A compliance strategy for the controversial cookie opt-in regulation

Businesses face many concerns with the PECR cookie law. Compliance expert Alan Calder offers a compliance strategy for the cookie opt-in regulation.

The PECR ‘cookies’ regulation is meant to protect users’ privacy, but it raises practical, strategic and financial problems for organisations operating websites. In this tip I will discuss the problems website operators face as they make website changes to comply with PECR, and I will offer some advice for cautionary steps to take now.

The problems with PECR
The amended PECR cookie rules came into force in May 2011, and the ICO has said it will begin enforcing them in May 2012. The ICO expects organisations to have taken appropriate steps towards compliance by that date.

In considering compliance strategies, organisations have a number of concerns, including the impact on visitor traffic, competitor behaviour and implementation costs. As a result, many website operators are likely to view an early move to PECR compliance as potentially disadvantageous to their businesses.

A Direct Marketing Association (DMA) briefing earlier this year reported that daily visitor traffic to the ICO’s own website fell from around 18,000 visits before a cookie opt-in form was installed to below 2,000 afterwards. One caveat: the ICO counted visits using an analytics cookie that was itself behind the opt-in, so visitors who declined were no longer counted at all, and the measured fall overstates the number who actually left. Even so, the finding reflects the hard-won experience of website operators and developers everywhere: cookie consent pop-up boxes or banners that force visitors to respond or supply information before they can go further into a site are likely to drive a high proportion of visitors away. There are three reasons for this:

  1. Reputable websites avoid barriers to interaction and distractions such as pop-ups as a matter of course. Pop-ups annoy visitors and drive them away.
  2. Clicking on pop-up boxes is a well-known way of inadvertently installing malware (fake security alerts and similar lures rely on exactly that click); the growing number of users who are aware of this threat are likely to leave, and perhaps blacklist, a site that asks them to click on a pop-up.
  3. Many users do not know what a ‘cookie’ is and may be put off by opt-in requirements they must complete before they can do what they came to the site to do.

Organisations fear their traffic will go to their competitors’ websites instead and, as the Internet is a market without geographical boundaries, those competitors could be anywhere in the world.

There is little evidence other EU countries are moving as aggressively to enforce this directive as the ICO is doing in the UK. Therefore, many UK companies will view their implementation of the cookie directive as directly benefiting their competitors elsewhere in the EU.

Cookies are also more widely used than many realise. Many websites use Google Analytics to understand their traffic. Google Analytics sets one or more cookies in the browsers of website visitors; they are stored under the site’s own domain, but they exist to report to Google, so they fall within the rules like any other non-essential cookie. It is not clear that Google is about to change its technology model to suit the EU, and website operators will move only reluctantly to non-Google analytics options.

Social media plug-ins, such as bookmarking sites, Facebook “Likes” and Twitter re-tweets, install third-party cookies. Website operators are unlikely to rush for solutions that reduce the effectiveness of their various social media plug-ins, particularly if their competitors are not obviously reducing the effectiveness of these plug-ins on their sites, too.

Guide to EU cookie compliance

This article is part of the EU cookie compliance guide which contains news and advice for organisations in Europe and around the world for complying with the cookie law.

Finally, making changes to websites is likely to be both expensive and time consuming, especially if the website is built on a standard packaged web application that its developer is unlikely to update. In the current economic climate, few organisations will want to invest in a compliance project that could damage their business.

Steps to take now
Non-compliance, however, is clearly not an option, as the ICO has said it will enforce the PECR regulations. The sensible commercial approach, therefore, for any organisation is to follow the ICO’s advice:

  1. Conduct a comprehensive cookie audit across all your organisation’s websites;
  2. Assess the intrusiveness and importance of each cookie;
  3. Identify, for each cookie, a practical path to compliance.
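The first two steps can be started mechanically: record every Set-Cookie header observed while loading your pages, work out which ones are first- or third-party relative to your own site, and note how long each one lives. The following is an added example written for this article, not the ICO’s or the author’s tool: it runs offline over a constructed crawl record (the hostnames, cookie names and values are made up), and its domain handling uses a tiny stand-in for the Public Suffix List, which a real audit should use instead.

```python
"""Minimal cookie audit: inventory Set-Cookie headers and rank them."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumed audit date, so Expires lifetimes are reproducible offline.
AUDIT_DATE = datetime(2011, 11, 1, tzinfo=timezone.utc)

# Stand-in for the Public Suffix List (assumption for this example only).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}

# Constructed crawl record: (host that answered, its Set-Cookie headers).
CRAWL: List[Tuple[str, List[str]]] = [
    ("www.example.co.uk", [
        "sessionid=c1a2b3; Path=/; Secure; HttpOnly",
        "site_prefs=lang%3Den; Max-Age=2592000; Path=/; Domain=.example.co.uk",
    ]),
    # A social plug-in served from another organisation's domain.
    ("social-plugin.example.net", [
        "plugin_uid=9f8e7d; Expires=Fri, 01 Jan 2016 00:00:00 GMT; Path=/; Domain=.example.net",
    ]),
    # A hosted analytics service; no Domain attribute, so the host itself applies.
    ("analytics.example.org", [
        "_visit=4433; Max-Age=63072000; Path=/",
    ]),
]


@dataclass
class CookieFinding:
    name: str
    set_by: str                      # host whose response carried the header
    domain: str                      # effective cookie domain
    party: str                       # "first" or "third" relative to the site
    lifetime_days: Optional[float]   # None for a session cookie
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    """Return the 'site' part of a host, e.g. www.example.co.uk -> example.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_set_cookie(header: str, set_by: str, now: datetime) -> CookieFinding:
    """Parse one Set-Cookie header into a finding (party is filled in by audit)."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, _value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    flags = set()
    for piece in pieces[1:]:
        key, sep, value = piece.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(key.strip().lower())
    domain = attrs.get("domain", set_by).lstrip(".").lower()
    lifetime = None
    if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265 section 5.3)
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = (expires - now).total_seconds() / 86400
    return CookieFinding(name.strip(), set_by, domain, "", lifetime,
                         "secure" in flags, "httponly" in flags)


def audit(site_host: str, crawl, now: datetime = AUDIT_DATE) -> List[CookieFinding]:
    """Step 1: inventory every cookie and label it first- or third-party."""
    site = registrable_domain(site_host)
    findings = []
    for set_by, headers in crawl:
        for header in headers:
            f = parse_set_cookie(header, set_by, now)
            f.party = "first" if registrable_domain(f.domain) == site else "third"
            findings.append(f)
    return findings


def intrusiveness(f: CookieFinding) -> int:
    """Step 2, technical part only: who can read the cookie and for how long.

    Purpose (strictly necessary vs. analytics vs. advertising) still has to be
    judged by a person; this ranks only what the headers show.
    """
    score = 2 if f.party == "third" else 0
    if f.lifetime_days is not None:
        score += 1 if f.lifetime_days <= 30 else 2
    return score


def summarise(findings: List[CookieFinding]) -> Dict[str, int]:
    return {
        "first": sum(f.party == "first" for f in findings),
        "third": sum(f.party == "third" for f in findings),
        "persistent": sum(f.lifetime_days is not None for f in findings),
        "session": sum(f.lifetime_days is None for f in findings),
    }


def run_example():
    findings = audit("www.example.co.uk", CRAWL)
    return findings, summarise(findings)


if __name__ == "__main__":
    found, summary = run_example()
    for f in sorted(found, key=intrusiveness, reverse=True):
        life = "session" if f.lifetime_days is None else f"{f.lifetime_days:.0f}d"
        print(f"{intrusiveness(f)}  {f.party:5}  {f.name:12} {f.domain:18} {life}")
    print(summary)
```

Run against a real crawl, the ranked output is the starting point for the third step: the session cookie scores lowest and is the likely ‘strictly necessary’ candidate, while the long-lived third-party cookies from plug-ins and hosted analytics score highest and are the ones for which a consent path must be found. Cookies set by JavaScript rather than by a response header (the Google Analytics case above) will not appear in a header-only crawl, so the inventory must also cover the scripts a page loads.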

Organisations should start working on these steps right away. Even if the organisation is not compliant immediately when the regulatory changes go into effect, taking these steps today enables the organisation to demonstrate it is taking the law seriously. While the compliance process is a manual effort today, I expect a greater range of practical compliance assistance products and services will become available in due course.

About the author:
Alan Calder is a leading author on information security and IT governance issues. He is also chief executive of IT Governance Limited, the one-stop-shop for books, tools, information and advice on governance, risk management and compliance in the UK. Alan was previously CEO of Wide Learning, a supplier of e-learning; of Focus Central London, a training and enterprise council; and of Business Link London City Partners, a government agency focused on helping growing businesses to develop. He was a member of the Information Age Competitiveness Working Group of the UK Government's Department for Trade & Industry, and is a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including ISO27001.
