Caveat emptor – the new burden of proof for cookie consent
A recent European Court of Justice clarification focusing specifically on the implementation of the Cookie Directive has presented our clients with a significant new challenge.
Just when everyone hoped they were starting to get their ducks in a row around GDPR!
The clarification (Planet 49 vs ECJ, 1st October 2019) affects opt-ins, personal data, the specificity of consent and the details that should be provided about cookies, as well as the coherence of information provided to website visitors.
The new burden of proof
Importantly it implies, caveat actor, a requirement for the asker to ensure an outcome of understanding rather than placing responsibility on the consenter, caveat emptor, to do what they must to achieve comprehension.
In other words, it places a burden of proof on the company to ensure that the site visitor understands what they are being asked to consent to.
Businesses can't any longer just throw legal text at their customers in the belief that it's their problem to work out what is meant.
We think it is timely for all companies affected by GDPR, the Cookie Directive and other data-based regulation to start doing two key things:
- Invest in innovating the right solution for your business
Wait for someone else to come up with the solution and you might not avoid a hard stare (or worse) from the ICO. But the first cookie-cutter solution to respond to the clarification may not suit your visitors or your business – one size doesn't always fit all and your consent rates could suffer.
- Put people first – design for inclusion
We also think it's time that you took your vulnerable customers as the benchmark for design, not as outliers with 'difficult-to-meet needs'.
The cookie-cutter solutions that no longer cut it
The market has become saturated with theoretically compliant 3rd-party cookie consent services known as Consent Management Platforms (CMPs). If it's your job to manage a large digital estate, the ease and scalability they promise is a large part of their appeal.
However, these cookie-cutter solutions are based on a set of assumptions about ‘standard’ customer needs and capabilities. These are assumptions that – as experience designers – we know are highly unlikely to stand up to the scrutiny of primary customer research, which would surely reveal a gap between customer outcomes and the regulator’s intent.
The compliance gap
Unsurprisingly, given the recency of the ECJ clarification, we are not yet aware of any that meet the new burden of proof or the increasing needs of the customer, the regulator and the business. All that we’ve seen appear to be based on a legalistic, purely text-based interpretation of consent.
This is evident in the attention that has been given to GDPR Article 13, which covers what information websites should provide, and the lack of attention paid to Article 12, which describes how they should communicate it. The latter requires organisations to:
…take appropriate measures to provide […] information […] in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child
It’s hard to see much evidence that the plug ’n’ play vendors have so far taken anything other than a selective, tick-box approach to compliance.
They will be busy responding to the ECJ clarification, of course. But the clarified requirement for meaningful consent would seem to make purely legalistic approaches untenable. It’s hard to see how any will be able to offer a complete solution that meets the new burden of proof.
The commercial doubt
There is probably justifiable concern in your company that the potential loss of cookie-based data will damage your business.
The ECJ clarification specifies that almost all cookie-based data must be consented to, and not just that relating to personal information. This covers tracking, marketing and analytics cookies, excluding only those cookies upon which operation of the website or the provision of the service is dependent.
Your company has got to be seen to be seeking to comply rapidly with regulation, but this must be done in a way that does not harm the business.
But the lack of adequate cookie consent solutions means that you need to take an innovative approach that achieves commerciality and compliance simultaneously, and that goes to the heart of the Cookie Directive and the need to ensure informed consent.
Make it better for everyone
A specific challenge to the traditional legalistic interpretation of privacy legislation is provided by the importance placed on distinguishing between the capabilities of differing 'consenter' audiences. GDPR Article 12 draws attention to the specific challenges involved in gaining meaningful consent from children.
Consistent with this and with current FCA priorities, we believe it would be prudent for all companies to assume that 'vulnerable' adults will be considered as important a focus for meaningful consent as children for both ICO and FCA.
We've been down this road before. When the Disability Discrimination Act (DDA) specified that accessibility and inclusion were important online, there was much moaning and groaning that this would restrict the freedom with which businesses could design their digital real estate.
Well yes, it is true, there are restrictions – you can't invoke epilepsy, make your site invisible to the visually impaired or present information in a way that restricts access by 50% of the population. But not only because the DDA (or its successor the Equalities Act) mandates it, you'd also be commercially mad to do so – that's a big hunk of trade!
But as soon as the whingeing stopped and the UX teams got to work, we discovered that there are many ways to design really attractive, accessible sites for everybody.
And so it must be with GDPR and the Cookie Directive.
So let's all just get on with designing consents that actually tell everyone what the deal is, and create best-practice standards for cookie consent that mean we don't have to keep coming back to this issue.
Make a statement of intent
A lean, transparent, managed approach to innovation is needed to define a solution that is traceably compliant and that allows different approaches to be evaluated for their adequacy (across customer, commercials and regulator).
We are starting to apply our service-based design methodology, Evidence Based Compliance (EBC) to the problem in the knowledge that it will provide an effective and proven approach to define and deliver the best outcomes for all parts of the business and the customer.
EBC has been applied effectively across Financial Services; it is well described and validated through successful engagements. We believe the requirements EBC has met in the financial sector are identical to those needed to ensure that your company can provide an effective, compliant and commercial response to the Cookie Directive – and, importantly, be seen to do so.
How it works
EBC provides a commercial and compliance 'wrapper' around a user-centred design process. It embodies our strong belief that compliance should be a process, not a point of view. It engages design teams with mixed stakeholders (commercial, compliance, digital and others) who collectively develop, through design, a compliant and commercially attractive solution.
Sound slow? It's not: it's much faster than engaging a specialist legal company (it increased RAC’s conversion rate in just 6 weeks), and at the end you get a working solution, not a point of view.
Because this is Evidence Based Compliance, the solution will be traceably linked to the requirements of the Cookie Directive and those of your commercial teams.
With EBC your response to the Cookie Directive will evidence how meaningful consent has been sought as a design goal by your business and how the spirit – as well as the letter – of the Directive has been met and proven through testing for real comprehension with your target audience.
Job done, caveat actor delivered.