Marketers' Questions on Cookie Law Answered
19 Mar 2021
What's the likelihood of getting fined for cookies by the ICO in the UK?
The risk of enforcement is low. There hasn't been any enforcement against cookies yet in the UK, and the ICO appear to have their hands full dealing with larger issues at the moment. And you can see, I mean, there are some examples which are quite blatant, I mean, that Daily Mail example: loads of cookies being placed, taking no notice of the cookie banner, which makes you wonder why they put it up there. The ICO could say something about that straight away. But even considering how badly it's being done in that example, the risk of harm is very difficult for the ICO to make a case for. You have to think, "So I got nine cookies put on my browser, what damage or distress has that actually caused me?" And so, therefore, not only is it a low priority, because the damage and distress are actually quite small, but to try and justify that in a court would be very difficult.
Is the DMA website an example of best practice?
What was it my dad used to say? He always said, "Do as I tell you, not as I do." But like I said, this is a gradual process for a lot of organizations. And unfortunately, the DMA is no different in that case. So, we used to have almost nothing in place for cookies, just a standard banner that used to tell people what was going on. And we are gradually implementing more and tighter restrictions. It was just very difficult for us to put everything in place in one go. So we are working towards that.
I had a conversation about this some time ago with a national broadcaster, I won't say who they are, but a pretty major organization. And they just asked the question, they said, "Well, what do we have to do to be completely compliant? Because that's exactly what we want to do." And I said, "Well, you're going to have to get consent for your cookies." And they said, "Well, our business would go bust in a month if we did that." So, you have to be a little bit practical about these things and take it a bit at a time; you have to give people time to make changes and put in alternative methods of dealing with this.
Will we follow the EU regulation, now we're not part of the EU?
So this has been a bit of a sticking point for quite some time. Part of our leaving the EU, part of our Brexit negotiations, was this data adequacy issue. The importance for the UK of continuing to be able to transfer data freely around the EU and to and from the UK couldn't be stressed enough. Because if that hadn't happened, anybody that was using services in the EU, maybe some sort of cloud computing, so the data was being transferred to and from an EU jurisdiction, would have had to update every contract with some very complicated legal clauses, and then make sure that those organizations were sticking to those agreements, to make sure that the data protection standard would then be considered adequate. So that would have been quite hard work for everybody. The data adequacy negotiations appear to have gone positively; we're on the verge of being granted adequacy. And then, the adequacy might come with certain restrictions, so it's entirely possible that we might be granted adequacy but on the basis that we do things in the future. So it might not be entirely up to us whether we accept that European legislation.
Is there any work-around for getting statistics if statistical cookies can no longer be turned on automatically?
It goes back to how harmful it's going to be. If you want to do the letter of the law, you won't be able to have any cookies being dropped without consent. But I think most businesses have gone down the route of actually saying, what is the impact of that cookie? And is it harmful?
And actually, if somebody was to suddenly be asked questions by the ICO, if an investigation was to open into a company's use of cookies, the fact that you thought about it is the best start to any defence and any information that you're going to share with the ICO. If the ICO come to you and say, "Well, you know, you're dropping cookies", and you go, "Yeah, well, we've always done that", that's not a good start to a conversation with the ICO. But if you say, "Well, actually, we did this risk assessment. And we stopped doing this particular cookie because we thought that that was sharing too much information. But we just use this for audience measurement" or something like that. That would be a good conversation to have.
And I think there's that part of the cookie banner examples that you showed as well. What you've got is a notice that we still drop them, but we give people the option to turn certain ones off if they want to. So, showing that you are implementing stuff and doing stuff, that you've got a plan.
Also, one thing I did notice, because it was a bit of a shock to a lot of people, was that even analytics cookies would require consent. And of course, it mucks up your analytics, if you're only dealing with people that check the box, because that's a subset of your visitors. And there are some products out there that have been marketed to deal with this issue. I can't remember for the life of me the names of the products, but there are some things that are out, they don't share data with anybody. They use anonymous information to give you the kind of feedback that you might have got from Google Analytics.
If a marketing agency controls your website for you, are they responsible for breaking the cookie law? Or is it still the customer?
You can't offload responsibility to an agency. The buck stops with the owner of the website.
Should your analytics cookies be set to off as standard, and the individual have to actively opt in? Or is there something that the individual should have to opt out of?
