Francelj and his wife caught in marketing traps
During his evening browsing, Francelj clicked on a link and was taken to a website displaying a visible cookie usage notice. Just as it should be according to cookie usage guidelines. Francelj wasn't bothered by these matters and clicked Allow.
At the moment, Mother Nature called Francel to a place where even the emperor must walk. His wife took advantage of the opportunity and slipped onto Facebook. She saw an interesting ad and clicked on a link that led to another page of the same online store Francelj has just visited. There was no cookie usage notice this time because Francelj had already allowed it.
The online store was actually in violation because it placed cookies in the browser of the user (Francelj's wife) without her permission.
Technical - user - legal marketing salad
This summer, there will be thousands of such cases. Millions, if you will, as a similar legal framework applies across the entire European Union. In fact, thousands of websites will be in violation if not almost every one of them (except those that completely disable cookies because they aren't interested in web statistics).
At this moment, there are already some providers creating these solutions for their clients. One of the more prominent is, for example, piskotki.com. ut if we visit their website and allow cookie usage, we can see that after giving permission, they placed 2 cookies in our browser (screenshot from 20.5.2013 at 14:30):
The first cookie is clearly intended to store your consent for the use of cookies. The duration of this cookie is set to approximately 48 hours.
The second cookie comes from the Google Analytics code and is set to last for 2 years. But of course, the second one wouldn't be there if the first one wasn't accepted or if it expired, which is fine.
The problem lies with the first cookie, which has a duration of 2 days. This means it's assumed that the same users will be using the same browser on the same computer for the next two days. If you close the browser )like an average, inexperienced user, without clearing history or cookies) and open it again, the same website will load without a new cookie consent notice.
If we shortened the cookie's duration to, say, 2 minutes or set it to last only for the session, as it is in the free SilkTide code, we would face the issue of the user being asked for consent again after just 2 minutes. Assuming the average user stays on a website between 1 and 15 minutes, we might conclude that the cookie's validity should be capped at 15 minutes.
But the real issue is that even in this case, we still cannot be sure that it's the same user. Especially since we have no way of knowing whether the browser might be used more widely (e.g., internet café, library, school, etc.).
Does the law actually change marketing?
It seems that the lawmakers approached the matter thoroughly and prepared for many variations of cookies. From the guidelines issued by the Information Commissioner, it's clear that the intention is genuinely to allow users to independently decide on the use of cookies.
However, while it's likely that users will soon become very annoyed of the law is strictly enforced, the more important question is whether the law actually protects the users or just the browsers?
Opinion of the Information Commissioner
Regarding how to ensure it is the same user and what the validity period of the consent cookie should be, we asked the Information Commissioner and received the following response:
Dear,
as explained in the guidelines, the legislation stipulates that website operators may use cookies or other technologies to store data on user's device, or gain access to data already stored on the user's device, only if the user consents and has been provided in advance with all information regarding such data processing, as required by the Personal Data Protection Act.
The legislation does not resolve the issue of multiple users sharing the same device. If the multiple users share the same device and the website operator does not distinguish between them (e.g., they do not each have their own user account), then it is reasonably assumed to be a single user, from whom consent must be obtained for certain cookies. However, if the website can distinguish between users, then consent must be obtained from each individual user.
The legislation does not define a specific validity period for cookies.
As we can understand from the explenation, the legislation does not address the issue of multiple users. The legal interpretation is that it is a justified presumtion that there is only one user. Of course, this is not a justified presumtion. It is merely a legal way out of the dilemma.
How to process in marketing?
From legal perspective (not ethical), you should act as follows:
1. Inform the user that you use cookies, in accordance with the guidelines.
2. Once the user consents, store a consent cookie in their browser for a very long period (2 years of more).
This will, of course, mislead many users because usually one browser is used by multiple people, whom you will track without their consent. Therefore, ethically and thus from a marketing standpoint, it is correct to proceed like this:
1. Inform the user that you use cookies, in accordance with the guidelines.
2. After receiving consent, keep a visible notice on the website stating that cookies are in use and that the user revokes consent at any time via button.
And what are the consequences of the browser protection law?