I attended the first IAB Social Media Debate of 2012 yesterday afternoon. It was also the first since STEAK joined the IAB’s Social Media Council. The motion was as follows:

‘The online marketing industry is too easily distracted by the latest ‘shiny technical object’, reducing its effectiveness and ability to achieve results’  

The event was chaired by the ever-entertaining Tom Ollerton (@mrtomollerton) and featured John Pritchard, Jules Duncan (@juliusduncan) and Jon Bishop (@jonin60seconds) arguing for, and Rob Salmon (@rsalmonuk), Liz Scarff (@lizscarff) and Alex Tait (@astait) arguing against.

The debate’s subject matter apparently arose, quite unsurprisingly, out of a conversation about Google+ (ah, good old Google+). 

The team defending the motion quickly adopted the position of the frugal pragmatist, arguing that there are now simply too many social media platforms to spend time on – and dedicate resource to – all of them (Brian Solis’s mind-warping Conversation Prism was faithfully pulled out to demonstrate the point, with the accompanying claim that if you were to spend just two hours researching each of the platforms represented you would lose half of your working year – I looked into this and it’s not quite true: there are 108 tools and platforms in the Prism giving a grand total of 216 hours which divided by a working day of 7.5 hours is actually more like a month and a half. For the sake of fairness, however, I should point out that that Solis’s illustration is now 4 years old and doesn’t include Google+, Pinterest or Quora or any number of the other 50 million social start-ups that have kicked off since 2008. Point made and taken.) They argued that resources simply can’t stretch forever and that tried and tested options, with transparent analytics are the safest options for responsible marketers. ‘Don’t be first, be second’ was the buzz-motto proposed by PayPal’s Jon Bishop.

To counter, the team arguing against stated their belief that ‘…keeping up with the latest technical developments is essential to stay relevant in today’s communication landscape.’ A position that is really quite difficult to contend with these days. They used specific examples of businesses and projects that have both succeeded and failed due to their approach to innovation and change (including the late great Kodak). Perhaps most illuminating was Liz Scarff’s case study of her work with Save the Children in which AudioBoo played a key part in securing coverage of her #Blogadesh campaign on the Guardian’s live online coverage. She was challenged on this a number of times on the basis that the project story and content was really behind the success but she remained steadfast, maintaining that the Guardian simply would not have taken on the story in the same way had AudioBoo not been employed. Rob Salmon was particularly entertaining and to be fair had warned us that he was thrown out of the last debate he was involved in (at school) for getting ‘too excitable’. He cited the example of his work with Carling in launching the ‘iPint App’ on iTunes to demonstrate how being first on a platform can lead to newsworthiness and exposure.

All in all it was a lively debate, some very interesting points made by all involved and it was well worth attending.

Where do I stand? Well personally I think the idea of ‘bonfires’ and ‘fireworks’ is useful here. Social media gives us both long-term and short-term opportunities and both are woven in to the most successful strategies. Investing considerable amounts of time and resource into unproven platforms is certainly risky (especially when we’re blind to success metrics) and won’t be for most organisations. On the other hand, as every brand out there starts trying to ‘behave like a publisher’ using the big four platforms there’s the ever-present issue of how to achieve cut-through – how are you going to get noticed if you don’t do something markedly different from your competitors? There are lessons to be taken from both sides of the argument, but ultimately playing it too safe for too long is a surefire way to drive your brand into eventual obscurity.

I very much look forward to the next IAB Social Media event.

@adigoodsell

The Information Commissioners Office has now (with less than 30 days to go) published some guidelines. They state some important points:

• The Directive applies to mobile devices and applications, as well as  “normal” websites; earlier EU/ UK government documents didn’t always explicitly state this, but it was widely assumed
• That the Directive applies to: “how you use cookies and similar technologies for storing information on a user’s equipment” which means future developments like Connected TVs will be covered by this
• That Flash cookies (i.e. Locally Stored Objects) are covered in case of any doubt
• Acknowledges (see our earlier posts) that browsers do not currently have the functionality to a) categorise cookies by purpose and b) offer consumers an easy way to control cookies by these categories (and therefore purpose)
• States that browser settings are currently not therefore suitable to “rely on” for getting consent from consumers, despite the Directive mentioning them
• That adding consent clauses to site Terms and Conditions is acceptable, but consumers have to be alerted to this change – they must know about it to therefore give consent
• That cookies set as a result of choosing to use a particular site feature also require consent (slightly contradicting earlier suggestions that any cookies required for site functionality were exempt). To be explicit: only cookies that are “strictly necessary” are exempt – e.g. a cookie that enables a shopping basket to work
• Further examples of how to gain consent for particular types of cookies might be issued in future by the ICO

Translating the ICO Guidance Into Action

So what do brands actually need to do? Here are our suggestions, replacing our earlier post on the topic – but of course, we also recommend checking with in-house lawyers, and keeping an eye on the ICO site and industry press. As we’ve commented before, the 25th is just the start.

