EU cookie law: stop whining and just get on with it

Growth occurs as a series of jolts: your first kiss, your first drink, your first pay packet. As the technology industry matures, it's no different. But just as in real life, some people aren't too good at dealing with change.

For the best part of two years now, parts of the online media industry have been complaining about EU Directive 2009/136/EC, which requires users to consent before web sites harvest data from them.

After the government's year-long pause on enforcement, in the wake of a highly successful industry-led campaign for common sense enforcement, implementation is now only days away. In the UK, the new rules kick in on Saturday 26th May.

Yet the moaning continues. Some still view the Directive as an infernal doomsday machine that will "kill online sales" and "kill the internet". Robert Bond of the law firm Speechly Bircham describes the effects as "far-reaching and incredibly onerous" for "all UK companies." Simon Davis of Privacy International argues that proper enforcement would "destroy the entire industry".

Those with something to gain have been spreading fear and loathing. KPMG, a firm that never knowingly underestimates the threats confronting its clients, recently announced that 95 percent of British businesses and public sector organisations are "not compliant" and may therefore face fines of up to £500,000.

Separately, QuBit, a London-based data consultancy, estimates ("worst case scenario") that the EU Directive could "cost" the British economy £10bn.

Let's not delve into the debatable maths underpinning QuBit's alarmism. Instead, let's remind ourselves of what Directive 2009/136/EC actually says: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."

Consent? As any teenager will tell you, much depends on how you ask the question. If regulators ever expected web site owners to implement an opt-in regime like this, they don't now. Colin O'Malley, chief strategy officer at Evidon, the US-based data and privacy company, says he has spoken with regulators in six European nations, including some of the most conservative members of the dreaded Article 29 Working Party. All of them, he says, "have specifically cautioned against going as far as opt-in".

Here's where the wiggle room opens up. Much depends on language and design. In May 2011, for example, the Information Commissioner's Office started seeking consent from users of its own web site. When users clicked through for the first time, an overlay told them that the site "would like to store information on your computer".

The aggressive tone was compounded by apparent bad faith. ("One of the cookies we use. . . has already been set".) Next, the ICO's overlay held a metaphorical gun to its users' heads, telling them that "parts of the site will not work. . . [if] you delete and block all cookies".

Unsurprisingly, the result was a 90 percent decline in measured traffic. Ever since, opponents of the directive have argued that the end of the world is nigh.

It isn't. Instead, we're starting to see some clever and subtle implementations. If you click through to BT's customer site, for example, the first thing you'll see is a cleverly-worded overlay which suggests that "this website" is set to "allow all cookies". (The language isn't threatening; moreover, it encourages the notion that this has nothing to do with you, the user).

The overlay goes on to explain that this has been done in order to offer "the very best experience" (You're worth it, no?). It goes on to say that if you click the "no, thanks" button below, you will "consent" to "allow all cookies". (The "no thanks" button instinctively appeals to the vast majority of users who don't want to be sold something; it also encourages non-technical users accustomed to things going wrong to vote for continuity).

Expect to see many more corporates adopting a similar approach.

This week, for example, FT.com took the plunge, with an overlay strategy that resembles BT's.

We need to wait and see how many users refuse cookies at BT and FT.com. My guess is that the number will be a lot less than 90 percent, and that it will decrease over time. As users encounter more sites with lookalike overlays, they'll become accustomed to taking the path of least resistance. Along the way, they may start to understand cookies and privacy better. They may actually start to feel confident about privacy protection.

Still unconvinced? Then examine the guidance published by Whitehall's own IT bosses for anyone running a public sector web site. In total, the advice runs to four pages. It doesn't feel like a user manual for coping with the end of the world. Alternatively, take a look at the current guidelines from the Information Commissioner's Office, which strongly hint that "formal action" will be reserved for anyone who "refuses to take steps to comply" or who has been "involved in a particularly privacy-intrusive use of cookies".

Of course, there are perfectly understandable reasons why parts of the online industry hate the directive with such a passion. The first involves the cost of what the ICO describes as "new sites and systems and upgrades". This, as one commenter pointed out, is an industry in which it's already difficult to make money. Well, yes: and at least some of this difficulty is attributable to hot VC money, which has unleashed a torrent of me-too revenue-lite ad tech start-ups. If regulation helps consolidation on its way, the results may not be entirely negative.

Awkwardly, the directive forces the online ad industry to think about users, as well as data. (As the Government Digital Service puts it: "It's not about cookies, it's about privacy.")

Like everyone else, online ad folk would much prefer to be handed a series of binary policy decisions ("you can do this, but not that"). Instead, they've been given some guidelines and asked to think seriously about privacy. In the long term, this should strengthen respect for privacy inside the industry. However, for those who prefer not to think, the challenge is problematic.

Ad tech people are an inward-looking tribe: they need to get off their backsides and educate the public about why metrics matter.

According to the IAB's own research, 89 percent of British surfers say they want to be able to control their own privacy online. Yet only 37 percent understand what a cookie is. Squaring this circle will take years of education and innovation. The directive is pushing the industry in this direction. Again, this is no bad thing.

Without an effort of this kind, the online industry will face a backlash eventually. As Simon Davis of Privacy International argues, users can rapidly become "angry customers when they find out they have not been told the truth". On this point, he's right.

Anyone in the UK online industry who still dreams of Ayn Rand-style freedoms needs to wake up, and quickly. Online accounts for 28 percent of Britain's advertising market. That's more than the 26 percent that flows into the heavily-regulated broadcast sector, more than the 23 percent that flows into newspapers, currently the focus of scrutiny by Lord Leveson.

Leveson is regulation in action. For those in the spotlight, the experience is nasty, brutish and prolonged. Measures like the EU Directive will avert the need for an equivalent of a Leveson Inquiry for the online ad industry in three, five or 10 years' time. For this reason alone, the online ad industry should embrace Britain's new cookie law with open arms.

This article was originally published by WIRED UK