Thanks Jim.

That's very interesting, likewise the subsequent discussion which 
reveals the usual terror arising from complexity combined with ambiguity 
combined with the threat of legal enforcement! Which of course is why 
it's useful to have advice from ICO. However...

Section 21 of the ePrivacy Regulation* says:

"Exceptions to the obligation to obtain consent to make use of the 
processing and storage capabilities of terminal equipment or to access 
information stored in terminal equipment should be limited to situations 
that involve no, or only very limited, intrusion of privacy. For 
instance, consent should not be requested for authorizing the technical 
storage or access which is strictly necessary and proportionate for the 
legitimate purpose of enabling the use of a specific service explicitly 
requested by the end-user. This may include the storing of cookies for 
the duration of a single established session on a website to keep track 
of the end-user’s input when filling in online forms over several pages. 
*Cookies can also be a legitimate and useful tool, for example, in 
measuring web traffic to a website.* Information society providers that 
engage in configuration checking to provide the service in compliance 
with the end-user's settings and the mere logging of the fact that the 
end-user’s device is unable to receive content requested by the end-user 
should not constitute access to such a device or use of the device 
processing capabilities" [My emphasis]

My read of this clause (albeit one I picked up from people without the 
authority of ICO) is that at least /first party/ cookies used in the 
pursuit of measuring web traffic are considered to be "legitimate" and 
can be used without consent. Actually that "first party" limitation is 
what I've picked up from other people's interpretations, though it's not 
explicit in that section. But as I've said before, I do wonder whether 
this becomes muddied when it is a third party collecting the data 
through the use of a first party cookie! On this the regs are silent. 
Also, note that you /could/ configure GA so that it captured data that 
is sensitive, or you could turn on the demographic features in GA that 
enriches your stats by effectively exploiting other cookies that Google 
sets elsewhere (via Doubleclick). Both of these seem to me to cross a 
threshold where consent would surely be required - but even then, the 
indirect use of cookies set elsewhere is not the same as setting them 
yourself.

There is a big caveat, which is that the ePR is not yet formally 
adopted, and in the interim ICO are evidently leaning on the ePrivacy 
/Directive/ from 2002 (implemented in the UK as PECR). But that leaves 
us in an awkward limbo because the ePD predates GDPR and is intended to 
be updated by the ePR so that the two are consistent. But whilst 
awaiting this ICO seem to be updating their own guidance on the basis of 
GDPR's stronger consent requirements, but interpreted through the lens 
of the to-be-replaced PECR. I suppose it's inevitable, but it seems a 
bit unnecessary. The ePR may come into force this year, and if not then 
in the next year or two, so for ICO to publish a new interpretation of 
PECR-post-GDPR right now seems weird.

I do actually think it's good practice to get consent before setting 
analytics cookies, but I agree that it could be quite a hit for many 
people. That said there's space for judgement here, not to mention 
ethics. We recently used the same control as ICO use (Cookie Control 
from Civic) on a site I work on. It is wired into Google Tag Manager to 
ensure that most cookies are only set after consent is given - but not 
GA. In the end we baulked at having that switched off on landing for the 
same reasons everyone else is concerned about. However CC lets you have 
two buttons: "review cookie settings", which in our case opens the panel 
that you see on the ICO site; and "Accept recommended settings". If 
someone clicks the latter then a pre-configured set of cookies are 
permitted and in some cases some javascript will run immediately. You 
could do this for GA too. I think most people click "Accept recommended" 
so you'd probably lose very little doing it this way.

I think it's worth repeating that GDPR and its attendant regulations etc 
are not about cookies per se. They are about personal data. You CAN use 
cookies without consent or indeed without even a legitimate interest if 
they are not "personal data". In that case they are outside the scope of 
GDPR. The trouble is that lots of cookies have an element of tracking in 
them, in that they hold some sort of an identifier. This includes (some) 
cookies concerned with web stats. For such cookies you need one or other 
of the legal bases that GDPR allows. ICO are suggesting that this means 
consent because web stats are not "strictly required", whilst the draft 
ePR suggests that this may not be the case when that comes into force; 
but don't take away the lesson that this means you need consent 
for all cookies. You don't. You need to know what you set (or enable to 
be set), what they do and why, and you need to be able to make a fair 
claim on one or other of the legal bases of which consent is one.

Conversely, it's not only cookies you need to worry about. There are 
other ways in which you could be "processing" personal data without 
using cookies, and that may well apply to some other means of doing web 
stats that people have mentioned. Sorry.

Cheers, Jeremy


* see http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241

**https://privacylawblog.fieldfisher.com/2019/the-future-of-the-eprivacy-regulation-and-the-impact-of-brexit-on-its-application-in-uk

Dr Jeremy Ottevanger
Director, Sesamoid Consulting Limited

t: +44(0)1787 475 487
m: +44(0)7865 887 887
e: [log in to unmask]
w: https://sesamoidconsulting.co.uk/
twitter: @jottevanger
LinkedIn: www.linkedin.com/in/jeremy-ottevanger
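The consent-gating pattern described in the message above, as an added example that is not the poster's, Civic's or Google's code: tags are held back until their category is consented, "Accept recommended settings" switches on a pre-configured set, and revoking a category deletes the cookies its tags set. The cookie jar, tag names and cookie values are constructed stand-ins.

```javascript
// Consent-gated tag loading in the style of the Cookie Control / Tag Manager
// setup described above (added example, not code from the message, Civic or
// Google). A tag stays queued until its category is consented, so an analytics
// tag cannot set its cookie (e.g. GA's _ga) before the visitor agrees.
// cookieJar is a Map standing in for document.cookie so this runs under Node.
// recommended: the categories an "Accept recommended settings" button turns on.
function createConsentGate(recommended, cookieJar = new Map()) {
  const consented = new Set(["necessary"]); // strictly necessary: no consent needed
  const pending = [];                        // tags waiting for their category
  const loaded = [];                         // tags whose loader has run
  const owner = new Map();                   // cookie name -> tag that set it
  function fireEligible() {
    for (let i = pending.length - 1; i >= 0; i--) {
      const tag = pending[i];
      if (!consented.has(tag.category)) continue;
      pending.splice(i, 1);
      // The setter records which tag owns each cookie so revoke can delete exactly those.
      tag.loader((name, value) => { cookieJar.set(name, value); owner.set(name, tag.name); });
      loaded.push(tag);
    }
  }
  function revoke(category) {
    if (category === "necessary") return;
    consented.delete(category);
    for (let i = loaded.length - 1; i >= 0; i--) {
      if (loaded[i].category !== category) continue;
      const [tag] = loaded.splice(i, 1);
      for (const [cookie, by] of [...owner]) {
        if (by === tag.name) { cookieJar.delete(cookie); owner.delete(cookie); }
      }
      pending.push(tag); // re-queued: fires again only if consent is granted anew
    }
  }
  return {
    register(name, category, loader) { pending.push({ name, category, loader }); fireEligible(); },
    acceptRecommended() { recommended.forEach((c) => consented.add(c)); fireEligible(); },
    applyChoices(choices) { // explicit per-category result of the "review cookie settings" panel
      for (const [category, allowed] of Object.entries(choices)) allowed ? consented.add(category) : revoke(category);
      fireEligible();
    },
    hasConsent: (category) => consented.has(category),
    cookies: () => [...cookieJar.keys()].sort(),
  };
}
// Constructed usage: analytics is recommended, marketing is not; cookie values are made up.
const gate = createConsentGate(["analytics"]);
gate.register("ga", "analytics", (setCookie) => setCookie("_ga", "GA1.2.constructed"));
gate.register("ads", "marketing", (setCookie) => setCookie("ads_id", "constructed"));
```

The same gate object would back both buttons: "Accept recommended settings" calls acceptRecommended(), the review panel calls applyChoices() with the visitor's per-category toggles.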

On 05/07/2019 07:26, Jim Richardson - MuseumNext wrote:
> Hi All
>
> I spotted this from the ico yesterday with clarification about what 
> they expect in terms of GDPR related opt in.
>
> The cookie notice they’ve put on their website as an example of best 
> practice has users having to opt in for Google Analytics. Who’d opt in 
> for that?
>
> I can’t think that I’ve seen anyone being as tight on GDPR permissions 
> as they seem to be asking for here:
>
> https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like 
>
>
> Jim
>
> -
>
> MuseumNext
> www.museumnext.com <http://www.museumnext.com>
>
>

****************************************************************
       website:  http://museumscomputergroup.org.uk/
       Twitter:  http://www.twitter.com/ukmcg
      Facebook:  http://www.facebook.com/museumscomputergroup
 [un]subscribe:  http://museumscomputergroup.org.uk/email-list/
****************************************************************