Cookie confusion: web analytics, the ICO and GDPR

The Information Commissioner’s Office, the UK’s information watchdog and enforcer of data protection regulations, has issued new guidance on the use of cookies. Coming over a year after the EU’s General Data Protection Regulations were introduced into UK law, this guidance should have given organisations clarity over how to achieve compliance with the new rules, but a close reading throws up many more questions than answers.

Anyone who’s spent any time looking into the problem of how to ensure their organisation’s processing of personal data is compliant with GDPR will be familiar with how knotty and confusing data protection regulation can get. For many businesses, especially those which are too resource-constrained to hire inexpensive legal guidance, the solution often lies in following what your competitors or similar organisations are doing and hoping for the best.

Partly this is a result of how the regulations are written - by legislators who lack adequate technical expertise and operate under the lobbying influence of large tech firms - partly a result of how the regulations are enforced at national level - reactively by regulators rather than proactively by law enforcement agencies - and partly just because achieving a balance between the rights of individuals and the commercial interests of companies given the current economics of the internet (where so much of the revenue is generated by advertising) is a hard thing to do.

The phrase often misattributed to Otto von Bismarck is apt here: "Laws are like sausages. It's better not to see them being made."

Though, in the case of GDPR, the sausage is pretty ugly too.

So the onus is on regulators - in the UK, the ICO - to come up with clear guidance on how to interpret the regulations. Unfortunately, the state of the regulations at present is such a dog’s dinner that not even the ICO are up to the task.

Take, for example, this from an ICO blog post announcing the new cookie guidance:

“Myth 3: We can use a cookie wall to restrict access to our site until users consent

“Fact: Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.”

As clear as mud.

Of primary concern to most of the organisations we work with, is the question of whether consent is required from the user to set a web analytics cookie in their browser. The prevailing assumption among many marketers (whether valid or not) is that if you need people’s explicit opt in for web analytics then in the vast majority of cases you won’t get it, and your efforts to understand and draw meaningful insights from your web traffic stats will be completely pointless. And since web analytics data is used to inform all sorts of critical business decisions, that’s a big deal.

So, let’s parse the ICO’s latest guidance, take a look at the underlying legislation, and see if we can find a way through the conundrum.

What are web analytics cookies?

First, let’s double check the definition of cookie, as per the ICO:

“A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.”

A web analytics cookie is one which stores information about the user’s device and behaviour so that website usage statistics can be collected and analysed via web analytics software like Google Analytics. If you require your users to opt into the setting of web analytics cookies on their machine, and none of them do, your web analytics reports will show nothing but zeroes.

Web analytics cookies are a useful lens through which to approach the issue of cookie consent since they often involve the processing of personal data (which, as per GDPR, means any information relating to an identified or identifiable natural person or ‘data subject’) and they are often not strictly necessary (in other words, you could still deliver all the functionality of the app or website if they were not set). Under the existing data protection paradigm, both of these factors increase the likelihood that consent will be required.

What the guidance says about web analytics cookies

The blog post introducing the new cookie guidance is pretty unambiguous on the issue of whether the user’s consent is required to set analytics cookies:

“Myth 2: Analytics cookies are strictly necessary so we do not need consent

“Fact: While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”

And the guidance itself expands further on the definition of ‘strictly necessary’:

“It is important to remember that what is ‘strictly necessary’ should be assessed from the point of view of the user or subscriber, not your own. So, for example, whilst you might regard advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service, they are not ‘strictly necessary’ from the user or subscriber’s perspective.”

For most websites, removing the Google Analytics code snippet wouldn’t affect the user’s experience in any way and so, according to the ICO, you definitely need to obtain consent before you set them on a user’s device.

But what are we talking about when we talk about consent? As the ICO’s ‘Myth 3’ from the introduction makes clear, what exactly you need to spell out to the user in order to obtain their consent, and the precise methods allowed for obtaining it, are open to interpretation.

What the PECR says about consent

The PECR, or Privacy and Electronic Communications (EC Directive) Regulations 2003 is the law which brings UK law in line with the EU’s privacy and electronic communications directive of 2002. It covers consent for things like email marketing and cookies. You may have noticed that the directive is now 17 years old, and if you suspect that it’s not the last word on electronic privacy law you’d be right. But more on that later.

The important thing to note is that the ICO is currently enforcing this law, in conjunction with The Data Protection Act 2018, which enshrines the General Data Protection Regulation in British law. That’s what the ICO guidance is interpreting and, in its guide to PECR, has this to say about consent:

“To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, you cannot set non-essential cookies on your website’s homepage before the user has consented to them.  

“Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.

“You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data such as health details, or used for behavioural tracking. The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy.”

From that, we can determine that to set analytics cookies on a user’s device, we need to get the user to click something that says they give their consent - but how much information do we need to provide about the cookie, the information it stores, and its purpose?

Again, from the ICO’s guide to PECR:

“PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes. You must explain the way the cookies (or other similar technologies) work and what you use them for, and the explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing the cookies. You may need to make sure the language and level of detail are appropriate for your intended audience.

