive. However, I still have faith that government and industry will find a practical end position that educates and protects consumers, while allowing businesses to reasonably transact online.
Angus Glover Wilson is the chief privacy officer at TagMan, an enterprise-level tag management platform for online retailers, where he's responsible for technical client services activities. Previously general manager at NBC’s iVillage UK and president of New York-based digital boutique agency dComm, Angus has more than 10 years of expertise in digital media/marketing management and operations.
Editor's Note: Monetate is not affiliated with TagMan.