Wednesday, 2nd November, 2011

Cookie time

People are becoming increasingly aware that companies are keeping tabs on them and trading their personal information.

They are miffed about this, to say the least. They are not convinced that targeted marketing is really in their best interest.

In an interconnected world it pays not to upset your customers. One thing that is sure to get them going is finding out that you have been spying on them when they are on the web.

Enter the cookie. In Europe and the United States it seems that the public, and the regulators that protect them, have had enough with cookies, especially html or flash cookies and extra especially cookies that 'respawn' themselves when deleted.  As you know, most websites use cookies to track where people come from, what they look at on a website, where they go when they leave the site, and how often they come back.  Some cookies go further and track a user's overall web use.

In the United States five class action law suits have been filed since July in relation to use of Flash cookies. At issue are how Flash cookies are used and how difficult it is to delete them. At the same time legislation has been introduced in both the House of Representatives (the "Do Not Track Me Online Act of 2011") and Senate (the "Commercial Privacy Bill of Rights Act of 2011") looking to regulate cookie use. Anyone using Flash cookies on websites that are aimed even in part at consumers in the United States should follow this situation.

In Europe, the European Commission has taken steps to regulate the use of cookies.  The Commission has issued a directive requiring all 20 EU member states to pass national laws requiring user 'opt in' consent before a website can send a cookie.  The only exception is where the cookie only helps provide a service the user has asked for (such as remembering the contents of a shopping cart while the user clicks through a website). So far only seven EU members, including the United Kingdom, have passed national laws as required.  But the European Commission has started legal action against the remaining 14 member states to force them to pass laws in accordance with the directive. Again, if your website is aimed in part at consumers in Europe you should follow this situation.

In the United Kingdom the new law provides a maximum fine of £500,000 for serious breaches of the 'opt in' approach.  And it's only a matter of time before someone is prosecuted. In the US a class action cookies case involving a number of mainstream online media companies settled in June with an award of US$3.5 million.

Closer to home, in New Zealand and Australia there is no specific legal control on the use of cookies.  Provided the use of the cookie does not breach privacy laws, companies are free to use cookies to track users behaviours.

Where things are changing closer to home, is self regulation of behavioural advertising by mainstream online advertisers. In Australia (as in Europe), a website has been set up (youronlinechoices.com.au) where web users can turn off behavioural advertising from all or some of the members of the initiative. Members include Google, Yahoo!, the Telstra Advertising Network and Fairfax Digital.

In Europe things have gone slightly further, with a 'privacy icon' (a misdemeanour if ever there was one) being created for use by those who offer behavioural advertising. The icon is to be displayed on or near behavioural advertising and will provide a click through to information about behavioural advertising.

So what does all this mean if you are using cookies in little old New Zealand? Firstly, if your site is aimed at other countries, such as the United Kingdom or United States, you should make sure you comply with the legal requirements in those countries, and keep a track of what is happening in this area. Secondly, if your site is aimed at New Zealand only you need to ensure your cookie use complies with the Privacy Act. Don't collect what you don't have permission to collect, don't use it for things you don't have permission to use it for, and don't keep it longer than necessary to perform the function you said you were collecting the information for. Finally, behave yourself and all will be well in the world.

An edited version of this article was published in NZ Marketing magazine - November/December 2011