Part 1 – Cookies, EU and an explicit Opt-In

A buddy and I were talking about expanding an online US business into England and the EU. We were talking about the online experience, currency, privacy and, specifically, the cookie (use) disclosure difference between a US and an EU business. An EU business must disclose how they use end-user online data BEFORE they start tracking. While there are clearly differences between the EU and US models, and work involved to comply with any laws, I think there is great value in every online business adopting these more participative forms of dialogue with their customers. The added disclosure provides information and value to both sides. Fear and hiding the intended use fosters a misaligned business relationship. I’ll discuss these elements over, I’m expecting, three posts. The first will be mostly definitional. And note that I’m not going to review privacy overall. That topic is too intense and, well, a little too personal for me.

In a nutshell, we are talking about how a company uses information stored on visitors’ computers and how we recognize them over their session and numerous visits (at this time, mostly with cookies). The US has always taken the position of implied consent (it’s obvious what we’re doing and the fact you didn’t immediately leave when you got to this page is your consent), whereas the EU recommends (requires) that the user agree explicitly and be able to disable subcomponents from being gathered. The EU Cookie Directive (and now, law, country by country) in principle suggests a highly granular opt-out (some interpret it as teetering on one-to-many explicit opt-ins). In summary, the directive stated:

  1. Disclose (clearly) that you are using cookies to store usage data
  2. Disclose (clearly) how you plan to use that data
  3. Allow the user to disable (enable) one or more of the attributes you store.

In terms of use, we all know our goals often go well beyond just improving the user navigation, so let’s say so. Additionally, the spirit of the EU guidance is to do this at the onset of the user experience (before you take advantage of the cookie!). We shouldn’t wait to describe our use policies, like some of us do on the check-out page when we ask for explicit items like email address and phone number. It’s useful for us to review the EU guidelines since, in the US, I only know of the myriad of state laws. We might be able to draw some conclusions about a future federal approach with a review of the less stringent CAN-SPAM guidelines, which only refer to email in an attempt to curb spam. It basically says:

  1. Don’t use misleading information (don’t put the recipient’s email address in the “Sent by” or write deceptive subjects.)
  2. Disclose (clearly) the message as an ad (your intent) and who you are
  3. Allow the user to opt-out and honor the opt-out quickly

I repeat, CAN-SPAM is just for email, but the spirit is the same. I’m not talking to spammers here, but to those who want to do right by their prospects and customers. What do you want from the user and what will you do with it? And allow the user to opt out. Note there is widespread derision about CAN-SPAM and it has pretty much not been enforced. My focus returns to the EU cookie guidance.

Do users even know what cookies do and why they should care? No. Studies have been done and consumers don’t really understand anything about them and what is being “done to them” with this data. At this time, they are just happy with the free app or content or whatever. So why worry about the cookie laws? Why spend any time on this other than the absolute minimum?

Tease for part 2 – I think there is great value in the product team exploring their products and online user experience streams. The cookie guidance is merely a trigger to have the discussion on your online brand and culture. It’s amazing how intense and useful the discussion with the product team can be when you talk about disabling a (cookie) function, i.e. just how much functionality should/will the user lose? It focuses us on thinking about our customers, what makes some better than others, our products, the tangible value of each subcomponent of the product, and our business strategy and partnerships. The whole relationship. Don’t delay, since there is value in using this as an opportunity to explore and take advantage of the potential value streams and to explore or re-evaluate which ones are most favorable to monetize. It also forces us to be focused so we don’t just capture everything we might want.

Back to the details.

How are organizations reacting to the EU cookie guidelines in practice? What is the accepted net etiquette? Is it even relevant to US businesses? US-only businesses? There are differences of opinion on the impact to US-based companies who casually or even substantially do business in the EU. The jurisdictional arm of the law doesn’t reach across the pond to solely US-based entities. Beyond the value it can bring to an enlightened company, I believe it comes down to being a good net-citizen and why wouldn’t we want to be that?

By the way, the cookie laws are “in-principle” laws/guidelines. They refer to any storage of this information and not just what is stored in cookies. So, whether it’s a back-end database, HTML5, Flash, etc., the same principles apply: tell the user how you are using their information and allow them to make participative decisions.

It seems many companies are aiming to comply with the spirit of the guidance. I think many with few products and/or immature net strategies have very simple, broad-brush cookie explanations and a one-switch granularity. I’ve seen one simply say turn off cookies in your browser, an approach that won’t win many friends. But like all things, there is an evolution and a wide spectrum of treatments. I think it is fair to say that initially more of them interpreted that they were to provide opt-ins for everything, and now they merely take an explicit implied concept approach. What the heck does “explicit implied” mean? That means statements like: “Here is what we are doing and do you want to be bothered with all these e-commerce nonsense details?” and asking the user to press a button that says: “No thanks” or “Thanks for telling me.” It seems a slight deception to suggest the user press “No thanks” when it, in fact, means “go ahead and sell my use-data to whoever you please…” but the reality is the reality. On the other side of the spectrum are those who highlight, specifically, what cookies do in each of the major categories of Ease of Use / Navigation; Performance; Security; Functionality; and Social.

In the next posting, I’ll discuss why compliance with the spirit of the laws is a good investment for businesses.

2 comments

  1. […] of all, you may not have a choice. See my post on the EU Cookie Laws. Now, browser manufacturers are responding to users’ demands to help keep private information […]

  2. […] EU guidelines, discussed in this post, differentiate between essential (strictly necessary) vs non-essential. Essential cookies are often […]