Tuesday, 18 October 2011

Resolving the Cookie Conundrum

So, given the need to comply with the UK interpretation of the EU directive, what needs to happen?

In fact, the building blocks already exist. Phase 1 would be doing this with existing tools, with Phase 2 doubtless rolling these capabilities into the browsers themselves.

1 - Vendors currently have opt-out cookies. They will need to use opt-in ones too - these are the important ones, recording that a user has accepted the vendor's cookie(s). For a proper solution a version number is also required, so the vendor can be sure to ask the user again if the cookies they set change in future (which they will).

2a - Option 1 - Alert on the cookies. Web pages are going to have to do this, and it will mean checking for the new opt-in set of cookies, such as adnetwork1_v2_optin=yes. Probably this would be done by a call to the various vendors working with the website, or it could be done by the site itself (but that would mean a plethora of new opt-in cookies to cover each website-vendor pairing). The reference for this alert for me is something like Ghostery. Clearly it would need to be more advanced than this - ideally allowing more info and a yes/no within the bubble itself - but that would be the user flow.

2b - Option 2 - Require the cookies. A model which works perfectly well right now for adult and alcohol sites is the invincible-barrier-with-easily-opened-door technique. Try to get to guinness.com, for example, and you'll get an interstitial page that can only be passed by entering a date 18 or more years in the past and clicking enter. Porn sites just have a button saying "I'm over 18, let me in" (so I'm told). This would be a perfectly reasonable technique for all cookies in future: list the cookies, their vendors and their purpose in a scrollable window (one of those that requires you to have scrolled to the end) and put a big "I accept" button next to it.

3 - Retain Opt-ins. The snag with using cookies is, of course, that when people delete them you have to go through this rigmarole all over again. The reference solution is the "Keep My Opt-Outs" plugin available for Chrome. It uses a list of the 'good guy' cookies which carry the existing opt-out status, and in the event the user deletes their cookies the plugin kicks in and retains the useful ones it knows about. This would work perfectly well for the opt-in case too, and the 'good guy' list could be built up from IAB/DAA signatories.
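As an added example, not code from the original post, here is how steps 1 to 3 above fit together in JavaScript, written so it runs under Node without a browser (it takes the cookie string as a parameter rather than reading document.cookie). The vendor names, the opt-in cookie naming convention <vendor>_v<version>_optin (generalising the post's adnetwork1_v2_optin=yes), and the sample cookie string are constructed for the example; the Secure and SameSite attributes on the consent cookie are an assumed hardening, not something the post specifies.

```javascript
// Added example (not from the original post): versioned opt-in cookies.
// Assumed naming convention: <vendor>_v<version>_optin=yes, generalising the
// post's adnetwork1_v2_optin=yes. Vendor ids are assumed not to contain '_'.
// Vendor lists and the cookie string below are constructed sample data.

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name) jar[name] = value;
  }
  return jar;
}

// Name of the opt-in cookie for a vendor at a given version of its cookie set.
function optInCookieName(vendor, version) {
  return `${vendor}_v${version}_optin`;
}

// Steps 1 and 2: compare the site's current vendor list against the visitor's
// cookies. Only an opt-in for the vendor's *current* version counts, so when a
// vendor bumps its version (its cookies changed) the visitor is asked again.
function consentStatus(vendors, cookieString) {
  const jar = parseCookies(cookieString);
  const accepted = [];
  const needPrompt = [];
  for (const v of vendors) {
    if (jar[optInCookieName(v.id, v.version)] === 'yes') {
      accepted.push(v.id);
    } else {
      needPrompt.push(v.id);
    }
  }
  return { accepted, needPrompt };
}

// Set-Cookie value recording an opt-in after the user clicks "I accept".
// Long lifetime because persistence is the point; Secure and SameSite so the
// consent record is neither sent over plain HTTP nor set by a cross-site
// request (assumed hardening, not something the post specifies).
function optInSetCookie(vendor, version, maxAgeDays) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${optInCookieName(vendor, version)}=yes; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Step 3: on a "clear cookies" event, keep only opt-in cookies belonging to a
// known vendor list (the post's 'good guy' list). Everything else is dropped,
// including opt-ins that merely imitate the naming but name an unknown vendor.
const OPT_IN_PATTERN = /^([A-Za-z0-9-]+)_v(\d+)_optin$/;
function cookiesToRetain(cookieString, knownVendors) {
  const jar = parseCookies(cookieString);
  const keep = {};
  for (const [name, value] of Object.entries(jar)) {
    const m = OPT_IN_PATTERN.exec(name);
    if (m && knownVendors.includes(m[1]) && value === 'yes') keep[name] = value;
  }
  return keep;
}

// Constructed sample data.
const SITE_VENDORS = [
  { id: 'adnetwork1', version: 2 },   // visitor opted in to v2: fine
  { id: 'adnetwork2', version: 2 },   // visitor opted in to v1 only: ask again
  { id: 'analytics4', version: 1 },   // never asked: ask
];
const KNOWN_VENDORS = ['adnetwork1', 'adnetwork2', 'analytics4'];
const SAMPLE_COOKIES =
  'sessionid=abc123; adnetwork1_v2_optin=yes; adnetwork2_v1_optin=yes; ' +
  'tracker9_v1_optin=yes; prefs=dark';

console.log(consentStatus(SITE_VENDORS, SAMPLE_COOKIES));
console.log(cookiesToRetain(SAMPLE_COOKIES, KNOWN_VENDORS));
```

The version check is what makes step 1 work in practice: bumping the version in the site's vendor list invalidates every existing opt-in for that vendor, so the prompt comes back. The retention step keys on an allowlist of vendor names rather than on the opt-in suffix alone, so a stray cookie that merely imitates the naming does not survive the clear. The obvious caveat is that a consent record held in a cookie is whatever the browser chooses to send; nothing here can prove the user actually clicked, which is one reason the post argues the right home for all of this is the browser itself.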

The Need to Simplify. The above solution would work perfectly well for the UK and even the proposed Netherlands implementations of the EU directive. The one thing it requires, and which is somewhat out of anyone's control, is that ALL cookies be referenced on the web site greeting a user. The website owner won't know them all - indeed, even the networks they work with may not know, as the value chain extends down and down. This is potentially fine provided that over time all players come out of the woodwork and become official, but it's the murkiest area right now and I can see it resisting having the light shone on it.

The Need for a Browser Solution. As noted above, the right place to do all this is in the browser, and indeed that's where the building blocks can already be found. I'm afraid the swift action to comply with the law that Chris Graham desires is unlikely to happen until the major EU markets have decided what that law is. The fact that this hasn't happened yet makes the EU law-setters look confused and foolish, and that gives confidence to those who might be fingered by the ICO in the meantime.
