EU Passes Cookie Law - Opt-in Required

On October 26th of this year, a vote took place in Europe that most digital marketers are unaware of, but one that has the potential to redefine the rules of digital marketing. The vote on the 'Telecoms Reform Package' included an amendment to a existing privacy directive that now requires a user's consent before dropping a cookie on their computer.

Websites use cookies extensively, hence the implications this may have. As an industry we use cookies for providing a good web experience such as storing products in a shopping cart until checkout or for holding login information from page to page as we browse, but we also use it for targeting advertising, and it's the latter that the Council is trying to get in front of.

Part of the new change states:

"ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information."

So is this law today?

No. The way the European Union works is that the Council has now voted on this issue and has suggested it must be so. This still needs to be approved by the European Parliament by the end of December '09, and if passed, each member state must interpret the ruling in the context of their own country and implement it by April 26th 2011. Those close to the situation call the 'rubber stamping' just a formality and would be surprised if this didn't pass.

As an industry we must presume this will happen and plan for it.

There are a number of ways in which a member state could interpret this law, and the outcome in each one is likely to be effected by the voice from our industry to the policy makers. For instance, the original directive also required notification of cookies, but the language was such that this could be provided through the site's privacy policy, something read very infrequently by site visitors. This was considered a fair and balanced approach, and is a method that served us well for a number of years. This latest amendment however requires much more in terms of notification.

But how much more is reasonable?

I for one really do not want to have to read and click on a popup as I arrive on every site or as I jump from page to page within the same site. Think about the negative impact this would have on your day to day browsing experience as you read content, perform online banking or shop online. The good news is that the Council seems to recognize this and as a

Clickz article

highlights, there are steps to protect 'functional' or 'operational' cookies from this ruling.

Cookies without user consent would only be allowed when they are "strictly necessary" to provide a service "explicitly requested" by the user such as storing shopping cart information on e-commerce sites, for example.

So what format is this likely to take?

It's hard to say, but there are several options. When arriving on a site you may be presented with a popup that asks for permission, you may have to pass through a 'landing page' of some sort whereby you grant permission for cookies, or perhaps we will move to a model where we see browsers become more sophisticated and the existing cookie options will become more comprehensive.

The latter seems to be the ideal interpretation of this law for the marketing industry - an option in the browser that says "allow cookies for advertising" and when checked all advertising cookies will be allowed.

My greatest concern though is that whatever direction the interpretation takes, this is going to highlight cookies and tracking to online users in general. Now, I agree and believe in transparency, but the terms 'cookies' and 'behavioral targeting' have negative implications and we MUST partner with the government to make users aware of why cookies are not evil and actually facilitate a lot that is great about the web. If we don't the only message to consumer is that "we have passed a law to protect you from something evil."

Are consumers aware for instance that their beloved Facebook is funded by advertising and data? Will they be made aware that if they don't accept these cookies that Facebook's earnings will decrease? Are they aware that this means Facebook might not be free anymore?

And of course the implications are far broader than just Facebook.

We need to educate everyone about the role advertising plays in their lives and that free content and functionality is funded by advertising, they need to know advertising isn't going to go away and at the end of the day we are simply trying to make the advertising they see more relevant to them.

So that's Europe, what about the US?

Well I feel the US is more in front of this situation. The equivalent body that may pass such a ruling is the

FTC

, and they are a period of time away from making a decision. They would prefer our industry to self regulate and we have bodies that are trying to do this. The

NAI

for instance is pushing hard for an opt-out situation rather than an opt-in. They are bringing networks and publishers together and looking at a mechanism to place "About this Ad" above or over every banner ad and when clicked that will present an individual opt-out option.

Some are saying the European situation has occurred because of a lack of self-regulation within the industry in Europe, and that the

IAB

has done far too little to satisfy the law makers, forcing them to step in and take action.

Let's not allow this to happen in the US. Go learn about the NAI, get involved, be part of the voice. If you don't the law makers will walk all over our industry. If the NAI can get the support then maybe we can stop the US from following the EU's lead and allow us to self regulate with opt-out.

And note that the EU is not afraid to take action, this is not a soft threat. Back in April 2009 the E.U. Telecoms Commissioner Viviane Reding went after the UK for their 'breach' of European Law with regards to BT's trial of the controversial ad network, Phorm. (Phorm was a 'deep packet inspection' system that I followed closely for some time, and can be read about

here

,

here

and

here

).

So what can you do right now?

  • Spread the word, let's make sure that our industry knows whats going on
  • Understand the issues yourself, go read as much as you can
  • Know what the NAI is trying to do and help them do it

This is an industry defining moment.

Important resources:

Consent will be required for cookies in Europe

Proposed changes to cookie laws