The EU Cookie Law in Travel, Tourism & Hospitality: How the Cookies Crumbled

Posted July 19, 2012

In Smart Talking Digital, Smart Talking With..., Travel, Uncategorized

What’s a cookie and why should you care? Essentially, it’s a form of website tracking, be it monitoring browsing behavior, purchasing patterns or your activity on the wider web.

The grace period for compliance with the EU cookie law (ePrivacy Directive) ended on the 26th of May 2012 and if you own or operate a website that employs the use of cookies, then the directive stipulates that you must (amongst other things);

Tell your website visitors that cookies exist on your site.
Explain what the cookies are doing.
Obtain consent from your website visitors to store cookies on the device they’re browsing your site with.

The directive is open to intepretation and the approaches to compliance vary. Some have opted for a pop up message to ask you to opt-in to cookies before you browse a website, others have added a small reference to cookies within their footer navigation. The safest approach is to comply fully with the directive with a full opt-in process. However, this is a worry for many site owners reliant on tracking to fully evaluate their online marketing activity.

The determining factor on which approach to take seems to be the interpretation of ‘obtain consent’. The emerging common approaches can be categorised as ‘explicit consent’ or ‘implied consent’.

Explicit consent is probably the safest approach – to have a visitor to your site explicitly state that they accept you tracking their activity on your website through the use of a pop up, small message on your homepage, checkbox etc.

Implied consent is the approach many have taken – referencing cookies (either with a small message on the site homepage or a link within a sub navigation etc) and that continued use of a website authorises the tracking of visitor activity.

Whilst statistics on cookie consent are emerging, many believe that having a prominent warning on your site that data is being tracked isn’t going to aid conversion or encourage browsing.

The travel, tourism and hospitality response to the cookie law

So how should you adapt your site to comply with the EU cookie law? Should you opt for explicit or implied consent? Unfortunately there’s no definitive answer. It varies by both the type of data being tracked and the subsequent use of the data. Understandably it seems that overly intrusive or unethical use of data will be top of the ICO‘s hit list.

It’s useful to evaluate the current approaches by some of the major players in travel, tourism and hospitality.

Expedia seem to have opted for the implied consent route. There’s no reference to cookies on their homepage with their privacy policy references one of the objectives of using cookies as “…to help customise your user experience”.

Booking.com take a similar approach with a small reference to cookies within their privacy policy.

Lastminute.com feature a link to information on their use of cookies at the very top of the site, giving it clear prominence. They give an expansive definition of cookies and their use within Lastminute.com

Hilton appear to have opted for the implied consent route too, with no homepage reference to cookies on their homepage but an explanation of their use of both anonymous cookies and personal information including how they share data across their many brands within their global privacy policy.

Marriott take a similar approach to Hilton with no homepage reference to cookies other than information within their privacy policy.

VisitScotland go a little further than the ‘standard’ implied consent route by presenting a bar along the top of their site stating “VisitScotland uses cookies to enhance your experience on our website. By using our website you consent to our use of cookies.” Like BA they also give extensive details of what they track and why.

British Airways could be considered as adopting the explicit consent route. Their ‘global gateway‘ page specifically states that by continuing you “agree to the … use of cookies while using the website”. They also give extensive information on exactly what they track and why.

Hotels.com, Travelocity, Kayak, Skyscanner, Travelrepublic, Timeout, VisitLondon, VisitWales and the Northern Ireland Tourist Board also use approaches that could be interpreted as implied consent.

It’s clear that many have opted for the implied consent route. That doesn’t neccessarily mean that it complies fully with the ICO guidelines, but it does set a precedent for other sites and perhaps, your site.

But what does the ICO have to say on the matter? In a recent interview with popular online marketing blog, Econsultancy, Dave Evans of the ICO stated “…if sites make it clear that they are using cookies, and continued use of the site means that you are accepting this, then this is a valid approach.”

Your interpretation of ‘make it clear’ may be to have a cookies page featured in your sites navigation at the foot of the page, or it may be to include a visual message once (or repeatedly) when a user visits the site.

So you’ve decided that you want to feature a cookies page on your site. What should you include on that page?

“This depends. The main point to get across is why cookies are being used, for analytics or whatever, I think most web users just want to be reassured that nothing untoward is going on. This is more important than listing the different types of cookies in detail.” Dave Evans, ICO.

Interpreting this, it would seem you needn’t labour at length about the exact purpose of every cookie. Simply reassure your websites visitors of your approach, why you track their behaviour and what benefit this provides them. You may be tracking their data to provide a better service or product offering; tell them.

I’m not interested in cookies. I’m going to ignore all of this.

The ICO seems to be taking a fair approach to compliance, provided you make an effort to comply in some form. They seem quite sympathetic in their enforcing of these new guidelines. Add a cookies page to your site, make it navigable from a homepage, or ideally throughout the site and it appears you should be compliant; provided you’re not doing anything untoward with the data you’re obtaining.

Ignore the Privacy and Electronic Communications Regulations and you could end up worse off than if you made a few simple changes to your site. When challenged by Econsultancy on the outcome of a site ignoring the regulations, ICO’s Dave Evans concluded “Waiting for that letter from the ICO is not a good idea. The solution we agree with you may not be as good as one you could have volunteered yourself.”