If I was to pretend to be a lawyer for a second, I'd be quite strict about that. Because GDPR consent is very tightly defined, and it has to be a positive action from the consumer in order to indicate consent. So technically, every cookie checkbox, apart from those that are absolutely essential for the running of the website, which are put there anyway, should be set to the "no" position and the consumer should have the choice to allow them.
If you've got your legal team, they will go to the easiest common denominator, which says "the legal stance is 'off'." But if you look at any website at the moment, give or take, the cookies will be dropped in. They're doing the opt-out methods, or as John showed you in the first example, there's no method at all other than just saying, "You know what, I'll take it away if I want. If you come on my website, cookies are being dropped." It helps if you're starting to show that you're doing something, so "this is how we're implementing it, and we've taken it that we're not capturing sensitive data or harmful data"; then you're going a long way to appeasing if anything came up. That would be the middle-ground way of looking at it, if that makes sense. You have to recognize that it's not strictly okay. But you're halfway there.
What are the implications of working with third-party cookies like Spotler?
Whether it's Spotler cookies, where we can track what somebody is doing on their website, or IP lookup or analytics, which even Google can use for some kind of tracking, by the letter of the law you need to get consent. But as most people have interpreted it, it's now "Give people the option to update their cookie preferences." And whether that's based on a message that says we drop cookies, and this is how you can manually delete them if you want, or you've got those other tools where you can turn them on and off, and they're categorized.
What about the case of YouTube, or LinkedIn or Facebook, because those are sending data over to those platforms?
I'm assuming we're talking about retargeting ads, maybe that is third-party cookies. They're at the higher end of risk, if you want to use that example, because that data is going to a third party. And in the case of somebody like YouTube or Facebook, somebody that's well known for building quite large and intricate profiles about people. And of course, it wouldn't matter if you were a Facebook customer or not. Facebook would still receive that information about you if there was a Facebook third-party cookie on somebody's website. Facebook doesn't only have profiles on people who are Facebook users; they also have profiles on people who are not Facebook users as well. They don't like to miss out on anybody.
I'm not sure what kind of data Facebook captures over LinkedIn or YouTube, other than to say that the cookie just shows that that particular LinkedIn user has visited. So I know LinkedIn knows the individual because they resolve it back to the LinkedIn user profile. But we don't get access to that information. All we can do is say, "Can you display some ads to people that have been on our website and are back on LinkedIn?" So I guess, John, from that point of view, might that be deemed as low-level data because we're not receiving any of the information? If that makes sense?
Well, it's sometimes difficult to gauge how people will feel about these things. I think, if I'm visiting a website, and then, without any input from me, everything that that website knows about me is being shared with an organization that I'm not a part of, maybe, if I'm not a member of Facebook, that's the sort of thing that freaks people out. But the important thing to remember here is the transparency thing, right? Part of the problem that we have with things like cookies and online advertising is that people really don't understand it. And you get sensationalist articles like that BBC one, which, you know, refers to it as spying. Or, you know, the classic thing is profiling. Now, when people think about profiling, MI5 do profiling. And so if it was very important for you to have a link with a third party, then let people know what it's doing. You could have a very sensible explanation for sharing data with Facebook that probably nobody would object to, but the fact that they don't really know what's going on makes them mistrust this kind of thing.
I think the interesting part for marketeers is it's basically just saying it so we can sell more to you. How would you work that into something nice, saying that, "Rather than randomly advertise to you, we can advertise based on your preferences"?
Exactly. There's plenty of research that shows that consumers would rather have targeted advertising, or advertising that is more appropriate to them, than just random stuff. Certainly, in the case of Facebook, if I had a first-party relationship with a company, and I also had a first-party relationship with Facebook, it wouldn't be completely unexpected for me to see an advert for that company when I went to Facebook. Right. So that's okay.
In relation to using cookies for remarketing, are there limits in terms of how you can use cookies to undertake that, specifically for time periods?
There isn't. But of course, it has to be reasonable. And, you know, different cookies have different times associated with them; it might be perfectly reasonable to have a cookie that stays there for 12 months, right? Yeah, I have seen cookies that are set to stay there permanently. There, obviously, it would be very difficult to justify that.
In particular for retargeting, the cookie probably doesn't have much more use after a month or two, because you don't want to retarget something that is old behaviour. So I think that's why it's exactly the sort of information that should be either in the privacy policy or in the "More information about cookies". When you click that link, how long it's going to stay there is exactly the kind of thing that should be made clear.
