One firm (BLP) has named its cookie script -
Has anyone else come across other examples of cookie law humour?
(Added) A version of this blog post has been published by Society for Computers & Law.
The grace period in the UK for complying with the EU cookie law expired towards the end of May 2012. When even UK government sites are behind in complying, how are organisations meeting the challenge - or are they? For instance, KPMG reported on 6 June that, of the 55 major UK organisations whose websites it analysed, 80% were not compliant, where compliance in KPMG's view meant "gaining users' consent and giving them the option to change cookie settings".
On the basis that top London technology law firms and data protection law experts might be more motivated than most to be seen to be compliant, I investigated their websites - 29 firms in total. I also had a quick look at some data protection regulators' websites.
I have not yet analysed the content of those firms' cookie or privacy policies, just their chosen compliance mechanics, although the adequacy of information given in those policies of course affects compliance.
Embedded at the end of this blog is a table of the results, for ease of reference. However the full webpage, setting out how top London IT law firms are complying with the cookie law, will be more easily usable - the table can be viewed horizontally in full there, and includes further notes on abbreviations, methodology etc.
The following are some key points and lessons learned that may be drawn from the survey results.
Almost all of the firms involved set at least one session cookie immediately on visiting their site, reflecting the dependence of many sites on cookies. This was so even for firms with explicit consent mechanisms.
Lack of clear links to privacy or cookie policies may not necessarily indicate non-compliance.
The firm concerned might have chosen not to set many cookies in the first place, eg only a few session cookies, and so may have decided that it didn't need a cookie notice.
6 firms (ie 21% of those surveyed) used "pop-up" messages. Only 2 of these firms (7%) centred their messages in the middle of the webpage; the other 4 firms (14%) displayed their messages at the bottom of the page. In 2 cases, the message was not even "sticky", ie it did not follow the viewer, but disappeared from view if they scrolled down the page (perhaps an inadvertent coding issue).
9 firms (31%) included "Cookie" or "Cookies" in a link, of which 4 (14% of all firms surveyed) highlighted the link using a different colour, symbol or uppercase. 3 of those firms positioned the Cookies link at the top of their webpages, 2 included the link both at the top and bottom, and the rest at the bottom only. In other words, only 5 firms (17%) had a clear Cookie link at the top of their webpages. One firm had an interesting hybrid solution with a short notice and cookies policy link at the bottom of its webpages, plus a button to disable cookies from the site.
Even firms with "pop-up" messages set session cookies automatically, on arrival at the website.
1 firm simply stated in its message (with a cookie notice link) that clicking elsewhere on the page would constitute consent, and set cookies once the visitor did so. Its "Cookie Consent Tool", although separate from the notice, did allow users to accept particular cookies in a granular fashion (although only one was listed, ie Google Analytics).
Only 2 firms offered Yes/No options, ie the option to refuse. Selecting the No option resulted in a cookie being set, to record the refusal. One provided a "What happens if I say No?" message, and the option for the visitor to record their preference permanently.
3 firms offered no "No" buttons, but simply displayed one button with "Yes" or similar, so that therefore clicking the button would be consent - ie "OK hide this message", "If you are happy with cookies please click 'Proceed'" (with a Proceed button), and "I consent to cookies from the site" (with a Continue button).
These messages might suggest that cookies would be set only if the visitor clicked Yes or Proceed etc, but in fact cookies other than necessary session cookies (notably Google Analytics and AddThis) could still be set automatically, before the visitor had consented. Indeed, in one case, all the Proceed button seemed to do was dismiss the cookie message; cookies were set anyway, whether the visitor clicked the button or not.
Of firms choosing to provide a consent mechanism, in fact only 2 firms correctly stopped all cookie-setting scripts from running unless and until the visitor clicked Yes, Proceed or the like. It is not clear whether this reflects defects in their implementation, or deliberate decisions on their part.
While 1 firm offered a "disable cookies" button, clicking it did not seem to stop Google Analytics from setting cookies nevertheless.
This indicates that even firms whose messages appeared to withhold cookies until the user had consented nevertheless set non-necessary cookies, so their mechanisms may not work as effectively as they first appear. The practical check is simple: clear all cookies, load the page, and look at what has been set before any button is clicked.
The above suggests that most of the firms surveyed decided to rely on notification or implied consent only (nearly 80%, more if you count the firms that seemed to use explicit consent mechanisms but set non-necessary cookies anyway!). This may be a sensible pragmatic decision, as recent research by tag management firm Qubit, reportedly based on over 1/2 million user interactions since the grace period ended, has indicated that:
Google Analytics was by far the most popular web analytics service, used by 25 of the firms ie 86% (see the preponderance of yellow highlights in the table).
Only 4 firms (14%) didn't use it, apparently using their own solutions or IBM-owned unica.com, the second most popular analytics/marketing service (which some other firms used in addition to Google Analytics).
Google Analytics scripts set cookies as standard, and technically Google Analytics cookies are first party rather than third party cookies, although it is not clear whether regulators view them as first or third.
I have not yet checked what information the firms concerned have provided in their cookie policies regarding their use of Google Analytics, and in particular to what extent they have disabled sharing of their analytics data with Google. In my view that would be an important disclosure to make.
A few firms had blogs or sub-sites hosted by a third party service.
Free external blogging platforms often set several cookies, and it is generally impossible for the blogger to control what cookies are set. This is only within the control of the platform, which may provide bloggers with such control if it wishes (but invariably doesn't). The blogger's only choice is which platform to use, and personally I feel that the main responsibility for compliance here ought to be on the blogging platform rather than the blogger.
These externally-created scripts often set cookies. However, firms did not necessarily prevent such scripts from running until the visitor had consented - even firms that displayed a specific cookie message.
While I have not checked the content of all these firms' cookie or privacy policies yet, I would hazard a guess that not all firms will have disclosed the setting of these social media cookies.
Yet these cookies can potentially be as privacy-invasive as behavioural advertising cookies are generally considered to be. Recall for example the debacle regarding the NHS's insertion of Facebook Like code on their site, enabling Facebook to track people across sites.
Again, this raises the issue of responsibility for third party scripts which a site or blog includes on its own webpage. Personally, I believe the main responsibility should lie with the third party service that produces the script and controls the script's functions, including the cookies it sets and reads. This is particularly so in the case of individual bloggers or SMEs with little IT expertise. They are not in a position to evaluate the purpose or effect of a third party script that is marketed to them only as a tool for adding sharing buttons, making it quicker and easier for visitors to share or publicise the site.
From the site's viewpoint, it is possible to include social sharing buttons without running the service's scripts (and setting their cookies). A couple of the firms surveyed in fact did so.
As for other third party web services, several firms included Google Maps or Google Custom Search on their sites. The Google code may allow Google to set cookies.
Again, have these firms prevented the Google scripts from running until the visitor has consented (if choosing to offer an explicit consent mechanism)? Can they implement these third party services in a way that doesn't set Google cookies? (at least one of the firms involved had, but others hadn't). Firms using Google services need to consider this issue, but it seems not all have.
Consistency matters. If a site chooses to include a cookie message, or pause setting of cookies until consent is given, it needs to check that all its pages and sub-sites include it.
As flagged above, this wasn't always the case, eg a firm's sub-site might set Google, Google Analytics or AddThis cookies without any cookie message, and indeed even if the visitor had clicked No to refuse consent!
While I didn't go into this level of detail in the table, HR and PR/marketing departments' pages, in particular, seemed to be the main sub-sites that set cookies without messages or consenting button clicks, particularly through including social media sharing buttons.
We don't yet know what view the ICO will take of these various mechanisms and their effectiveness (or not), but I await with great interest reports on the responses to the ICO's letters to various organisations on their cookie law compliance (see the list of organisations and link to letter).
Note that in Firefox, a google.com "PREF" cookie, which Google says is meant to save language preferences and the like, will from time to time suddenly be set, even if you have only a blank tab open.
It's not set by any website you happen to be visiting - it's Google who's setting these cookies. They are saved even if you don't have any webpage open!
In Firefox 13, even after deleting all cookies, turning off Firefox's New Tab page and disabling Safe Browsing, I found that this cookie kept re-appearing. So the previous fix of disabling Safe Browsing in order to stop this cookie no longer works in Firefox 13, from my testing yesterday.
As for the Chrome browser, although a few months ago Chrome did not automatically set this cookie, the Attacat Cookie Tool kept reporting Google cookies ("NID" and "PREF") even when only a blank tab was open and no cookies were visible via Chrome's settings page! So perhaps it's now impossible to prevent these cookies in Chrome too. (This could be an issue with Attacat's tool, though; I'll report it to them.)
However, it seems Internet Explorer doesn't get any PREF cookies, for now. I haven't tested it in Opera yet.
So - should there be a cookie law notice & consent for the PREF cookie? And who should be responsible for that?
Many sites use Google Analytics for their web metrics / analytics, because it's useful and free. Even the UK data protection regulator, the ICO, uses Google Analytics.
You can see that this code references a "ga.js" script from google-analytics.com, a Google website.
When someone visits your site, containing your Analytics code, their browser downloads and runs that code. That code in turn tells it to fetch and run the ga.js script from Google's google-analytics.com site.
That ga.js script will then read/set/update Analytics cookies via the visitor's browser.
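The load just described is exactly what a consent mechanism has to gate, and it is the step several of the surveyed firms got wrong: the Proceed button hid the banner, but the analytics snippet had already run at page load. The following is an added example (not code from the original post, and not Google's snippet) showing the two patterns side by side and the first-party cookie that records the visitor's choice, including a refusal. Assumed, not from the page: the consent cookie name "cookie_consent", the one-year lifetime, the ga.js URL on ssl.google-analytics.com as used by the classic snippet, the banner button ids, and that the site is served over HTTPS (required for the Secure flag).

```javascript
// Added example: consent-gated loading of ga.js. Not the original post's code.
// Assumptions: cookie name, lifetime, ga.js URL, banner element ids, HTTPS site.

const CONSENT_COOKIE = 'cookie_consent';                    // assumed name
const GA_SCRIPT = 'https://ssl.google-analytics.com/ga.js'; // classic snippet URL (assumed)

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// 'yes', 'no', or null when the visitor has not decided yet.
function getConsent(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === 'yes' || v === 'no' ? v : null;
}

// The first-party cookie that records the choice. A "no" is stored as well,
// otherwise the banner would return on every page; that one cookie is the
// strictly necessary exception, not a tracking cookie.
function consentCookie(choice, days) {
  if (choice !== 'yes' && choice !== 'no') throw new Error('choice must be "yes" or "no"');
  const maxAge = Math.floor(days * 86400);
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// What the survey found on several sites: the analytics tag is injected on
// every page load and the "Proceed" button does nothing but hide the banner.
// Returns the scripts that run on this page load and whether the banner shows.
function naivePageLoad(cookieString) {
  return { loaded: [GA_SCRIPT], showBanner: getConsent(cookieString) === null };
}

// The gated version: nothing non-necessary runs until a "yes" is on record, and
// a recorded "no" keeps it off without re-asking. Session cookies needed for the
// site to work are out of scope here; they are not in the nonNecessary list.
function gatedPageLoad(cookieString, nonNecessary = [GA_SCRIPT]) {
  const consent = getConsent(cookieString);
  return { loaded: consent === 'yes' ? nonNecessary.slice() : [], showBanner: consent === null };
}

// Browser glue (not exercised by the offline checks). Same shape as the usual
// async snippet (create a <script>, set src, append it) but only when
// gatedPageLoad says so. Expects buttons #cookie-yes / #cookie-no and a
// container #cookie-banner (assumed markup).
function installInBrowser(doc, nonNecessary = [GA_SCRIPT]) {
  const inject = (src) => {
    const s = doc.createElement('script');
    s.async = true;
    s.src = src;
    doc.head.appendChild(s);
  };
  const decide = (choice) => {
    doc.cookie = consentCookie(choice, 365);
    gatedPageLoad(doc.cookie, nonNecessary).loaded.forEach(inject);
    const banner = doc.getElementById('cookie-banner');
    if (banner) banner.hidden = true;
  };
  const state = gatedPageLoad(doc.cookie, nonNecessary);
  state.loaded.forEach(inject);
  if (state.showBanner) {
    doc.getElementById('cookie-yes').addEventListener('click', () => decide('yes'));
    doc.getElementById('cookie-no').addEventListener('click', () => decide('no'));
  }
  return state;
}
```

In a browser, installInBrowser(document) is called once per page in place of the analytics snippet. The gate only holds if the snippet is not also pasted elsewhere: an AddThis button, a Google Maps embed or an HR sub-site with its own copy of the tag will set cookies regardless, which is the inconsistency described further down the post.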
That depends on your definition.
EU privacy regulators the Article 29 Working Party (A29WP) say (my emphasis):
This matters because first party cookies are considered less invasive than third party cookies, for cookie law purposes, so that eg fewer hoops may need to be gone through in order to show that you've obtained user consent to those cookies. Generally, third party cookies are considered to pose greater privacy risks than first party.
But, from a technical viewpoint, "Google Analytics uses first-party cookies". This is because, strictly speaking, Google Analytics cookies are stored under your website's domain, not Google's: ga.js writes them through the visitor's browser against the page it is running on, and a script can only write cookies for the domain of the page that embeds it. Technically, whether or not legally, Google Analytics cookies are first party.
For example, below is a screenshot showing the cookies set via Google Analytics once you've accepted cookies on the ICO website. The first four, beginning _utm, are all Google Analytics cookies, but you'll see that they're associated with ico.gov.uk rather than google.com or google-analytics.com. (Here are some explanations on how Google Analytics cookies are first party not third.)
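The browser does not care which script wrote a cookie; it decides whether a cookie belongs to a page by domain-matching the cookie's domain against the page host (RFC 6265 section 5.1.3), and it applies the same test when a script tries to set one, which is why ga.js on ico.gov.uk ends up with ico.gov.uk cookies and could not write a google.com cookie if it tried. The following is an added example, not code from the original post, that applies that rule to a cookie list constructed for the example from names the post mentions (_utm* on ico.gov.uk, PREF and NID on google.com); it is not a capture of the real ICO site, and the presence of google.com cookies on that site is assumed for illustration.

```javascript
// Added example: first-party vs third-party decided the way the browser decides
// it. Sample cookies are constructed, not captured.

// Lower-case the host and strip a leading dot, as browsers do for Domain=.
function canonicalHost(h) {
  return h.toLowerCase().replace(/^\./, '');
}

// RFC 6265 s5.1.3: host domain-matches cookieDomain if they are equal, or host
// ends with "." + cookieDomain (IP-address hosts are ignored in this example).
function domainMatches(host, cookieDomain) {
  const h = canonicalHost(host);
  const d = canonicalHost(cookieDomain);
  return h === d || h.endsWith('.' + d);
}

// A cookie is first-party to the page iff it would be sent with requests to
// the page host, i.e. its domain domain-matches that host.
function classify(cookie, pageHost) {
  return domainMatches(pageHost, cookie.domain) ? 'first-party' : 'third-party';
}

// A script writing document.cookie may only name a Domain that domain-matches
// the document's host; anything else is rejected (RFC 6265 s5.3 step 6).
// Cookies on another domain can therefore only arrive via Set-Cookie headers
// on responses fetched from that domain, never via the embedded script itself.
function canSetViaDocumentCookie(documentHost, requestedDomain) {
  return domainMatches(documentHost, requestedDomain);
}

// Constructed sample modelled on the cookies named in the post.
const SAMPLE_COOKIES = [
  { name: '_utma', domain: 'ico.gov.uk' },
  { name: '_utmb', domain: 'ico.gov.uk' },
  { name: '_utmc', domain: 'ico.gov.uk' },
  { name: '_utmz', domain: 'ico.gov.uk' },
  { name: 'PREF', domain: '.google.com' },
  { name: 'NID', domain: '.google.com' },
];

// Tag each cookie with its party relative to the page host.
function report(cookies, pageHost) {
  return cookies.map((c) => ({ name: c.name, party: classify(c, pageHost) }));
}

// Names of the third-party cookies in a list, for a quick audit summary.
function thirdPartyNames(cookies, pageHost) {
  return report(cookies, pageHost)
    .filter((r) => r.party === 'third-party')
    .map((r) => r.name);
}
```

Note that this is the technical test only; it says nothing about who analyses the data, which is the distinction the A29WP text quoted next turns on.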
Now for some further statements from the A29WP:
So the big question is, for cookie law purposes, are Google Analytics cookies considered first party, or are they "first party cookies with the analysis performed by another party" or third party analytics, which regulators will come down harder on?
Let's check the ICO guidance:
That doesn't necessarily clarify the position, as arguably Google "sets a cookie through [a Google Analytics user's] website".
What's more, the ICO goes on to say:
Given the ubiquity of Analytics cookies, it would be helpful if regulators would confirm whether, for cookie law purposes, they're treated as first party or third party, and who's considered to be the person setting the cookie - the person who included the Analytics code on their website, or Google, who actually wrote, hosts and generally controls that code and what it does?
It's not just Analytics scripts - lots of services offer scripts or other code for website owners to insert into their webpages. It's the service who controls that code, not the site owner. Lots of site owners are individuals, eg bloggers or SMEs, with little technical expertise. They wouldn't know how to dissect the service's script if they tried.
Their only choice is as to whether to use the script, which third party services may market heavily as helping to promote individual sites - or not. But individual sites may not have the technical or legal expertise to make that decision properly. I have in mind here AddThis, ShareThis, Twitter, Facebook and other services that offer social media "buttons" to sites and blogs - code that can be inserted to show the button, and do whatever else the third party service wants it to do.
I also, with respect, take issue with "In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this." (In this case, I'm using "third party" to refer to the service that provided the script or other code.)
It's not. It's the third party who wrote the script it offers to sites. The script is its direct interface. It has the practical and technical ability to tweak its script to, eg, pop up a request to the website user to accept cookies set by its script, identifying itself so the user knows who is responsible for the script.
As for "Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent" - that's even worse. Given what I've pointed out, that sentence seems to me to be the wrong way round, and very unfair on SMEs and bloggers. I feel it should be for Google and similar services to change their scripts so that information is given and consent requested - it's easy for them to do, and they ought to take at least some of the responsibility. Why aren't they doing something?
This is the kicker, to me. Rather than "first party" or "third party" distinctions, surely what matters more is how someone other than the site owner could potentially use that data, ie what can the third party services, that provide scripts to sites, do with the data they gather via their scripts? To what extent can they use the data for their own purposes, and not just the site's?
The A29WP do touch upon third party analysis or use of first party cookies and "third party analytics", but it should be remembered that the cookie law extends to non-personal data as well as personal data, and that its terms don't confine its scope to "controllers" (joint or not), or even "processors". As I've pointed out above, it is the analytics provider who creates and controls the code used by sites, so it would make sense for it to bear more responsibility than sites or blogs who may not have much technical knowledge.
This blog shows that, in practice, Google Analytics data is shared with Google as standard - sharing is ticked by default, and site owners must take active action to disable sharing data with Google, ie not exactly privacy by design or privacy by default! And it seems quite a long-winded, difficult and involved process to stop Google Analytics data sharing (scroll down the page for instructions).
I've disabled sharing Google Analytics data with Google as far as I can for my main site (indeed I've not even added working Analytics code to that site yet). But for users of Blogger.com it's just not possible to prevent the sharing, as no settings are provided to do that. Also, Blogger Stats (which uses Analytics) is "fully integrated with Blogger; you don't need to do anything to enable it for your blog" - put another way, analytics collection can't be turned off on Blogger blogs.
Google clearly states on the Analytics settings pages (quoted in the blog linked above) that it uses sites' Google Analytics data to "improve" its service.
This is what Google's contract terms for UK Analytics customers provide (my emphasis):
Some might feel this isn't quite the same as what's in its FAQs. The phrase "providing other services relating to website activity and internet usage" in the terms is very, very broad, and could cover "improve the service" and create "more powerful features" as well as much more ("other services relating to internet usage" is very wide indeed).
Yet the FAQs and settings pages seem to suggest to those using Google Analytics for their sites that Google won't use the data except for the limited purposes stated in the FAQs, and that if sites decide to disable sharing, this will prevent Google using it for its own purposes.
The terms do state the data will not be shared with third parties without consent (or required by law etc etc). But, strictly, they don't stop Google from using the data for its own purposes to help it provide "services relating to internet usage", even if the site using Google Analytics has disabled sharing in their settings - unless Google's provision of those settings can be taken as Google's representation or implied undertaking that it won't use a site's Analytics data for other purposes if the site has in fact turned off sharing in the settings.
Acumen Professional Intelligence Limited
AOL (UK) Limited
Apple (UK) Limited
Associated Newspapers Limited
Automobile Association Developments Limited
Barclays Bank PLC
BBC Radio 1
Belfast City Council
Boots UK Limited
British Airways PLC
British Broadcasting Corporation
British Sky Broadcasting Limited
Channel Four Television Corporation
Department For Transport
Deputy Company Secretary
Derry City Council
Direct Line Insurance Plc
Domino's Pizza Group Limited
Dumfries and Galloway Council
easyJet Airline Company Limited
Ebay (UK) Limited
Everything Everywhere Limited
Facebook UK Ltd
Google UK Limited
Group Regulatory Relations
Hallmark Cards PLC
Haymarket Media Group Ltd
HSBC Bank PLC
IPC Media Ltd (NME)
Jamie Oliver Enterprises Limited
John Lewis PC
Lloyds TSB Bank PLC
Merthyr Tydfil County Borough Council
Mind Candy Limited
National Assembly for Wales
National Westminster Bank PLC
Network Rail Limited
Next Group PLC
Northern Ireland Assembly
Public Service Ombudsman Wales
Rightmove Group Limited
Royal Society For The Protection of Birds
Sainsburys Supermarket Limited
Scottish Public Services Ombudsman
Tesco Stores Limited
The Cabinet Office
The National Trust For Places of Historic Interest or Natural Beauty
The Office Of The Ombudsman For NI
Trader Publishing Ltd
TSL Education Limited
Turner Broadcasting System Europe Ltd
Virgin Media Limited
William Hill (Bookmakers) Ltd
Yahoo UK Limited
For more info, see my summary of the EU cookie law.