There have been some pretty hysterical over-reactions to the (not so) new EU cookie law, some of them more factually correct than others. There have also been a lot of accusations that this law is fairly vague (which it is), that the guidance has changed (which it sort of has) and that it is unnecessary (which it isn't).
Some of the apparent difficulties with implementing the law stem from the fact that companies which are in a position to make compliance with the law easy - companies like Google and the big advertising agencies - have absolutely no incentive to make compliance easy. I'm not accusing anybody of being deliberately obstructive, but big media hasn't sat around a table and pro-actively tried to sort out a way of implementing the ICO guidance (PDF warning). They haven't done that because it's in big media's interests to build up cookies and privacy into a huge, insurmountable problem, kick potential solutions into the long grass and continue to track individuals on the web.
I've been thinking about the spirit of the law rather than the letter and in spirit, I think it's very simple. Just pretend your website is an actual, physical store and ask yourself whether what you're doing would be acceptable if it was.
So a customer visits your shop on the high street and starts to browse.
They can put things in their shopping basket, obviously. No question. Then they can take that basket to the till and pay.
Once at the till, you can ask if they have a loyalty card. If they do and hand it over, you can record what they bought and use that information to target advertising and offers, since that's part of the loyalty card deal you make with your customers. All fine so far.
Maybe your customer has brought a voucher with them. They fill in their details on the back in exchange for a discount and that's fine too.
That's a couple of easy ways to collect information about some of your customers - usually in exchange for a discount - and your customer is well aware that they're trading this information with you.
On the internet, cookies are essential to the virtual versions of those physical transactions. You put goods in your basket and the cookie remembers who you are, just so that the basket works. And only so that the basket works. That last bit is important.
All of those cookies are fine. The ICO says so and always has.
Now we come to a few tricks that are easy with cookies, but you might not like to try them in an actual store if you want to keep your customers.
You do a deal with the high street car park to put up posters advertising your store. Instead of just paying a fixed fee for the posters, you make a deal with the car park owner that you'll pay £1 for every person who visits your store straight from the car park and buys something, before they go anywhere else.
You don't tell your customers what you're doing, but you get some students on minimum wage to follow people out of the car park and see where they go. Obviously you need evidence that they're being counted properly, so you snap a quick photo of them on the way out of the car park, another on the way into the store and one at the checkout, time-stamped to prove it's the same person and that they went straight to your store.
That's probably not on, right? Which is why affiliate cookies could well have a problem.
And now inside the store. We already said loyalty cards are fine, but by using cookies you can track the in-store behaviour of something like 95%+ of your customers, without asking permission. That sounds useful. Let's do that.
We'll need a way to identify shoppers when they come back to our physical store though, without them volunteering the information via a loyalty card. Sounds like a job for more students on minimum wage! You pay a few people to walk around the store, surreptitiously dropping RFID chips into any open handbags so that when that customer comes back, you'll be able to invisibly read their ID at the checkout.
A few people notice and complain. You tell them they should keep their bag closed if they don't want ID chips dropped in it. Which is basically the argument that's being deployed when the industry tells users to turn off cookies in their browser if they don't want to be tracked.
You can stretch the analogy further if you want. Physical stores have always known how much of each product they sell. That data is like page hit counters and it doesn't need cookies. Without a loyalty card, physical stores don't know if you, personally, come in three times a week; once for a big shop, plus two short visits for milk and bread. They get along just fine without that information and always have.
Part of the reason they get along fine is my favourite quote about sampling,
Data on a sample of (well informed) customers who have traded that data with you is fine. You don't need to track 100% of visitors to understand your customers and tracking every single click on the web is an unhealthy and expensive obsession.
The EU lawmakers and the ICO evidently understand that most of the complaints coming from the marketing industry are bluster. We should also understand that in the end, treating customers with respect is the way to retain them. If you're confused by cookie laws then ask yourself if you'd do the same thing in a high street store. If you wouldn't, then don't do it on the web.
Some of the apparent difficulties with implementing the law stem from the fact that companies which are in a position to make compliance with the law easy - companies like Google and the big advertising agencies - have absolutely no incentive to make compliance easy. I'm not accusing anybody of being deliberately obstructive, but big media hasn't sat around a table and pro-actively tried to sort out a way of implementing the ICO guidance (PDF warning). They haven't done that because it's in big media's interests to build up cookies and privacy into a huge, insurmountable problem, kick potential solutions into the long grass and continue to track individuals on the web.
I've been thinking about the spirit of the law rather than the letter and in spirit, I think it's very simple. Just pretend your website is an actual, physical store and ask yourself whether what you're doing would be acceptable if it was.
So a customer visits your shop on the high street and starts to browse.
They can put things in their shopping basket, obviously. No question. Then they can take that basket to the till and pay.
Once at the till, you can ask if they have a loyalty card. If they do and hand it over, you can record what they bought and use that information to target advertising and offers, since that's part of the loyalty card deal you make with your customers. All fine so far.
Maybe your customer has brought a voucher with them. They fill in their details on the back in exchange for a discount and that's fine too.
That's a couple of easy ways to collect information about some of your customers - usually in exchange for a discount - and your customer is well aware that they're trading this information with you.
On the internet, cookies are essential to the virtual versions of those physical transactions. You put goods in your basket and the cookie remembers who you are, just so that the basket works. And only so that the basket works. That last bit is important.
All of those cookies are fine. The ICO says so and always has.
Now we come to a few tricks that are easy with cookies, but you might not like to try them in an actual store if you want to keep your customers.
You do a deal with the high street car park to put up posters advertising your store. Instead of just paying a fixed fee for the posters, you make a deal with the car park owner that you'll pay £1 for every person who visits your store straight from the car park and buys something, before they go anywhere else.
You don't tell your customers what you're doing, but you get some students on minimum wage to follow people out of the car park and see where they go. Obviously you need evidence that they're being counted properly, so you snap a quick photo of them on the way out of the car park, another on the way into the store and one at the checkout, time-stamped to prove it's the same person and that they went straight to your store.
That's probably not on, right? Which is why affiliate cookies could well have a problem.
And now inside the store. We already said loyalty cards are fine, but by using cookies you can track the in-store behaviour of something like 95%+ of your customers, without asking permission. That sounds useful. Let's do that.
We'll need a way to identify shoppers when they come back to our physical store though, without them volunteering the information via a loyalty card. Sounds like a job for more students on minimum wage! You pay a few people to walk around the store, surreptitiously dropping RFID chips into any open handbags so that when that customer comes back, you'll be able to invisibly read their ID at the checkout.
A few people notice and complain. You tell them they should keep their bag closed if they don't want ID chips dropped in it. Which is basically the argument that's being deployed when the industry tells users to turn off cookies in their browser if they don't want to be tracked.
You can stretch the analogy further if you want. Physical stores have always known how much of each product they sell. That data is like page hit counters and it doesn't need cookies. Without a loyalty card, physical stores don't know if you, personally, come in three times a week; once for a big shop, plus two short visits for milk and bread. They get along just fine without that information and always have.
Part of the reason they get along fine is my favourite quote about sampling,
"You only need to try a spoonful of soup, to know what the whole bowl tastes like"
Data on a sample of (well informed) customers who have traded that data with you is fine. You don't need to track 100% of visitors to understand your customers and tracking every single click on the web is an unhealthy and expensive obsession.
The EU lawmakers and the ICO evidently understand that most of the complaints coming from the marketing industry are bluster. We should also understand that in the end, treating customers with respect is the way to retain them. If you're confused by cookie laws then ask yourself if you'd do the same thing in a high street store. If you wouldn't, then don't do it on the web.
