
The new EU Directive on Privacy

The new EU Directive on Privacy officially became law in the UK on the 25th May 2011 and appears to significantly impact the way internet businesses ought to operate in Europe.

Firstly, it is necessary to understand the EU process. EU directives are just that – a set of instructions (a directive) for each member of the EU. Each member then ‘interprets’ the directive and amends their legal structure to accommodate it. In the UK, the ICO has been responsible for interpreting the directive, and it is fair to say they have adopted a liberal and considered interpretation. Most countries appear to have adopted a similar approach, although a few appear to be adopting a more aggressive stance.

What does it mean?

The directive has caused much head scratching in the internet community, as in many ways, it appears to be difficult to achieve, or only achievable by saddling European businesses with requirements that the rest of the internet can ignore. 

Perhaps worse than this, the ambiguity of the directive has given rise to various misinterpretations and myths. Firstly, let’s focus on these:

Dispelling a few myths

-    The directive is all about cookies
     -    In fact, the essence of the directive is to protect internet users with regard to the use of personally identifiable data, and it clarifies that the definition of such data includes things like cookies and IP address data.
-    All cookies are banned
     -    The directive bans nothing. Instead, it requires user ‘opt-in’.
-    3rd party cookies are banned
     -    No. Third party cookies are an unavoidable component of the internet. The directive seeks to differentiate between cookies which are ‘strictly necessary’ for the operation of the site (which can be excluded from the opt-in requirement) and those that are not. Quite what is ‘strictly necessary’ and what is not is open to interpretation.
-    Web analytics systems are banned
     -    In fact, the directive requires ALL systems that use personally identifiable data to allow users to opt-in. Web analytics is singled out only because many think of it as ‘tracking’, not considering that the same processes are used by most marketing systems.
     -    In tests of various leading websites, we found the average number of systems in use that could arguably be considered not ‘strictly necessary’ was five, with some sites having as many as fifteen.
-    Advertising networks are banned
     -    Again, there is no ban, but as these systems rely on collecting data across multiple sites, it is fair to say they face the most difficult ride in meeting the directive.

What does this affect?

The directive has significant implications for most marketing systems, including email, advertising, affiliate and contextual networks. But it can also affect any system in use on your site.

What should the site owner do?

The ICO has requested that all sites ‘appear to be reacting’ to the directive, and has indicated that some time will be permitted for solutions to be devised.

This is a somewhat unsatisfactory state of affairs, so we have devised some suggested actions ourselves:

How can a user opt-in?

-    Browser Settings: The early indication from the ICO was that each user’s browser settings (concerning things like cookie acceptance) were sufficient to constitute ‘opt-in’. They have now stated that current browser settings are not sufficient, but admit that there is currently no clear alternative solution.

-    Use cookies to store an opt-in: Unfortunately, any cookie-based solution is somewhat ineffective, because cookies are not permanent and are tied only to the particular PC in use. (There is also a certain irony in using cookies to store privacy settings!)

-    Login Only Sites: This would allow the site to store permanent settings and hence the user can ‘opt-in’ and have this choice permanently retained. But, any site that is not already requiring logins will clearly take a dim view of this. It is worth remembering that the directive applies only to European sites – so any non-European sites (think U.S., Russia, China and many others) would have a significant competitive advantage.

-    Splash Screens: Prior to entering the site, the user meets a splash screen that requires acceptance before they can access the site.


Mark Wilding
Head of Product Development
Cognesia Ltd


What if a user does not opt-in?

We have considered this situation and concluded that the only practical step is to prevent these users accessing the site.

Although this sounds draconian, it is in fact preferable to a situation where each user could effectively pick and select from your choice of business/IT systems.

Would such a situation be permissible in the offline world?

I would like to buy this steak, but the plate must be green. I am unhappy with your choice of till system as it is not a brand I like. The music is unacceptable, the chair should be a bench and the waitress is not acceptable because she is a brunette, not a blonde. In particular, I object to the lighting system, because my neighbour told me that those light bulbs emit a certain odour.


Summary

We have concluded the only practical long term solution involves new controls in the browser, working in conjunction with an internet-wide privacy system that the sites would be required to operate within.

The user would have the ability to set their browser to produce each website’s privacy statement prior to the user being able to access the site. The user can choose to ‘accept’ or ‘reject’ the privacy statement. This would require new features in all browsers, and a common privacy system to be adopted by all sites.

Clearly, most experienced internet users would set this system to auto-opt-in, or to only intervene on ‘new sites’, so that their internet experience was not interrupted, but it would allow users particularly worried by privacy issues to have site-by-site protection.

In the interim, we advise all European sites to:

-    Review and, if necessary, improve their privacy policies to be clear about the use of personal data within the systems on the site.

-    In this privacy policy, advocate the benefits of the systems in use on the site, and the reasons for their use.

-    Draw attention to the privacy policy as quickly and clearly as possible.

-    If particularly concerned, install an opt-in splash screen that intervenes prior to an unknown visitor accessing the site’s normal pages. (Unless universally adopted, this is likely to introduce a competitive disadvantage)

-    Should a user not wish to accept the privacy policy (terms of use), i.e. the use of particular systems and data, they should not be permitted access to the site: someone sufficiently minded to object to the use of everyday systems is also a likely candidate to exploit the law’s ambiguity and create trouble for the business.
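The opt-in mechanisms listed under “How can a user opt-in?” (a consent cookie, a login-backed preference, and a splash screen that gates the site) and the interim advice above can be combined into one small server-side gate. The following is an added example written for this page, not Cognesia’s code or any product of theirs: all names (the `privacy_optin` cookie, the policy version string, the `/privacy-splash` path, the script catalogue and the account record) are assumptions constructed for illustration. It loads only scripts tagged as ‘strictly necessary’ until an opt-in is recorded, prefers an account-stored preference over the cookie where a login exists, and redirects visitors without a recorded opt-in to the splash page.

```javascript
// Added example (not Cognesia's code): a minimal opt-in gate for a European site.
// Assumed names: cookie "privacy_optin", policy version "2011-05", path "/privacy-splash".

const CONSENT_COOKIE = 'privacy_optin';   // assumed cookie name
const CONSENT_VERSION = '2011-05';        // bump whenever the privacy policy changes
const CONSENT_MAX_AGE_DAYS = 365;         // cookies are finite-lived: the weakness the text notes

// Constructed catalogue of systems a site might run, tagged by whether each is
// arguably "strictly necessary" for the site to operate at all.
const SCRIPTS = [
  { name: 'session-manager', src: '/js/session.js',                     strictlyNecessary: true },
  { name: 'basket',          src: '/js/basket.js',                      strictlyNecessary: true },
  { name: 'web-analytics',   src: 'https://analytics.example/tag.js',   strictlyNecessary: false },
  { name: 'ad-network',      src: 'https://ads.example/pixel.js',       strictlyNecessary: false },
  { name: 'affiliate',       src: 'https://affiliate.example/t.js',     strictlyNecessary: false },
];

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Has this visitor opted in to the *current* policy version?
// A logged-in account's stored preference wins (it survives cookie loss and
// follows the user across devices); otherwise fall back to the consent cookie.
// An opt-in recorded under an older policy version does not count.
function hasOptedIn(cookieHeader, account = null) {
  if (account && account.privacyOptInVersion === CONSENT_VERSION) return true;
  return parseCookies(cookieHeader)[CONSENT_COOKIE] === `yes:${CONSENT_VERSION}`;
}

// Scripts that may be emitted into the page for this request.
function allowedScripts(cookieHeader, account = null) {
  const optedIn = hasOptedIn(cookieHeader, account);
  return SCRIPTS.filter(s => s.strictlyNecessary || optedIn);
}

// Set-Cookie value recording the opt-in: finite expiry, this browser only.
function consentSetCookie() {
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=yes:${CONSENT_VERSION}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Route a request: the splash page is always reachable; anyone else without a
// recorded opt-in is redirected there, with the requested path preserved.
function route(path, cookieHeader, account = null) {
  if (path === '/privacy-splash') return { status: 200, page: 'splash' };
  if (hasOptedIn(cookieHeader, account)) {
    return { status: 200, page: path, scripts: allowedScripts(cookieHeader, account).map(s => s.name) };
  }
  return { status: 302, location: `/privacy-splash?next=${encodeURIComponent(path)}` };
}

// Handle the splash form: "accept" records the opt-in (cookie, plus the account
// record when logged in); anything else is refused access, as the text advises.
function handleSplashDecision(decision, next, account = null) {
  if (decision !== 'accept') return { status: 403, page: 'declined' };
  if (account) account.privacyOptInVersion = CONSENT_VERSION;  // persisted server-side in a real site
  return { status: 302, location: next || '/', setCookie: consentSetCookie() };
}
```

Two points worth noting in practice: tying the stored value to a policy version means a later change to the privacy policy automatically re-prompts everyone, and the account-backed path is what makes the ‘login only’ option in the list above durable where the cookie path is not.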

 

Cognesia Copyright 2011. Cognesia Limited. All rights reserved.