Friday, 22 June 2012

Cookie law humour

A few organisations are at least approaching the problematic EU cookie law with a modicum of humour, as I found when investigating the compliance methods used by top tech law firms and others.

One firm (BLP) has named its cookie script -
"hungry.js".

The Register tech news website uses
"http://www.theregister.co.uk/EUCookieMonster/nom"
for the directory and sub-directory holding the script to handle the consent click.

Has anyone else come across other examples of cookie law humour?

Tuesday, 19 June 2012

Cookie law - how top London tech law firms are complying - survey

(Added) A version of this blog post has been published by Society for Computers & Law.

The grace period in the UK for complying with the EU cookie law expired towards the end of May 2012. When even UK government sites are behind in complying, how are organisations meeting the challenge - or are they? For instance, KPMG reported on 6 June that, of the 55 major UK organisations whose websites they analysed, 80% were not compliant, which in KPMG's view meant "gaining users’ consent and giving them the option to change cookie settings".

On the basis that top London technology law firms and data protection law experts might be more motivated than most to be seen to be compliant, I investigated their websites - 29 firms in total. I also had a quick look at some data protection regulators' websites.

I have not yet analysed the content of those firms' cookie or privacy policies, just their chosen compliance mechanics, although the adequacy of information given in those policies of course affects compliance.

Embedded at the end of this blog is a table of the results, for ease of reference. However the full webpage, setting out how top London IT law firms are complying with the cookie law, will be more easily usable - the table can be viewed horizontally in full there, and includes further notes on abbreviations, methodology etc.

The following are some key points and lessons learned that may be drawn from the survey results.

Immediate session cookies

Almost all of the firms involved set at least one session cookie immediately on visiting their site, reflecting the dependence of many sites on cookies. This was so even for firms with explicit consent mechanisms.

Lack of cookie notice, and cookie minimisation

Lack of clear links to privacy or cookie policies may not necessarily indicate non-compliance.

The firm concerned might have chosen not to set many cookies in the first place, eg only a few session cookies, and so may have decided that it didn't need a cookie notice.

Methods of compliance

Most of firms involved simply displayed a link marked "Cookie Policy" or similar.

6 firms (ie 21% of those surveyed) used "pop-up" messages. Only 2 of these firms (7%) centred their messages in the middle of the webpage; the other 4 firms (14%) displayed their messages at the bottom of the page. In 2 cases, the message was not even "sticky", ie it did not follow the viewer, but disappeared from view if they scrolled down the page (perhaps an inadvertent coding issue).

9 firms (31%) included "Cookie" or "Cookies" in a link, of which 4 (14% of all firms surveyed) highlighted the link using a different colour, symbol or uppercase. 3 of those firms positioned the Cookies link at the top of their webpages, 2 included the link both at the top and bottom, and the rest at the bottom only. In other words, only 5 firms (17%) had a clear Cookie link at the top of their webpages. One firm had an interesting hybrid solution with a short notice and cookies policy link at the bottom of its webpages, plus a button to disable cookies from the site.

The other 14 firms (48%) only displayed a "Privacy Policy", "Privacy Statement" or similar link at the bottom of their webpages, without specifically mentioning "cookies", or else (in 3 cases, ie 10%) displayed no privacy policy link on their home pages at all.

Compliance mechanics - types and effectiveness

Even firms with "pop-up" messages set session cookies automatically, on arrival at the website.

Most pop-up messages stated that use of the site (and/or clicking elsewhere on the page) would be taken as consent or result in their use of cookies, ie implied consent.

1 firm simply stated in its message (with a cookie notice link) that clicking elsewhere on the page would be consent, and activated cookies on the visitor so clicking. Its "Cookie Consent Tool", while separated from the notice, did allow users to accept particular cookies in a granular fashion (although only one was listed, ie Google Analytics).

Only 2 firms offered Yes/No options, ie the option to refuse. Selecting the No option resulted in a cookie being set, to record the refusal. One provided a "What happens if I say No?" message, and the option for the visitor to record their preference permanently.

3 firms offered no "No" buttons, but simply displayed one button with "Yes" or similar, so that therefore clicking the button would be consent - ie  "OK hide this message", "If you are happy with cookies please click 'Proceed'" (with a Proceed button), and "I consent to cookies from the site" (with a Continue button).

