Definitions & Myths on “Good” Cookies
The Information Commissioners Office (ICO) is the privacy watchdog in the UK. Recently they posted their interpretation: Cookies – what does ‘good’ look like? And it’s stark reading. That is, they make it quite explicit with one myth – analytics is not defined as necessary or covered under legitimate interest.
From the ICO:
“While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”
Taken at face value, that means the vast majority of commercial websites are breaking the law..!
The question my antipodean friend Peter O’Neill posted is: How seriously do we need to take this?
Here is my response…
Why this is flawed thinking from the ICO
Firstly, this is a disappointing piece from the ICO. A few years ago I had direct contacts with the ICO and I found their understanding of this very specific and technical subject to be deep and pragmatic – probably one of the most well thought-through approaches in the EU. However, that appears no longer the case. Their blog opinion piece is way too blunt and over simplifies how the commercial web operates.
Even amongst privacy professionals there are differences of opinion and interpretation of the GDPR laws, so we can argue/discuss this type of stuff with the ICO until we are blue in the face. Essentially, this will come down to case law – the law as established by the outcome of former cases. And at that point I am confident the ICO will have to update their approach.
My response to two ICO points:
- ICO: No you can’t.
- BC: Yes you can for benign first-party cookies with no personal information. No you can’t for any 3rd party cookies. The ICO not differentiating between 1st and 3rd party cookies is poor in my opinion. For example, even if a 3rd party cookie is defined as essential, I would argue that consent is still required. This is because a visitor dealing with organisation_1 would legitimately assume that they are only dealing with organisation_1 and no other unnamed or hidden third parties. Anything to the contrary needs to be flagged to the visitor as it is not reasonable to ask visitors to think about unknown actors behind the running of a website.
Myth 2: Analytics cookies are strictly necessary so we do not need consent
- ICO: If you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
- BC: If you didn’t have benign analytics running in a first party way with no personal information tracked, your business would be dead in the water within 12 months. Your business would be wasting large sums of its advertising budget, wasting storage space, over/under stocking products, unable to react to trends (imagine 5 years ago finding out in December that Black Friday was a growing phenomenon!), wasting time and money generating content no-one is reading, wasting your customer’s expectations by building generic one-size fits all content when they want experiences that match their persona.
The real tracking issue – the FIVE point test
As a privacy advocate I see the main problem the analytics industry faces is not what is right or wrong (most decent people instinctively know this), rather the lack clarity of on how a website/organisation handles user data.
For example, often privacy policies are written in legaleze and combined with general terms of service making them a difficult and laborious read.
When visiting a website, there are FIVE basic privacy questions the site needs to answer:
- Your privacy values. Does your organisation value my privacy?
- I want to know that my data is always kept anonymous – no smart triangulation or jigsaw techniques to identify me further down the line.
- I want to be assured it is seen/used by your organisation only i.e. the company or website I am visiting – not passed around the internet like confetti. Regardless of any “partnership” arrangement, if you do not own company_X I do not want my data shared with them.
- If I do identify myself, that should only last for that session e.g. via a purchase or login. That is, I do not wish to be identified if I come back at a later date. For example, knowing I am a customer or second time purchaser should be sufficient information (unless I explicitly agree to being identified).
- All of this information should be concisely written in plain English (or applicable language) and almost fit onto a single A4 page if printed.
These are the simple basics that users what to know and expect to be in place – even if they do not read the privacy statement. The basis of my five point test comes from the latest draft of the ePrivacy Regulation – see Articles 8.1d and 8.2c. Thanks to Sergio Maldonado for the PDF link.
If your site meets these criteria, then you are doing nothing other than benign, first-party tracking – no explicit consent required. (You can read my full privacy approach here. Remember this is not legal advice).
If your website cannot meet the criteria I list – that’s very common and not necessarily a bad thing, then simply turn off ALL tracking (not just Google Analytics), and ask your visitors for consent before you turn any tracking on.
Summary – Build privacy into your web DNA
Of course we need GDPR, and because of it we now have a legal framework in the EU for punishing bad actors. However, poorly thought-through articles of this latest type from the ICO, that try to classify the vast majority of decent website owners as devious villains and pseudo criminals, doesn’t move us forward in protecting citizens rights. Rather it sends us backwards – because the approach is flawed in so many ways it results in people being unable to take it seriously.
What I/we wish to achieve in the analytics industry, is to get to a place where best practice privacy is simply built into the DNA of every website build – and not treated as a way of dodging the ICO police force. Remember ICO is not the law. They interpret the rules just like everyone else. So far they have been very good, but their latest post on cookies is flawed, so my advice is to not follow it to the letter – its part of the wider discussion that will be settled by case law.
BTW, if you are interested in what I am building in this space – a forensic GA data auditing tool with an emphasis on GDPR compliance – visit verified-data.com.