Cookies are small text files which are stored on an individual’s computer allowing websites to recognise a user from previous visits and deliver particular messages to them.
Cookies are used almost universally on the internet not just to target advertising and marketing but also to recognise past behaviour and then to channel a user to a particular section of a website. For example, if you are an IFA visiting a provider website, cookies left on your machine from previous visits are likely to route you to the intermediary part of the website rather than the consumer site.
Many internet firms say cookies help the smooth running of the internet on an anonymous basis but the EU has decided there is a substantial risk to individuals’ privacy.
The specific regulations are included in the EU directive, the Privacy and Electronic Communications Regulations 2003. These were updated in 2009, became law in the UK last May, and come into force on May 26 this year. The regulations will be policed by the Information Commissioner’s Office.
In general there will be two types of cookies – those deemed necessary to something the website user has asked to do and those deemed not strictly necessary, which will require a website to obtain consent from the user to use them.
Cookies used for security on bank accounts will be allowed but those used in analysing web traffic, for advertising or personalising websites to a particular visitor will require user consent.
This is going to be a big headache for online advertising and certainly targeted online advertising because websites will be expected to ask users for permission for ads specifically targeted at them.
It could also have implications for advisers. First, IFAs’ client-facing sites may have incorporated cookies to direct those clients to a particular area of their website. Cookies may also be used where a website pulls in information from other sources, for example, a Twitter feed, a news feed or perhaps a graph of the latest stockmarket performance.
The regulations could also stymie some analytic software which monitors traffic to a website.
For bigger intermediaries which use extensive internet marketing, it could bring problems where they are buying targeted marketing and advertising.
It could disrupt IFAs using provider websites and is yet another cost for insurers, fund managers and lenders.
More generally, it could disrupt some comparison site links to providers, although IFAs may be a lot more relaxed about such disruption.
The price for not complying with these regulations can range from an enforcement notice to a fine of up to £500,000 but a breach has to have led to “substantial damage or distress” to attract a big fine.
As with all new regulations, the ICO itself is getting up to speed with the regulations. For example, the ICO’s messages on cookies used for analytics is a little confused, with it saying it may not prioritise this type of cookie for enforcement despite the fact they appear not to meet the “strictly necessary” definition.
You might use a pop-up window with a yes or no choice which has to be clicked before the user can proceed but this risks a high bounce rate of people leaving your website altogether.
Alternatively, you could use a warning banner with a request message, which does not have to be clicked but it is important to get the wording correct and to give the message enough prominence to meet the regulations.
When it comes to third-party content, both the website owner and the third party are responsible for obtaining permission or avoiding using cookies without consent.
Third-party content can include banner advertising systems, social media buttons, YouTube videos, analytics packages and some other embedded widgets. All these connections may have big implications for advisers and other financial firms, depending on how extensively they use them.
Those third parties may already be working on cookie-less services. YouTube has videos you can embed without cookies, for example, while some other content providers offer guidance but others are still working on their approaches.
In terms of what advisers and providers should do, we suggest they need to audit their websites and assess their marketing and advertising strategy for cookie use to check for compliance.
We understand that advisers are facing a host of regulations. The last thing adviser business owners want is another set of regulations. It is unlikely that advisers will be first in the firing line when the ICO comes to enforce its new rules but it would be prudent to make sure you do not fall foul of them any way, in particular if the web is an important part of your marketing and customer relationship management.
A full report on the new regulations, including examples of how you can ask consent for using cookies, can be downloaded from www.space01.co.uk