1: Audit your cookies and tags

The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.

We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced that the current market leader – and is being  developed with privacy issues in mind. Please email your contact for more info.

It’s worth noting that redundant tags add to page load speeds – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.

2: Categorise your cookies and tags

As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:

“Cookies necessary for the provision of service: In this case, you may continue to use cookies but you should explain to consumers why you are using them. For example, tell consumers who use an online banking service that cookies are there for security purposes and that they cannot use the service without them.

Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.

Helpful non-intrusive cookies: Cookies which fall into this category would include cookies which track anonymously how visitors move through your organisation’s web pages. You will need to get consent for the use of such cookies in your privacy policy.

Obsolete cookies: There is no point in asking for consumers’ consent to the use of cookies if they are irrelevant. The audit provides a good opportunity to remove the use of such cookies from your website and will ensure compliance with the requirement in the Data Protection Act 1998 that personal data should not be kept for longer than is necessary.”

The ICO advice builds on this, and makes clear that cookies should be obsessed for how intrusive they are, and suggests one way to do this is to imagine them on a sliding scale – including 3rd party cookies.

3: Update Privacy Policies and Site Terms and Conditions

We strongly suggest brands add text to the existing privacy policy pages linked to from the site footer, or via a new footer link “Cookies” depending on in-house style. This should cover the different types of cookie as categorised above and clearly specify what they are used for and link to any 3^rd party information as relevant- the ICO documents states: “You must think also about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choose about what they will allow.” Remember that you should also provide links to any opt-out mechanisms that exist, too.

4. Decide how to tell consumers – and plan site changes

The ICO have (finally) been clear – brands need to tell consumers that they are using cookies and alert them to any update to Privacy Policies or site Terms and Conditions after the 25^th of May, including linking to information about the policies of third party cookies.

The ICO document discusses two options for informing consumers:

Splash pages or pop-ups which the ICO discount as possibly irritating, and they seem to miss that many browsers block most pop-ups as standard, anyway.

Text in the footer or header which highlights/scrolls when a cookie needs to be set – this could be a good option, or incredibly ugly – and the ICO seem to have missed that most consumers rarely see the footer of a site, as it’s below the fold.

Sites also need to make clear if any site functionality drops a cookie – e.g. ticking a “remember me” box when logging in.

This area is challenging – brands will need to alert consumers without scaring them, or ruining the aesthetic of their websites. No doubt we’ll see some good and some terrible attempts at this in the comings weeks; our initial suggestions are:

Consider a header “accordion”

This is something Amazon already do well – if you visit the.com site from the UK, a content “accordion” suggests you visit the .co.uk; Yahoo! do the same. It’s not hard to imagine these adapted to state something like: “This website uses cookies; under new EU law, we need your consent to use them – please click here” linked to the relevant information / opt out to gain consent (or not). Obviously this needs legal sign-off; but the mechanism is worth considering.

This could be set to only appear on first visit to the site after the 25^th (using a cookie, ironically) and then re-enabled for subsequent changes. This of course only applies if the user doesn’t need to give consent on every visit – but if that becomes requried, the industry is going to have wider issues to worry about, anyway.

The current usage of this technology by Amazon and Yahoo! is shown below:

Add text to functionality options

Where ever a site user takes action (click, ticks a box etc.) and enables site functionality that drops a cookie, add text telling them – e.g. “By ticking “remember me” you will set a cookie on your computer. Read more here” (linked to Ts and Cs/Privacy Policy as relevant). This of couse won’t be the easiest thing to integrate into site designs – another option might be a small piece of text “Uses Cookies – Hover for Info” which uses a hover-over tool tip to provide info and a link.

4: Monitor the Press

This will be the most important thing after the 25^th May – as further DCMS/ICO guidelines may be published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.

We’ll post further posts and update this one as relevant.

UPDATE: we’ve posted a revised set of steps following the ICO’s guidance notes here – please read these instead.

In part one we outlined the EU Directive affecting cookies and some of the controversy and interpretations surrounding it; below we discuss the practical steps we suggest brands should take before the 25th May, drawn from our own reading and briefing notes from the IAB UK, DMA, IPA and other sources:

1: Audit your cookies and tags

The first step is the obvious one – make sure you know which cookies your site drops across all of its pages and as a result of on-page functionality being used. We suggest you review the tracking tags on site, too – always a useful housekeeping exercise and a perfect opportunity to remove any that are no longer required, and to consider a tag carrier solution to make this process easier in future.