These messages might suggest that cookies would be set only if the visitor clicked Yes or Proceed etc, but in fact cookies other than necessary session cookies (notably Google Analytics and AddThis), could still be set automatically, even before the visitor had consented. Indeed, in one case, all the Proceed button seemed to do was to get rid of the cookie message; cookies were set anyway, whether the visitor clicked the button or not.

Of firms choosing to provide a consent mechanism, in fact only 2 firms correctly stopped all cookie-setting scripts from running unless and until the visitor clicked Yes, Proceed or the like. It is not clear whether this reflects defects in their implementation, or deliberate decisions on their part.

Only 1 firm made it impossible (if Javascript is enabled) to click through to other parts of its site without clicking Continue, ie explicit consent to cookies was effectively made a pre-condition to allowing visitors to use the site. (With messages at the top of the bottom the site is still usable without clicking anything. This centred modal message is in my personal view the best way to ensure clear explicit consent, nudging the visitor to click Continue or Close without interfering too much with usability or the user experience; that method is also used by the Financial Times.)

While 1 firm offered a "disable cookies" button, clicking it did not seem to stop Google Analytics from setting cookies nevertheless.

The above therefore indicates that even firms which appeared, from their messages, to prevent cookies being set until the user had consented, nevertheless set non-necessary cookies, so their mechanisms may not work as effectively as might initially seem to be the case.

Implied consent

The above suggests that most of the firms surveyed decided to rely on notification or implied consent only (nearly 80%, more if you count the firms that seemed to use explicit consent mechanisms but set non-necessary cookies anyway!). This may be a sensible pragmatic decision, as recent research by tag management firm Qubit, reportedly based on over 1/2 million user interactions since the grace period ended, has indicated that:

  1. explicit consent - specifically asking users to agree to enabling cookies - resulted in only 57.2% consenting, ie some 43% rejecting cookies
  2. implicit consent - notifying users about cookies and giving them the option to disable them - produced 99.7% (implied) acceptance
  3. notification only - ie a simple notice about cookies - resulted in 99.9% "consent".

Analytics cookies

Google Analytics was by far the most popular web analytics service, used by 25 of the firms ie 86% (see the preponderance of yellow highlights in the table).

Only 4 firms (14%) didn't use it, apparently using their own solutions or IBM-owned unica.com, the second most popular analytics/marketing service (which some other firms used in addition to Google Analytics).

Google Analytics scripts set cookies as standard, and technically Google Analytics cookies are first party rather than third party cookies, although it is not clear whether regulators view them as first or third.

I have not yet checked what information the firms concerned have provided in their cookie policies regarding their use of Google Analytics, and in particular to what extent they have disabled sharing of their analytics data with Google. In my view that would be an important disclosure to make.

Blogs or sub-sites hosted by a third party

A few firms had blogs or sub-sites hosted by a third party service.

Free external blogging platforms often set several cookies, and it is generally impossible for the blogger to control what cookies are set. This is only within the control of the platform, who may provide bloggers with such control if they wish (but invariably they don't). The blogger's only choice is as to which platform to use, and personally I feel that the main responsibility for compliance here ought to be on the blogging platform rather than the blogger.

A firm's cookie or privacy policy may not flag all cookies set by blogging platforms; arguably it should. I didn't check all the notices involved, or locate all externally-hosted blogs used by these firms, but it seemed there was a risk that information about such cookies could be omitted from the firm's policy/notice.

Other third party services, including social media buttons

Several firms ran social media sharing scripts, notably AddThis (with a couple of ShareThis users) and Twitter.

These externally-created scripts often set cookies. However, firms did not necessarily prevent such scripts from running until the visitor had consented - even firms that displayed a specific cookie message.

While I have not checked the content of all these firms' cookie or privacy policies yet, I would hazard a guess that not all firms will have disclosed the setting of these social media cookies.

Yet these cookies can potentially be as privacy-invasive as behavioural advertising cookies are generally considered to be. Recall for example the debacle regarding the NHS's insertion of Facebook Like code on their site, enabling Facebook to track people across sites.

Again, this raises the issue of responsibility for third party scripts which a site or blog includes on its own webpage. Personally, I believe the main responsibility should lie with the third party service that produces the script and controls the script's functions, including the cookies it sets and reads. This is particularly so in the case of individual bloggers or SMEs with little IT expertise, who would not be in a position to evaluate the purpose or effect of the third party script that the third party markets only as a tool to help the blog or site add sharing buttons that make it quicker and easier for visitors to share or publicise the site.

