Thanks Jim. That's very interesting, likewise the subsequent discussion, which reveals the usual terror arising from complexity combined with ambiguity combined with the threat of legal enforcement! Which of course is why it's useful to have advice from ICO. However...
Section 21 of the ePrivacy Regulation* says:
"Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities" [My emphasis]
My read of this clause (albeit one I picked up from people without the authority of ICO) is that at least first party cookies used in the pursuit of measuring web traffic are considered to be "legitimate" and can be used without consent. Actually that "first party" limitation is what I've picked up from other people's interpretations, though it's not explicit in that section. But as I've said before, I do wonder whether this becomes muddied when it is a third party collecting the data through the use of a first party cookie! On this the regs are silent. Also, note that you could configure GA so that it captured data that is sensitive, or you could turn on the demographic features in GA that enrich your stats by effectively exploiting other cookies that Google sets elsewhere (via DoubleClick). Both of these seem to me to cross a threshold where consent would surely be required - but even then, the indirect use of cookies set elsewhere is not the same as setting them yourself.
There is a big caveat, which is that the ePR is not yet formally adopted, and in the interim ICO are evidently leaning on the ePrivacy Directive from 2002 (implemented in the UK as PECR). But that leaves us in an awkward limbo because the ePD predates GDPR and is intended to be updated by the ePR so that the two are consistent. But whilst awaiting this ICO seem to be updating their own guidance on the basis of GDPR's stronger consent requirements, but interpreted through the lens of the to-be-replaced PECR. I suppose it's inevitable, but it seems a bit unnecessary. The ePR may come into force this year, and if not then in the next year or two, so for ICO to publish a new interpretation of PECR-post-GDPR right now seems weird.
I do actually think it's good practice to get consent before setting analytics cookies, but I agree that it could be quite a hit for many people. That said there's space for judgement here, not to mention ethics. We recently used the same control as ICO use (Cookie Control from Civic) on a site I work on. It is wired into Google Tag Manager to ensure that most cookies are only set after consent is given - but not GA. In the end we baulked at having that switched off on landing for the same reasons everyone else is concerned about. However CC lets you have two buttons: "review cookie settings", which in our case opens the panel that you see on the ICO site; and "Accept recommended settings". If someone clicks the latter then a pre-configured set of cookies is permitted and in some cases some JavaScript will run immediately. You could do this for GA too. I think most people click "Accept recommended" so you'd probably lose very little doing it this way.
I think it's worth repeating that GDPR and its attendant regulations etc. are not about cookies per se. They are about personal data. You CAN use cookies without consent or indeed without even a legitimate interest if they are not "personal data". In that case they are outside the scope of GDPR. The trouble is that lots of cookies have an element of tracking in them, in that they hold some sort of an identifier. This includes (some) cookies concerned with web stats. For such cookies you need one or other of the legal bases that GDPR allows. ICO are suggesting that this means consent because web stats are not "strictly required", whilst the draft ePR suggests that this may not be the case when that comes into force; but don't take away the lesson that this means you need consent for all cookies. You don't. You need to know what you set (or enable to be set), what they do and why, and you need to be able to make a fair claim on one or other of the legal bases, of which consent is one.
Conversely, it's not only cookies you need to worry about. There are other ways in which you could be "processing" personal data without using cookies, and that may well apply to some other means of doing web stats that people have mentioned. Sorry.
* see http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241
Dr Jeremy Ottevanger Director, Sesamoid Consulting Limited t: +44(0)1787 475 487 m: +44(0)7865 887 887 e: [log in to unmask] w: https://sesamoidconsulting.co.uk/ twitter: @jottevanger LinkedIn: www.linkedin.com/in/jeremy-ottevanger
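An added example, not Civic Cookie Control's, Google Tag Manager's or the list members' own code, of the gating mechanism described in the message above: category loaders (the GA or GTM snippet) run only once a choice has been recorded, the "Accept recommended settings" button applies a preset and runs its loaders immediately, and the choice is stored in a first-party cookie that carries category flags rather than an identifier. The cookie name, the preset and the loader functions are assumptions.

```javascript
// Added example (not Civic Cookie Control's or Google's code): a consent
// gate that runs category-specific loaders only after an opt-in is recorded.
// The cookie name, the "recommended" preset and the loaders are assumptions.
const CONSENT_COOKIE = "site_consent";                 // assumed first-party cookie
const RECOMMENDED = { necessary: true, analytics: true, marketing: false };

// Read the stored choices out of a raw Cookie header string; null if absent or unreadable.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      return parsed && typeof parsed === "object" ? parsed : null;
    } catch (e) { return null; }
  }
  return null;
}

// Build the Set-Cookie value that records the choices. The consent cookie
// holds only category flags, no identifier, so it is not itself a tracker.
function serialiseConsentCookie(consent, maxAgeDays = 365) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// loaders maps a category ("analytics", "marketing") to a function that injects that
// category's script (in a browser, the GA or GTM snippet). Each loader runs at most once
// per page: a script that has run cannot be unloaded, so withdrawal only fully applies on reload.
function createConsentGate(loaders, cookieHeader) {
  const loaded = new Set();
  let consent = parseConsentCookie(cookieHeader);
  const apply = (choices) => {
    consent = { ...choices, necessary: true };          // necessary is never optional
    for (const [category, allowed] of Object.entries(consent)) {
      if (allowed && loaders[category] && !loaded.has(category)) {
        loaders[category]();
        loaded.add(category);
      }
    }
    return serialiseConsentCookie(consent);
  };
  if (consent) apply(consent);                          // returning visitor: honour the stored choice
  return {
    needsBanner: () => consent === null,                // show the banner until a choice is recorded
    acceptRecommended: () => apply(RECOMMENDED),        // "Accept recommended settings" button
    saveChoices: (choices) => apply(choices),           // "review cookie settings" panel
    isLoaded: (category) => loaded.has(category),
  };
}
```

In a real page the analytics loader would insert the GA script element and the returned Set-Cookie value would be written via `document.cookie`; the loaders are injected here so the gate can be exercised without a browser.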
Hi All
I spotted this from the ICO yesterday with clarification about what they expect in terms of GDPR related opt in.
The cookie notice they’ve put on their website as an example of best practice has users having to opt in for Google Analytics. Who’d opt in for that?
I can’t think that I’ve seen anyone being as tight on GDPR permissions as they seem to be asking for here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like
Jim
-
MuseumNext
To unsubscribe from the MCG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MCG&A=1