We can assist Steak clients with this and suggest a tag carrier and attribution solution that we believe is significantly more advanced that the current market leader – and is being  developed with privacy issues in mind. Please email your contact for more info.

It’s worth noting that redundant tags add to page load speeds – something Google started paying more attention to a few years ago – and slower loading pages will always impact negatively upon conversion rates.

2: Categorise your cookies and tags

As the Directive allows greater leeway for cookies that are vital for site functionality, it makes sense to categorise your cookies and treat different categories differently. We suggest adopting the DMA’s categorisation:

“Cookies necessary for the provision of service: In this case, you may continue to use cookies but you should explain to consumers why you are using them. For example, tell consumers who use an online banking service that cookies are there for security purposes and that they cannot use the service without them.

Useful but intrusive cookies: These cookies are useful to your organisation but are particularly intrusive from the consumer’s point of view. An example of this type would be third-party cookies which track a user’s use of the internet as they move from website to website. You will need to get consent for the use of such cookies and ensure that website visitors are fully aware of how the cookie will work in simple terms which they can understand.

Helpful non-intrusive cookies: Cookies which fall into this category would include cookies which track anonymously how visitors move through your organisation’s web pages. You will need to get consent for the use of such cookies in your privacy policy.

Obsolete cookies: There is no point in asking for consumers’ consent to the use of cookies if they are irrelevant. The audit provides a good opportunity to remove the use of such cookies from your website and will ensure compliance with the requirement in the Data Protection Act 1998 that personal data should not be kept for longer than is necessary.”

3: Update Privacy Policies and Consider Site Ts and Cs

Until the full DCMS guidelines are published (sometime after the 25th May – see part one), knowing exactly how the DCMS and ICO will require websites to gain consent for dropping cookies is impossible. At the very least, we strongly suggest brands add text to the existing privacy policy pages linked to from the site footer, or via a new footer link “Cookies” depending on in-house style. This should cover the different types of cookie as categorised above.

We also strongly suggest talking to in-house lawyers at this stage, but especially on the point of consent. It may be that site Terms and Conditions will become the place to request consent in the DCMS guidelines. The theory is that by using the site the visitor accepts the site Ts and Cs (a standard mechanism now) and the Ts and Cs can be amended to include giving consent as a result of using the site. That may be a change worth making sooner rather than later.

4: Monitor the Press

This will be the most important thing after the 25^th May – as detailed DCMS/ICO guidelines are published and the attempts to enhance browser functionality succeed or fail, brands will need to adjust their cookie usage / site text accordingly.

We’ll add further blog posts as this develops.

UPDATE 6/5: Some government guidelines might be published before the 25th according to some sources; however how much time brands will then have to act is unclear; we still suggest following the steps above.

Fast forward to 2011, and on May 25th the five Directives are required to become national law across the EU – including the section relating to cookies. This has led to a lot of press coverage in the mainstream and digital industry press, with dire predictions of the death of web analytics, digital marketing, behavioural marketing and even sophisticated websites themselves.

This is nonsense – here at Steak we want to be very clear about that. To borrow a phrase from a well-known British sitcom – “Don’t panic!”.

As noted by the IAB UK in their briefing note to members, the ICO unfortunately fuelled this atmosphere with a press release entitled “’UK businesses must wake up’ to new EU law on cookies, Information Commissioner warns” despite the body of their release acknowledging the work the IAB and other industry groups have been doing to work with the ICO to turn theory into practical guidelines for business – work that will continue past the 25^th of May.

Further confusion was created when The Head of the ICO used the phrase ”explicit consent” in a Radio 4 Today Show interview: the IAB have subsequently received confirmation from the ICO that he was wrong to use this language – brands do not need to start asking consumers explicitly every time a cookie is dropped on their device.

The 25^th is not D-Day for Cookies

The DCMS (Department for Culture, Media and Sport) have been quite frank: the technical guidelines that lay out how brands should actually implement the directive into practical steps on their websites will not be complete for the 25^th May.

In addition, the Information Commissioner Christopher Graham said: “I cannot bark at the industry at the moment because I have not got the regulations.”

He did however add “My message is that this is not your ‘get out of jail free’ card” and continued to state that complaints would be judged against what brands had done to prepare for the 25^th.

The reality is that the 25^th May is not D-Day for cookies: rather it’s a milestone in a longer process that will result in guidelines from the DCMS that brands will need to follow; but they are expected to take some steps beforehand. Nobody in government has clarified exactly what they are – brands have been left to make their own interpretations.

