They must get consumers’ consent to track behavior with cookies.
U.S. government regulators have discussed requiring consumers to agree to have their online behavior tracked, but have so far stopped short of imposing an opt-in requirement. The European Union, however, has gone the opt-in route, and the law carrying that requirement is scheduled to take full effect in May, forcing e-retailers to consider how they will adjust their online marketing and web site designs.
The law requires web sites to ask for permission before placing a cookie on a consumer’s browser to track her behavior, such as where she’s come from and what she’s viewed and searched for. No such permission is required for a cookie used to track what a consumer puts in her shopping cart or to remember the shipping address of a customer who is logged in. The law deems the consumer to have given implied consent for essential functions of the site, such as remembering that she put a sweater into her shopping cart, since the site could not function otherwise.
It’s the behavioral tracking cookies that retailers must get permission for under the European Directive on Privacy and Electronic Communications, which was passed in November 2009 and took effect in May 2011. However, EU member states have until May 2012 to enforce the law, and various European countries have been moving at different speeds in releasing their regulations. The European Commission is considering legal action against EU member states that are late with the transition.
In the United Kingdom, however, the Information Commissioner’s Office has released rules that make clear that cookies used for essential tasks such as remembering the contents of a consumer’s shopping cart do not require consent. That was a relief to members of the British Retail Consortium, a retail trade group.
“For a start, we thought it would scare people and it would ruin the Internet shopping experience,” says Richard Braham, the trade group’s policy executive on distance selling and consumer credit. “But now, we U.K. retailers are happy that the Information Commissioner’s Office took a very clear approach to the regulation in the sense that there are different types of cookies and different ways cookies can be used.”
Still, there is confusion, and “a distinct lack of action from governments or e-business executives,” says Martin Gill, an e-commerce analyst for Forrester Research Inc. “Further changes to the EU Data Protection laws have added further to the confusion—confusion that will continue throughout 2012 as e-business executives struggle for clarity and those that operate pan-European operations are faced with a complex web of national compliance.”
What will make compliance complex is that a retailer will have to comply with the laws of the consumer’s country. Thus, a German e-retailer selling to an Italian online shopper will have to understand and comply with Italy’s interpretation of the law. “Suffice it to say that it adds a huge degree of complexity to pan-European operations,” Gill says.
In a recent report Gill pointed to a message on the e-commerce site deliaonline.com, the site of British cookbook writer Delia Smith. The message, which pops up when a visitor first reaches the site, reads: “Since 26 May 2011, the law now states that cookies on websites can only be used with your specific consent. Delia Online is currently formulating the best way to obtain your consent without compromising your enjoyment of the site. We will update you with this information once it is finalised.”
Retailers and site operators like Delia Smith will have to figure out a way to get consumer consent for placing tracking cookies that go beyond the data, such as what a shopper buys and her shipping address, that cookies can track without the consumer’s consent.
There are many ways a retailer could obtain that consent, says Charles Nicholls, founder and chief strategy officer of SeeWhy, a U.K.-based provider of technology for targeting ads to consumers based on their online behavior.
For example, Nicholls says, a retailer could put a banner on the top of each page of its site saying something along the lines of: “We want to personalize your experience and make recommendations for you. In order to do that, we need to store cookies on your machine. Could you give your consent for this to be the case?” He says the key will be to get that consent one time on each visit to cover all the ways the retailer wants to track consumer behavior.
But it’s not clear that approach would pass muster under the new regulations. Such a message would not comply with the requirement for informed consent, contends Kostantinos Rossoglou, a senior legal advisor at the European Consumer Organisation. He says a consumer should be told that behavioral advertising would require the processing of personal data for purposes other than simply completing a purchase.
European regulators, and possibly courts, will no doubt have to weigh in before online retailers are clear on what is permitted under these new rules.