Last month I was fortunate enough to hear a talk from Andrew Tibber (@tibber), Senior Associate Solicitor at Burges Salmon, who specialises in Marketing & Advertising Law, on the digital industry’s new monster: Cookie Compliance. Many of you by now will have heard about big changes that are coming to how website owners can track their users, goals and site performance. For those of you who haven’t, this article aims to enlighten you a little as to how you can hope to comply.

What is wrong?

The whole issue centres around cookies, which to the website owner are the digital equivalent of a fresh-out-of-the-oven confectionery item. These cookies are strings of letters and numbers that are placed on your device to identify you from other users and can show when you complete a business aim. In the digital advertising industry we mainly use these for Google Analytics, conversion tracking and remarketing. The worry about cookies is how to protect user privacy and give users a choice over how their online activities are monitored, as research has shown that very few users are aware of what cookies are and what they do.

What is changing?

On May 26th amendments were made to the Privacy and Electronic Communications Regulation 2003 that now require consent to be obtained for the storage of cookies on any “device”, including computers and mobiles. This replaces the old legislation, which required website owners merely to inform users through their privacy policy that they used cookies.

What is required?

The ICO have indicated that “consent must involve some form of communication where the individual knowingly indicates their acceptance”. This statement implies that consent needs to be “prior consent”, obtained before the cookie is set. The ICO have accepted, though, that prior consent presents certain issues for site usability, and as a result cookie information and options should be presented at the earliest opportunity.

The consent method can take a number of forms, such as a static header box; a hidden fly-out, which may be more suitable for those of you wanting to maintain the aesthetics of your site; a popup that locks down the site until an answer is provided; a header box that follows as you scroll down; or just a message saying that you’ve put a cookie on and linking people to information on how to remove it.

As you can see there is no single coherent method, and the ICO won’t provide a simple tick list for compliance. So what can you do?

How can I comply?

The ICO have outlined compliance methods in their recent guidelines, but for a quick (but partial) solution whilst you decide on a long-term strategy they have the following suggestions:

1. Create a separate “cookie policy” or adapt your current “privacy policy” to simply outline why you use cookies, what sort of cookies you use, and how they can be removed.

2. Change the name of your “privacy policy” link to say, for example, “cookie & privacy policy” or “learn about our cookies”.

3. Place your cookie policy link in a more prominent position.

4. Highlight your cookie info link with a different colour/font/sizing.

The ICO’s long term suggestions are the following:

1. Audit all the cookies on your site and remove any that are unnecessary.

2. If you don’t need to use permanent cookies then switch to session cookies, which are less intrusive.

3. When you have your final list of cookies, gauge how intrusive they are. The general rule is that the more intrusive a cookie, the more likely it is that the issue of consent needs to be addressed.
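
The audit in steps 1 to 3 above can be started from the Set-Cookie headers recorded while browsing your own site. The following is an added example, not code from the ICO guidance or from the talk: it separates session from persistent cookies and first-party from third-party ones. The sample headers, the `example.com` hosts, the function names and the three-level intrusiveness ranking are assumptions made for illustration.

```javascript
// Added example. The intrusiveness ranking is an assumed heuristic, not an ICO scale.

// Parse one Set-Cookie header value into its name and lifetime attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], maxAge: null, expires: null };
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1);
    if (key === 'max-age' && /^-?\d+$/.test(value)) cookie.maxAge = Number(value);
    if (key === 'expires' && !Number.isNaN(Date.parse(value))) cookie.expires = Date.parse(value);
  }
  return cookie;
}

// Remaining lifetime in ms, or null for a session cookie (no Max-Age, no Expires).
// Max-Age wins over Expires when both are present, as it does in browsers.
function lifetimeMs(cookie, now) {
  if (cookie.maxAge !== null) return cookie.maxAge * 1000;
  if (cookie.expires !== null) return cookie.expires - now;
  return null;
}

// observed: [{ host, header }] recorded while browsing; siteHost: the site's own domain.
function auditCookies(observed, siteHost, now = Date.now()) {
  return observed.map(({ host, header }) => {
    const cookie = parseSetCookie(header);
    const ms = lifetimeMs(cookie, now);
    const type = ms === null ? 'session' : ms <= 0 ? 'deleted' : 'persistent';
    const days = type === 'persistent' ? Math.ceil(ms / 86400000) : 0;
    const thirdParty = host !== siteHost && !host.endsWith('.' + siteHost);
    // Assumed ranking: third-party > first-party persistent > first-party session.
    const intrusiveness = thirdParty ? 'high' : type === 'persistent' ? 'medium' : 'low';
    return { name: cookie.name, setBy: host, type, days, intrusiveness };
  });
}

// Constructed sample input, not taken from a real site.
const SAMPLE = [
  { host: 'www.example.com', header: 'basket=abc123; Path=/; HttpOnly' },
  { host: 'www.example.com', header: '_ga=GA1.2.111.222; Max-Age=63072000; Path=/' },
  { host: 'ads.example.net', header: 'ad_id=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/' },
];
console.table(auditCookies(SAMPLE, 'example.com'));
```

Persistent first-party rows are the candidates for step 2, and the rows ranked highest are where the consent question in step 3 matters most.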

Once you know this, choose the method of consent that is best suited to your site and implement it.

What effect does this have for PPC?

The three main types of cookies we use to track our customers’ performance for paid and organic search are for Google Analytics, conversion tracking and remarketing. These are best discussed in this order due to the increasing intrusiveness of the cookie involved.

The ICO have stated that the only exemption to consent is where the use of cookies is “strictly necessary” to provide services for the user. As a business owner you will disagree with the idea that these cookies aren’t essential, as you want to gauge how people are engaging with your site and products, but unfortunately the ICO doesn’t agree.

Google Analytics cookies have been expressly excluded from being “strictly necessary”, but the ICO have said that “it is highly unlikely that priority for any formal action would be given... where there is a low level of intrusiveness”, which would imply that analytics cookies will be of a low priority.

Conversion tracking cookies, which we use to track form submissions, will unfortunately not be deemed “strictly necessary”, so we will rely on people providing consent in order to attribute a lead to your paid search. We will have to wait and see what Google’s point of view is on this topic in the coming months, but their likely stance will be that by using their services it is your problem to solve.

Remarketing cookies are seen as particularly invasive because ads will then follow the user round the internet on the Google Display Network. As a result we may see Google move away from this service as users develop a greater understanding of what cookies are, what they do and how they can get rid of them.

What do we do next?

The advice given in the guidance can sometimes appear a little contradictory and not fully explained, but our suggestion would be to follow the ICO guidance as closely as possible to maintain compliance. We would also suggest that you look at other sites’ consent methods and cookie policies to develop your own. The ICO are not going to come out all guns blazing if you aren’t totally organised by the 26th May, as they accept that there is no solution that suits all businesses, that there are costs involved and that legal policy is organic. However, if you wilfully ignore your legal obligations to meet compliance then, to quote Andrew Tibber, the ICO might reasonably ask “if they can do it, why can’t you?”.