Roger Tomlinson treads carefully in the minefield of EU Privacy Directives and the so-called ‘UK cookie law’ which comes into force next week
Millions of us use Google search and Twitter every day, LinkedIn and Facebook most days. They are treated as essential software tools in our daily lives. Purportedly ‘free’ to use, there is an oft-quoted argument that we in fact ‘pay’ for these services with loss of our privacy. Most people don’t seem too worried, but the European Union is increasingly concerned about the unknown invasions of our privacy, especially when combined with our increasing web browsing, email and social media usage.
I have to step carefully here. As an advocate for needing to know as much as possible about our attenders and their behaviour – and their socio-economic profile – to inform personalised, tailored messages, targeted marketing and web browsing, I want us to compile knowledge about customers and use that intelligence intelligently – but openly. I have also championed Data Protection and the need for permission to use a customer’s data, laws that stem from earlier EU Privacy Directives. Transparency is all.
The UK Coalition Government is tardily implementing the latest EU Privacy Directive, becoming law in the UK on 26 May this year, a year late. Commonly called the ‘cookie law’, though it encompasses all on-line advertising and targeting tools, it brings a hidden web tool heavily used behind the scenes out into the open. It is hard to draw attention to something people did not know was there. Many people are pleased that websites “remember them” when they return, but don’t appreciate that it was a ‘cookie’ stored on their own computer that did it.
It is simple really: when you browse to a website your computer gives some basic information to that site, not least the browser you are using, the IP address and country of origin. While you are connected, the website tracks what pages you visit, the text you type into fields, click-throughs, log-ins and any preferences such as language, etc. and compiles information to track behaviour in analytics. It can create a file on your computer to store that data for next time: a ‘cookie’.
So far straightforward, and relatively easy for you to know what you may be giving your permission for: in general it’s probably benign and helpful. In fact the cookie mainly gives information about the returning ‘computer’, not the person, but remember Amazon mostly relies on the multiple cookies it leaves, including remembering your name: “If you are not Roger Tomlinson click here”. And it can also record in the cookie which website you came from and then where you went to, possibly adding in information from those websites about you.
So a website visit might trigger the creation of dozens of cookie files, some of which share information, especially from search, clicks, ads and social media. The Guardian newspaper, wanting to get the public to help research cookie usage, had to reveal its own extensive deployment, showing that a simple browse of their website potentially left dozens of active cookies linked to other websites. Browse a travel article and expect to see ads on other websites for holidays, car hire, ferries, etc. Read another article and that goes into your personal profile and affects the pages served up in future. Use search, and dozens of cookies track what you looked at, the links you followed, the ads you saw, and help determine future search results. Watch out when using social media for the data on your friends being unwittingly shared with e-commerce engines. And analytics will be tracking and monitoring all this.
Google recently, in defiance of an EU request, combined their privacy policies for their different products and essentially created a situation where any of your usage is shared across its suite of products. Use a gmail address and expect ads relating to message content, but this is now passed to Google search, affecting the results, and to Google+, spreading into your social network, and vice versa. After ‘content is king’ comes ‘context’, a key determinant of effective advertising. Google is an advertising channel after all.
The new UK law tackles this with a simple requirement: the public get asked for permission for websites to use their personal data, track their behaviour and share it, and therefore to leave cookies on your computer. But once they understand more about cookies, many people will refuse, fracturing the way much web advertising and e-commerce works, especially shopping carts. Even now, many sites require cookies to be enabled so you can book flights, trains, etc. It is not clear how the law will be interpreted in the face of disruptions to established e-commerce practice.
As with Data Protection, there is an argument about opt-in versus opt-out. Clearly opt-in is best practice: you cannot leave cookies unless you have explained what they are for and the visitor has accepted them. But some early adopter solutions are already opt-out such as BT: www.bt.com bottom right of the webpage ‘Change Cookie Settings’, though there is a pop-up message which disappeared before I could finish reading it. This is in the hazardous territory of ‘implied consent’ which has so dogged Data Protection. Since so many consumers are shocked when they discover how their data is being used on the web, opt-out and implied consent may not be the right response to complying. At a DCMS seminar on the new law at the beginning of April, the Information Commissioner Christopher Graham emphasised that the compliance regime would be pro-active and no one should ‘wait and see’.
I suspect most arts organisations will be able to comply, because most arts websites appear to work normally if I turn off cookies in my browser security settings, and those websites which need them come back with prompts to change settings, hopefully with compliant requests for specific permissions in future. However, since this law also covers analytics, which may seem benign and are used by many, there is a type of cookie in more general use for which permission is also needed. Web developers and online internet ticketing suppliers need to take urgent action to help arts organisations comply using opt-in.
Ironically there could be an advantage here, because getting permission for a cookie to properly recognise returning customers and keep them logged in, helping serve up personalised tailored pages, would be a good thing for them and us, and being open is always better for building trust. There is an incentive: the fine that can be imposed by the Information Commissioner for not complying is up to £500,000.