This latest privacy post form me comes after a great deal of deliberation. It follows discussions with the UK’s privacy protection agency (ICO - principally David Evans), peers at events e.g. eMetrics Summit, and with reference to the latest and much improved ICO guidance document (PDF).

Background on the EU Privacy Law…

As you may be aware, in May 2011 a new EU privacy directive came into force – officially known as Privacy and Electronic Communications Regulations (PECR), though often referred to as the “EU cookie law” as it implies that setting website cookies without a visitors consent would be illegal in all 27 EU member countries.

As you can image, that caused quite a furore in the digital industry, where cookies have become almost as fundamental as HTML and JavaScript. At the time, I wrote about my understanding and views on the matter – specifically in relation to Google Analytics. All this happened last year and throughout 2011 there has been a lot of discussion on the matter. In fact, the ICO (the UK’s privacy protection agency) allowed a one year grace period of not enforcing the law to get things in order – that expired on May 26th 2012.

Distilling the discussions that have been going on, it comes down to two fundamental points:

  1. The PECR is now law (in fact since May 25th 2011) in all 27 EU member states – and is here to stay.
  2. Its aim is to protect the privacy of individuals on the web from people and organisations that collect personal information about them, or use  ”behavioural targeting” techniques to profile a visitor across the web.

In principal, this is a good and much needed law. The difficultly comes in wording the guidelines in a technology-agnostic way and one that deters privacy abuse while protecting the legitimate need of website owners to know what is going on with their website i.e. at a basic level, how many visitors. My previous post on this subject clarifies the main points of what this law represents.

To summarise my previous comments, this law is about:

Behavioural targeting and the abuse of private information is what this law is about. Benign, anonymous, aggregate reports – such as that provided by Google Analytics is not the target of this law.

Note, although my comments are from a UK perspective, they are applicable to all EU member countries (its the same law!). Even outside the EU, goverments are looking closely at what happens here to establish similar legitimate privacy laws. Therefore, understanding this is important for knowing the direction web privacy is inevitably going…

 

wa-users

What this means for Web Analytics users

Contrary to what has been reported (and even enacted on some sites), you do not need to seek explicit consent to set an anonymous, benign first party cookie.

I must emphasize my use of anonymous and benign first party cookie parts. Anonymous means just that. It does not include an anonymised uniqueID that can be tied back to an individual via your CMS system! The use of a first party cookie means that the website the visitor is actually viewing is the website that sets the cookie – not another website or advertiser. In others words, the setting of the cookie(s) is completely controlled by your organisation and that process is transparent to the visitor – and readily available i.e. not buried deep in a privacy policy that is difficult to find or comprehend.

My view on this is taken from the section entitled “Implied consent as a basis for compliance…” (page 6) of the ICO guidance document (PDF – v3 May 2012). Specifically:

“While explicit consent might allow for regulatory certainty and might be the most appropriate way to comply in some circumstances this does not mean that implied consent cannot be compliant.”

As I discuss in the background section, this law is not about benign first party tracking techniques.

If cookies are not completely anonymous and are not first party (set by your own website domain), you need explicit consent from each visitor.

 

google-analytics-icon

What about Google Analytics users…?

The good news is, that by default Google Analytics does not collect personally identifiable information (PII) and uses only 1st-party cookies. In addition, all reported data is aggregate. That means it is grouped data and not that of individuals. Following the guidelines of the ICO, this means explicit consent is not required if you only use Google Analytics.

However, five common pitfalls to avoid:

1. Even if only Google Analytics is in place, it is possible to capture PII inadvertently with Google Analytics – all URL information is captured by GA. Therefore, ensure you have checked your data for any PII. For example check your Content > Pages reports and Content > Events reports for captured usernames or email addresses. Remove any such tracking. Collecting PII is also against the Google Analytics Terms of Service. The most common method is to use a re-write filter to remove the personal information.

2. Often there are other tools or scripts in place that set cookies that may not be anonymous or first party. These should be assessed separately to GA – see the next section, “What if I use 3rd-party networks…?”

3. Site owners must have a best practice privacy policy in place and be easily accessible – read my explanation and anatomy of a privacy policy in detail.