Are cookies related to b2c or b2b websites viewed differently?
No, cookies are cookies.
Do you need consent on your website, if the cookies are in the emails you send with a web link?
We discussed this for some time at the DMA. And putting my lawyer hat on, if you desperately wanted to comply with that, you'd have to have a method of saying, "Tick this box to say it's okay for us to send you emails, and tick this box to say it's okay for us to include an email tracker in there." That's the only way you could really do it. Now, people don't do that, because turning it on and off for an individual from an email service provider just isn't available, as far as I'm aware.
I think it goes back to being transparent and upfront when they actually land on your website.
What I've also seen is in the footer of the email. So sometimes when people send the email, in the footer, where there are links to unsubscribe and privacy notices and things like that, they'll say, "This email includes an invisible GIF" or whatever it might be. And it gives you information about how to turn them off or whatever.
In email campaigns, what's the requirement for cookie notification? Is there any?
There is no requirement in an email campaign at the moment to say there are cookies, the only legal requirement in email marketing is to have an opt-out and to be able to understand legally who the sender is.
So in a b2b example, it doesn't work quite as well. In a b2c example, somebody has to ask for that email, right? They have to tick a box and say, "I want you to send this email." And of course, that goes a long way to being able to justify a tracker, because you're not just sending it to anybody, and you're not sharing that information with anybody other than yourself. So you can build a case for it being low harm. Whereas in a b2b context, you're probably going to put that pixel in the email anyway and send it. You haven't had the opportunity to give somebody the choice prior to that. But that's one of those cases where I'd put something in the footer of the email. But also, I think people are much more accepting of b2b marketing communications. I mean, it's part of doing business, and we're all in business in one form or another. I get plenty throughout the day; I've never taken offence to them.
If you are selling into the EU, e.g. Germany, are there any issues? Thinking of the Planet49 ruling in Autumn 2019.
Yes, I remember Planet49. I can't remember the precise details of the ruling. But yes, if you're marketing into Europe, then obviously you have to comply with GDPR. I'm less certain about the PECR regulations and how they translate. I know that with certain PECR regulations, obviously, you have to take allowance of each country's individual rules. But I'm not sure about the cookie.
Is click tracking on emails a cookie?
Clicking on a link isn't based on a cookie; it's just a notification that says someone's clicked this link. What the "spy email" thing was about was actually a pixel, normally a one-by-one white image that has been downloaded. So it's invisible normally, because it's on a white background. So that's not actually cookie-based. It's not a cookie. But it comes into the catch-all.
I think what you're getting at is, when someone lands on a website, that's when a cookie could be dropped to them to pick up that traffic. So again, it goes back to that part of what the risk is. I think most marketing cases, personally in my view and Spotler's view, come under low risk because it doesn't contain sensitive data. It doesn't contain gender, age, etc. In the b2c world, it's mainly an email address that's linked to a cookie so you can track what somebody is looking at to send them stuff. So I think our argument would be, although it's identifiable data, it's definitely on the lower scale, and it's not personally sensitive data from that definition.
What tools would you recommend?
The DMA are a fan of one called OneTrust. We're a fan of OneTrust purely because their pro version of the cookie tool is free. So get in there now while you can; the pro version of OneTrust is a free tool. So you can take the branding off, you can have your logo on there and everything. So that's one that we're going to look to implement. The other two that we've come across are called CookieYes, which is one that John had an example of; they seem to be very good. And then the big one, that the ICO and a few of the others use, is one called Civic. So they're three that we are recommending to our customers. But OneTrust at the moment is the one that I'm pushing to anybody that asks, because their pro version is free. I'm assuming they're doing it to try and get into your IT team, because OneTrust is a massive, massive company.
And then the only other one is somebody mentioned Flock, and I don't know much about it. But Flock, all I know is that it's meant to be the cookie-less tracking software. The irony is, it needs to drop a cookie anyway for it to work. What I quite like about it is that it doesn't deal in individuals; it deals in groups of people. A bit like some of the profiling tools that you might get from Experian or an organization like that, where they never give you one person. You get part of a street or a postcode or something like that. It gets groups of people that have similar characteristics. And then they will be targeted with an ad rather than an individual. And then that gets away from a lot of the GDPR complications.