From the site's viewpoint, it is possible to include social sharing buttons without running the service's scripts (and setting their cookies). A couple of the firms surveyed in fact did so.

As for other third party web services, several firms included Google Maps or Google Custom Search on their sites. The Google code may allow Google to set cookies.

Again, have these firms prevented the Google scripts from running until the visitor has consented (if choosing to offer an explicit consent mechanism)? Can they implement these third party services in a way that doesn't set Google cookies? (at least one of the firms involved had, but others hadn't). Firms using Google services need to consider this issue, but it seems not all have.

Checking the whole site and sub-sites

Consistency matters. If a site chooses to include a cookie message, or pause setting of cookies until consent is given, it needs to check that all its pages and sub-sites include it.

As flagged above, this wasn't always the case, eg a firm's sub-site might set Google, Google Analytics or AddThis cookies without any cookie message, and indeed even if the visitor had clicked No to refuse consent!

While I didn't go into this level of detail in the table, HR and PR/marketing departments' pages, in particular, seemed to be the main sub-sites that set cookies without messages or consenting button clicks, particularly through including social media sharing buttons.

We don't yet know what view the ICO will take of these various mechanisms and their effectiveness (or not), but I await with great interest reports on the responses to the ICO's letters to various organisations on their cookie law compliance (see the list of organisations and link to letter).

 

 

Table of detailed survey results

(view as full page with notes)

Monday, 18 June 2012

Google's self-resurrecting PREF cookie

Note that in Firefox, a google.com "PREF" cookie, which Google says is meant to save language preferences and the like, will from time to time suddenly be set, even if you have only a blank tab open.

It's not set by any website you happen to be visiting - it's Google who's setting these cookies. They are saved even if you don't have any webpage open!

This behaviour has been known for some months and concerns have been expressed about it, as it could conceivably do more than Google says it does.

In Firefox 13, even after deleting all cookies, turning off Firefox's New Tab page and disabling Safe Browsing, I found that this cookie kept re-appearing. So the previous fix of disabling Safe Browsing in order to stop this cookie no longer works in Firefox 13, from my testing yesterday.

As for the Chrome browser, although a few months ago Chrome did not automatically set this cookie, the Attacat Cookie Tool kept reporting Google cookies ("NID" and "PREF") even when only a blank tab was open and no cookies were visible via Chrome's settings page! So perhaps it's now impossible to prevent these cookies in Chrome too. (This could be an issue with Attacat's tool, though; I'll report it to them.)

However, it seems Internet Explorer doesn't get any PREF cookies, for now. I haven't tested it in Opera yet.

So - should there be a cookie law notice & consent for the PREF cookie? And who should be responsible for that?

Cookie law - Google Analytics etc - first party, third party, and isn't disabling data sharing more important?

This discusses Google Analytics cookies under the EU cookie law, which (amongst other things) prohibits saving or reading cookies on website visitors' browsers without their consent.

Many sites use Google Analytics for their web metrics / analytics, because it's useful and free. Even the UK data protection regulator, the ICO, uses Google Analytics.

What Google Analytics code does

To use Google Analytics, a site would paste some code into its webpage or website template, like this (with Xs for the site's unique ID number):
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>

You can see that this code references a "ga.js" script from google-analytics.com, a Google website.

When someone visits your site, containing your Analytics code, their browser downloads and runs that code. That code in turn tells it to fetch and run the ga.js script from Google's google-analytics.com site.

That ga.js script will then read/set/update Analytics cookies via the visitor's browser.

Are Google Analytics cookies "first party" or "third party" cookies?

That depends on your definition.

EU privacy regulators the Article 29 Working Party (A29WP) say (my emphasis):

"third party cookies"… cookies that are set by data controllers that do not operate the website currently visited by the user…the term “first party cookie” will be used to refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.
 

Why does it matter?

This matters because first party cookies are considered less invasive than third party cookies, for cookie law purposes, so that eg fewer hoops may need to be gone through in order to show that you've obtained user consent to those cookies. Generally, third party cookies are considered to pose greater privacy risks than first party.

But, from a technical viewpoint, actually "Google Analytics uses first-party cookies". This because, strictly speaking, Google Analytics cookies are effectively set by your website's domain, not Google's. Technically, whether or not legally, Google Analytics cookies are first party.

