This week, the UK’s Information Commissioner’s Office (ICO) published the Guidance on the rules on use of cookies and similar technologies (link to pdf). The ICO is the UK’s authority “set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
According to the document:
The rules in this area are essentially designed to protect the privacy of internet users – even where the information being collected about them is not directly personally identifiable. The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognise them via the device they are using, without their knowledge and agreement.
In the announcement post, Information Commissioner Christopher Graham calms website owners with the following statement:
“But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”
The Law
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
has given his or her consent.
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Guidance on the rules on use of cookies and similar technologies
The guidance document is well written: it uses simple language to explain the reasons behind the law and gives a clear explanation of what a cookie is. It also provides the results of research conducted by PriceWaterhouseCoopers LLP that analyzed consumer understanding and management of internet cookies and the potential impact of the EU Electronic Communications Framework (link to pdf); basically, the results show that consumers have a very limited understanding of cookies and how to manage them.
In the document you will also find practical advice for complying. For example, here is a screenshot of how you can ask for the permission of your users to use cookies on the site:
Google Analytics Users
According to the Guidance on the rules on use of cookies and similar technologies:
You will often collect information about how people access and use your site. This work is often done ‘in the background’ and not at the request of the user. A first party analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent.
This means that Google Analytics users, even those who collect no additional data beyond what the standard code collects, will have to ask for user permission in order to track visitors. This sounds quite extreme and hard to enforce.
The Winners and The Losers
In a recent interview, Vicky Brock, owner of Highland Business Research (a UK-based consultancy) and member of the Board of Directors of the Web Analytics Association, discusses Google Analytics and Privacy Laws in Europe. According to her (starting at min 08:35), the law is extremely complicated, and instead of aiming at doing good, it aims at limiting the technology, which cannot work.
It gets worse when a website is used across countries in Europe, with each country dealing with the law in its own unique way. Vicky also notes that there is a problem as to which law a website should follow: the one that applies where its offices are, or the one that applies where the user is located.
According to Vicky:
“It doesn’t help my data be any more private; in fact it encourages creative people to come up with technology that just scours around the issue. In addition, only the people that follow the rules will suffer.”
The biggest consequence of this privacy law is that European websites will find themselves in an extremely uncompetitive position, as they will have limited tracking capability. It might also incentivize good companies to become sneakier, as they will have to be craftier to get the data.
If you manage a website and are not sure whether you need to take further action based on the guidance, I warmly recommend you read it; here is a link to the pdf. I also recommend reading through this Econsultancy analysis, which discusses some interesting points such as third party cookies, mobile phones, and other grey areas.