The EU “Cookie Rule,” which requires companies with European customers to get informed consent from visitors to their websites in order to use most cookies (other than those “strictly necessary” for the service requested by the consumer), went into effect on May 25. As an example of how they wanted websites to behave, the UK Information Commissioner’s Office put the following banner on their website:
Thanks to a Freedom of Information request from Vicky Brock, we can see the effect of the opt-in cookie requirement on tracked traffic to the ICO website:
Vicky has also made the underlying data available in a Google Docs spreadsheet.
While this does seem to pose a challenge for marketers, there are a couple of things about this data to keep in mind:
1) The UK ICO implemented the opt-in via a banner on the top of the page. People have grown so used to ignoring banners that they might not have even looked at the option being provided. Thus, another method for requesting consent might have a greater opt-in rate. Guidance from the UK ICO states that consent can be obtained via the following methods:
- Pop-ups. A website operator could ask a user directly if they agree to a website operator putting something on their computer and if they click “yes”, this would constitute consent.
- Terms and conditions. A website operator could alternatively make users aware of the use of cookies via the terms and conditions, asking a user to tick a box to indicate that they consent to the new terms.
- Settings-led consent. Consent could also be gained as part of the process by which the user confirms what they want to do or how they want the website to work, e.g., some websites “remember” which language version of a website a user prefers. If this feature is enabled by the storage of a cookie, then the website operator could explain this to the user and say that it will not ask the user every time they visit the website.
It is worth noting, however, that the guidance does not purport to be exhaustive. The ICO states that they will consider supplementing the advice with further examples of how to gain consent for particular types of cookies in the future. It goes on to say that the examples listed are not intended to be a prescriptive list on how to comply; rather, a website operator is best placed to work out how to get information to users and what users will understand. Each case will be fact-specific.
2) Even for those who did see the banner, there isn’t really any incentive to opt in. If a website makes a case for the opt-in by pointing out additional functionality or other benefits of opting in, that may increase the opt-in rate.
Another issue for websites is that it is not yet clear whether the Cookie Rule applies to non-cookie tracking technologies like web beacons. Technically, the Cookie Rule applies to “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.” However, given the assertive position that many European Data Protection Authorities take towards the protection of personal information, it may be prudent to assume that anything that lets a website track users could require consent. Web beacons, moreover, could disclose a user’s IP address, which could be personally identifying information, so they might be subject to the general obligation to obtain user consent before collecting personal information anyway.