Cookie: monster? How will business cope with new laws?

By Michael Millar
Business reporter

image captionMe love cookies: Cookie monster might not be so enthusiastic about internet cookies, which can be used to track your movements online

By any yardstick the implementation of the EU's Privacy and Communications Directive by its member states has been poor.

This is the "cookie law" that governs what information a web site can collect on its visitors without explicitly asking them if it's OK.

When the deadline to implement it passed in May only Estonia, Denmark and the UK had taken steps to bring it into law.

Denmark has now decided to puts it draft rules on ice indefinitely and the UK has given firms a year to comply.

To give the UK's Information Commissioner's Office its due, its guidance on the law is probably the most comprehensive of any member state so far.

Internet stalking

This Directive was born of consumer concerns upon finding adverts for a particular product they had previously looked at mysteriously appearing on subsequent sites they visited.

This led to an outcry as people realised they were basically being stalked around the internet.

And who was this sneaky perpetrator? Cookies.

Most cookies perform basic functional tasks like storing your login details or personal preferences.

The perceived villain of the piece was "third party cookies" - the ones that enable companies to work out what you like and what you might want to buy, thus allowing them to tailor their marketing to you.

So the Directive was drawn up which divided cookies into those which are "strictly necessary" for a service being provided and others, which will require consent from users.


This has caused uproar, particularly among Europe's marketing community, who are thoroughly confused.

image captionMatt Isaacs, CEO of Essence, says there's confusion in the marketing community about the new laws

Matt Isaacs is CEO of Essence, which develops and places online advertising for brands such as Google, eBay, eHarmony and YouTube.

"Some are suggesting that it means nothing more than making users aware of the standard security options within their browsers, while others believe it means users need to be proactively alerted of each and every cookie ever placed on their machine," he says.

The problem is the definition of "strictly necessary" is very narrow, says Ben Allgrove, partner at the international law firm, Baker & McKenzie.

He believes the term would cover a cookie that enables an online shopping basket to function, but it would not cover a cookie that remembers you prefer your website in English rather than French.

"This law can't be complied with in any sensible way," Mr Allgrove says.

"If you had full compliance you'd have pop ups coming up all the time asking for consent; consumers hate that and most web browsers automatically block the pop ups anyway."


Marketing professionals argue cookies are misunderstood and most actually enhance the consumer experience, allowing people, for example, to be directed to a Hilton hotel rather than Paris Hilton. (Or indeed, vice versa.)

Paul Carysforth is a partner at Amaze, which runs online marketing campaigns for companies like Unilever, Lexus, Toyota, Coca-Cola and Dyson.

He says cookies are the lifeblood of an online business and restricting them will do more than just interrupt consumers' while they are online.

"Cookies are the primary means by which all online businesses determine the return on their investment," he says.

"Without cookies it would be almost impossible for companies to understand their ROI and in particular isolate which strategies are delivering a positive return, and which would hamper investment and innovation."

Slightly more optimistic is Ben Cooper from Tullo Marshall Warren, which has created online campaigns for the likes of Lynx, Guinness, Nissan and Sony Ericsson.

He says there is a new challenge for marketers.

"There is little value in communicating with individuals who are patently not engaged or interested," he says.

"With the changes in the cookie legislation we are now faced with trying to convince individuals that there is indeed value in sharing their information with a particular brand," he adds.

Mr Cooper says there could be something of a return to "the good old days" of marketing.

"In some sectors, notably financial services, there has already been a resurgence in the use of direct mail where, for some products and services, the returns can be measured more accurately and the targeting has improved," he says.

Prior consent

What will test companies operating across Europe perhaps the most is just how much "prior consent" will be required by regulators before a consumer is judged to have accepted cookies.

Here things get more confusing than ever as the 27 nations of the EU have differing ideas.

"In the Netherlands there is discussion about whether consent must be 'unambiguous', which might make browser settings - a convenient way of getting consent - less likely to be acceptable," says Matthew Norris, global head of technology and media at the insurer Hiscox.

"German and French legal commentators use the term 'opt in' and that is more draconian than the UK, where the Information Commissioner's Office has specifically said that UK law does not amount to a requirement to opt in," he says.

There is talk in some places of a "double opt in", where consumers would have to click on two separate links to give their consent.

European divide

Eduardo Ustaran, a partner in Field Fisher Waterhouse's privacy and information group, says early signs are that member states will fall into one of these two camps - those that impose a strict "opt in" consent requirement and those that recognise the ability of visitors to express consent through, for example, appropriate browser or other application settings.

Mr Ustaran believes a double click policy "would be fatal to online commerce".

Many are waiting for the browser companies to ride to the rescue with enhanced security settings that will allow consumers to weed out the cookies they do and don't want.

The strain of enforcement could be very big on the regulators.

"There are millions, if not billions of websites in Europe and the world accessed by UK citizens," says Richard Dennys, chief marketing officer at Qype, Europe's largest consumer reviews site.

image captionBaker and McKenzie's Ben Allgrove says taking a wait and see approach is not enough

"Will the UK be issuing legal proceedings against non-UK websites which are accessed by UK citizens? How many prosecutions can they handle per year? Will there be test cases, then appeals, then what?"

But Ben Allgrove from Baker and McKenzie says a "wait and see" approach will not suffice as regulators are empowered to hand out big fines and cause big dents in brand images.

"Enhanced browser controls may not happen and you can't palm off your obligations to a browser manufacturer," he says.

Eduardo Ustaran is advising clients to identify all their cookies, assess their necessity (for the functionality of the site) and intrusiveness, make clear and prominent disclosures on their websites about cookie use, and consider potential strategies for giving users effective control over them.

Back to school

The cookie law was pushed through to satisfy a public that was suddenly aware their privacy was at risk, even if they weren't sure how.

Essence's Matt Isaacs thinks it is time consumers were educated as to what cookies are and how organisations use them to enhance a user's online experience.

"This obviously requires an industry wide acknowledgment and commitment to consumer privacy, but also a focused approach to educating consumers about online privacy and when it's safe to release personal information online," he says.

But as yet there is no co-ordinated approach from industry on either of these and unless it comes soon it might be too late; the horse will already have bolted and be causing traffic chaos on the internet super highway.