Depressed to think it, but surely the only conclusion we can reach is: “stop doing web analytics”…?

On 5 Jul 2019, 14:52 +0100, Jeremy Ottevanger <[log in to unmask]>, wrote:

Hi Phil,

Two things. Firstly, for better or worse it isn't here about what is captured and stored within GA itself. It's about "processing", and that includes storage, and that includes within cookies. And those cookies are not only stored (on the client's device) but also transmitted (another form of processing) with each request to the source domain. Secondly "personal" data means any that can be associated with an individual, alone or in combination. So any kind of identifier is covered, even if the data itself doesn't include a name. It does seem a bit sketchy to me, because there's not a one-fits-all way to say what combination of data points that are not a name could be used to identify a real person, but ICO says:

"what identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors."

[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/]

They add some qualification to this:

"If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."

so it seems like a judgement call in the end, but in the case of GA we are also having to make that judgement on behalf of Google, who will possess that suite of data points you mention. We had a previous exchange about ethics and Google, and what were our responsibilities given that Google could in theory tie together data from GA with their registered user data. It seems like they do this (via Doubleclick) if you turn on ad features, but even if they don't otherwise then we as site owners have to take their word for that.

Other salient points from that guidance:

• an individual is not a name: "An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.". In other words it really doesn't matter if you actually tie it to a "natural person", it's about recognising that there is a single entiry beyond the screen, who you can for example target ads at.
• in addition to being tied to an identifi(ed|able) individual, the information must "relate" to that individual, in other words concern them in some way. Is the data about them in some way? An identifier isn't "about" an individual, but probably a record of the websites they have visited is. It's also about how the data will be processed and the effect of that processing, which is the bit I find most confusing! But if in doubt take care.

Anyway in short, IP etc are probably deemed enough to identify an "individual" even if it was never a named person.

Cheers, Jeremy

 

 

Dr Jeremy Ottevanger

Director, Sesamoid Consulting Limited

t: +44(0)1787 475 487

m: +44(0)7865 887 887

e: [log in to unmask]

w: https://sesamoidconsulting.co.uk/

twitter: @jottevanger

LinkedIn: www.linkedin.com/in/jeremy-ottevanger

On 05/07/2019 13:53, Phil George wrote:

The crux of this for me is the ‘personal data’ bit. In the case of GA, there isn’t anything that is personally identifiable being captured is there? You get an IP address, location, perhaps the devices OS and version etc, but nothing you could identify that individual by and so surely that makes GA compliant?

 

Phil George​ Head of IT T:  02392 891370 Ext:  2044 M:  07803 210019     W:  www.nmrn.org.uk

<image439412.jpg>

This summer marks the start of a new era for HMS Warrior. Step back in time to  ​1863, ​when the great ship set sail on a round‑Britain tour, showcasing to the people  ​how public money had been spent on the biggest, fastest & most powerful ship on  ​the seas. The new interpretation marks the culmination of a £4.2 million conservation project made possible by a £3.2 million grant from the National Lottery Heritage Fund.

Our email disclaimer is online.

From: Museums Computer Group [mailto:[log in to unmask]] On Behalf Of Jeremy Ottevanger
Sent: 05 July 2019 13:21
To: [log in to unmask]
Subject: Re: Opt in for Google Analytics

 

Thanks Jim.

That's very interesting, likewise the subsequent discussion which reveals the usual terror arising from complexity combined with ambiguity combined with the threat of legal enforcement! Which of course is why it's useful to have advice from ICO. However...

Section 21 of the ePrivacy Regulation* says:

"Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the enduser's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities" [My emphasis]

My read of this clause (albeit one I picked up from people without the authority of ICO) is that at least first party cookies used in the pursuit of measuring web traffic are considered to be "legitimate" and can be used without consent. Actually that "first party" limitation is what I've picked up from other people's interpretations, though it's not explicit in that section. But as I've said before, I do wonder whether this becomes muddied when it is a third party collecting the data through the use of a first party cookie! On this the regs are silent. Also, note that you could configure GA so that it captured data that is sensitive, or you could turn on the demographic features in GA that enriches your stats by effectively exploiting other cookies that Google sets elsewhere (via Doubleclick). Both of these seem to me to cross a threshold where consent would surely be required - but even then, the indirect use of cookies set elsewhere is not the same as setting them yourself.

