
A month to go on Cookie Law: Will Google Analytics get a free pass?

Slippery ICO can't be pinned in privacy mud-wrestle

By Kelly Fiveash, 5 Apr 2012

Analysis

Website operators in Blighty have been continuously perplexed by the upcoming enforcement of the EU's cookie law on 26 May.

The Information Commissioner's Office granted affected firms a year-long breather to get themselves up to scratch back in 2011, but the clock is now ticking and the law – however watered down it might have become – is to be applied next month.

The ePrivacy Directive makes it clear that the storing and slurping of data on an individual web surfer's computer is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

Furthermore, that consent needs to be granted explicitly and must be unambiguous.

Last year, the new European Union rules were almost universally ignored by its 27 member states. As we reported at the time, just two countries implemented the whole package of telecoms reforms on the 26 May deadline.

Every other country failed to fully notify the EU that it would be transposing those rules into its own law.

Here in the UK, the government bullishly confirmed that it would give website operators a full year to prepare for the regulation before action would be taken by the ICO, the body tasked with enforcing the directive.

Now, just weeks before that becomes a reality, communications minister Ed Vaizey has met with key internet players at the launch of the ICC guidelines on the law to discuss the finer detail about what the rules mean for retail and advertising outfits that are concerned about having to explicitly ask before installing a cookie on a user's machine.

The Tory-led Coalition has always been clear that it wanted to place the onus on browser settings so that an individual could make an informed decision about being tracked by advertisers online.

A mechanism, dubbed Do Not Track, is being developed by browser-makers to achieve this.

But heated discussions about what that standard should look like continue to play out on both sides of the Atlantic and it's clear that an agreed specification for DNT won't be in place by the end of next month.

EU digital agenda commissioner Neelie Kroes has tried to hurry the debate along in a frankly face-saving exercise to get DNT approved by browser-makers given the thousand-yard stare many member states appear to have employed when looking at the rules as they apply to cookies.

Vaizey boldly proclaimed earlier this week that the UK government should be viewed by its European neighbours as an "example of effective implementation" of the regulation. He said that despite the ICO's frankly lax response to web analytics - a business in which Google is of course king.

Vaizey said earlier this week that he wished that web analytics fell into the so-called "strictly necessary category" on the ICO's guidelines on the legislation.

"[W]e need to understand that consent is not black and white. Both the ICO and I have said on several occasions that there is a sliding scale of intrusiveness which should inform the level of effort you go to," the minister said.

"Obviously something like analytics or feature based cookies are pretty low on that scale and I know that the ICO will take that into account. Of course that doesn’t mean that you don’t need to go to any effort at all but something which tracks how many users visit a page is hardly the priority here."

The Register asked the ICO to explain exactly what Vaizey's comments meant when it comes to enforcing the cookie law in Britain.

It gave us this meaty statement:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies.

So there you have it. Ad brokers such as Google that slurp data from users' machines for the sake of web analytics are not considered a priority for the ICO when it comes to policing these new rules, which is interesting in light of French data information watchdog CNIL's current probe of Mountain View's recent tweak to its privacy policy.

Specifically, CNIL asked Google to explain if it "combines information gathered through Google Analytics with information related to users (authenticated, non-authenticated or passive) gathered through other services, notably to provide tailored content".

The deadline for an answer from Google is today.

We put this to the ICO and asked how closely it was considering this investigation in relation to enforcing the cookie law. It said:

Any organisation that processes people's personal data must be open and upfront about how this information will be used and for what purpose. The ICO and the other European Data Protection Authorities, represented on the Article 29 Working Party, are aware that Google has recently changed their privacy policy and have made efforts to communicate these changes to their customers.

At the request of the Article 29 Working Party the French Data Protection Authority, the Commission Nationale de l’information et des liberties (CNIL), is currently speaking with Google on behalf of all the European supervisory authorities to ensure that these changes, and the manner in which they have been communicated, comply with the requirements of European Data Protection law.

It is nevertheless important that people read the information organisations provide them with before agreeing.

Tracking the trackers

For the UK government, browser settings – courtesy of DNT tech – are the main answer to the cookie problem.

To that end, we asked the obvious players to comment on their relationship with Vaizey and his crew towards working on such a solution.

Microsoft, which has questioned the workability of DNT and has recently touted an alternative, offered up this statement:

Microsoft has been part of industry-wide discussions with the UK government over the e-Privacy Directive, including our use of cookies as part of running our ad network; as a website operator and as a browser manufacturer. We are working with the government to help them in their aim to provide an 'eco-system of solutions' which combine to provide the consumer with confidence about their privacy online.

Mozilla's global privacy and public policy wonk Alex Fowler told us that the open-source browser-maker was beavering away at DNT as part of its "mission to improve the web for people everywhere and not directly in response to new regulatory efforts, nor to facilitate compliance with laws like the e-Privacy Directive."

He added: "That said, we believe these browser capabilities will be useful to publishers and advertisers to address some of these provisions and we are excited about how they may drive improved consumer trust and transparency for these important stakeholders."

Fowler also said that the development of DNT was "in the early stages" but that, even so, "rapid adoption" of the tech among browser-makers, advertisers and publishers was starting to happen.

Meanwhile, there are companies out there developing apps that also address the issue of agreeing to be tracked online. Oxford-based Baycloud Systems, for example, has created one such application called CookieQ that inserts a cookie consent button on any web page.

The firm's technical director, Mike O'Neill, has questioned the Cabinet Office's use of Google Analytics in its GOV.UK project - which is a replacement website for Directgov.

"I think the technically meaningless 'intrusive' adjective is being used by the ICO to give them opaque discretion on when to pursue anybody. Since no one knows what it means, nobody can accuse them of being soft in particular situations – like in the GOV.UK case," he told El Reg.

"A cookie is simply a mechanism for encoding a number and used for whatever purpose the software developer wishes. This purpose cannot be simply put into a small number of simple categories, every instance of its use will be different," he continued.

"There may be some general indications that you could use to establish purpose, ie, a cookie whose name component starts with __utm is probably a Google Analytics cookie, but the only thing that can be said with certainty is whether the cookie encodes a value which is different for each visitor. If it is, then the reason needs to be explained, ie: if it's being used to track people and especially if it's being used to do this across multiple sites."

O'Neill agreed that his comments might be viewed as "technical nitpicking" before saying that this also demonstrated only too well "the extent of misunderstanding that is still out there."
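The check O'Neill describes can be run by a site operator auditing their own pages. The sketch below is an added example, not code from the article or from Baycloud: it compares the cookies set for several fresh visits, treats the __utm name prefix only as a hint, and flags any cookie whose value differs for every visitor. The sample headers, the vid and lang cookie names and both function names are assumptions made for illustration.

```javascript
// Constructed sample: Set-Cookie headers seen by three fresh browser profiles
// on the same page. All names and values are made up for illustration.
const SAMPLE_VISITS = [
  ["__utma=1.1000000001.1333600000; Expires=Sat, 05 Apr 2014 10:00:00 GMT; Path=/",
   "vid=a81f3c; Max-Age=31536000; Path=/", "lang=en-GB; Path=/"],
  ["__utma=1.2000000002.1333600100; Expires=Sat, 05 Apr 2014 10:01:40 GMT; Path=/",
   "vid=77b0e2; Max-Age=31536000; Path=/", "lang=en-GB; Path=/"],
  ["__utma=1.3000000003.1333600200; Expires=Sat, 05 Apr 2014 10:03:20 GMT; Path=/",
   "vid=c4d955; Max-Age=31536000; Path=/", "lang=en-GB; Path=/"],
];

// Parse one Set-Cookie header into name, value and whether it outlives the session.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: skip
  const attrNames = attrs.map((a) => a.split("=")[0].trim().toLowerCase());
  const persistent = attrNames.includes("expires") || attrNames.includes("max-age");
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), persistent };
}

// Compare values across visits. A cookie seen in at least two visits with a
// different value every time encodes a per-visitor number, whatever its name.
function auditCookies(visits) {
  const seen = new Map(); // name -> { values: one per visit, persistent }
  for (const headers of visits) {
    const thisVisit = new Map(); // a later header for the same name wins
    for (const c of headers.map(parseSetCookie)) if (c) thisVisit.set(c.name, c);
    for (const c of thisVisit.values()) {
      const e = seen.get(c.name) || { values: [], persistent: false };
      e.values.push(c.value);
      e.persistent = e.persistent || c.persistent;
      seen.set(c.name, e);
    }
  }
  const report = {};
  for (const [name, e] of seen) {
    report[name] = {
      perVisitor: e.values.length >= 2 && new Set(e.values).size === e.values.length,
      persistent: e.persistent,
      probableGoogleAnalytics: name.startsWith("__utm"), // naming hint only
    };
  }
  return report;
}

console.log(auditCookies(SAMPLE_VISITS));
```

In the sample, vid carries no recognisable name yet is flagged as per-visitor and persistent, while lang is identical for everyone and is not flagged.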

Naturally, The Reg sought the views of Google on this matter, which many of its competitors were only too happy to talk about.

A spokeswoman at the internet giant simply said: "Thank you for getting in touch. I’m afraid we’ve no comment on this." ®