4. If any PII is captured, explicit consent must be requested. This can be as simple as the visitor completing a purchase or a subscription. That is, visitors are completely aware they are handing over their PII and agree to do so by making their purchase (I agree that this is not strictly speaking ‘explicit’ consent. However, the action of completing a purchase is so obvious to the visitor that it goes way beyond implied consent). If the collection of PII is not so obvious, consent must be asked for.

5. If PII is captured by consent, it must not be used to backfill data i.e. to track the visitor prior to their point of consent. Although disallowing a retrospective backfill is not currently described in the ICO guidance document (PDF), I expect this to come into place soon.

 

What if I use 3rd-party Networks…?

This is probably the most trickiest part of compliance because so many websites embed 3rd-party content…

Ad Networks, such as Google’s DoubleClick and AdSense use 3rd-party cookies that track individuals. Plugins, such as Disqus, AddThis, ShareThis, LivePerson Chat are also common site plugins that use 3rd-party cookies, as is embedding YouTube content and feedback surveys from vendors such as Kampyle and KISSmetrics. That means, if you are a visitor to a site that has embedded one or more of these, your individual browser behaviour is being tracked around the web – anonymously in the examples given.

Disqus - scary privacy implications

Example: The Disqus pop-up. Scary privacy implications…!

There are many more examples. In fact, the use of 3rd-party cookies is so prolific its hard not to come across them! For example, social plugin buttons such as tweet me, follow me, Like, Google plus, LinkedIn, often set 3rd-party cookies (who isn’t trying to exploit the power of social these days?) Also certification logos, such as those provided by Security Metrics to certify PCI compliance, set a 3rd-party cookie.

Based on ICO guidance, if you have embedded any of the above 3rd-party networks/plugins into your site, explicit consent must be sort. This is because they are not first-party techniques and so there are privacy implications for visitors. That is, having their behaviour profiled across different unrelated websites across the web requires explicit consent.

What is not very clear at this time, is who is responsible for the obtaining consent to set the 3rd-party cookies – the 3rd-party network, the website hosting the content that the visitor is viewing, or both. According to ICO guidelines, “The person setting the cookies is primarily responsible” (page 13). However that is impractical for 3rd-parties who do not have any direct relationship with the visitor – for example, AddThis claim its plugin buttons are hosted on 14 million websites. And consider that the visitor may not even be aware there is a 3rd-party involved. Hence, my view is that this is the responsibility of the website hosting the content.

To discover which advertisers use behaviour targeting i.e. set 3rd-party cookies on websites, the Network Advertising Initiative has an industry sponsored Opt Out of Behavioral Advertising list. The list is provided and updated voluntary by advertisers and is not a complete list of all organisations that set 3rd-party cookies, or perform behavioural targeting.

What about mobile content?

The law applies equally to mobile websites. Mobile apps can be considered differently as explicit consent is already required by the user in order to install the app. Therefore additional consent is not applicable.

The bottom line…Audit your privacy!

Any web analytics tool or script can be used to breach a visitor’s privacy. Therefore audit your website(s) to demonstrably show what cookies (and any other storage mechanisms) are being set.

Follow these 6 steps:

  1. Know what tracking methods (tools and scripts) are in place in addition to Google Analytics (audit your website).
  2. For each tool/script in place that tracks a visitor, you must assess if the data collected is anonymous and first party. If “yes” to both criteria, no explicit consent is required.
  3. If “no” to the above criteria, you will need to provide a consent mechanism. The ICO guidance document has some good and non-obtrusive examples to illustrate this.
  4. During an audit, I often find numerous legacy and redundant scripts on pages that are no longer used by the website owners, but are still setting and collecting data. Unless you are using these, remove them to save the headache of managing the privacy implications.
  5. If Google Analytics is in use, confirm no PII is collected. If no PII is collected, no explicit consent is required for Google Analytics tracking.
  6. Ensure you have a best practice privacy policy in an easy to find place – written for the user, not for the legal team!

In Summary

This update from me is to confirm that using Google Analytics on your website (being anonymous, aggregate reports) is absolutely OK – both in the spirit of the EU privacy law and in practice. However, it is the prevalence of 3rd-party tools and 3rd-party embedded content that require careful consideration. That is exactly what this law is intended for.

Some reference material for further reading

  • ICO - the latest guidance information form the ICO. Also PDF download
  • GDS - excellent blog post form the Cabinet Office (UK government)
  • Econsultancy - good discussion document that hopefully led in part to the ICO substantially improving it recommendations (specifically about implied consent)