Confusion reigns, despite the fact that the ICO (the Information Commissioner's Office - the agency who will be responsible for enforcing the law) issued guidance on the new law in December, and that the Government Digital Service (GDS) have said how they are intending to comply. In fact, a lot of the confusion seems to come from two government agencies saying two seemingly different things.
The Privacy & Electronic Communications Regulations were intending to increase the control website users had over their information. The new European e-Privacy Directive contained in the regulations states that unless they are 'strictly necessary' for the functioning of our website, all cookies have to be consented to by the end-user. Last December, the ICO made it pretty clear in their guidance that analytics were not 'strictly necessary'. “Cookies used for analytical purposes,” they intoned, would be “unlikely to fall within the exception.”
Which seems pretty clear. Until the Government Digital Service disagreed. In a blog post titled “It's not about cookies, it's about privacy” the GDS said that they had decided that analytics cookies were minimally intrusive. They cited the ICO guidance that they would be “unlikely (There's that word again. Get used to it.) to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.”
The GDS also go further. They say that analytics are 'integral' to the services websites offer, and go further, in the blog post, calling them 'fundamental'. Which neatly dances around the ICO having decided that they're not 'strictly necessary' whilst all the time implying that, strictly, they are quite necessary.
The GDS, then, encourages website-owners to undergo and publish a cookie audit. This seems to chime nicely with the ICO's insistence that companies are to be seen to be trying to become compliant, even if they are not compliant just yet.
Questions swim around with regard to 'implied consent', whether users can be made aware that by using a website they implicitly give consent to have cookies stored by their browser. The GDS calls this the 'preferred method of compliance' before tucking away the information that the ICO doesn't consider it compliant at all, because people don't know enough about cookies to be able to give implicit consent to something they don't understand.
Despite these not-entirely-congruent messages, a consensus seems to be coalescing around a couple of courses of action. These are courses of action that it seems 'unlikely' (See?) will become the subject of ICO investigation.
Econsultancy are doing something similar to the GDS, and it involves the following steps:
- Make yourself familiar with the guidance. It's free, online, and contains actual examples of the sorts of things the ICO would like to see you doing.
- Undertake a privacy and cookie audit.
- Make it clear when and where you use cookies in a document that's prominently displayed on your website.
- Update your Privacy Policy, and display it prominently.
This seems to be the bare minimum that the ICO could accept, although it remains unclear whether it is what it will accept. Many are taking comfort in the GDS's stance. Others, like BT, have adopted an scalable opting in and out of cookies, and it's clear that this will get you closer to compliance.
However, as Ashley Friedlein points out, on a strict reading of the EU Cookie Law, even inviting users to opt out might not be strictly compliant. The only system that is would be entirely opt-in. And, as he points out, the only website he's found that runs a systems like that for analytics cookies is... the ICO's.
So, it looks like a mixture of fudging, broad interpretations of terms, and a reframing so that the Directive is about best practice in privacy generally, has allowed us to find some minimally-intrusive answers, and paths to compliance that might not prove utterly ruinous.
After the regulations were announced, the ICO commissioned a report from PricewaterhouseCoopers into what consumers understood about cookies. The short answer is that they don't. And until they do understand what information companies collect and how they use it, we can expect this to be an ongoing struggle.
Analytics are vital to developing businesses online. Understanding how your users interact with your site, how they find it, and what they do once they get there is of fundamental importance. It might not be strictly necessary for doing business online, but it is strictly necessary for doing it well and successfully.
All consumers are distrustful of impersonal systems making judgements about them. We don't like to think that algorithms know us better than we know ourselves. That's why when a wine merchant or butcher recommends something to us that they think we'll like, we're much more receptive than when Tesco Clubcard offers fall through the door. In one instance we feel valued, in the other exploited, and the only difference is the fact that we know a human made the judgement in one case, and that a computer did in the other.
In his book, Thinking, Fast And Slow, Daniel Kahneman devotes a whole chapter to why people think that human judgements are better than those made by formulas when, in many instances, the reverse is true. People distrust the collection of data, because it contradicts their innate belief that predictions made about them by data will be less good than predictions made about them by people.
The ICO say, if people really understood cookies, then they could imply consent, but until they do, they can't. The real worry is that when people actually do understand cookies, they will be even more reluctant to consent.
Still, for the moment, we seem to have found a workable answer. Or rather, we haven't. But we might, if the ICO believes the same things as the GDS. Which they are unlikely to not think. Probably. Maybe. Perhaps.