This is similar to the transparency requirements of the GDPR (privacy notices).”

And further down the rabbit hole we go. Do the GDPR transparency requirements provide any further clarification?

What GDPR says about consent

The key transparency requirement from GDPR that I think the ICO is referring to is the individual’s ‘right to be informed’. The ICO’s guidance on this right sets out a long list of things you need to tell people whose personal data you collect and use, which it summarises as “your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”

It seems pretty clear that you couldn’t practically put all of this information on a landing page pop-up or modal which asks for consent to set cookies. And, to prove this, that’s the approach that the ICO take on their own website. Their ‘Our use of cookies’ module, which appears the first time you land on the site and then minimises to a small icon once your preferences are saved (by clicking) references only necessary cookies and analytics cookies, and has this by way of information about the latter:

“We'd like to set Google Analytics cookies to help us to improve our website by collecting and reporting information on how you use it. For more information on how these cookies work please see our 'Cookies page'. The cookies collect information in an anonymous form.”

There is a toggle button next to this, defaulted to off. I certainly had no interest in toggling it on when I visited. But overkill is what you’d expect from the regulators themselves, isn’t it? Is this granular level of consent-seeking really necessary when all we’re talking about is web analytics cookies? Without naming names (and please don’t take anything you read in this blog post as advice), I’ve seen lots of websites which take the approach of asking users either to give consent for the recommended cookie settings (which presumably include web analytics) or to turn off all optional cookies. A bit of nifty UX design applied to this approach can ensure that your web analytics data comes from a sufficiently large sample of your audience to be useful.

But, is it even necessary to go this far when the only non-strictly necessary cookies you want to set are web analytics cookies? As mentioned above, the PECR is an old piece of legislation - a square peg which the ICO are trying to make compatible with the much-newer GDPR’s round hole. In the works is a new set of regulations from the EU to replace the 2002 ePrivacy Directive (the ‘cookies law’) and, eventually, render the PECR redundant.

What the coming ePR is likely to say

The new ePrivacy Regulation was due to come into force at the same time as GDPR but, due to the contentiousness of issues like this one, and the intense lobbying activity taking place around it from the likes of Google, Facebook et al, it’s still being debated. But one of the key points proposed by the European Commission in January 2017 was:

“Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.”

It seems that the latest draft of the ePR has dropped the requirement for consent to be managed through browsers but does introduce a new exception for cookies which are used only for analytics. Dr Justine Scerri Herrera of Michael Kyprianou & Co. explains:

“The current version of ePR prohibits the use of cookies, unless:

• GDPR compliant consent has been given by the user;
• The cookies are non-Privacy intrusive (purely analytic);
• It is necessary for transmitting an electronic communication;
• The cookies are there to improve browsing experience (shopping carts etc.);
• For a user-requested service;
• It is necessary for establishing or maintaining a network connection;
• Necessary for security, fraud prevention or to detect technical faults; or
• There is cause to locate the device because an emergency number has been dialled.”

While Albert Holl of USoft interprets the drafted legislation as favourable to the big marketing platforms:

“To better protect us from this carelessness, while keeping things manageable for online marketing companies at the same time, the ePR makes a distinction between intrusive and non-intrusive cookies. Hence, organizations no longer need explicit consent for certain types of cookies such as functional cookies that are used to increase the performance of websites. To many of us, this will be a blessing as it frees us of annoying cookie walls. However, consent is mandatory for the use of so-called tracking and social media cookies. Analytical cookies, in turn, can be used freely as long as the data do not leave the organization and cannot be used to identify users.”

It certainly seems as though the lobbying expenditure of the tech giants has not been made in vain.

What do you need to do to comply?

Strict compliance along the lines of the ICO’s guidance would require any business setting web analytics cookies to ask for consent up front. Though it’s instructive to note that of the many websites of legal firms I visited during researching this article, nearly all of them set Google Analytics cookies regardless of whether I’d accepted their cookies policy.

Again, I’m not giving legal advice here, but the current legislative situation is a mess, with so much confusion around these issues that I can’t imagine the ICO starting a big enforcement drive before the ePR comes into force, which will probably be some time this year. With legal limbo prevailing, it may be wise to ask yourself whether compliance is your goal, or merely minimising the chance of incurring a penalty. It may also be worth remembering that the laws governing the use of cookies and consent in PECR came into force in 2003. All that GDPR added was stricter requirements about the information you had to give the user to ensure that consent was ‘informed’. So if you’ve always set web analytics cookies without getting the user’s specific consent, you’ve never been in compliance with the EU’s cookie laws.

A partial explanation for Brexit enthusiasm which I’ve heard more than once is that the rigid-minded British have never understood that a lot of EU regulation is sort of optional. Having just visited the websites of the top three newspapers in Germany and France to find that none of them obtained my consent before placing a huge number of cookies on my device, analytics included, I’m starting to give the theory some credence.