Published: 30 July 2019

The ICO, cookies and why we all might be in for some tough times ahead

On 3 July, the ICO published their new guidance on the use of cookies and similar technologies.

The guidance was accompanied by a handy myth-busting blog – which promises to provide “more clarity and certainty about how you can use cookies in your online service”.

Which it does helpfully. But it doesn’t really prepare you for the reality of the fire that could be about to rain down on your working life…

What is it?

In brief, the ICO sum up the guidance like this:

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.

There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).

Now, I’m obviously all for the public knowing how their data is used, and believe everyone should be more data-aware in this day and age. I also believe GDPR has solidified and unified practice to give people confidence in how the commodity that is their data is used and looked after. And this is a good thing.

But the potential for all this cookie guidance to negatively impact our work in the sector (and beyond) is huge. There is a lot for digital teams, marketers and analytics specialists to get their heads around, and quickly.

On the surface of it this is an absolute game changer – and not in a good way – arriving at a time when as a sector we’re talking more and more about measuring our digital impact and delivering quality services for those we strive to support, all of which is still a struggle for many.

Who’s talking about this?

Either people don’t know about it, are working out what to do or are afraid of speaking up publicly. I’m a little worried about what I perceive as a lack of awareness about all this.

I want this blog to be a conversation starter because I foresee this having significant impact on our ability to deliver effective, measurable digital services.

Pop ups

As a user of the internet you’ll be familiar with those cookie notice pop-ups that, well, pop up on every website you ever visit.

They’re annoying. But they’ve become part and parcel of the user experience on any website these days.

They’ve become so common-place and expected that people now just ignore them. People come to a website for information – and they will ignore or blindly accept a cookie policy pop-up so they can get on with their business. We’ve all been there…

Except now, we need to pay more attention. And we need users to pay more attention.

Which is a problem.

Essential vs not

The ICO guidance states consent is not required for “strictly necessary” cookies. These are defined as those essential to providing a service the user expects, eg; when storing an item in a basket on your site, providing security to ensure broader compliance and helping with load-balancing to ensure pages load quickly for the user.

All well and good, I hear you cry. But what’s classed as “non-essential”?

This, dear reader, is where things get tricky – and where I think we are going to experience some serious, serious issues.

In a nutshell, it means no analytics cookies and no tracking pixels on your site unless the user has opted in to them first.

You absolutely cannot have any of these turned on at all when someone lands on your site – you have to rely on users turning them on themselves.

They have to be set to off by default. And this will require a user to read – and not ignore – your cookie policy pop-up notice and take an action, all before they get to what they came to your site for in the first place. It’s a UX nightmare.

Including all this information in your privacy or general cookie policy is also not enough. As the ICO state: “You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read”. Being able to show consent is the key here.

Oh my.

What this means is that your pop-up cookies policy will need to explain which cookies you use as “essentials” but then also list out the “non-essential” ones, explain what they are, how you use them and ask users to turn each of them on separately.

At the moment, you probably have quite a few of these too – so it could be a lengthy list. But we know people ignore cookie policies, generally. So how are we ever going to expect someone to voluntarily turn these things on when they visit a site? I doubt public knowledge of cookies and their importance is wide-spread either.

And so begin the questions…

If people don’t turn on these cookies, how are we going to know what they do on our sites and how will we determine what’s working, what’s not, what we can improve and what we can do to make the experience better for those we strive to support?

For example, if we can’t remarket to those who have visited our site, how are we going to drive acquisition to increase income or drive much needed change?

And how will we measure the impact of cross-channel attribution models to determine the effectiveness of our marketing?

See? It’s a game changer. And whilst I do like to sometimes be over-dramatic, I think here it’s called for.

All the technical developments that have evolved over the years that we have put in place to help us do our jobs better are in danger of becoming obsolete. There will be solutions to help us out and monitor completely anonymous data – but they need to be discovered, implemented and understood – before we can even think about “what does good look like now?” in terms of reporting and benchmarking.

The risk?

You might think this won’t be very high up on the ICO’s list of things they’re looking out for, but perhaps not.

Sure they’re busy fining BA £183million. But thanks to Facebook, personal data is high on everyone’s agenda.

Back in November, the ICO issued a warning to the Washington Post about their use of cookies, and they also state on their site that “cookie compliance will be an increasing regulatory priority for the ICO in the future” so presumably they will be hot on this stuff over the coming months.

I worry that waiting to see how others deal with this is risky. I also worry that those responsible for compliance within organisations will instruct ICO guidance to be put in place without taking into account the impact on digital delivery and effectiveness, which will then severely hamper the charity’s ability to deliver. This creates an unimaginable risk to our income and charitable purpose, in many cases.

We need to find a balance and work out what to do, looking at alternatives or how best to ensure we can continue to measure activity and market effectively.

What can you do right now?

Firstly, you need to find those responsible for compliance and data within your charity and talk to them about the impact this will have on the work of your whole organisation.

You also need to document any decisions or assessments as a matter of importance too.

Reminding yourself what cookies and tracking technology operate on your site is helpful, as is classifying them as essential and not.

A cookie audit should be something you can carry out pretty quickly, and a search for “what cookies are on my site” is a good-as-any place to start. There are many free/paid for tools to help you out.

You’d do well to also start thinking about and documenting the impact to your charity of not being able to effectively track website performance via Google Analytics or what would happen if you can’t use Facebook Pixels anymore…

The beginnings of a conversation

It sounds all doom and gloom – but initially, it is going to cause us to pause and consider how we work in future. There will of course be solutions, more guidance, and best practice models to come I am sure – however at the moment it’s hard to see past the immediate negative impact this is going to have.

Anonymised data will of course come into play and provides some added assurances, but will require work to instigate when no doubt everyone is already busy.

For now, this is big news that you have to pay attention to. How will you deal with it?


Further reading

AllAboutCookies.org is a good place to go for introductory information about cookies and what they do.

A good blog to read from Silktide: Sick of cookie banners and pop-ups? They’re all changing, again.

ICO’s guidance on cookies and similar technologies.

ICO’s blog on Cookies – what does good look like?


Anonymous, Mystery UK charity

The comms insider is an anonymous comms professional working at a UK charity. S/he wishes to remain incognito so as to be able to write frankly about his/her experiences and opinions.