The Browser Will Be Key?

Something that was missed in some of the early coverage of the 25th May was the preamble to the Directive. The IAB Europe stated in November 2009 that:

“For cookies, the legislation’s preamble specifically says that the control settings in a web browser such as Firefox, Internet Explorer, Chrome, Opera or Safari are sufficient to comply with the consent requirement in the legislation.”

The implication the IAB Europe was drawing in 2009 was clear: consumers are consenting to cookies by enabling them in their browser (and have always been able to block them overall or for individual sites, although this is time consuming not easy for the non-technical). It should be noted that some law blogs have questioned this interpretation, as the preamble was originally a part of a draft of the Directive and was rejected; and preambles have in the past been given less legal importance than the actual Directives themselves.

Thinking around browser settings has advanced since 2009, with the ICO and DCMS “pursuing” enhanced browser settings which “which will give website visitors more information as to how the website uses cookies. This will also give people understandable choices regarding any cookies being placed on their computers” according to the UK DMA (Direct Marketing Association). The DCMS guidelines published on the 20^th of April support this approach – it’s important to note that, overall, consent via browser settings is the mechanism supported by the UK government.

No browser updates have been made that introduce easier-to-use functionality for cookie control, nor has any browser manufacturer clearly stated they will do so specifically because of the Directive for the 25^th of May. It remains to be seen if the aspirations of UK government bodies will become reality with the global companies involved; and other EU governments have taken harsher stances – as Lewis Silkin note, the UK may face EU legal action in future.

Not All Cookies Are Born Equal

One significant point to note is that the Directive allows for the use of cookies in a way that makes sites function on an opt-out basis. To quote the DMA again: “This will mean website owners will not need consent from the user to place cookies on their computers where the use of the cookies is strictly necessary for a service provided by the website owner at the request of the user. This will cover, for example, the use of cookies in shopping baskets on e-commerce websites and security cookies on online banking websites.”

So brands do not need to worry that they will need to significantly re-engineer their online functionality as a result of the Directive and subsequent DCMS guidelines.

Behavioural Advertising and Cookies

Behavioural advertising will attract a lot of attention with regards to cookies and the Directive – there’s been plenty of previous coverage around the privacy implications. The IAB and industry bodies have been working directly with Brussels on this, and the EU has broadly supported the industry’s approach, including the consumer education websites linked to at the bottom of this article as well as an easily recognisable Internet icon, privacy policy notices, a single consumer control page, and a self-regulatory compliance and enforcement mechanism. This approach is still under development.

In part two of this blog post, we layout the steps Steak and industry bodies suggest brands need to take before May 25^th. UPDATE 16/5: we’ve posted a revised set of steps here following the ICO’s publication of guidelines.

UPDATE 6/5: Some government guidelines might be published before the 25th according to some sources; however how much time brands will then have to act is unclear; we still suggest following the steps in our second blog post.

Useful Links

ICO: Confidentiality of Communications Guide (Cookies)

DMA Newsletter Guidance on Cookies

Lewis Silkin on the DCMS and Cookies

All About Cookies from the IAB

Your Online Choices: IAB Guide to Behavioural and Cookies for Consumers

There were also great contributions from other speakers from a good cross section of the industry, and the turnout was fantastic, so thanks go out to everyone involved.

You can download a copy of the new IAB Video Handbook, which contains a case study from us, here. And if you want any information about our experience of online video, do get in touch.

This is part of wider changes to the code of self regulation for the advertising industry (called the “CAP Code”), which is administered by the ASA (Advertising Standards Authority). The CAP Code will be extended to website content and mobile advertising in September, 2010.

To fund this, a levy will be collected against paid search spend from 1st May 2010 at 0.1%. The levy will be collected by agencies. In addition, Google has agreed to contribute seed capital to this fund for the first two years in recognition of the volume of direct spend handled by the search engine; they had previously refused to collect the levy via their systems. The ISBA, representing advertisers, wrote to advertisers in January 2010 informing them of the change.

This follows a 18 months consultation between industry organisations including the IAB (representing the digital industry), the IPA (representing agencies) and ISBA (respecting advertisers). The extension of the CAP Code was agreed upon as part of the industry’s continuing efforts to ensure self regulation is successful, up-to-date and to avoid any future government legislation. Steak is a member of both the IPA and IAB and sits on their search councils, and has played a part in this consultation.

Please note that FSA regulation is unaffected by the extension of the CAP Code.

Background reading and announcements:

CAP Code and The ASA
IAB
ISBA
ASBOF
The IPA

If you are a Steak client and have any questions, please contact your Account Director.