Association of online publishers Helping media owners build better digital business

The difference between consent and opt-in

This is the latest in a series of articles by Evidon on the upcoming ePrivacy Directive - read the last one 'what's on the slate for 2012'. Evidon is appearing at our sold out Privacy Directive event on 18 April.

By Colin O'Malley, Chief Strategy Officer, Evidon

A quick quiz: For all non-essential cookies and related tracking, the ePrivacy Directive requires you to obtain:

a) An opt-in
b) Consent
c) An opt-out

Marketers are used to speaking in terms of opt-out or opt-in, and I’ve been in dozens of conversations in the last few months where executives, trying to get a handle on the new legal standard, try to frame the ePrivacy Directive in these terms. This logic is dangerous, as it forces you to choose between two untenable extremes. The current opt-out model, whereby the especially motivated consumer can discover information about tracking and opt out, is clearly non-compliant. An opt-in model would be hugely disruptive to the web experience, forcing a manual action on the part of the user before each tracking company could be activated. For an example of what opt-in would accomplish for the industry, see the IAB EU demo site.

The correct answer to our quiz, ‘consent,’ represents a middle ground, and smart companies can build valid consent experiences with minimal disruption.

Background

Lifted straight from the text of the amended ePrivacy Directive:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.”
Directive 2009/136/EC

Consent is a clear indication of the user’s wishes, having been provided with clear and comprehensive information. This is the lens a regulator will use to assess your compliance, and the availability of a buried opt-out option obviously falls short of this standard.

A classic example would be the site that attempts to add language to its privacy policy to gather consent. The majority of visitors will never see the link to the policy in the footer of the page, and those who find and click on the link would have to sift through dozens of paragraphs of legal text before locating the consent language. The inaction of users who either miss the link entirely, or who read other portions of the privacy policy and move on, does not indicate anything that is useful from a compliance standpoint.

It is useful here to reflect on the priorities of the Commission and regulators, including the Information Commissioner’s Office (ICO) here in the UK. These folks do not think in opt-in/opt-out terms. They are concerned that the data collection taking place on the web has the potential to violate the privacy rights of citizens. And they suspect that the explosion of commercial entities involved, and the complexity of their business models, has taken place without the consumer understanding what is happening or what is at stake. They therefore conclude that the onus is on industry to proactively educate the user about these practices, and to prove that consumers understand and accept them.

The Flexibility of Consent

If it sounds to you like consent can be obtained in many ways, you’re exactly right, and this is a great advantage of ‘consent’ over ‘opt-in’. If you can demonstrate that information about tracking activities is clearly posted in a manner that any reasonable consumer would see and understand, you can argue that their decision to proceed using your site is evidence of their consent, even if they take no specific action to tick an extra box (this is commonly known as ‘implied consent’).

The ICO has embraced this flexibility by releasing compliance guidelines like their most recent Guidance on the rules on use of cookies and similar technologies, which are suggestive and accept a range of options. The Information Commissioner himself has issued statements that endorse models of consent that are less interruptive. In his half term report on cookies compliance, Commissioner Graham said you might have confidence you are compliant if users:

“Know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.”

In other words, the regulators are using more common sense than many are giving them credit for. I’ve spoken to at least six regulators across Europe who have specifically cautioned against going as far as opt-in, including regulators contributing to the most conservative voice in the debate, the Article 29 Working Party.

This means that you don’t need to disable all tracking by default. You don’t need to offer a tick box for consent that over 90% of your visitors will decline. The commercial impact of either path would obviously be disastrous. Online marketing, which has increasingly become reliant on advanced data synchronised with cookies and related technologies, would be set back at least ten years. Take a deep breath, as none of that is necessary.

What this Means for You:

1. Accept the need for consent. It is now the law, and if you are based in the UK, the ICO will start enforcing in six weeks, on May 26th of 2012.

2. Drop the opt-in/opt-out comparisons. If someone says you can get away with opt-out, they don’t understand the law. If they say you need an opt-in, they are going further than the regulators themselves. Go just far enough and stop there. Consent is your friend.

3. Don’t ask for the regulators to further clarify. The ICO has released two compliance reference documents and CNIL has released one. They aren’t yet prescriptive, and we are very fortunate for that. Marketers understand their audience much better than regulators. The worst outcome would be prescriptive interfaces dictated by the regulators. Just ask your friends in the tobacco, alcohol, or pharmaceutical industries.

4. Time to build consent into your site. There is a place for creativity here, along with your own vision for how to communicate to your visitors in a manner that is clear and adds to their experience. Just remember that you will want to be able to argue that any reasonable consumer will have encountered your consent interface, and that it includes specific information about the companies involved in tracking and the types of activities they engage in. You will also need a credible way to enable visitors to withdraw consent from any non-essential tracking.

As the grace period before enforcement in the UK comes to a close, the reality of the law is coming into focus. Know what is on your site, and then build your consent process, either by yourself or through a partner that understands the operational complexities and can deliver a solution that makes you compliant without making massive commercial sacrifices.

Evidon is speaking at our EU Privacy Directive Forum event on 18 April.
