Growth occurs as a series of jolts: your first kiss, your first
drink, your first pay packet. As the technology industry matures,
it's no different. But just as in real life, some people aren't too
good at dealing with change.
For the best part of two years now, parts of the online media
industry have been complaining about EU Directive 2009/136/EC,
which requires users to consent before web sites harvest data from
them.
After the government's year-long pause on enforcement, in the
wake of a highly successful industry-led campaign for common sense
enforcement, implementation is now only days away. In the UK, the
new rules kick in on Saturday 26th May.
Yet the moaning continues. Some still view the Directive as an
infernal doomsday machine that will "kill online
sales" and "
kill the internet". Robert Bond of the law firm Speechly
Bircham
describes the effects as "far-reaching and incredibly onerous"
for "all UK companies." Simon Davis of Privacy International argues
that proper
enforcement would "destroy the entire industry".
Those with something to gain have been spreading fear and
loathing. KPMG, a firm that never knowingly underestimates the
threats confronting its clients, recently announced
that 95 percent of British businesses and public sector
organisations are "not compliant" and may therefore face fines of
up to £500,000.
Separately, QuBit, a London-based data consultancy, estimates
("worst case scenario") that the EU Directive
could "cost" the British economy £10bn.
Let's not delve into the debatable maths underpinning QuBit's
alarmism. Instead, let's remind ourselves of what
Directive 2009/136/EC actually says:
"Member States shall ensure that the
storing of information, or the gaining of access to information
already stored, in the terminal equipment of a subscriber or user
is only allowed on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and
comprehensive information."
Consent? As any teenager will tell you, much depends on how you
ask the question. If regulators ever expected web site owners
to implement an opt-in
regime like this, they don't now. Colin O'Malley, chief
strategy officer at Evidon, the US-based data and privacy company,
says he has spoken with regulators in six European nations,
including some of the most conservative members of the dreaded
Article 29 Working Party. All of them, he says, "have specifically
cautioned against going as far as opt-in".
Here's where the wiggle room opens up. Much depends on language
and design. In May 2011, for example, the Information Commission's
Office started seeking consent from users of its own web site. When
users clicked through for the first time, an overlay told users
that the site "would like to store information on your
computer".
The aggressive tone was compounded by apparent bad faith. ("One
of the cookies we use. . . has already been set".) Next, the ICO's
overlay held a metaphorical gun to its users' heads, telling them
that "parts of the site will not work. . . [if] you delete and
block all cookies".
Unsurprisingly, the result was a 90 percent decline in measured
traffic. Ever since, opponents of the directive have argued that
the end of the world is nigh.
It isn't. Instead, we're starting to see some clever and subtle
implementations. If you click through to
BT's customer site, for example, the first thing you'll see is
a cleverly-worded overlay which suggests that "this website" is set
to "allow all cookies". (The language isn't threatening; moreover,
it encourages the notion that this has nothing to do with you, the
user).
The overlay goes on to explain that this has been done in order
to offer "the very best experience"(You're worth it, no?). It goes
on to say that if you click the "no, thanks" button below, you will
"consent" to "allow all cookies". (The "no thanks" button
instinctively appeals to the vast majority of users who don't want
to be sold something; it also encourages non-technical users
accustomed to things going wrong to vote for continuity).
Expect to see many more corporates adopting a similar approach.
This week, for example, FT.com took the plunge, with an overlay
strategy that resembles BT's.
We need to wait and see how many users refuse cookies at BT and
FT.com. My guess is that the number will be a lot less
than 90 percent, and that it will decrease over time. As users
encounter more sites with lookalike overlays, they'll become
accustomed to taking path of least resistance. Along the way, they
may start to understand cookies and privacy better. They may
actually start to feel confident about privacy protection.
Still unconvinced? Then examine the
guidance published by Whitehall's own IT bosses for anyone
running a public sector web site. In total, the advice runs to four
pages. It doesn't feel like a user manual for coping with the end
of the world. Alternatively, take a look at the current
guidelines from the Information Commissioners Office, which
strongly hint that "formal action" will be reserved for anyone who
"refuses to take steps to comply" or who has been "involved in a
particularly privacy-intrusive use of cookies".
Of course, there are perfectly understandable reasons why parts
of the online industry hate the directive with such a
passion. The first involves the cost of what the ICO describes
as "new sites and systems and upgrades". This, as one commenter
pointed out, is an industry in which it's already difficult to make
money. Well, yes: and at least some of this difficulty is
attributable to hot VC money, which has unleashed a torrent of
me-too revenue-lite ad tech start-ups. If regulation helps
consolidation on its way, the results may not be entirely
negative.
Awkwardly, the directive forces the online ad industry to think
about users, as well as data. (As the Government Digital Service
puts it: "It's not about cookies, it's about privacy.")
Like everyone else, online ad folk would much prefer to be
handed a series of binary policy decisions ("you can do this, but
not that"). Instead, they're been given some guidelines and asked
to think seriously about privacy. In the long term, this should
strengthen respect for privacy inside the industry. However, for
those who prefer not to think, the challenge is problematic.
Ad tech people are an inward-looking tribe: they need to get off
their backsides and educate the public about why metrics matter.
According to the IAB's
own research, 89 percent of British surfers say they want to be
able to control their own privacy online. Yet only 37 percent
understand what a cookie is. Squaring this circle will take years
of education and innovation. The directive is pushing the industry
in this direction. Again, this is no bad thing.
Without an effort of this kind, the online industry will face a
backlash eventually. As Simon Davis of Privacy International
argues, users can rapidly become "angry customers when they find
out they have not been told the truth". On this point, he's
right.
Anyone in the UK online industry who still dreams of Ayn
Rand-style freedoms needs to wake up, and quickly. Online accounts
for 28 percent of Britain's advertising market. That's more than
the 26 percent that flows into the heavily-regulated broadcast
sector, more than the 23 percent that flows into newspapers,
currently the focus of scrutiny by Lord Leveson.
Leveson is regulation in action. For those in the
spotlight, the experience is nasty, brutish and prolonged. Measures
like the EU Directive will avert the need for an equivalent of a
Leveson Inquiry for the online ad industry in three, five or 10
years' time. For this reason alone, the online ad industry should
embrace Britain's new cookie law with open arms.