For example, below is a screenshot showing the cookies set via Google Analytics once you've accepted cookies on the ICO website. The first four, beginning _utm, are all Google Analytics cookies, but you'll see that they're associated with ico.gov.uk rather than google.com or google-analytics.com. (Here are some explanations on how Google Analytics cookies are first party not third.)

Now for some further statements from the A29WP:

A first party analytic system based on “first party” cookies clearly presents different risks compared to a third-party analytics system based on “third party” cookies. There are also tools which use “first party” cookies with the analysis performed by another party. This other party will be considered as a joint controller or as a processor depending on whether it uses the data for its own purposes or if it is prohibited to do so through technical or contractual arrangements…  First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy.

So the big question is, for cookie law purposes, are Google Analytics cookies considered first party, or are they "first party cookies with the analysis performed by another party" or third party analytics, which regulators will come down harder on?

Let's check the ICO guidance:

First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

That doesn't necessarily clarify the position, as arguably  Google "sets a cookie through [a Google Analytics user's] website".

What's more, the ICO goes on to say:

The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.
The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.

Given the ubiquity of Analytics cookies, it would be helpful if regulators would confirm whether, for cookie law purposes, they're treated as first party or third party, and who's considered to be the person setting the cookie - the person who included the Analytics code on their website, or Google, who actually wrote, hosts and generally controls that code and what it does?

Social media "buttons"

It's not just Analytics scripts - lots of services offer scripts or other code for website owners to insert into their webpages. It's the service who controls that code, not the site owner. Lots of site owners are individuals, eg bloggers or SMEs, with little technical expertise. They wouldn't know how to dissect the service's script if they tried.

Their only choice is as to whether to use the script, which third party services may market heavily as helping to promote individual sites - or not. But individual sites may not have the technical or legal expertise to make that decision properly. I have in mind here AddThis, ShareThis, Twitter, Facebook and other services that offer social media "buttons" to sites and blogs - code that can be inserted to show the button, and do whatever else the third party service wants it to do.

I also, with respect, take issue with "In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this." (In this case, I'm using "third party" to refer to the service that provided the script or other code.)

It's not. It's the third party who wrote the script it offers to sites. The script is its direct interface. It has the practical and technical ability to tweak its script to, eg, pop up a request to the website user to accept cookies set by its script, identifying itself so the user knows who is responsible for the script.

As for "Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent" - that's even worse. Given what I've pointed out, that sentence seems to me to be the wrong way round, and very unfair on SMEs and bloggers. I feel it should be for Google and similar services to change their scripts so that information is given and consent requested - it's easy for them to do, and they ought to take at least some of the responsibility. Why aren't they doing something?

Sharing Google Analytics data

This is the kicker, to me. Rather than "first party" or "third party" distinctions, surely what matters more is how someone other than the site owner could potentially use that data, ie what can the third party services, that provide scripts to sites, do with the data they gather via their scripts? To what extent can they use the data for their own purposes, and not just the site's?

The A29WP do touch upon third party analysis or use of first party cookies and "third party analytics", but it should be remembered that the cookie law extends to non-personal data as well as personal data, and that its terms don't confine its scope to "controllers" (joint or not), or even "processors". As I've pointed out above, it is the analytics provider who creates and controls and code used by sites, so it would make sense for it to bear more responsibility than sites or blogs who may not have much technical knowledge.

This blog shows that, in practice, Google Analytics data is shared with Google as standard - sharing is ticked by default, and site owners must take active action to disable sharing data with Google, ie not exactly privacy by design or privacy by default! And it seems quite a long-winded, difficult and involved process to stop Google Analytics data sharing (scroll down the page for instructions).

I've disabled sharing Google Analytics data with Google as far as I can for my main site (indeed I've not even added working Analytics code to that site yet). But for users of Blogger.com it's just not possible to prevent the sharing, as no settings are provided to do that. Also, Blogger Stats (which uses Analytics) is "fully integrated with Blogger; you don't need to do anything to enable it for your blog" - put another way, analytics collection can't be turned off on Blogger blogs.

Shouldn't sites' cookie and privacy policies disclose whether they've turned off Google Analytics data sharing, or not (and exactly how Google will use the data, according to Google)? The statement that Google require EU Analytics users to put on their sites, quoted below (8.1), doesn't cover that fully enough, in my view. I've tried to provide something better in this blog's privacy policy. There also seems to be an inconsistency between Google's terms and its practices, which I'll get to next.

