The Privacy and Electronic Communications (EC Directive) Regulations 2011 was introduced into the UK last May as a response to wider European legislation on Internet Privacy, specifically around the use of cookies.

What are cookies?

Cookies are small text files stored on users computers that allow websites to retain a variety of pieces of information. Cookies allow websites to remember users login status, shopping carts contents and any preferences for the current ‘state’ of a web page. They are also used to help target advertising based on behaviour patterns and power tracking tools like Google Analytics.

Oh, so this applies to my site then?

Yep! And it caused quite a stir at the time of launch until the Information Commissioner’s Office (ICO), who will enforce the law, gave companies until 26 May 2012 to ensure their websites were compliant.

At the time many of us hoped that this issue would be taken up at a browser level and therefore not impact websites directly but as we cannot guarantee that users will use the latest versions of these it would be impossible to implement the law across the board. IE 6/7/8 strikes again!

So from 26 May website owners must supply users with information about the cookies on their websites, and crucially, must seek their implied consent to place them.

Some key facts

• The location of your hosting is irrelevant. The location of your company or organisation is what matters.
• The law does not cover cookies “strictly necessary for a service requested by a user” so if the lack of cookie breaks your website functionality you are probably fine. We are talking about logging in, shopping carts etc. here. However this does not cover anything relating to tracking or advertising.
• You are responsible for identifying and gaining consent for cookies placed by 3rd parties such as Google on your website. More on that later.
• Realistically no one will get fined for cookie consent breaches under the current UK law. Despite the headlines the threshold for monetary fines under UK data protection law is high. This doesn’t mean you can ignore it though. You will eventually be pursued by the ICO to become compliant.
• I would advise you ignore any alarming “scam” emails you get on this issue unless they are from the ICO, the government, your customers, your lawyer… or me.
• Adding the words “By using this site you agree to...” to your privacy policy will NOT be enough.
• Consent is required on a website-by-website basis.

Implied (or Informed) Consent

The big grey area in all of this has been around how you gain user consent. Thankfully terms like “opt-in” or “express” are not contained within the law so we don’t need to worry about tick boxes or other such nonsense.

Consent does mean that it must be obvious to the average user what is happening, which in practice means that a visible and clear notice must be displayed and made available long enough to be seen and digested. This could be in the form of modal box (new style of pop up) that fades after a while or is clicked, an accordion bar (at the top or bottom of the browser) that the user dismisses or several other options.

Amusingly the ICO themselves (LINK: http://www.ico.gov.uk/) implemented a compulsory tick box strategy accompanied by a pervasive message which severely dented traffic to their site. Even the implementers don’t really get it.

(source: http://privacylawblog.ffw.com/2012/three-truths-about-cookie-consent)

A word on 3rd party analytics tracking cookies

As mentioned earlier you are as liable for cookies placed by 3rd parties as you are for those created by your own website. Typically these are placed for analytics tracking and advertising. If your website has any cookies at all they are likely to be for tracking. Once you have identified which 3rd party cookies you have you need to research them and communicate their purpose back to your users.

But do not panic! A recent statement on tracking cookies from the ICO said:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

(source: http://www.theregister.co.uk/2012/04/05/eprivacy_directive_web_analytics/)

So what should we do?

At the bare minimum we recommend that if your website uses cookies, you should:

• Perform a Cookie Audit of your website. Here is a chrome plugin that will help you audit the cookies on a website.
• Include a link to your cookie policy on all pages.
• Explain in your policy how and why you use cookies and what their names are with short descriptions.
• Include a link in your policy to www.aboutcookies.org so that your visitors can access instructions on deleting and controlling cookies.

(source: http://www.out-law.com/page-5486)

In as much as the above will probably keep the gaze of the ICO off your business it is unlikely to pass the rigors of compliance. You will need to think of a way of drawing users attention to it as well without confusing them or putting them off.

The example being lauded as good practice is BT who fade in a small but noticeable modal window with clear message and calls to action. If it isn’t clicked on it fades after about 6 seconds, implying consent.

Here is a pretty handy 3 minute video that summarises most of the above.

Thanks for reading this all the way through. Because you did I am going to give you a killer tip. Check out this open source Cookie Consent tool from the guys at Silktide.

From March 2011 digital advertising falls more strictly under the remit of the Advertising Standards Authority (ASA). In short this means that any digital content in the UK that may result in or prompt a sale must now comply with the Committee on Advertising Practice (CAP) Codes on advertising.

This seemed to me like quite a big step and not one I fully understood. If you actually go to the ASA website you will find the CAP Code there but unless you are au fait with legal jargon and have a lot of time to spare you will be none the wiser. In essence I took the CAP Code to broadly mean, “don’t lie” but there had to be more to it than that.

Aside from the announcement itself I could not find much editorial on what the implications were. Thankfully the British Interactive Media Association (BIMA) that David is Vice –Chair of organised an event with lawyers Kemp Little to explain it all. The remainder of this blog post is shamelessly paraphrasing their excellent presentation.

