A month to go on Cookie Law: Will Google Analytics get a free pass?

Slippery ICO can't be pinned in privacy mud-wrestle

Analysis: Website operators in Blighty have been continuously perplexed by the upcoming enforcement of the EU's cookie law on 26 May.

The Information Commissioner's Office granted affected firms a year-long breather to get themselves up to scratch back in 2011, but the clock is now ticking and the law – however watered down it might have become – is to be applied next month.

The ePrivacy Directive makes it clear that the storing and slurping of data on an individual web surfer's computer is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

Furthermore, that consent needs to be granted explicitly and must be unambiguous.

Last year, the new European Union rules were almost universally ignored by its 27 member states. As we reported at the time, just two countries implemented the whole package of telecoms reforms on the 26 May deadline.

Every other country failed to fully notify the EU that it would be transposing those rules into its own law.

Here in the UK, the government bullishly confirmed that it would give website operators a full year to prepare for the regulation before action would be taken by the ICO, the body tasked with enforcing the directive.

Now, just weeks before that becomes a reality, communications minister Ed Vaizey has met with key internet players at the launch of the ICC guidelines on the law to discuss the finer detail about what the rules mean for retail and advertising outfits that are concerned about having to explicitly ask before installing a cookie on a user's machine.

The Tory-led Coalition has always been clear that it wanted to place the onus on browser settings so that an individual could make an informed decision about being tracked by advertisers online.

A mechanism, dubbed Do Not Track, is being developed by browser-makers to achieve this.

But heated discussions about what that standard should look like continue to play out on both sides of the Atlantic and it's clear that an agreed specification for DNT won't be in place by the end of next month.

EU digital agenda commissioner Neelie Kroes has tried to hurry the debate along in a frankly face-saving exercise to get DNT approved by browser-makers given the thousand-yard stare many member states appear to have employed when looking at the rules as they apply to cookies.

Vaizey boldly proclaimed earlier this week that the UK government should be viewed by its European neighbours as an "example of effective implementation" of the regulation. He said that despite the ICO's frankly lax response to web analytics - a business in which Google is of course king.

Vaizey said earlier this week that he wished that web analytics fell into the so-called "strictly necessary category" on the ICO's guidelines on the legislation.

"[W]e need to understand that consent is not black and white. Both the ICO and I have said on several occasions that there is a sliding scale of intrusiveness which should inform the level of effort you go to," the minister said.

"Obviously something like analytics or feature based cookies are pretty low on that scale and I know that the ICO will take that into account. Of course that doesn’t mean that you don’t need to go to any effort at all but something which tracks how many users visit a page is hardly the priority here."

The Register asked the ICO to explain exactly what Vaizey's comments meant when it comes to enforcing the cookie law in Britain.

It gave us this meaty statement:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies.

So there you have it. Ad brokers such as Google that slurp data from users' machines for the sake of web analytics are not considered a priority for the ICO when it comes to policing these new rules, which is interesting in light of French data information watchdog CNIL's current probe of Mountain View's recent tweak to its privacy policy.

Specifically, CNIL asked Google to explain if it "combines information gathered through Google Analytics with information related to users (authenticated, non-authenticated or passive) gathered through other services, notably to provide tailored content".

The deadline for an answer from Google is due today.

We put this to the ICO and asked how closely it was considering this investigation in relation to enforcing the cookie law. It said:

Any organisation that processes people's personal data must be open and upfront about how this information will be used and for what purpose. The ICO and the other European Data Protection Authorities, represented on the Article 29 Working Party, are aware that Google has recently changed their privacy policy and have made efforts to communicate these changes to their customers.

At the request of the Article 29 Working Party the French Data Protection Authority, the Commission Nationale de l’information et des liberties (CNIL), is currently speaking with Google on behalf of all the European supervisory authorities to ensure that these changes, and the manner in which they have been communicated, comply with the requirements of European Data Protection law.

It is nevertheless important that people read the information organisations provide them with before agreeing.
