Noise or Music?

Definitions & Myths on “Good” Cookies

Categories: GDPR & Privacy / Comments: 4

Cookie myths & GDPR
The Information Commissioners Office (ICO) is the privacy watchdog in the UK. Recently they posted  their interpretation: Cookies – what does ‘good’ look like? And it’s stark reading. That is, they make it quite explicit with one myth – analytics is not defined as necessary or covered under legitimate interest.

From the ICO:
“While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”

Taken at face value, that means the vast majority of commercial websites are breaking the law..!

The question my antipodean friend Peter O’Neill posted is: How seriously do we need to take this?

Here is my response…

Why this is flawed thinking from the ICO

Firstly, this is a disappointing piece from the ICO. A few years ago I had direct contacts with the ICO and I found their understanding of this very specific and technical subject to be deep and pragmatic – probably one of the most well thought-through approaches in the EU. However, that appears no longer the case. Their blog opinion piece is way too blunt and over simplifies how the commercial web operates.

Even amongst privacy professionals there are differences of opinion and interpretation of the GDPR laws, so we can argue/discuss this type of stuff with the ICO until we are blue in the face. Essentially, this will come down to case law – the law as established by the outcome of former cases. And at that point I am confident the ICO will have to update their approach.

My response to two ICO points:

Myth 1: We can rely on implied consent for the use of cookies.

  • ICO: No you can’t.
  • BC: Yes you can for benign first-party cookies with no personal information. No you can’t for any 3rd party cookies. The ICO not differentiating between 1st and 3rd party cookies is poor in my opinion. For example, even if a 3rd party cookie is defined as essential, I would argue that consent is still required. This is because a visitor dealing with organisation_1 would legitimately assume that they are only dealing with organisation_1 and no other unnamed or hidden third parties. Anything to the contrary needs to be flagged to the visitor as it is not reasonable to ask visitors to think about unknown actors behind the running of a website.

Myth 2: Analytics cookies are strictly necessary so we do not need consent

  • ICOIf you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
  • BC: If you didn’t have benign analytics running in a first party way with no personal information tracked, your business would be dead in the water within 12 months. Your business would be wasting large sums of its advertising budget, wasting storage space, over/under stocking products, unable to react to trends (imagine 5 years ago finding out in December that Black Friday was a growing phenomenon!), wasting time and money generating content no-one is reading, wasting your customer’s expectations by building generic one-size fits all content when they want experiences that match their persona.

The real tracking issue – the FIVE point test

As a privacy advocate I see the main problem the analytics industry faces is not what is right or wrong (most decent people instinctively know this), rather the lack clarity of on how a website/organisation handles user data.

For example, often privacy policies are written in legaleze and combined with general terms of service making them a difficult and laborious read.

When visiting a website, there are FIVE basic privacy questions the site needs to answer:

  1. Your privacy values. Does your organisation value my privacy?
  2. I want to know that my data is always kept anonymous – no smart triangulation or jigsaw techniques to identify me further down the line.
  3. I want to be assured it is seen/used by your organisation only i.e. the company or website I am visiting – not passed around the internet like confetti. Regardless of any “partnership” arrangement, if you do not own company_X I do not want my data shared with them.
  4. If I do identify myself, that should only last for that session e.g. via a purchase or login. That is, I do not wish to be identified if I come back at a later date. For example, knowing I am a customer or second time purchaser should be sufficient information (unless I explicitly agree to being identified).
  5. All of this information should be concisely written in plain English (or applicable language) and almost fit onto a single A4 page if printed.

These are the simple basics that users what to know and expect to be in place – even if they do not read the privacy statement. The basis of my five point test comes from the latest draft of the ePrivacy Regulation – see Articles 8.1d and 8.2c. Thanks to Sergio Maldonado for the PDF link.

If your site meets these criteria, then you are doing nothing other than benign, first-party tracking – no explicit consent required. (You can read my full privacy approach here. Remember this is not legal advice).

If your website cannot meet the criteria I list – that’s very common and not necessarily a bad thing, then simply turn off ALL tracking (not just Google Analytics), and ask your visitors for consent before you turn any tracking on.

Summary – Build privacy into your web DNA

Of course we need GDPR, and because of it we now have a legal framework in the EU for punishing bad actors. However, poorly thought-through articles of this latest type from the ICO, that try to classify the vast majority of decent website owners as devious villains and pseudo criminals, doesn’t move us forward in protecting citizens rights. Rather it sends us backwards – because the approach is flawed in so many ways it results in people being unable to take it seriously.

What I/we wish to achieve in the analytics industry, is to get to a place where best practice privacy is simply built into the DNA of every website build – and not treated as a way of dodging the ICO police force. Remember ICO is not the law. They interpret the rules just like everyone else. So far they have been very good, but their latest post on cookies is flawed, so my advice is to not follow it to the letter – its part of the wider discussion that will be settled by case law.

BTW, if you are interested in what I am building in this space – a forensic GA data auditing tool with an emphasis on GDPR compliance – visit verified-data.com.

Share Button

Comments (most recent first)

  1. Darryn says:

    Great approach Brian! I agree there is a heavy-handed feel to the guidance that fails to recognise the commercial online realities. That being said, your closing statement (“simply turn off ALL tracking and ask your visitors for consent before you turn any tracking on.”) belies the true horror for adtech and marketing with GDPR and ePR. I’d be interested in how you see the ‘turning on’ being executed compliantly.

    • Hello Daryn – I eat my own dogfood on this (take my own advice), and I should one day describe it in detail. However, here is a summary…

      Using this site as an example, I use benign 1st party Google Analytics tracking by default with a pop-up consent banner that does not block people from viewing content if they do not wish to take action (btw, thats an important GDP point).

      – If a visitor consents, the banner plugin saves a cookie and I enable 3rd-party tracking tools such as the Google Ad network for remarketing.

      – If there is no visitor consent, there is no cookie and so no third-party tracking.

      I do this because I pass my five point test. BTW, all this is controlled using GTM.

      If I could not pass my test, then tracking would need to be disabled until the consent cookie exists.

      Hope that help.

  2. Dermot says:

    The problem that this article doesn’t seem to address is that analytics cookies use personal data as a default. That is because the GDPR definition of personal data has been extended to include cookie ID’s, IP addresses & other unique identifiers. As a result because analytics cookies contain personal data then by default explicit consent is required for their use. That is irrespective of the fact that the data collected in used in a very benign way (i.e. reporting & analysis).

    I believe the core issue here is that the definition of personal data is flawed. Cookie ID’s, IP addresses etc. identify a device not the user (in the same way a car registration identifies a car not the driver).

    • Hello Dermot – A cookie in itself is not personal information. For example, if I store your consent to my privacy policy as “true”, there is nothing in the cookie that allows me to identify who you are. Of course a bad actor can add personal information – but that is the purpose of data governance. GDPR law makes it clear that the legal owner of the website is responsible for data governance i.e. the Data Controller in GDPR terms. That means having a governance process in place to catch such issues, and that is technology agnostic (as is GDPR).

      I agree with you in what actually constitutes personal information is a grey area. I describe this in a separate article: https://brianclifton.com/blog/2018/05/21/gdpr-request-consent-before-tracking/

      Even using your analogy has problems. IP addresses often do not identify the device of a user. Rather the routers, firewalls, proxy servers in front of them…

Leave a Reply to Brian Clifton Cancel reply

Your email address will not be published. Required fields are marked *

Anti-spam question (required):

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Brian Clifton 2019
Best practice privacy statement