EU Privacy Directive: Why All The Fuss? Just Be Open With Users

EU cookie legislation is now in force across Europe, but in a last-minute change on Friday, the UK’s information commissioner amended the way it will be implemented in the UK. It’s now the case that sites will only have to obtain ‘implied consent’ from users, not explicit consent. This is much friendlier for businesses but means the UK is now out of step with the EU on privacy online and the transparency of cookies. In the middle of a recession, UK businesses probably won’t lose too much sleep. This is a much more pragmatic approach and most websites have yet to even comply with the legislation.

In this guest post, Mark Macdonald of Skimlinks argues sites should still consider being up-front with users about their use of cookies.

The grassroots of the internet are a force to be reckoned with. With national and international legislation threatening their online way of life, the denizens of 4Chan and Reddit can be relied upon to make life a misery for those US politicians proposing misconstrued acts. We saw it with SOPA and PIPA. They’re holding off ratification of ACTA for the time being, and CISPA is taking a beating.

But where were they three years ago when the EU first debated its e-Privacy Directive?

The directive passed into UK law a year ago ‘on-the-nod’, i.e. without any debate in Parliament, and was intended to protect users’ privacy by forcing sites to seek consent when placing certain cookies. This week marks the end of a year-long grace period during which website owners were issued confusing guidelines [PDF] from the enforcing body, the Information Commissioner’s Office (ICO).

You’ve probably heard all about how the ICO enforced its own guidelines and killed its traffic; plenty has been said about how the law is pretty much unenforceable; and I previously wrote, perhaps prematurely, about how the fundamental technologies that fund free content on the web were threatened.

Maybe I missed the point. There’s no doubt that our legislators are behind the technological curve, and crass law writing can be massively damaging, but likewise an honest communication about how your site operates is essential to building a trusting, and valuable, user base.

Advertisers love playing the data game, and will continue to find ways to target their audience with or without cookie legislation. Use of server-side pixels allows for cookieless tracking, and definitions of 1st and 3rd party cookies are increasingly blurred by ad networks to sidestep some interpretations of the laws. Our lawmakers won’t catch up with this stampede of innovation, so it falls to us, the innovators, to implement technologies responsibly and hold ourselves accountable.

The politicians in Washington and Brussels may not have a clue what they’re talking about, but the spirit of respectful user interaction may not be so misplaced.

Monitoring customer behaviour and habit is nothing new. The supermarkets have been collating your data through loyalty card programs since the early eighties, building customer profiles and using this data to ‘enhance the shopping experience’. It’s a pretty honest understanding though: you give me discounts on goods or services, and I’ll let you build a profile to establish how much cat litter I can handle.

This kind of mutual understanding should form the very minimum of an unwritten contract between site owners and users. Am I saying that your grandfather understands the extremes of data crunching each time he swipes a loyalty card? Certainly not, but there’s a policy of providing clear disclosure to customers in order to maintain their hard-earned trust. That policy must be replicated on the web in some fashion.

In an ever more socialized web, readership and user engagement are a site’s biggest asset. It’s that user engagement that drives Facebook’s inflated stock price, and Pinterest’s huge funding rounds.

It’s also user engagement that drives value for advertisers in the long run. Supportive communities understand that making money from a site need not impact on their enjoyment of the site, and will respect advertising technologies that they are informed about.

So what changes? In all honesty, nothing much. Most of the UK’s governmental sites aren’t going to be compliant today.

At Skimlinks, we made some recommendations to all our publishers but the ICO have indicated to us that they’re not going to be prosecuting sites unless they appear to intentionally avoid compliance.

The ICO aren’t likely to come after you this week, but users deserve to be treated with respect anyway. It’s not hard to do either. Disclosure should be a given. If you run a site or web service, tell people what technologies you’re using, and make sure you have clear links to any appropriate opt-outs. Likewise, act as an agent for your users and demand that 3rd party technologies give you a clear indication of what data they collect, and how it is used.

Don’t do it for the legislators. Do it because we’re all users, and it’s what we’d all expect.

But finally here’s a bonus video on why the EU cookie law should just die: