Definitions & Myths on “Good” Cookies

The Information Commissioner's Office (ICO) is the privacy watchdog in the UK. Recently they posted their interpretation: “Cookies – what does ‘good’ look like?” (the ICO's original post has since been removed, though see this equivalent article). And it's stark reading. That is, they make it quite explicit with one myth: analytics is not defined as necessary or covered under legitimate interest.

From the ICO:
“While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”

Taken at face value, that means the vast majority of commercial websites are breaking the law..!

The question my antipodean friend Peter O’Neill posted is: How seriously do we need to take this?

Here is my response…

Why this is flawed thinking from the ICO

Firstly, this is a disappointing piece from the ICO. A few years ago I had direct contact with the ICO and I found their understanding of this very specific and technical subject to be deep and pragmatic – probably one of the most well thought-through approaches in the EU. However, that appears no longer to be the case. Their blog opinion piece is far too blunt and oversimplifies how the commercial web operates.

Even amongst privacy professionals there are differences of opinion and interpretation of the GDPR laws, so we can argue/discuss this type of stuff with the ICO until we are blue in the face. Essentially, this will come down to case law – the law as established by the outcome of former cases. And at that point I am confident the ICO will have to update their approach.

My response to two ICO points:

Myth 1: We can rely on implied consent for the use of cookies.

  • ICO: No you can’t.
  • BC: Yes you can for benign first-party cookies with no personal information. Though note the emphasis on benign – essentially meaning strictly aggregate data with no personal attributes. More detail on this here: Gaining Consent: What Is PII versus Personal Data?
  • BC: No you can’t for any 3rd party cookies. The ICO not differentiating between 1st and 3rd party cookies is poor in my opinion. For example, even if a 3rd party cookie is defined as essential, I would argue that consent is still required. This is because a visitor dealing with organisation_1 would legitimately assume that they are only dealing with organisation_1 and no other unnamed or hidden third parties. Anything to the contrary needs to be flagged to the visitor as it is not reasonable to ask visitors to think about unknown actors behind the running of a website.

Myth 2: Analytics cookies are strictly necessary so we do not need consent

  • ICO: If you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
  • BC: If you didn’t have benign analytics running in a first-party way with no personal information tracked, your business would be dead in the water within 12 months. Your business would be wasting large sums of its advertising budget, wasting storage space, over/under-stocking products, unable to react to trends (imagine finding out in December that the last Friday in November – Black Friday – is an important sales opportunity!), wasting time and money generating content no one is reading, and failing your customers’ expectations by building generic one-size-fits-all content when they want experiences that match their persona.

See my consent whitepaper on the best practice approach for doing this while maintaining a high opt-in rate.

The real tracking issue – the FIVE point test

As a privacy advocate, I see the main problem the analytics industry faces is not what is right or wrong (most decent people instinctively know this), but rather the lack of clarity on how a website/organisation handles user data. For example, privacy policies are often written in legalese and combined with general terms of service, making them a difficult and laborious read.

When visiting a website, there are FIVE basic privacy questions a visitor wants to feel confident about:

  1. Your privacy values. I am interested in my privacy, not cookies!
  2. I want to know that my data is always kept anonymous – no smart triangulation or jigsaw techniques to identify me further down the line.
  3. I want to be assured it is seen/used by your organisation only i.e. the company or website I am visiting – not passed around the internet like confetti. Regardless of any “partnership” arrangement, if you do not own company_X I do not want my data shared with them.
  4. If I do identify myself, that should only last for that session e.g. via a purchase or login. That is, I do not wish to be identified if I come back at a later date. For example, knowing I am a customer or second time purchaser should be sufficient information (unless I explicitly agree to being identified).
  5. All of this information should be concisely written in plain English (or applicable language) and almost fit onto a single A4 page if printed.

These are the simple basics that users want to know and expect to be in place – even if they do not read the privacy statement. The basis of my five point test comes from the latest draft of the ePrivacy Regulation – see Articles 8.1d and 8.2c. Thanks to Sergio Maldonado for the PDF link.

If your site meets these criteria, then you are doing nothing other than benign, first-party tracking – no explicit consent required. (Remember this is not legal advice).

If your website cannot meet the criteria I list – that’s very common and not necessarily a bad thing – simply turn off ALL tracking (not just Google Analytics), and ask your visitors for consent before you turn any tracking on.

Summary – Build privacy into your web DNA

Of course we need GDPR, and because of it we now have a legal framework in the EU for punishing bad actors. However, poorly thought-through articles of this latest type from the ICO, which try to classify the vast majority of decent website owners as devious villains and pseudo-criminals, do not move us forward in protecting citizens’ rights. Rather they send us backwards – because the approach is flawed in so many ways that people are unable to take it seriously.

What I/we wish to achieve in the analytics industry is to get to a place where best-practice privacy is simply built into the DNA of every website build – and not treated as a way of dodging the ICO police force. Remember, the ICO is not the law. They interpret the rules just like everyone else. So far they have been very good, but their latest post on cookies is flawed, so my advice is not to follow it to the letter – it’s part of the wider discussion that will be settled by case law.

BTW, if you are interested in what I am building in this space – a forensic GA data auditing tool with an emphasis on GDPR compliance – visit verified-data.com.

Looking for a keynote speaker, or wish to hire Brian…?

If you are an organisation wishing to hire me and my team, please view the Contact page. I am based in Sweden and advise organisations in Europe as well as North America.


8 Comments

  1. Henry

    Just as an additional remark:

    While third-party cookie-using analytics are hampered by the consent rules, it’s not clear the same goes for *server-side* analytics. Going server-side, the primary source of the cookie obligation (e-Privacy Directive) does not arguably apply, since this doesn’t involve saving cookies (or other data) on the terminal device. To the extent personal data is collected and GDPR applies, privacy-aware audience measurement should go easily under the legitimate interests basis. So, no consent required, although you have to be upfront about the data collection in the privacy notice.

    Reply
  2. Henry

    While I agree that the current laws are suboptimal in many ways, I think it’s unfair to criticize ICO for flaws which are inherent in the regulatory framework, namely the e-Privacy Directive (as transposed in different EU countries) and the GDPR. Also, it seems the author still hasn’t quite grasped how this framework works. It’s pretty plainly explained in the ICO’s blog post:

    “Cookies can seem a complex issue. The rules on their use are in the Privacy and Electronic Communications Regulations (PECR), not the GDPR. However, some of PECR’s key concepts now come from the GDPR – such as the standard of consent.”

    The Directive and PECR don’t actually stipulate anything about personal data with respect to cookies. They’re just simply about the right to save data to the user’s terminal equipment. This means that if the cookie’s “non-essential” (i.e. not subject to either of the exceptions), consent must be obtained. With regard to the definition of consent, the text refers to the Data Protection Directive, which must now be construed as a reference to the GDPR. Before GDPR, different EU countries may have in practice had different standards for consent under the Directive. Now, it should be clear that the standard comes from GDPR.

    Now, as for the author’s critique, it would be fine de lege ferenda, i.e., as suggestions for future legislation (e.g. for the e-Privacy Regulation being still negotiated). But as long as we abide by the Directive, it’s useless to make distinctions between first and third party cookies etc. There are no such distinctions in the Directive, and the provision being as clear as it is, no amount of EU case law will help. Actually, on the contrary, if you look at the Planet49 decision, the ICO is right on the mark.

    Reply
    • Brian Clifton

      Thanks for joining the conversation Henry. The problem with the definitions in this area is that boils down to what is meant by “strictly necessary” or “essential”…

      For example, it is strictly necessary for me to count how many visitors come to my website so that I can pick the right hosting package. It is also strictly necessary for me to know what those said visitors are doing on my website so I can plan for the future and write better articles, build better products etc.

      However, in order to do those things it is not strictly necessary to pass this data to third-parties that I have no control over, or for me to profile individual visitors… Hence the way I have differentiated when consent should be used.

      Reply
  3. Darryn

    Great approach Brian! I agree there is a heavy-handed feel to the guidance that fails to recognise the commercial online realities. That being said, your closing statement (“simply turn off ALL tracking and ask your visitors for consent before you turn any tracking on.”) belies the true horror for adtech and marketing with GDPR and ePR. I’d be interested in how you see the ‘turning on’ being executed compliantly.

    Reply
    • Brian Clifton

      Hello Darryn – I eat my own dogfood on this (take my own advice), and I should one day describe it in detail. However, here is a summary…

      Using this site as an example, I use benign 1st-party Google Analytics tracking by default with a pop-up consent banner that does not block people from viewing content if they do not wish to take action (btw, that’s an important GDPR point).

      – If a visitor consents, the banner plugin saves a cookie and I enable 3rd-party tracking tools such as the Google Ad network for remarketing.

      – If there is no visitor consent, there is no cookie and so no third-party tracking.

      I do this because I pass my five point test. BTW, all this is controlled using GTM.

      If I could not pass my test, then tracking would need to be disabled until the consent cookie exists.

      Hope that helps.

      Reply
  4. Dermot

    The problem that this article doesn’t seem to address is that analytics cookies use personal data as a default. That is because the GDPR definition of personal data has been extended to include cookie IDs, IP addresses & other unique identifiers. As a result, because analytics cookies contain personal data, then by default explicit consent is required for their use. That is irrespective of the fact that the data collected is used in a very benign way (i.e. reporting & analysis).

    I believe the core issue here is that the definition of personal data is flawed. Cookie IDs, IP addresses etc. identify a device, not the user (in the same way a car registration identifies a car, not the driver).

    Reply
    • Brian Clifton

      Hello Dermot – A cookie in itself is not personal information. For example, if I store your consent to my privacy policy as “true”, there is nothing in the cookie that allows me to identify who you are. Of course a bad actor can add personal information – but that is the purpose of data governance. GDPR law makes it clear that the legal owner of the website is responsible for data governance i.e. the Data Controller in GDPR terms. That means having a governance process in place to catch such issues, and that is technology agnostic (as is GDPR).

      I agree with you that what actually constitutes personal information is a grey area. I describe this in a separate article: https://brianclifton.com/blog/2018/05/21/gdpr-request-consent-before-tracking/

      Even using your analogy has problems. IP addresses often do not identify the device of a user. Rather the routers, firewalls, proxy servers in front of them…

      Reply
    • Henry

      “As a result because analytics cookies contain personal data then by default explicit consent is required for their use.”

      False. Consent is *not* the only legal basis for processing personal data. Actually, you should avoid it if you can in lieu of other bases like contract, legal obligation or legitimate interests. Why consent is required has actually nothing to do with personal data – it’s required by the e-Privacy Directive which EU nation states have each implemented as local law (in the UK, it’s PECR). The Directive requires the user’s consent to save data to her terminal device, except for the “sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user” (i.e. the ‘communication’ and ‘strictly necessary’ exceptions).

      Reply
