This article is more than 1 year old

A month to go on Cookie Law: Will Google Analytics get a free pass?

Slippery ICO can't be pinned in privacy mud-wrestle

Analysis Website operators in Blighty have been continuously perplexed by the upcoming enforcement of the EU's cookie law on 26 May.

The Information Commissioner's Office granted affected firms a year-long breather to get themselves up to scratch back in 2011, but the clock is now ticking and the law – however watered down it might have become – is to be applied next month.

The ePrivacy Directive makes it clear that the storing and slurping of data on an individual web surfer's computer is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

Furthermore, that consent needs to be granted explicitly and must be unambiguous.

Last year, the new European Union rules were almost universally ignored by its 27 member states. As we reported at the time, just two countries implemented the whole package of telecoms reforms on the 26 May deadline.

Every other country failed to fully notify the EU that it would be transposing those rules into their own law.

Here in the UK, the government bullishly confirmed that it would give website operators a full year to prepare for the regulation before action would be taken by the ICO, the body tasked with enforcing the directive.

Now, just weeks before that becomes a reality, communications minister Ed Vaizey has met with key internet players at the launch of the ICC guidelines on the law to discuss the finer detail about what the rules mean for retail and advertising outfits that are concerned about having to explicitly ask before installing a cookie on a user's machine.

The Tory-led Coalition has always been clear that it wanted to place the onus on browser settings so that an individual could make an informed decision about being tracked by advertisers online.

A mechanism, dubbed Do Not Track, is being developed by browser-makers to achieve this.

But heated discussions about what that standard should look like continue to play out on both sides of the Atlantic and it's clear that an agreed specification for DNT won't be in place by the end of next month.

EU digital agenda commissioner Neelie Kroes has tried to hurry the debate along in a frankly face-saving exercise to get DNT approved by browser-makers given the thousand-yard stare many member states appear to have employed when looking at the rules as they apply to cookies.

Vaizey boldly proclaimed earlier this week that the UK government should be viewed by its European neighbours as an "example of effective implementation" of the regulation. He said that despite the ICO's frankly lax response to web analytics - a business in which Google is of course king.

Vaizey said earlier this week that he wished that web analytics fell into the so-called "strictly necessary category" on the ICO's guidelines on the legislation.

"[W]e need to understand that consent is not black and white. Both the ICO and I have said on several occasions that there is a sliding scale of intrusiveness which should inform the level of effort you go to," the minister said.

"Obviously something like analytics or feature based cookies are pretty low on that scale and I know that the ICO will take that into account. Of course that doesn’t mean that you don’t need to go to any effort at all but something which tracks how many users visit a page is hardly the priority here."

The Register asked the ICO to explain exactly what Vaizey's comments meant when it comes to enforcing the cookie law in Britain.

It gave us this meaty statement:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies.

So there you have it. Ad brokers such as Google that slurp data from user's machines for the sake of web analytics are not considered a priority for the ICO when it comes to policing these new rules, which is interesting in light of French data information watchdog CNIL's current probe of Mountain View's recent tweak to its privacy policy.

Specifically, CNIL asked Google to explain if it "combines information gathered through Google Analytics with information related to users (authenticated, non-authenticated or passive) gathered through other services, notably to provide tailored content".

The deadline for an answer from Google is due today.

We put this to the ICO and asked how closely it was considering this investigation in relation to enforcing the cookie law. It said:

Any organisation that processes people's personal data must be open and upfront about how this information will be used and for what purpose. The ICO and the other European Data Protection Authorities, represented on the Article 29 Working Party, are aware that Google has recently changed their privacy policy and have made efforts to communicate these changes to their customers.

At the request of the Article 29 Working Party the French Data Protection Authority, the Commission Nationale de l’information et des liberties (CNIL), is currently speaking with Google on behalf of all the European supervisory authorities to ensure that these changes, and the manner in which they have been communicated, comply with the requirements of European Data Protection law.

It is nevertheless important that people read the information organisations provide them with before agreeing.

More about

TIP US OFF

Send us news


Other stories you might like