Andrew Walmsley on Digital: The EU cookie problem
A view from Andrew Walmsley

Andrew Walmsley on Digital: The EU cookie problem

European legislation applying to websites' use of cookies will have a fundamental impact on brands.

Geek Pride Day is 25 May. It started as a celebration of the anniversary of the premiere of Star Wars in 1977; now it's an opportunity for check-shirt-wearing, multiple-pen-in-top-pocket geeks worldwide to gather (in all likelihood in chatrooms) and talk about massively multiplayer online role-playing games, Ruby on Rails and pizza.

No doubt it was with this in mind that the EU named 25 May as the date by which governments across Europe should have enacted into law the provisions of the Privacy and Electronic Communications Directive.

This has been causing real headaches for the industry as it has sought to conform to what some saw as a law drafted by folk with little understanding of how the business side of the internet works.

The issue of most concern has been cookies. These small text files are placed on a user's computer by a website, allowing that user's actions to be tracked. They have become a fundamental part of the web's architecture and control how everything from shopping baskets to behavioural advertising works.

Two grey areas immediately became apparent. First, consent. As drafted, the directive called for cookies to be allowed only if the 'subscriber concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing'.

Does this mean prior consent? Yes, according to pressure group Privacy International, which claims it is a clear requirement for users to opt-in to behavioural targeted advertising (BTA).

No, says the Internet Advertising Bureau - backed, apparently by the EU - which believes a user's browser privacy settings represent sufficient consent to meet the obligations of the directive.

The IAB has embarked on an initiative to inform and equip the public to opt out of BTA. An icon will be placed in or next to ads, allowing consumers to click to find out more and avoid further tracking if they wish. This technique is already in use by retargeting companies such as Criteo, which links to an explanation of the technology and offers an off-switch, but the plan is to adopt a common icon across the industry.

As I discussed here in January, the IAB in the US has rolled out such an icon, and the idea is that the same one will be used in Europe, linking to a European site offering a blanket opt-out.

The IAB's hope is that by taking sufficiently rigorous self-regulatory action, it will fend off more aggressive interpretations of the directive and avoid government regulation.

The second grey area, however, is not covered by the IAB.

The directive applies as much to websites as to BTA, and from media to retail, sites are big users of cookies (the rules apply as much to Javascript files, Flash cookies and other workarounds). The rules allow cookies where 'strictly necessary ... to provide the service'; wording intended to allow features like shopping baskets to continue working without having to request consent.

What is 'strictly necessary'? Analytics? Recommendation techniques? Sites would work without them, but both help the businesses make more money.

The ad industry has worked to ensure its motor keeps running after 25 May, but these efforts have not been mirrored on the site side. In the absence of published guidance, regulators plan to keep a light touch, but are under pressure to show they are in charge.

So we can expect some sites to fall foul as the ASA settles into its new enforcement role. Even as I write, the staff are stocking up on check shirts and ballpoint pens.

Andrew Walmsley is a digital pluralist


- Cookies are not programs that 'do' anything; they are text files that typically contain a site name and a unique user ID, acting as a way of authenticating users online or using servers.

- In its simplest form, when a consumer visits a website that uses cookies, one is downloaded to that visitor's computer. The next time they visit that site, the computer checks whether it has a cookie containing the site name and sends the data contained in the cookie back to the site.

- This tells the site that the user has visited before, so it can tailor content (its own or advertising) accordingly.

- More sophisticated cookies record information such as dwell time on a site, what links the user clicks on, their preferences and the contents of shopping baskets, making users' experience of sites they visit often more smooth.

- Web browsers enable consumers to block cookies or be selective about those they accept. However, some sites are unusable when cookies are rejected.