In May 2011 the EU Commission released an e-Privacy Directive in which the tracking of cookies is regulated. The Internet Industry is granted time to adapt towards this directive until May 2012. As a result of this e-Privacy Directive a few European countries came up with their own legislation. In the UK the Information Commissioners Office (www.ico.gov.uk) shows on her site how this will look like. In the Netherlands the Telecom bill passed the ‘ Tweede Kamer’ in which the use of all non-functional cookies is prohibited unless the visitor of the website explicitly accept the tracking cookies.
I will try to explain here why this is a problem for not only website owners, but also for the users of websites.
What are cookies?
But first of all let me explain what cookies are and which different kind of flavours they come. Cookies are small text messages which are placed through the web browser on the computer of the website visitor. The visitor’s computer stores this cookie on the hard drive. These cookies can’t harm your computer; neither do they know what you are doing on your computer. They don’t contain viruses.
The problem occurs as their are different flavours of cookies:
Why do websites use first party cookies?
The main purpose of the “ first party” cookies is to anonymously identify the website visitor. When the visitor returns to the website the cookie will still be there and the visitor will be recognized as a returning visitor. This way the web master knows if you are a returning visitor or a new visitor to the website. Web analysts cookies are not keeping your personal data.
If you have made a profile on a website this information of the user is also kept in a cookie. For instance if you have made a profile on a website you often visit, the cookies remembers your setting so you don’t have to crave through all the pages you are not interested in. The same applies when you want to remember your passwords for different websites.
A second type of first party cookies is a session cookie. These session cookies will be deleted after you leave the website. These cookies are needed in webshops to remember the items you placed in your basket and to make a shopping cart function properly.
What is the purpose of third party cookies?
With third party cookies companies can follow up on the browser’s activity of a user. Privacy organisations are mostly concerned about these kind of cookies as they can track you while browsing, building up a personal profile throughout the web, while you as a user have no idea about this.
In the browser settings you can make accept all cookies, only first party cookies or none of all. But as lots of people don’t know this, (most people don’t clear their cookies once a week), the EU commissioner and the different governments wants to protect the public by these new regulations.
So if people are talking about cookies and privacy they mostly are talking about third party cookies.
How is this going to work?
In the UK the introduced on their website a possible way how this is going to look like:
On the 25th May they introduced the opt-in for setting cookies. My friend and colleague Vicky Brock had the fabulous idea of making a data request by the Freedom of Information Act. She asked the ICO for their traffic data for a period before and after the cookie opt-in ( 25th may) The ICO obliged and as she showed the results in a graph:
As you can see the results are clear. As Vicky said: “ If common sense does not prevail, this is extremely bad for internet users and for analytics”
Killing Conversion rates
Measuring conversion rates (success rates) is a major issue on all websites. This seems obvious on e-commerce websites, but also information sites do measure conversion rates. Even sites of Governmental organisations are accountable one way or another to prove that tax money is spend well. And I do hope this is not only by number of visitors but by conversions. Killing conversion rates surely will mean a serious set back. Organisations do want to know if their money on different marketing efforts, is spend wisely. Organisations will have to know if their information is really reaching the target audience to be accountable.
Will I be glad as a website user? Is my privacy really protected by this Directive? I don’t think so. First of all I will not delete my cookies as often as I do now, because it takes a cookie to remember that I have opted-in on accepting them. This will mean that I will get those annoying pop-ups over and over again after I cleaned up my cookies. Websites will not improve as fast as they should, because webmasters have less data to make improvements. And I would not be pleased if I could not enter websites like Amazon to order books, because they refuse to make a explicit opt-in.
Internet is in principle an international platform. The same EU commissioner who is responsible for this e-Privacy Directive is also promoting more cross-boundary e-commerce. This could be a problem.
When we look at the Dutch and the British regulations according to cookies there is a big problem. For which websites do they apply? Do they apply for websites hosted in these countries? Do they apply for the reached audience in these countries?
When we look at the first option, companies and organisations can move their websites out of their country and host them in the e.g. the US. Because of the usability issues (people are not going to like all these consent opt-in popups etc.) foreign websites will have a huge advantage over the websites in the countries using this active opt-in on all sites.
The second option will mean that because of the penalties involved foreign websites will not be accessible for people in the Netherlands or Britain. As websites in e.g. the US can have tracking cookies first and mostly targeted on advertisements towards the US audience, they will not risk the penalty when they do not have an opt-in. probably they will just block visitors from countries with these severe regulations. This way we will set up new boundaries.
And to make things more complicated: In Germany, where Privacy issues are taken very seriously, cookies are not the bad guys. Here it is forbidden to track IP addresses as they are seen as personal information.
What should be done?
I do agree that privacy should be a major concern. In Norway third party cookie were forbidden a long time ago. But you can also think about better browser settings. The industry should come up with a regulation, and this should apply to the whole industry. At least towards the whole EU. Otherwise people in some countries will be prevented from a free use of the Internet or otherwise companies and organisations in those countries will see a serious set back on their businesses. This autumn a privacy symposium organised by the WAA is set up in Bruxelles to come up with solutions to both privacy, boundary free use of the internet and possibilities to make money for businesses.