Why the need to introduce changes?

Digital has woven itself into the fabric of our daily lives and is now the first port of call for our consumer decision-making research. Digital marketing has also become a lot more sophisticated. Banner ads and paid search are only part of the tool set for influencing businesses and consumers online.

It is worthy of note that £200 000 of the funding to extend the ASA came from Google whose paid-for listings were already being regulated (see next section). Why? Because Google needs the content appearing in it’s natural listings to satisfy the user and not mislead. They are protecting the authenticity of their brand.

Additionally there is growing concern in our society over the role of the Internet in the lives of our children, young people and vulnerable adults.

Between 2008-2009 the ASA had to reject 3500 complaints relating to content on websites that fell outside of their existing remit. The claims were often regarding misleading information.

So how is digital advertising regulated in the UK?

It would not be fair to say that digital has been unregulated in the UK prior to this year. In 2008 two pieces of legislation - Consumer Protection from Unfair Trading Regulations and Business Protection from Misleading Marketing Regulations - were passed through government. They were created in order to:

• Treat consumers fairly
• Not mislead through acts / omissions
• Stop aggressive commercial practices
• Stop misleading advertising
• Create a framework for comparative advertising

In effect this helped to put an end to hidden adverts on websites and also pushed bloggers to declare affiliation with a product they were seeding.

The ASA added a self-regulatory element into this mix. It may surprise you but they did actually have a limited digital remit prior to this year covering emails and advertisements in paid-for space including:

• Banner and pop-up advertisements
• Paid-for search listings
• Commercial classified adverts
• Paid-for listings on price comparison sites
• Sales promotions in paid-for and non-paid for space online (social networks)

Summary of the changes

The CAP Code now also applies to:

Advertisements and other marketing communications by or from companies, organisations or sole traders on their own websites, or in other non-paid-for space online under their control, that are directly connected with the supply or transfer of goods, services, opportunities and gifts, or which consist of direct solicitations of donations as part of their own fund-raising activities.

What you should take note of:

• The catchall term at the start
• That this excludes individuals selling online e.g. on Craig’s List
• That all content of social networks (not just paid-for space or obvious sales promotions) applies
• The fact that anything resulting in a sale is covered
• That this also includes charities

The following is exempt:

• Marketing communications that promote causes or ideas
• Investor Relations (that has enough regulation already!)
• Heritage advertising such as the old “Guinness is Good for You” campaign

User Generated Content is outside of the ASA unless it is adopted in marketing communications or is featured on your own website or online space under your control.

This could strike fear into the hearts of marketers but I think context is key. Consumer feedback as part of a chat flow is not going to be taken as a serious breach compared to say, highlighting the same feedback on the homepage.

What are marketers required to ensure then?

The CAP Code requires digital advertisements to be:

• “Legal, decent, honest and truthful”
• Socially responsible
• Prepared in line with the principles of fair competition

How is it enforced?

Although it is very unlikely that any financial penalties will occur for falling foul the ASA has an incremental scale of sanctions that it will follow:

• Most guilty cases will result in a public adjudication on their website (negative publicity that journalists looking for a story will pick up)
• Withdrawal of trading privileges
• Pre-vetting of future advertising (for repeat offenders)
• Referral to OFCOM (for extreme repeat offenders)

Agencies are also not allowed to submit any work that has breached the Code for any awards and media owners are permitted to refuse to run ads by offending companies.

The ASA can ask search engines to remove the marketer’s paid-for advertisements and can themselves place paid-for ads referring to a public adjudication. However they cannot impact upon natural search listings.

One thing that we do not know yet is just how SEO friendly these public adjudications might be in search results for a brand name. It could be that adjudications hang around for years. The impact could be extremely damaging to a brand.

What should you be aware of?

The lawyers I met at Kemp Little have already dealt with the ASA on behalf of digital clients and had these words of warning should you ever be investigated:

• They are not always consistent and their previous judgements do not set a legal precedent.
• They can raise their own issues so an investigation is not necessarily triggered by a complaint from the public.
• There do not need to be obvious grounds for a complaint to be investigated. Their remit is to protect the most gullible consumer.
• Just one complaint can trigger an investigation and the consumer’s identity is protected. This may lead to “guerrilla” complaints, for example a family member of a person working for a competitor who complains.

I hope this has been helpful and prompted you to think more about the new regulations. Although I am sure this will create a lot more red tape and hassle for some advertisers I am in favour of a more accountable, safer digital space. The more credible it is, the more we will continue to use it as the foundation for our future lives and thus further innovate and improve.

However, I do hope that the ASA keep a balance on what is fair and reasonable and that we don’t end up in a similar position to some of the ridiculous Health and Safety laws we currently have to abide by. I for one like to take the chance of drinking my coffee without a sealable lid on it and I also believe I have some good sense and judgement when it comes to spending my own money.

Please do let me know your thoughts in the comments below and thanks again to the lawyers at Kemp Little for all their help.