A month to go on Cookie Law: Will Google Analytics get a free pass?

Slippery ICO can't be pinned in privacy mud-wrestle

Remote control for virtualized desktops

Analysis Website operators in Blighty have been continuously perplexed by the upcoming enforcement of the EU's cookie law on 26 May.

The Information Commissioner's Office granted affected firms a year-long breather to get themselves up to scratch back in 2011, but the clock is now ticking and the law – however watered down it might have become – is to be applied next month.

The ePrivacy Directive makes it clear that the storing and slurping of data on an individual web surfer's computer is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

Furthermore, that consent needs to be granted explicitly and must be unambiguous.

Last year, the new European Union rules were almost universally ignored by its 27 member states. As we reported at the time, just two countries implemented the whole package of telecoms reforms on the 26 May deadline.

Every other country failed to fully notify the EU that it would be transposing those rules into their own law.

Here in the UK, the government bullishly confirmed that it would give website operators a full year to prepare for the regulation before action would be taken by the ICO, the body tasked with enforcing the directive.

Now, just weeks before that becomes a reality, communications minister Ed Vaizey has met with key internet players at the launch of the ICC guidelines on the law to discuss the finer detail about what the rules mean for retail and advertising outfits that are concerned about having to explicitly ask before installing a cookie on a user's machine.

The Tory-led Coalition has always been clear that it wanted to place the onus on browser settings so that an individual could make an informed decision about being tracked by advertisers online.

A mechanism, dubbed Do Not Track, is being developed by browser-makers to achieve this.

But heated discussions about what that standard should look like continue to play out on both sides of the Atlantic and it's clear that an agreed specification for DNT won't be in place by the end of next month.

EU digital agenda commissioner Neelie Kroes has tried to hurry the debate along in a frankly face-saving exercise to get DNT approved by browser-makers given the thousand-yard stare many member states appear to have employed when looking at the rules as they apply to cookies.

Vaizey boldly proclaimed earlier this week that the UK government should be viewed by its European neighbours as an "example of effective implementation" of the regulation. He said that despite the ICO's frankly lax response to web analytics - a business in which Google is of course king.

Vaizey said earlier this week that he wished that web analytics fell into the so-called "strictly necessary category" on the ICO's guidelines on the legislation.

"[W]e need to understand that consent is not black and white. Both the ICO and I have said on several occasions that there is a sliding scale of intrusiveness which should inform the level of effort you go to," the minister said.

"Obviously something like analytics or feature based cookies are pretty low on that scale and I know that the ICO will take that into account. Of course that doesn’t mean that you don’t need to go to any effort at all but something which tracks how many users visit a page is hardly the priority here."

The Register asked the ICO to explain exactly what Vaizey's comments meant when it comes to enforcing the cookie law in Britain.

It gave us this meaty statement:

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies.

So there you have it. Ad brokers such as Google that slurp data from user's machines for the sake of web analytics are not considered a priority for the ICO when it comes to policing these new rules, which is interesting in light of French data information watchdog CNIL's current probe of Mountain View's recent tweak to its privacy policy.

Specifically, CNIL asked Google to explain if it "combines information gathered through Google Analytics with information related to users (authenticated, non-authenticated or passive) gathered through other services, notably to provide tailored content".

The deadline for an answer from Google is due today.

We put this to the ICO and asked how closely it was considering this investigation in relation to enforcing the cookie law. It said:

Any organisation that processes people's personal data must be open and upfront about how this information will be used and for what purpose. The ICO and the other European Data Protection Authorities, represented on the Article 29 Working Party, are aware that Google has recently changed their privacy policy and have made efforts to communicate these changes to their customers.

At the request of the Article 29 Working Party the French Data Protection Authority, the Commission Nationale de l’information et des liberties (CNIL), is currently speaking with Google on behalf of all the European supervisory authorities to ensure that these changes, and the manner in which they have been communicated, comply with the requirements of European Data Protection law.

It is nevertheless important that people read the information organisations provide them with before agreeing.

Beginner's guide to SSL certificates

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story


Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.