Google Analytics terms vs practice

Google clearly states on the Analytics settings pages (quoted in the blog linked above) that it uses sites' Google Analytics data to "improve" its service.

This is what Google's contract terms for UK Analytics customers provide (my emphasis):

8.1…
You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:
“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”…

8.3 You agree that Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at http://www.google.com/privacypolicy.html , or such other URL as Google may nominate for this use from time to time), information collected in Your use of the Service (including without limitation Customer Data) for the purpose of providing web analytics and tracking services to You. Google will not share such information with any third parties unless Google (i) has Your consent; (ii) concludes that it is required by law or has a good faith belief that such disclosure is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides such information in certain limited circumstances to third parties to carry out tasks on Google's behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google. When this is done, it is subject to agreements that oblige those parties to process such information only on Google's instructions and in compliance with this Agreement and appropriate confidentiality and security measures.

Some might feel this isn't quite the same as what's in its FAQs.  The phrase "providing other services relating to website activity and internet usage" in the terms is very, very broad, and could cover "improve the service" and create "more powerful features" as well as much more ("other services relating to internet usage" is very wide indeed).

Yet the FAQs and settings pages seem to suggest to those using Google Analytics for their sites that Google won't use the data except for the limited purposes stated in the FAQs, and that if sites decide to disable sharing, this will prevent Google using it for its own purposes.

The terms do state the data will not be shared with third parties without consent (or required by law etc etc). But, strictly, they don't stop Google from using the data for its own purposes to help it provide "services relating to internet usage", even if the site using Google Analytics has disabled sharing in their settings - unless Google's provision of those settings can be taken as Google's representation or implied undertaking that it won't use a site's Analytics data for other purposes if the site has in fact turned off sharing in the settings.

Perhaps Google's next privacy policy review will ensure that its terms are more consistent with what it does in practice?

Tuesday, 12 June 2012

Cookie law compliance: list of organisations contacted by ICO about their compliance

Below is the list of all the organisations to whom the ICO have written (here's the form of ICO letter) to ask about their cookie law compliance, an interesting mix of private and public sector!

Acumen Professional Intelligence Limited
Amazon.co.uk Limited
AOL (UK) Limited
Apple (UK) Limited
Argos Limited
Associated Newspapers Limited
Automobile Association Developments Limited
Barclays Bank PLC
BBC News
BBC Radio 1
BBC Sports
Belfast City Council
Betfair Limited
Boots UK Limited
British Airways PLC
British Broadcasting Corporation
British Sky Broadcasting Limited
Channel Four Television Corporation
Department For Transport
Deputy Company Secretary
Derry City Council
Direct Line Insurance Plc
Domino's Pizza Group Limited
Dumfries and Galloway Council
easyJet Airline Company Limited
Ebay (UK) Limited
Everything Everywhere Limited
Facebook UK Ltd
Giving.com Limited
Google UK Limited
Group Regulatory Relations
Hallmark Cards PLC
Haymarket Media Group Ltd
HSBC Bank PLC
IPC Media Ltd (NME)
Jamie Oliver Enterprises Limited
Jet2.com Limited
John Lewis PC
Lloyds TSB Bank PLC
Merthyr Tydfil County Borough Council
Met Office
Microcourt Limited
Microsoft Limited
Mind Candy Limited
Moneysupermarket.com
MyMaths Limited
National Assembly for Wales
National Lottery
National Westminster Bank PLC
Network Rail Limited
Next Group PLC
NHS
NHS Choices
Northern Ireland Assembly
Public Service Ombudsman Wales
Qype Limited
Rightmove Group Limited
Royal Society For The Protection of Birds
Sainsburys Supermarket Limited
Scottish Government
Scottish Parliament
Scottish Public Services Ombudsman
Tesco Stores Limited
tfl.gov.uk
The Cabinet Office
The National Trust For Places of Historic Interest or Natural Beauty
The Office Of The Ombudsman For NI
Trader Publishing Ltd
TSL Education Limited
Turner Broadcasting System Europe Ltd
Virgin Media Limited
Weightwatchers
Welsh Government
William Hill (Bookmakers) Ltd
Yahoo UK Limited

Note - despite concerns to the contrary, the list and form of letter are both public. They were linked to from this ICO webpage.

For more info, see my summary of the EU cookie law.