As the May 26th Cookie Law compliance deadline fast approaches many companies are starting to panic a little at the prospect of unleashing something so potentially disruptive on their customers. Indeed, simply putting a prompt to consent on your website without warning will likely loose you a few customers. But this doesn’t have to be a “rip the plaster off quickly to get the pain over with” endeavour, in fact it may well benefit you to do the opposite. The ICO acknowledges the fact that having a fully functional solution up and running on May 27th may prove a challenge even with the greatest will in the world. A phased approach is perfectly valid assuming you can produce serious plans for following through on this.
So in that spirit, here’s my guide for a graduated approach to cookie compliance. The idea is that you guide your existing users into expressing their consent with more gentle methods before unleashing the more intrusive ones. You don’t necessarily need to implement all these steps, and perhaps a slightly different treatment of the same approach will work better for your business, but adhering to the spirit should minimise the impact to your business while staying on the right side of the ICO.
1) Audit your cookie usage and make a hitlist of cookies you don’t absolutely need
Make sure you know exactly what cookies you’re using, what they’re used for and what use they are to your business. There are various tools and services out there to help you with this.
Any cookies you don’t need should be removed before implementing any compliance solution – you really don’t want to bother your customers about cookies that you don’t use or don’t really need. Deliver this list to your tech team and have them remove the offending cookies.
3) Contact your users and tell them what’s happening
It’s now time to start informing your users as to what you intend to do. This is your opportunity to educate them on the purpose of the much maligned cookie and state your case as to why you use them. Forewarned is forearmed, so when users turn up at your site and are given the opportunity to state a consent preference they’ll already know what it’s all about and won’t be baffled into any rash action.
You could do this by way of an email campaign, or perhaps part of an existing newsletter or on your company blog or all of these. Perhaps your site has internal messaging system that you could use. The idea is to make the user feel like you are coming to them proactively rather than just springing the whole thing on them. Collect data on open rates and clickthroughs to the landing pages which contain your messaging and use this to gauge interest.
You may also want to consider briefing your customer service teams so that they are fluent in the rudiments the cookie law and your approach to it. Use this an opportunity to gauge sentiment about the issue.
4) Implement a solution that allows users to opt-out of cookies without explicitly prompting for consent
Construct a page or area of your site where you can direct people where they can adjust their consent preference. This could be in the user’s profile settings or a simple stand alone page that drops a cookie to remember their preference. At this stage you can default this to ‘opt-in’. If you’re planting a cookie to remember a user’s consent preference then make sure you tell then that this is what you’re going.
5) Use on-site messaging to bring user’s attention to your changing policy
6) Implement a option to consent at account sign-up
Take this opportunity to use this softer consent prompt for new users signing up for your service. This way you get their preference early in the customer’s lifecycle with minimal intrusion. Most internet users will have been presented with something similar in the past to opt-in or out of email marketing, so this will be a familiar action to them.
7) Place an on-site icon that directs users to a page where they can read about cookies and state their consent preference
Short of displaying an intrusive option to consent banner or lightbox, employ the more subtle option of using an icon that users can click through on to adjust their preferences or find out more information. This can either be built into the structure of your page or as a ‘floating’ icon that sits in the corner. See CookieQ and Cookie Control for examples of how this can be done.
8) Record and analyse statistics relating to consent preference
All this so far has been about easing you users into the brave new cookie compliant world. You’ve not been shoving it down their throat, but are they actually paying attention? Whatever you do next needs to sensitive to how the users have reacted to what you have done so far. There are a few areas you can take a look at to understand how the users are reacting to the changes so far.
i) Survey data – this will be a vital source of information to understand user sentiment and any practical considerations. Even better if you can put some specific cookie related questions in there.
ii) Opt-in/out volumes – when the customer chooses their consent preference you should be able to register this server side. What we want is the rough volume of your user base that opted in, out or failed to set a preference (yet). The opt-out volumes help us gain a feel for the potential impact of the changes on our ability to measure our customer behaviour, but it’s the ‘no preference set’ group that is most interesting at this point. This tells us how hard we need to go with the next phase. If most users have expressed a preference then we can probably get away with a pretty gentle approach to gaining consent from the rest. If people really haven’t been going for it then we’ll need to be a bit more brutal. If at this stage you can segment these groups by new/existing/signed-up users then even better. Understanding how the different groups are behaving will give us a vital indication as to how to engage them further on.
You should set up goals or events in your web analytics to track this. Remember, you’re not claiming to be fully compliant at this point and you’re implying consent until a user specifically opts-out, so it’s valid to still be measuring them at this point until they explicitly opt-out.
9) Implement clear prompt to consent only for new users or those who have not yet stated a preference
10) Full compliance!
Having done all of that you should be most, if not all of the way to being cookie law compliant. Having eased your users into it you have ensured that they are neither surprised or confused, and hopefully got them to opt-in.
You could take up to 6 months to complete this phased roll out. Although the list is broadly sequential, items 2 – 7 can be run simultaneously to save time. This middle section really needs to run long enough to get a feel for how things stand with your users and to achieve maximum awareness and consent uptake with your existing user base.
There are probably many different ways of implementing the graduated approach, but the key point is, you don’t have to rip the plaster off all at once, as that’s unlikely to help anyone, least of all your customers.