The much-maligned new EU cookie law isn’t just about cookies. Actually, the text of the regulation doesn’t even mention cookies by name. Instead, its focus is on making people more aware of how their information is used online, and helping people control their privacy.
Essentially it means people now have to actively opt-in before their information is used or their behaviour is tracked in many ways.
The new regulation also applies to other technologies that involve you placing and accessing information on someone’s computer. For instance, the new rules apply to the tiny ‘web beacons’ (actually small image files) used to track when a marketing email is opened.
Some criticism has been levelled at the Information Commissioner’s Office (ICO) for not issuing clear guidance. But actually, to understand what’s expected of companies, we need to step back from the nuts and bolts and look at what the law is trying to achieve.
One that front, the ICO’s message has been consistent: businesses need to be open and transparent, because the law is intended to protect privacy and promote openness.
Plenty has already been said about how the new law affects website cookies. (Read the IT Donut guide, if you need help). So I’m going to look at what happens if your business sends marketing messages by email.
If your company falls into that category, you probably track how people interact with your messages. Crucially, you probably have a tool that lets you see how many people open the emails you send.
Just as with cookies, you need to ask a key question about this ‘open tracking’: what’s its purpose? Just as all cookies aren’t equal, neither is all open tracking.
If you’re using open tracking to report an overall open rate for your entire email campaign, I don’t see how this can come under the new law. It’s just a broad way of tracking how people are interacting with your emails.
Would your email subscribers be surprised to know that you work to get emails delivered and monitor success by checking if the emails are read? I think not. And that’s why I think tracking mechanisms used in this way would fall outside the law.
But here’s a different theoretical case. Say a travel company spots that someone opens emails related to family holidays, then sells that information to a company which then targets them with adverts for child investment products.
This sort of open tracking would certainly fall within the regulations as it clearly involves the privacy of the individual. (I’m just using this example to make the point clear - I don’t actually think anyone does anything even close to this with open tracking!)
Having said that, the new law is about openness and transparency. So to be safe, it’s a good idea to keep your email subscribers informed about the tracking you use.
It should be relatively easy to ask new subscribers to opt-in to tracking and cookies. You have to get permission to send them emails anyway, so when you do so just add information about the tracking too.
We work hard to avoid cluttering up your inbox by using technology to understand what we should send you. Read how here.
Then, no matter whether you think open tracking is or isn’t covered by the regulations, you’ll know you’re covered. And your customers will be better informed too.
With new subscribers taken care of, think about what to do your current subscriber base. You need to ask two questions: how do you use open tracking and what would your subscribers reasonably expect you to be doing?
Again, it’s about openness and transparency. You can make current subscribers aware of your use of tracking. Add information about it to your email header. Use the same language you use for new subscribers and keep the information there until it’s reasonable to assume everyone’s seen it. Then you can move it to your email footer.
In any case, if you have worked to promote openness and transparency you will be in a much better position with the ICO than if you have simply ignored this issue. In short:
Finally, don’t panic. While the ICO can impose fines of up to £500k, they’re only likely to do so in exceptional circumstances. It needs to be a serious, deliberate contravention of the law that causes substantial damage or distress. Quite simply, I find it hard to envisage a situation where email open tracking could do that.