Websites are cookie monsters. They just love to set cookies to maintain login status, navigation around the site, and—the stalker—for tracking purposes. By now, global and EU companies alike should be aware of the EU Cookie Directive and what the law states.


Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information… about the purposes of the processing.

The Realization

NetApp takes data privacy very seriously. We highly value and respect our customers privacy, and we handle their information with extreme care.  But with that in mind, we also need to know how to market to our customers. When we initially heard about the EU Cookie Directive, at least a year before it went into effect, we were uneasy about it. Our first questions were around reporting. Many of you probably had similar questions. What impact would this law have on our reporting? Without Eloqua cookies or other reporting cookies, how much information about our users’ behavior would we lose? The UK Information Commissioner’s Office (ICO) showed that 90% of their visitors did not accept cookies. After seeing the ICO’s results, we pondered how to minimize this impact on NetApp.



Like many companies, we waited for a while to see how the law would change or be enforced.   But, as we got closer to May 25, 2012, we realized that we needed to get started. With close guidance from our lawyer, we kicked off a project that would address this directive and still allow us to do business. As part of the Marketing Automation team, our first thoughts were about Eloqua; however, the law states “all cookies,” and we very quickly realized that this is a bigger issue.  We needed to research our sites before we could determine the best approach.

  • We worked with our Web development team and asked them to research NetApp’s cookies:
    1. How many cookies do we have, and what are they used for?
    2. What type of cookies are they?
    3. How intrusive are the cookies?
    4. Could the site function without cookies?
  • We looked at how other companies were handling this directive; at the time, there wasn’t a lot of information about this.
  • We looked at our reports to see what percentage of our visitors will be affect by this law.

Our Approach


Our objectives when implementing the directive in our site were first to fully comply with the law and second to find a solution so that users would want to consent to cookies to being placed on their machines.  The best way to find out what users will do is by testing.  We worked with many teams across NetApp, including branding, design, usability experts, editorial, Web development, and our lawyer to come up with four different solutions to test. Our hypothesis was that either a banner or a popup would work best for our site. Within those two presentations, we created an opt-in and an opt-out scenario, creating a total of four presentations. Also, the law affects EU citizens, so we decided that our target audience for testing would be anyone who comes to our US or UK site from an EU domain. Using Adobe Test and Target, we displayed to each user one of the four cookie consent messages and reported on the acceptance.



Since the law affects only EU citizens, our solution means that anyone with an EU domain who  goes to our US site or to one of our EU sites sees the winning cookie consent message. Our testing showed that the popup with an implied consent had a 60% acceptance rate, which was 187% greater than the runner-up solution.



Our advice is to create a strong working relationship with your corporate and compliance lawyers. Help them to understand the business goals so that they can direct you to on how to comply with the law but still get the reporting and functionality needed to run your business. If it weren’t for the respect and trust that we have with our lawyer, I don’t think the project would have gone as smoothly as it did.


Second, educate executives on the law and be honest about the impact it might have on the business,  both from a reporting perspective and from a legal perspective—that is, what could happen if the issue not addressed.


Third, work with the different countries that are affected by this law to make sure that they understand it and are comfortable with your solution. They need to buy into it as well.