Monday, 18 June 2012

Cookie law - Google Analytics etc - first party, third party, and isn't disabling data sharing more important?

This discusses Google Analytics cookies under the EU cookie law, which (amongst other things) prohibits saving or reading cookies on website visitors' browsers without their consent.

Many sites use Google Analytics for their web metrics / analytics, because it's useful and free. Even the UK data protection regulator, the ICO, uses Google Analytics.

What Google Analytics code does

To use Google Analytics, a site would paste some code into its webpage or website template, like this (with Xs for the site's unique ID number):
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>

You can see that this code references a "ga.js" script from google-analytics.com, a Google website.

When someone visits your site, containing your Analytics code, their browser downloads and runs that code. That code in turn tells it to fetch and run the ga.js script from Google's google-analytics.com site.

That ga.js script will then read/set/update Analytics cookies via the visitor's browser.

Are Google Analytics cookies "first party" or "third party" cookies?

That depends on your definition.

EU privacy regulators the Article 29 Working Party (A29WP) say (my emphasis):

"third party cookies"… cookies that are set by data controllers that do not operate the website currently visited by the user…the term “first party cookie” will be used to refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.

Why does it matter?

This matters because, for cookie law purposes, first party cookies are considered less invasive than third party cookies, so there may be fewer hoops to go through in order to show that you've obtained user consent to them. Generally, third party cookies are considered to pose greater privacy risks than first party cookies.

But, from a technical viewpoint, actually "Google Analytics uses first-party cookies". This is because, strictly speaking, Google Analytics cookies are effectively set by your website's domain, not Google's (the ga.js script runs inside your page, so the cookies it sets belong to your site). Technically, whether or not legally, Google Analytics cookies are first party.

For example, below is a screenshot showing the cookies set via Google Analytics once you've accepted cookies on the ICO website. The first four, beginning _utm, are all Google Analytics cookies, but you'll see that they're associated with ico.gov.uk rather than google.com or google-analytics.com. (Here are some explanations on how Google Analytics cookies are first party not third.)
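As an added example (not code from this post or from Google), here is the loader from the snippet above gated on a consent cookie, together with the technical first-party test from the definitions above. The document and window are passed in as parameters so the logic can be exercised outside a browser, and the consent cookie name is an assumption.

```javascript
// Added example (not from the post or from Google): the ga.js loader from the
// snippet above, gated on a consent cookie, plus the technical first/third
// party test. `doc`/`win` stand in for document/window; CONSENT_COOKIE is assumed.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookieHeader(str) {
  const out = {};
  for (const part of str.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function hasConsent(doc) {
  return parseCookieHeader(doc.cookie)[CONSENT_COOKIE] === 'yes';
}

// Same steps as the Analytics snippet, but ga.js is not fetched (so no _utm*
// cookies are written) until consent has been recorded.
function loadAnalytics(doc, win, account) {
  if (!hasConsent(doc)) return false;
  win._gaq = win._gaq || [];
  win._gaq.push(['_setAccount', account]);
  win._gaq.push(['_trackPageview']);
  const ga = doc.createElement('script');
  ga.type = 'text/javascript'; ga.async = true;
  ga.src = (doc.location.protocol === 'https:' ? 'https://ssl' : 'http://www') +
    '.google-analytics.com/ga.js';
  const s = doc.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(ga, s);
  return true;
}

// ICO/A29WP technical test: a cookie is first party when its domain is the
// host shown in the address bar, or a parent of that host.
function isFirstParty(cookieDomain, pageHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Constructed stand-in for a browser document; records what the loader inserts.
function makeFakeDocument(cookieHeader, protocol) {
  const inserted = [];
  const first = { parentNode: { insertBefore(el) { inserted.push(el); } } };
  return { inserted, cookie: cookieHeader, location: { protocol },
    createElement() { return {}; }, getElementsByTagName() { return [first]; } };
}
```

With the ICO screenshot's cookies, isFirstParty('.ico.gov.uk', 'www.ico.gov.uk') is true while isFirstParty('google-analytics.com', 'www.ico.gov.uk') is false, which is the technical sense in which the _utm cookies are first party.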

Now for some further statements from the A29WP:

A first party analytic system based on “first party” cookies clearly presents different risks compared to a third-party analytics system based on “third party” cookies. There are also tools which use “first party” cookies with the analysis performed by another party. This other party will be considered as a joint controller or as a processor depending on whether it uses the data for its own purposes or if it is prohibited to do so through technical or contractual arrangements… First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy.

So the big question is, for cookie law purposes, are Google Analytics cookies considered first party, or are they "first party cookies with the analysis performed by another party" or third party analytics, which regulators will come down harder on?

Let's check the ICO guidance:

First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

That doesn't necessarily clarify the position, as arguably Google "sets a cookie through [a Google Analytics user's] website".

What's more, the ICO goes on to say:

The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.
The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.

Given the ubiquity of Analytics cookies, it would be helpful if regulators would confirm whether, for cookie law purposes, they're treated as first party or third party, and who's considered to be the person setting the cookie - the person who included the Analytics code on their website, or Google, who actually wrote, hosts and generally controls that code and what it does?

Social media "buttons"

It's not just Analytics scripts: lots of services offer scripts or other code for website owners to insert into their webpages. It's the service that controls that code, not the site owner. Lots of site owners are individuals, eg bloggers or SMEs, with little technical expertise; they wouldn't know how to dissect the service's script if they tried.

Their only choice is whether or not to use the script, which third party services may market heavily as helping to promote individual sites. But individual sites may not have the technical or legal expertise to make that decision properly. I have in mind here AddThis, ShareThis, Twitter, Facebook and other services that offer social media "buttons" to sites and blogs - code that can be inserted to show the button, and to do whatever else the third party service wants it to do.

I also, with respect, take issue with "In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this." (In this case, I'm using "third party" to refer to the service that provided the script or other code.)

It's not. It's the third party who wrote the script it offers to sites. The script is its direct interface. It has the practical and technical ability to tweak its script to, eg, pop up a request to the website user to accept cookies set by its script, identifying itself so the user knows who is responsible for the script.

As for "Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent" - that's even worse. Given what I've pointed out, that sentence seems to me to be the wrong way round, and very unfair on SMEs and bloggers. I feel it should be for Google and similar services to change their scripts so that information is given and consent requested - it's easy for them to do, and they ought to take at least some of the responsibility. Why aren't they doing something?

Sharing Google Analytics data

This is the kicker, to me. Rather than "first party" or "third party" distinctions, surely what matters more is how someone other than the site owner could potentially use that data, ie what can the third party services that provide scripts to sites do with the data they gather via those scripts? To what extent can they use the data for their own purposes, and not just the site's?

The A29WP do touch upon third party analysis or use of first party cookies and "third party analytics", but it should be remembered that the cookie law extends to non-personal data as well as personal data, and that its terms don't confine its scope to "controllers" (joint or not), or even "processors". As I've pointed out above, it is the analytics provider who creates and controls the code used by sites, so it would make sense for it to bear more responsibility than sites or blogs whose owners may not have much technical knowledge.

This blog shows that, in practice, Google Analytics data is shared with Google as standard - sharing is ticked by default, and site owners must take active action to disable sharing data with Google, ie not exactly privacy by design or privacy by default! And it seems quite a long-winded, difficult and involved process to stop Google Analytics data sharing (scroll down the page for instructions).

I've disabled sharing Google Analytics data with Google as far as I can for my main site (indeed I've not even added working Analytics code to that site yet). But for users of Blogger.com it's just not possible to prevent the sharing, as no settings are provided to do that. Also, Blogger Stats (which uses Analytics) is "fully integrated with Blogger; you don't need to do anything to enable it for your blog" - put another way, analytics collection can't be turned off on Blogger blogs.

Shouldn't sites' cookie and privacy policies disclose whether they've turned off Google Analytics data sharing, or not (and exactly how Google will use the data, according to Google)? The statement that Google require EU Analytics users to put on their sites, quoted below (8.1), doesn't cover that fully enough, in my view. I've tried to provide something better in this blog's privacy policy. There also seems to be an inconsistency between Google's terms and its practices, which I'll get to next.

Google Analytics terms vs practice

Google clearly states on the Analytics settings pages (quoted in the blog linked above) that it uses sites' Google Analytics data to "improve" its service.

This is what Google's contract terms for UK Analytics customers provide (my emphasis):

8.1…
You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:
“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”…

8.3 You agree that Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at http://www.google.com/privacypolicy.html, or such other URL as Google may nominate for this use from time to time), information collected in Your use of the Service (including without limitation Customer Data) for the purpose of providing web analytics and tracking services to You. Google will not share such information with any third parties unless Google (i) has Your consent; (ii) concludes that it is required by law or has a good faith belief that such disclosure is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides such information in certain limited circumstances to third parties to carry out tasks on Google's behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google. When this is done, it is subject to agreements that oblige those parties to process such information only on Google's instructions and in compliance with this Agreement and appropriate confidentiality and security measures.

Some might feel this isn't quite the same as what's in its FAQs. The phrase "providing other services relating to website activity and internet usage" in the terms is very, very broad, and could cover "improve the service" and create "more powerful features" as well as much more ("other services relating to internet usage" is very wide indeed).

Yet the FAQs and settings pages seem to suggest to those using Google Analytics for their sites that Google won't use the data except for the limited purposes stated in the FAQs, and that if sites decide to disable sharing, this will prevent Google using it for its own purposes.

The terms do state the data will not be shared with third parties without consent (or required by law etc etc). But, strictly, they don't stop Google from using the data for its own purposes to help it provide "services relating to internet usage", even if the site using Google Analytics has disabled sharing in their settings - unless Google's provision of those settings can be taken as Google's representation or implied undertaking that it won't use a site's Analytics data for other purposes if the site has in fact turned off sharing in the settings.

Perhaps Google's next privacy policy review will ensure that its terms are more consistent with what it does in practice?