There is a big caveat, which is that the ePR is not yet formally adopted, and in the interim ICO are evidently leaning on the ePrivacy Directive from 2002 (implemented in the UK as PECR). But that leaves us in an awkward limbo because the ePD predates GDPR and is intended to be updated by the ePR so that the two are consistent. But whilst awaiting this ICO seem to be updating their own guidance on the basis of GDPR's stronger consent requirements, but interpreted through the lens of the to-be-replaced PECR. I suppose it's inevitable, but it seems a bit unnecessary. The ePR may come into force this year, and if not then in the next year or two, so for ICO to publish a new interpretation of PECR-post-GDPR right now seems weird.

I do actually think it's good practice to get consent before setting analytics cookies, but I agree that it could be quite a hit for many people. That said there's space for judgement here, not to mention ethics. We recently used the same control as ICO use (Cookie Control from Civic) on a site I work on. It is wired into Google Tag Manager to ensure that most cookies are only set after consent is given - but not GA. In the end we baulked at having that switched off on landing for the same reasons everyone else is concerned about. However CC lets you have two buttons: "review cookie settings", which in our case opens the panel that you see on the ICO site; and "Accept recommended settings". If someone clicks the latter then a pre-configured set of cookies are permitted and in some cases some javascript will run immediately. You could do this for GA too. I think most people click "Accept recommended" so you'd probably lose very little doing it this way.

I think it's worth repeating that GDPR and its attendant regulations etc are not about cookies per se. They are about personal data. You CAN use cookies without consent or indeed without even a legitimate interest if they are not "personal data". In that case they are outside the scope of GDPR. The trouble is that lots of cookies have an element of tracking in them, in that they hold some sort of an identifier. This includes (some) cookies concerned with web stats. For such cookies you need one or other of the legal bases that GDPR allows. ICO are suggesting that this means consent because web stats are not "strictly required", whilst the draft ePR suggests that this may not be the case when that comes into force; but don't take away the lesson that assume this means you need consent for all cookies. You don't. You need to know what you set (or enable to be set), what they do and why, and you need to be able to make a fair claim on one or other of the legal bases of which consent is one.

Conversely, it's not only cookies you need to worry about. There are other ways in which you could be "processing" personal data without using cookies, and that may well apply to some other means of doing web stats that people have mentioned. Sorry.

Cheers, Jeremy

 

* see http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241

**https://privacylawblog.fieldfisher.com/2019/the-future-of-the-eprivacy-regulation-and-the-impact-of-brexit-on-its-application-in-uk

Dr Jeremy Ottevanger

Director, Sesamoid Consulting Limited

t: +44(0)1787 475 487

m: +44(0)7865 887 887

e: [log in to unmask]

w: https://sesamoidconsulting.co.uk/

twitter: @jottevanger

LinkedIn: www.linkedin.com/in/jeremy-ottevanger

On 05/07/2019 07:26, Jim Richardson - MuseumNext wrote:

Hi All

 

I spotted this from the ico yesterday with clarification about what they expect in terms of GDPR related opt in.

 

The cookie notice they’ve put on their website as an example of best practice has users having to opt in for Google Analytics. Who’d opt in for that? 

 

I can’t think that I’ve seen anyone being as tight on GDPR permissions as they seem to be asking for here:

 

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like

 

Jim

 

-

 

MuseumNext

www.museumnext.com

 

 

---

To unsubscribe from the MCG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MCG&A=1

 

---

To unsubscribe from the MCG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MCG&A=1

 

---

To unsubscribe from the MCG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MCG&A=1

 

---

To unsubscribe from the MCG list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MCG&A=1