Who's watching you

Article  \  28 May 2011

Increasingly, retailers see the need to have a web presence in addition to a bricks-and-mortar store. Some retailers only have a web presence. Most, if not all, businesses that have a presence on the web use html or 'flash cookies'.

Local Shared Objects (LSO), commonly called flash cookies (due to their similarities with HTTP cookies), are pieces of data that websites which use Adobe Flash may store on a user's computer. While websites may use flash cookies for purposes such as storing user preferences, there have been privacy concerns regarding their use.

Most websites use cookies to track where people come from, what they look at on a website, where they go when they leave the site and how often they come back. Some cookies go further and track a user's overall web use.

Cookies, therefore, provide those that use them with a significant amount of valuable intel which can be segmented and used to target consumers about products and services they are interested in. The information gathered can also provide insights for a retailer in how to structure their website and drive traffic through to the order page.

Some controversy has recently arisen regarding flash cookies because of not only how they are used, but also the difficulty in deleting them from a computer. There have also been some assertions made that flash cookies are used in some websites as hidden backups, so that they can revive HTTP cookies when a user deletes them.

In New Zealand and Australia there is no specific control over the use of cookies. Provided the use of the cookie does not breach privacy laws, retailers and other businesses are free to use cookies to track users' behaviours.

Privacy laws

Privacy laws in both countries prohibit the collection of data by cookies or other means where the information collected identifies a particular individual or - when pieced together with other available information - identifies an individual, without informed consent. In that context, it's not just New Zealand law that is relevant but also the law in the country of the person whose data you are collecting. The collection of personal information needs to comply with privacy laws in the user's country.

As the web is borderless, retailers can therefore, without even being consciously aware of it, reach consumers in far-flung places. This has the potential to increase the compliance issues for that retailer, particularly around privacy and the collection and storage of personal information.

Cookie use has, however, come under the spotlight internationally, along with its cousin 'targeted marketing'. There is a feeling by some that Internet users need to be protected from unwarranted observation of their on-line activities. Legislative changes and private legal action to protect consumers' privacy are currently under way in the European Union and the US.

In August 2009, it was reported in Wired Magazine that more than half of the top websites used flash cookies to track users and store information about them - but only four of them mentioned it in their privacy policy. It is this lack of transparency in the use of cookies that has led to the disquiet expressed by some that the use of cookies intrudes upon an individual's privacy. As flash cookies are relatively unknown to web users, a user may not even know that they are being tracked. And even if they do know, and they take steps to remove the cookie, they most likely have not done so.

In the US, that disquiet has now turned into legal action. Five class action lawsuits have been filed since July 2011 in relation to the use of flash cookies. At issue is how flash cookies are used and the difficulty in removing them. Anyone using flash cookies in the US should follow these cases and, until they are determined, use cookies with caution where the consumer's computer is in the US.

European legislation

In Europe, legislative changes are afoot to protect privacy on-line. The changes are being driven by the European Commission, which has decided to specifically regulate the use of cookies. If your website is aimed at users in the European Union (in part or whole) you need to look at complying with this set of rules.

To regulate cookie use, the European Commission has issued a directive requiring all 20 EU member states to pass national laws requiring user 'opt in' consent before a website can send a cookie. The only exception is where the cookie only helps provide a service that the user has asked for (such as remembering the contents of a shopping cart while the user clicks through a website). So far, only seven EU members - including the UK- have passed national laws as required. But the European Commission has started legal action against the remaining member states to force them to pass laws in accordance with the directive.

In the UK, the new law provides a maximum fine of £500,000 for serious breaches of the 'opt in' approach - and it's only a matter of time before someone is prosecuted.

Closer to home, the Australian Privacy Commissioner has advised that Australian privacy law is under review and the Commission is watching the EU approach with interest. But it looks unlikely that any specific control of cookie use in New Zealand or Australia is imminent.

What the above means is that if your website is aimed at New Zealand and Australian users only, then nothing has changed. There are no specific rules around cookie use, but you need to ensure you comply with privacy laws. However, if your site is directed at the European Union or the US, the rules around cookie use are changing. In the European Union you are likely to need to have users opt in before you can send them a cookie.

More broadly, this change in how cookies are treated in the European Union and the lawsuits involving flash cookie use in the US are a timely reminder that you need to comply with national laws in the countries at which your business is aimed.

This caution applies not only to the use of cookies, but also to the broader rules of how you do business generally.

An edited version of this article was published in NZRetail magazine, issue 700.