Kuan0: 2012

Sunday 14 October 2012

Europe, EU, EEA, EFTA, Council of Europe - Venn diagram - & cloud computing data protection implications

I've produced a Venn diagram and table showing which countries are in Europe, EU, EEA, EFTA and/or the Council of Europe. These country groupings are all different, and there's often confusion as to which country is in which international organisation.

It makes a difference. For example, for EU data protection law purposes, there's a restriction on transferring personal data outside the EEA (relevant eg when using cloud computing) - there's a shorter article about this restriction.

The EEA is not the same as Europe. "Europe" is broader than "EEA", as you'll see from my Europe/EEA/EU etc Venn diagram. In fact there are 20 countries in "Europe" that are not in the "EEA".

Cloud services which allow users to choose data centres in "Europe" may think they're helping users with their data protection law compliance responsibilities by enabling users to keep their data in "Europe", but they're not.

Cloud providers who really want to help their users with data protection compliance should allow users to confine their personal data to data centres in the "EEA" or "EU".

If the provider specifically names the countries concerned (as Amazon now does), that's also helpful, as users can work out (eg from the diagram) whether that country is in the EEA. Similarly, Microsoft, for its Windows Azure cloud service, refers to "Europe" as a selectable region, but clarifies that this means Ireland and the Netherlands.

However, cloud providers like Google are still offering storage eg of buckets in "EU - Europe" (with "EU" meaning "Europe" here, rather than the "European Union"). Google should clarify whether this is in fact within the EEA or European Union. "Europe" just isn't good enough, for EU data protection law purposes.

Hopefully, more providers will start to provide clearer data centre location information soon - ie, they should name the countries where their data centres are located, or else state that they are in the EEA or EU (if that is the case). Stating that customers may choose to process their data in "Europe" is not enough to assist them to meet their data protection law obligations.

Tuesday 3 July 2012

Cloud contracts requirements for personal data - regulators set out their views

EU privacy regulators the Article 29 Working Party have today issued their Opinion 05/2012 on Cloud Computing (WP 196), adopted 1 July 2012.

Basically, the data protection regulators have taken a very strict approach; it will be harder for cloud users to process personal data in the cloud, and the opinion unfortunately still doesn't take into account how cloud works (see my 12 Cs of Cloud Computing) - to use the analogies in that article, they're basing it all on regulating the hiring of caterers or chefs rather than renting a (possibly pre-equipped) kitchen or buying take-out or ready meals.

Making a provider agree to follow your instructions in preparing a meal for you makes sense when the provider is a caterer, but not so much when it's a kitchen rental company and you're doing the cooking in their kitchen, or when it's a fast food chain selling you take-out.

Providers will be asked to disclose the identities of all sub-providers (so providers who use Amazon Web Services, Google App Engine, Windows Azure etc will be asked about their sub-providers, and yes that includes both Engine Yard and Heroku as intermediary sub-providers), as well as the locations of all data centres where personal data may be processed.

I'm still going through it but I wanted to draw attention to the passages quoted below which are relevant to the contracts of EU users who want to put personal data (eg customer data) in the cloud.

Just to mention a few points here, there's going to be difficulty with "passing on" obligations "down" the provider chain, as the regulators require.

As for a provider giving assurance as to compliance of sub-providers with "applicable national and international legal requirements and standards", how will a Dropbox be able to guarantee that Amazon's internal arrangements are compliant, never mind ensure Amazon must "act only" in accordance with the instructions of each of Dropbox's many customer(s)?

As I've touched on in the 12 Cs article but want to elaborate on more here, cloud is a form of IT outsourcing, but not in the traditional sense. With cloud, compared with traditional outsourcing, the "direction of travel", as I like to call it, is the opposite. In classic outsourcing a customer hires a provider, who then engages sub-contractors, who might engage sub-sub-contractors etc. (Analogy, hire a caterer who might hire sub-caterers etc).

But, in cloud, often a provider builds its service on top of an existing standard service offered on standard terms in a standardised way by an existing IaaS or PaaS provider. The customer then comes along and uses the provider's service. It's not easy to ask the provider to re-write its contract with its existing IaaS or PaaS provider to accommodate the customer's data protection law regulatory requirements.

Current laws just don't cater for this opposite direction of travel in cloud. To be fair, the regulators are, in giving their opinion, working within the constraints of existing laws. It's those which don't deal with, to again use my analogies, self-service rental kitchens or take-outs rather than caterers, and which assume the old "direction of travel" used in classic outsourcing.

Providers who want users to process personal data using their services may well have to come up with a "personal data" version of their contract terms (and a, no doubt more expensive, "personal data" service), as I predicted in my article.

The winners may well be the providers like IBM who control the whole supply chain, and don't use external sub-providers.

The regulators' recognition that third party certifications may be relied on to some extent is helpful, but that could perhaps go further.

I now quote some of the key points from the opinion on cloud contracts (bold added):

"The contract must at a minimum establish the fact, in particular, that the processor is to follow the instructions of the controller and that the processor must implement technical and organizational measures to adequately protect personal data.

To ensure legal certainty the contract should also set forth the following issues:

1. Details on the (extent and modalities of the) client’s instructions to be issued to the provider, with particular regard to the applicable SLAs (which should be objective and measurable) and the relevant penalties (financial or otherwise including the ability to sue the provider in case of non-compliance).

2. Specification of security measures that the cloud provider must comply with, depending on the risks represented by the processing and the nature of the data to be protected. It is of great importance that concrete technical and organizational measures are specified such as those outlined in paragraph 3.4.3 below. This is without prejudice to the application of more stringent measures, if any, that may be envisaged under the client’s national law.

3. Subject and time frame of the cloud service to be provided by the cloud provider, extent, manner and purpose of the processing of personal data by the cloud provider as well as the types of personal data processed.

4. Specification of the conditions for returning the (personal) data or destroying the data once the service is concluded. Furthermore, it must be ensured that personal data are erased securely at the request of the cloud client.

5. Inclusion of a confidentiality clause, binding both upon the cloud provider and any of its employees who may be able to access the data. Only authorized persons can have access to data.

6. Obligation on the provider’s part to support the client in facilitating exercise of data subjects’ rights to access, correct or delete their data.

7. The contract should expressly establish that the cloud provider may not communicate the data to third parties, even for preservation purposes unless it is provided for in the contract that there will be subcontractors. The contract should specify that subprocessors may only be commissioned on the basis of a consent that can be generally given by the controller in line with a clear duty for the processor to inform the controller of any intended changes in this regard with the controller retaining at all times the possibility to object to such changes or to terminate the contract. There should be a clear obligation of the cloud provider to name all the subcontractors commissioned (e.g., in a public digital register). It must be ensured that contracts between cloud provider and subcontractor reflect the stipulations of the contract between cloud client and cloud provider (i.e. that sub-processors are subject to the same contractual duties than the cloud provider). In particular, it must be guaranteed that both cloud provider and all subcontractors shall act only on instructions from the cloud client. As explained in the chapter on sub-processing the chain of liability should be clearly set in the contract. It should set out the obligation on the part of the processor to frame international transfers, for instance by signing contracts with subprocessors, based on the 2010/87/EU standard contractual clauses.

8. Clarification of the responsibilities of the cloud provider to notify the cloud client in the event of any data breach which affects the cloud client’s data.

9. Obligation of the cloud provider to provide a list of locations in which the data may be processed.

10. The controller’s rights to monitor and the cloud provider’s corresponding obligations to cooperate.

11. It should be contractually fixed that the cloud provider must inform the client about relevant changes concerning the respective cloud service such as the implementation of additional functions.

12. The contract should provide for logging and auditing of relevant processing operations on personal data that are performed by the cloud provider or the subcontractors.

13. Notification of cloud client about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

14. A general obligation on the provider’s part to give assurance that its internal organisation and data processing arrangements (and those of its sub-processors, if any) are compliant with the applicable national and international legal requirements and standards. In the event of infringement by the controller, any person suffering damages as a result of unlawful processing shall have the right to receive compensation from the controller for the damages caused. Should the processors use the data for any other purpose, or communicate them or use them in a way that breaches the contract, they shall also be considered to be controllers, and shall be held liable for the infringements in which they were personally involved.

It should be noted that, in many cases, cloud service providers offer standard services and contracts to be signed by controllers, which set forth a standard format for processing personal data. This imbalance in the contractual power of a small controller with respect to large service providers should not be considered as justification for the controllers to accept clauses and terms of contracts which are not in compliance with data protection law."

Friday 22 June 2012

Cookie law humour

A few organisations are at least approaching the problematic EU cookie law with a modicum of humour, as I found when investigating the compliance methods used by top tech law firms and others.

One firm (BLP) has named its cookie script -

The Register tech news website uses
for the directory and sub-directory holding the script to handle the consent click.

Has anyone else come across other examples of cookie law humour?

Tuesday 19 June 2012

Cookie law - how top London tech law firms are complying - survey

(Added) A version of this blog post has been published by Society for Computers & Law.

The grace period in the UK for complying with the EU cookie law expired towards the end of May 2012. When even UK government sites are behind in complying, how are organisations meeting the challenge - or are they? For instance, KPMG reported on 6 June that, of the 55 major UK organisations whose websites they analysed, 80% were not compliant, which in KPMG's view meant "gaining users’ consent and giving them the option to change cookie settings".

On the basis that top London technology law firms and data protection law experts might be more motivated than most to be seen to be compliant, I investigated their websites - 29 firms in total. I also had a quick look at some data protection regulators' websites.

I have not yet analysed the content of those firms' cookie or privacy policies, just their chosen compliance mechanics, although the adequacy of information given in those policies of course affects compliance.

Embedded at the end of this blog is a table of the results, for ease of reference. However the full webpage, setting out how top London IT law firms are complying with the cookie law, will be more easily usable - the table can be viewed horizontally in full there, and includes further notes on abbreviations, methodology etc.

The following are some key points and lessons learned that may be drawn from the survey results.

Immediate session cookies

Almost all of the firms involved set at least one session cookie immediately on visiting their site, reflecting the dependence of many sites on cookies. This was so even for firms with explicit consent mechanisms.

Lack of cookie notice, and cookie minimisation

Lack of clear links to privacy or cookie policies may not necessarily indicate non-compliance.

The firm concerned might have chosen not to set many cookies in the first place, eg only a few session cookies, and so may have decided that it didn't need a cookie notice.

Methods of compliance

Most of the firms involved simply displayed a link marked "Cookie Policy" or similar.

6 firms (ie 21% of those surveyed) used "pop-up" messages. Only 2 of these firms (7%) centred their messages in the middle of the webpage; the other 4 firms (14%) displayed their messages at the bottom of the page. In 2 cases, the message was not even "sticky", ie it did not follow the viewer, but disappeared from view if they scrolled down the page (perhaps an inadvertent coding issue).

9 firms (31%) included "Cookie" or "Cookies" in a link, of which 4 (14% of all firms surveyed) highlighted the link using a different colour, symbol or uppercase. 3 of those firms positioned the Cookies link at the top of their webpages, 2 included the link both at the top and bottom, and the rest at the bottom only. In other words, only 5 firms (17%) had a clear Cookie link at the top of their webpages. One firm had an interesting hybrid solution with a short notice and cookies policy link at the bottom of its webpages, plus a button to disable cookies from the site.

The other 14 firms (48%) only displayed a "Privacy Policy", "Privacy Statement" or similar link at the bottom of their webpages, without specifically mentioning "cookies", or else (in 3 cases, ie 10%) displayed no privacy policy link on their home pages at all.

Compliance mechanics - types and effectiveness

Even firms with "pop-up" messages set session cookies automatically, on arrival at the website.

Most pop-up messages stated that use of the site (and/or clicking elsewhere on the page) would be taken as consent or result in their use of cookies, ie implied consent.

1 firm simply stated in its message (with a cookie notice link) that clicking elsewhere on the page would be consent, and activated cookies on the visitor so clicking. Its "Cookie Consent Tool", while separated from the notice, did allow users to accept particular cookies in a granular fashion (although only one was listed, ie Google Analytics).

Only 2 firms offered Yes/No options, ie the option to refuse. Selecting the No option resulted in a cookie being set, to record the refusal. One provided a "What happens if I say No?" message, and the option for the visitor to record their preference permanently.

3 firms offered no "No" buttons, but simply displayed one button with "Yes" or similar, so that clicking the button would be consent - ie "OK hide this message", "If you are happy with cookies please click 'Proceed'" (with a Proceed button), and "I consent to cookies from the site" (with a Continue button).

These messages might suggest that cookies would be set only if the visitor clicked Yes or Proceed etc, but in fact cookies other than necessary session cookies (notably Google Analytics and AddThis), could still be set automatically, even before the visitor had consented. Indeed, in one case, all the Proceed button seemed to do was to get rid of the cookie message; cookies were set anyway, whether the visitor clicked the button or not.

Of firms choosing to provide a consent mechanism, in fact only 2 firms correctly stopped all cookie-setting scripts from running unless and until the visitor clicked Yes, Proceed or the like. It is not clear whether this reflects defects in their implementation, or deliberate decisions on their part.

Only 1 firm made it impossible (if Javascript is enabled) to click through to other parts of its site without clicking Continue, ie explicit consent to cookies was effectively made a pre-condition to allowing visitors to use the site. (With messages at the top or the bottom, the site is still usable without clicking anything. This centred modal message is in my personal view the best way to ensure clear explicit consent, nudging the visitor to click Continue or Close without interfering too much with usability or the user experience; that method is also used by the Financial Times.)

While 1 firm offered a "disable cookies" button, clicking it did not seem to stop Google Analytics from setting cookies nevertheless.

The above therefore indicates that even firms which appeared, from their messages, to prevent cookies being set until the user had consented, nevertheless set non-necessary cookies, so their mechanisms may not work as effectively as might initially seem to be the case.
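One way to check the behaviour described above, written as an added example rather than the survey's own tooling: it replays a recorded visit and reports every non-necessary cookie set before the visitor chose, or after they refused. The event format, the `NECESSARY` allowlist and the three sample visits are constructed assumptions.

```javascript
// Added example: audit one recorded page visit against the site's consent banner.
// Event format, allowlist and sample visits are constructed for illustration.

// Cookies the auditor accepts without consent (assumed names): the session
// cookie and the cookie that merely records the visitor's Yes/No choice.
const NECESSARY = new Set(['PHPSESSID', 'cookie_consent']);

// Non-essential cookies of the kind named in the survey, matched by cookie name.
const FAMILIES = [
  { label: 'Google Analytics', match: (n) => /^__utm[a-z]$/.test(n) },
  { label: 'AddThis', match: (n) => n === '__atuvc' },
  { label: 'Google', match: (n) => n === 'NID' || n === 'PREF' },
];

function familyOf(name) {
  const hit = FAMILIES.find((f) => f.match(name));
  return hit ? hit.label : 'unclassified';
}

// events: [{ t, type: 'cookie', name, page } | { t, type: 'consent', choice }]
function auditVisit(events) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  let consent = 'none'; // 'none' | 'yes' | 'no'
  const findings = [];
  for (const ev of ordered) {
    if (ev.type === 'consent') { consent = ev.choice; continue; }
    if (NECESSARY.has(ev.name) || consent === 'yes') continue;
    findings.push({
      cookie: ev.name,
      family: familyOf(ev.name),
      page: ev.page,
      reason: consent === 'no' ? 'set after refusal' : 'set before any choice',
    });
  }
  return { finalConsent: consent, findings, gateEffective: findings.length === 0 };
}

// Constructed visits (timestamps in milliseconds since page load).
const VISITS = {
  // A "Proceed" button that only hides the message.
  cosmeticBanner: [
    { t: 0, type: 'cookie', name: 'PHPSESSID', page: '/' },
    { t: 120, type: 'cookie', name: '__utma', page: '/' },
    { t: 121, type: 'cookie', name: '__utmz', page: '/' },
    { t: 300, type: 'cookie', name: '__atuvc', page: '/' },
    { t: 5000, type: 'consent', choice: 'yes' },
    { t: 5100, type: 'cookie', name: '__utmb', page: '/about' },
  ],
  // Scripts held back until the visitor clicks Yes.
  workingGate: [
    { t: 0, type: 'cookie', name: 'PHPSESSID', page: '/' },
    { t: 4000, type: 'consent', choice: 'yes' },
    { t: 4100, type: 'cookie', name: '__utma', page: '/' },
    { t: 4101, type: 'cookie', name: '__utmz', page: '/' },
  ],
  // Visitor clicks No, then a sub-site without the gate sets Analytics cookies.
  refusedThenSubsite: [
    { t: 0, type: 'cookie', name: 'PHPSESSID', page: '/' },
    { t: 2000, type: 'consent', choice: 'no' },
    { t: 2001, type: 'cookie', name: 'cookie_consent', page: '/' },
    { t: 9000, type: 'cookie', name: '__utma', page: '/careers' },
  ],
};

function auditAll() {
  return Object.fromEntries(
    Object.entries(VISITS).map(([name, events]) => [name, auditVisit(events)])
  );
}

console.log(JSON.stringify(auditAll(), null, 2));
```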

Implied consent

The above suggests that most of the firms surveyed decided to rely on notification or implied consent only (nearly 80%, more if you count the firms that seemed to use explicit consent mechanisms but set non-necessary cookies anyway!). This may be a sensible pragmatic decision, as recent research by tag management firm Qubit, reportedly based on over 1/2 million user interactions since the grace period ended, has indicated that:

  1. explicit consent - specifically asking users to agree to enabling cookies - resulted in only 57.2% consenting, ie some 43% rejecting cookies
  2. implicit consent - notifying users about cookies and giving them the option to disable them - produced 99.7% (implied) acceptance
  3. notification only - ie a simple notice about cookies - resulted in 99.9% "consent".

Analytics cookies

Google Analytics was by far the most popular web analytics service, used by 25 of the firms ie 86% (see the preponderance of yellow highlights in the table).

Only 4 firms (14%) didn't use it, apparently using their own solutions or IBM-owned, the second most popular analytics/marketing service (which some other firms used in addition to Google Analytics).

Google Analytics scripts set cookies as standard, and technically Google Analytics cookies are first party rather than third party cookies, although it is not clear whether regulators view them as first or third.

I have not yet checked what information the firms concerned have provided in their cookie policies regarding their use of Google Analytics, and in particular to what extent they have disabled sharing of their analytics data with Google. In my view that would be an important disclosure to make.

Blogs or sub-sites hosted by a third party

A few firms had blogs or sub-sites hosted by a third party service.

Free external blogging platforms often set several cookies, and it is generally impossible for the blogger to control what cookies are set. This is only within the control of the platform, who may provide bloggers with such control if they wish (but invariably they don't). The blogger's only choice is as to which platform to use, and personally I feel that the main responsibility for compliance here ought to be on the blogging platform rather than the blogger.

A firm's cookie or privacy policy may not flag all cookies set by blogging platforms; arguably it should. I didn't check all the notices involved, or locate all externally-hosted blogs used by these firms, but it seemed there was a risk that information about such cookies could be omitted from the firm's policy/notice.

Other third party services, including social media buttons

Several firms ran social media sharing scripts, notably AddThis (with a couple of ShareThis users) and Twitter.

These externally-created scripts often set cookies. However, firms did not necessarily prevent such scripts from running until the visitor had consented - even firms that displayed a specific cookie message.

While I have not checked the content of all these firms' cookie or privacy policies yet, I would hazard a guess that not all firms will have disclosed the setting of these social media cookies.

Yet these cookies can potentially be as privacy-invasive as behavioural advertising cookies are generally considered to be. Recall for example the debacle regarding the NHS's insertion of Facebook Like code on their site, enabling Facebook to track people across sites.

Again, this raises the issue of responsibility for third party scripts which a site or blog includes on its own webpage. Personally, I believe the main responsibility should lie with the third party service that produces the script and controls the script's functions, including the cookies it sets and reads. This is particularly so in the case of individual bloggers or SMEs with little IT expertise, who would not be in a position to evaluate the purpose or effect of the third party script that the third party markets only as a tool to help the blog or site add sharing buttons that make it quicker and easier for visitors to share or publicise the site.

From the site's viewpoint, it is possible to include social sharing buttons without running the service's scripts (and setting their cookies). A couple of the firms surveyed in fact did so.

As for other third party web services, several firms included Google Maps or Google Custom Search on their sites. The Google code may allow Google to set cookies.

Again, have these firms prevented the Google scripts from running until the visitor has consented (if choosing to offer an explicit consent mechanism)? Can they implement these third party services in a way that doesn't set Google cookies? (At least one of the firms involved had, but others hadn't.) Firms using Google services need to consider this issue, but it seems not all have.

Checking the whole site and sub-sites

Consistency matters. If a site chooses to include a cookie message, or pause setting of cookies until consent is given, it needs to check that all its pages and sub-sites include it.

As flagged above, this wasn't always the case, eg a firm's sub-site might set Google, Google Analytics or AddThis cookies without any cookie message, and indeed even if the visitor had clicked No to refuse consent!

While I didn't go into this level of detail in the table, HR and PR/marketing departments' pages, in particular, seemed to be the main sub-sites that set cookies without messages or consenting button clicks, particularly through including social media sharing buttons.

We don't yet know what view the ICO will take of these various mechanisms and their effectiveness (or not), but I await with great interest reports on the responses to the ICO's letters to various organisations on their cookie law compliance (see the list of organisations and link to letter).



Table of detailed survey results

(view as full page with notes)

Monday 18 June 2012

Google's self-resurrecting PREF cookie

Note that in Firefox, a "PREF" cookie, which Google says is meant to save language preferences and the like, will from time to time suddenly be set, even if you have only a blank tab open.

It's not set by any website you happen to be visiting - it's Google who's setting these cookies. They are saved even if you don't have any webpage open!

This behaviour has been known for some months and concerns have been expressed about it, as it could conceivably do more than Google says it does.

In Firefox 13, even after deleting all cookies, turning off Firefox's New Tab page and disabling Safe Browsing, I found that this cookie kept re-appearing. So the previous fix of disabling Safe Browsing in order to stop this cookie no longer works in Firefox 13, from my testing yesterday.

As for the Chrome browser, although a few months ago Chrome did not automatically set this cookie, the Attacat Cookie Tool kept reporting Google cookies ("NID" and "PREF") even when only a blank tab was open and no cookies were visible via Chrome's settings page! So perhaps it's now impossible to prevent these cookies in Chrome too. (This could be an issue with Attacat's tool, though; I'll report it to them.)

However, it seems Internet Explorer doesn't get any PREF cookies, for now. I haven't tested it in Opera yet.

So - should there be a cookie law notice & consent for the PREF cookie? And who should be responsible for that?

Cookie law - Google Analytics etc - first party, third party, and isn't disabling data sharing more important?

This discusses Google Analytics cookies under the EU cookie law, which (amongst other things) prohibits saving or reading cookies on website visitors' browsers without their consent.

Many sites use Google Analytics for their web metrics / analytics, because it's useful and free. Even the UK data protection regulator, the ICO, uses Google Analytics.

What Google Analytics code does

To use Google Analytics, a site would paste some code into its webpage or website template, like this (with Xs for the site's unique ID number):
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
  (function() {
    // Create a script element that loads ga.js asynchronously from Google
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    // Insert it before the first script element already on the page
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>

You can see that this code references a "ga.js" script from google-analytics.com, a Google website.

When someone visits your site, containing your Analytics code, their browser downloads and runs that code. That code in turn tells it to fetch and run the ga.js script from Google's site.

That ga.js script will then read/set/update Analytics cookies via the visitor's browser.
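As an added example (not Google's code and not part of the original post), the same loader can be held back until the visitor consents, so that ga.js is never fetched beforehand. `createConsentGate`, the `cookie_consent` cookie name and the `fakeWindow` stand-in are assumptions of this sketch; in a browser the real `window` is passed instead.

```javascript
// Added example: hold the Google Analytics loader back until the visitor says yes.
// createConsentGate, the cookie_consent name and fakeWindow are assumptions.

function createConsentGate(win, cookieName = 'cookie_consent') {
  const doc = win.document;
  const pending = []; // loaders held until a decision is made
  const found = doc.cookie.match(
    new RegExp('(?:^|;\\s*)' + cookieName + '=(yes|no)(?:;|$)')
  );
  let decision = found ? found[1] : null; // 'yes' | 'no' | null

  function record(value) {
    // First-party cookie that only remembers the visitor's choice for a year.
    doc.cookie = cookieName + '=' + value + '; path=/; max-age=31536000';
    decision = value;
  }

  return {
    decision: () => decision,
    // Run the loader now if consent is on record, hold it if undecided,
    // and drop it if the visitor has refused.
    whenConsented(loader) {
      if (decision === 'yes') loader(win);
      else if (decision === null) pending.push(loader);
    },
    accept() {
      record('yes');
      while (pending.length) pending.shift()(win);
    },
    refuse() {
      record('no');
      pending.length = 0; // nothing queued is ever fetched
    },
  };
}

// The Analytics snippet wrapped in a function so the gate decides when it runs.
// ga.js location as in Google's classic asynchronous snippet.
function loadGoogleAnalytics(win) {
  const doc = win.document;
  win._gaq = win._gaq || [];
  win._gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
  const ga = doc.createElement('script');
  ga.type = 'text/javascript';
  ga.async = true;
  ga.src = (doc.location.protocol === 'https:' ? 'https://ssl' : 'http://www') +
    '.google-analytics.com/ga.js';
  const s = doc.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(ga, s);
}

// Constructed stand-in for window/document so the example also runs under Node.
function fakeWindow(cookieHeader = '') {
  const jar = new Map();
  const put = (pair) => {
    const i = pair.indexOf('=');
    if (i > 0) jar.set(pair.slice(0, i).trim(), pair.slice(i + 1).trim());
  };
  cookieHeader.split(';').forEach(put);
  const injected = []; // script elements the page tried to load
  const firstScript = { parentNode: { insertBefore: (el) => injected.push(el) } };
  const document = {
    location: { protocol: 'https:' },
    get cookie() { return [...jar].map(([k, v]) => k + '=' + v).join('; '); },
    set cookie(v) { put(v.split(';')[0]); },
    createElement: (tag) => ({ tagName: tag }),
    getElementsByTagName: () => [firstScript],
  };
  return { document, injected };
}

// Three visits: accept, refuse, and a returning visitor who accepted earlier.
function demo() {
  const run = (cookieHeader, act) => {
    const win = fakeWindow(cookieHeader);
    const gate = createConsentGate(win);
    gate.whenConsented(loadGoogleAnalytics);
    const before = win.injected.length; // scripts injected before any click
    if (act) gate[act]();
    return {
      before,
      after: win.injected.length,
      cookie: win.document.cookie,
      src: win.injected[0] ? win.injected[0].src : null,
    };
  };
  return {
    accept: run('', 'accept'),
    refuse: run('', 'refuse'),
    returning: run('cookie_consent=yes', null),
  };
}

console.log(demo());
```

On a real page the banner's Yes and No buttons call `gate.accept()` and `gate.refuse()`, and every other cookie-setting script is registered through `whenConsented` in the same way.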

Are Google Analytics cookies "first party" or "third party" cookies?

That depends on your definition.

EU privacy regulators the Article 29 Working Party (A29WP) say (my emphasis):

"third party cookies"… cookies that are set by data controllers that do not operate the website currently visited by the user…the term “first party cookie” will be used to refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.

Why does it matter?

This matters because first party cookies are considered less invasive than third party cookies, for cookie law purposes, so that eg fewer hoops may need to be gone through in order to show that you've obtained user consent to those cookies. Generally, third party cookies are considered to pose greater privacy risks than first party.

But, from a technical viewpoint, actually "Google Analytics uses first-party cookies". This is because, strictly speaking, Google Analytics cookies are effectively set by your website's domain, not Google's. Technically, whether or not legally, Google Analytics cookies are first party.

For example, below is a screenshot showing the cookies set via Google Analytics once you've accepted cookies on the ICO website. The first four, beginning _utm, are all Google Analytics cookies, but you'll see that they're associated with rather than or (Here are some explanations on how Google Analytics cookies are first party not third.)

Now for some further statements from the A29WP:

A first party analytic system based on “first party” cookies clearly presents different risks compared to a third-party analytics system based on “third party” cookies. There are also tools which use “first party” cookies with the analysis performed by another party. This other party will be considered as a joint controller or as a processor depending on whether it uses the data for its own purposes or if it is prohibited to do so through technical or contractual arrangements…  First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy.

So the big question is, for cookie law purposes, are Google Analytics cookies considered first party, or are they "first party cookies with the analysis performed by another party" or third party analytics, which regulators will come down harder on?
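The technical side of that question can be made mechanical. This added example (not from the original post) sorts observed cookies into first party, first-party cookie written by a third-party script, and third party, using the RFC 6265 domain-match rule; the hostnames, the `setterUrl` field and the category labels are constructed assumptions.

```javascript
// Added example: who "owns" a cookie, technically, on a given page.
// Hostnames, observation format and labels are constructed for illustration.

// RFC 6265 section 5.1.3 domain-match (hostnames only, IP addresses not handled):
// the host is the cookie domain itself or a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// obs: { name, cookieDomain, setterUrl }
// setterUrl is the script or response that set the cookie (relative URLs allowed).
function classifyCookie(pageUrl, obs) {
  const pageHost = new URL(pageUrl).hostname;
  const setterHost = new URL(obs.setterUrl, pageUrl).hostname;
  // The cookie is not scoped to the site in the address bar at all.
  if (!domainMatch(pageHost, obs.cookieDomain)) return 'third-party cookie';
  // The cookie is scoped to the visited site; the remaining question is whose code wrote it.
  return domainMatch(setterHost, obs.cookieDomain)
    ? 'first-party cookie, first-party script'
    : 'first-party cookie, third-party script';
}

// Constructed observations from one page view of https://www.example.org/contact.
const PAGE = 'https://www.example.org/contact';
const OBSERVED = [
  { name: 'PHPSESSID', cookieDomain: 'www.example.org', setterUrl: '/js/site.js' },
  { name: '__utma', cookieDomain: '.example.org',
    setterUrl: 'https://ssl.google-analytics.com/ga.js' },
  { name: 'tracker_id', cookieDomain: '.widgets.example.net',
    setterUrl: 'https://cdn.widgets.example.net/share.js' },
];

function classifyAll() {
  return Object.fromEntries(OBSERVED.map((o) => [o.name, classifyCookie(PAGE, o)]));
}

console.log(classifyAll());
```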

Let's check the ICO guidance:

First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

That doesn't necessarily clarify the position, as arguably Google "sets a cookie through [a Google Analytics user's] website".

What's more, the ICO goes on to say:

The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law. Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – the company running the website. It is therefore in both parties’ interests to work together.
The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.

Given the ubiquity of Analytics cookies, it would be helpful if regulators would confirm whether, for cookie law purposes, they're treated as first party or third party, and who's considered to be the person setting the cookie - the person who included the Analytics code on their website, or Google, who actually wrote, hosts and generally controls that code and what it does?

Social media "buttons"

It's not just Analytics scripts - lots of services offer scripts or other code for website owners to insert into their webpages. It's the service who controls that code, not the site owner. Lots of site owners are individuals, eg bloggers or SMEs, with little technical expertise. They wouldn't know how to dissect the service's script if they tried.

Their only choice is as to whether to use the script, which third party services may market heavily as helping to promote individual sites - or not. But individual sites may not have the technical or legal expertise to make that decision properly. I have in mind here AddThis, ShareThis, Twitter, Facebook and other services that offer social media "buttons" to sites and blogs - code that can be inserted to show the button, and do whatever else the third party service wants it to do.

I also, with respect, take issue with "In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this." (In this case, I'm using "third party" to refer to the service that provided the script or other code.)

It's not. It's the third party who wrote the script it offers to sites. The script is its direct interface. It has the practical and technical ability to tweak its script to, eg, pop up a request to the website user to accept cookies set by its script, identifying itself so the user knows who is responsible for the script.

As for "Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent" - that's even worse. Given what I've pointed out, that sentence seems to me to be the wrong way round, and very unfair on SMEs and bloggers. I feel it should be for Google and similar services to change their scripts so that information is given and consent requested - it's easy for them to do, and they ought to take at least some of the responsibility. Why aren't they doing something?
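To make the point concrete, here is a sketch of a third-party widget script that asks for consent itself, naming its provider, before it touches storage. It is an added example, not code from Google, AddThis or any other service named above; `CookieJar`, `createConsentGate`, the cookie names and "ExampleShare Ltd" are all hypothetical.

```javascript
// Added example. Every name here (CookieJar, createConsentGate, the cookie
// names, "ExampleShare Ltd") is hypothetical, not taken from any real widget.

// In-memory stand-in for document.cookie so the example runs under Node.
// It records every write, so we can see exactly when storage is touched.
class CookieJar {
  constructor(initial = {}) {
    this.cookies = new Map(Object.entries(initial));
    this.writes = [];
  }
  get(name) { return this.cookies.get(name); }
  set(name, value, maxAgeSeconds) {
    this.cookies.set(name, value);
    this.writes.push({ name, value, maxAgeSeconds });
  }
}

const CONSENT_COOKIE = 'example_widget_consent'; // hypothetical name
const CONSENT_MAX_AGE = 180 * 24 * 3600;         // assumed: ask again after ~6 months

// provider/purpose: shown to the visitor so they know who is asking and why.
// showNotice(notice, decide): renders the provider's own prompt and calls
// decide(true) or decide(false) when the visitor answers.
function createConsentGate({ provider, purpose, jar, showNotice }) {
  const queued = []; // cookie writes held back until the visitor decides
  let state = jar.get(CONSENT_COOKIE) === 'granted' ? 'granted' : 'undecided';

  function decide(accepted) {
    if (state !== 'undecided') return; // ignore repeated clicks
    if (accepted) {
      state = 'granted';
      jar.set(CONSENT_COOKIE, 'granted', CONSENT_MAX_AGE);
      for (const c of queued.splice(0)) jar.set(c.name, c.value, c.maxAgeSeconds);
    } else {
      state = 'refused'; // remembered in memory only: nothing is stored
      queued.length = 0;
    }
  }

  return {
    state: () => state,
    // The widget calls this wherever it would have written a cookie directly.
    setCookie(name, value, maxAgeSeconds) {
      if (state === 'granted') jar.set(name, value, maxAgeSeconds);
      else if (state === 'undecided') queued.push({ name, value, maxAgeSeconds });
      // state === 'refused': the write is dropped
    },
    // Called once when the widget loads on the host page.
    start() {
      if (state === 'undecided') showNotice({ provider, purpose }, decide);
    },
  };
}

// Constructed walk-through: first visit, the visitor accepts.
function demo() {
  const jar = new CookieJar();
  let answer;
  const gate = createConsentGate({
    provider: 'ExampleShare Ltd',
    purpose: 'counting how often this page is shared',
    jar,
    showNotice: (notice, decide) => { answer = decide; },
  });
  gate.setCookie('share_visitor', 'v-1001', 3600); // queued, not written
  gate.start();                                    // notice shown, still nothing written
  const writesBeforeAnswer = jar.writes.length;
  answer(true);                                    // visitor clicks "accept"
  return { writesBeforeAnswer, writesAfterAnswer: jar.writes.map(w => w.name) };
}

console.log(demo());
```

The site owner adds nothing beyond the provider's script tag: the notice, the queueing and the consent record all live in the provider's code.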

Sharing Google Analytics data

This is the kicker, to me. Rather than "first party" or "third party" distinctions, surely what matters more is how someone other than the site owner could potentially use that data, ie what can the third party services, that provide scripts to sites, do with the data they gather via their scripts? To what extent can they use the data for their own purposes, and not just the site's?

The A29WP do touch upon third party analysis or use of first party cookies and "third party analytics", but it should be remembered that the cookie law extends to non-personal data as well as personal data, and that its terms don't confine its scope to "controllers" (joint or not), or even "processors". As I've pointed out above, it is the analytics provider who creates and controls the code used by sites, so it would make sense for it to bear more responsibility than sites or blogs who may not have much technical knowledge.

This blog shows that, in practice, Google Analytics data is shared with Google as standard - sharing is ticked by default, and site owners must take active action to disable sharing data with Google, ie not exactly privacy by design or privacy by default! And it seems quite a long-winded, difficult and involved process to stop Google Analytics data sharing (scroll down the page for instructions).

I've disabled sharing Google Analytics data with Google as far as I can for my main site (indeed I've not even added working Analytics code to that site yet). But for users of it's just not possible to prevent the sharing, as no settings are provided to do that. Also, Blogger Stats (which uses Analytics) is "fully integrated with Blogger; you don't need to do anything to enable it for your blog" - put another way, analytics collection can't be turned off on Blogger blogs.

Shouldn't sites' cookie and privacy policies disclose whether they've turned off Google Analytics data sharing, or not (and exactly how Google will use the data, according to Google)? The statement that Google require EU Analytics users to put on their sites, quoted below (8.1), doesn't cover that fully enough, in my view. I've tried to provide something better in this blog's privacy policy. There also seems to be an inconsistency between Google's terms and its practices, which I'll get to next.

Google Analytics terms vs practice

Google clearly states on the Analytics settings pages (quoted in the blog linked above) that it uses sites' Google Analytics data to "improve" its service.

This is what Google's contract terms for UK Analytics customers provide (my emphasis):

You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:
“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”…

8.3 You agree that Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at , or such other URL as Google may nominate for this use from time to time), information collected in Your use of the Service (including without limitation Customer Data) for the purpose of providing web analytics and tracking services to You. Google will not share such information with any third parties unless Google (i) has Your consent; (ii) concludes that it is required by law or has a good faith belief that such disclosure is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides such information in certain limited circumstances to third parties to carry out tasks on Google's behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google. When this is done, it is subject to agreements that oblige those parties to process such information only on Google's instructions and in compliance with this Agreement and appropriate confidentiality and security measures.

Some might feel this isn't quite the same as what's in its FAQs. The phrase "providing other services relating to website activity and internet usage" in the terms is very, very broad, and could cover "improve the service" and create "more powerful features" as well as much more ("other services relating to internet usage" is very wide indeed).

Yet the FAQs and settings pages seem to suggest to those using Google Analytics for their sites that Google won't use the data except for the limited purposes stated in the FAQs, and that if sites decide to disable sharing, this will prevent Google using it for its own purposes.

The terms do state the data will not be shared with third parties without consent (or required by law etc etc). But, strictly, they don't stop Google from using the data for its own purposes to help it provide "services relating to internet usage", even if the site using Google Analytics has disabled sharing in their settings - unless Google's provision of those settings can be taken as Google's representation or implied undertaking that it won't use a site's Analytics data for other purposes if the site has in fact turned off sharing in the settings.

Perhaps Google's next privacy policy review will ensure that its terms are more consistent with what it does in practice?

Tuesday 12 June 2012

Cookie law compliance: list of organisations contacted by ICO about their compliance

Below is the list of all the organisations to whom the ICO have written (here's the form of ICO letter) to ask about their cookie law compliance, an interesting mix of private and public sector!

Acumen Professional Intelligence Limited Limited
AOL (UK) Limited
Apple (UK) Limited
Argos Limited
Associated Newspapers Limited
Automobile Association Developments Limited
Barclays Bank PLC
BBC News
BBC Radio 1
BBC Sports
Belfast City Council
Betfair Limited
Boots UK Limited
British Airways PLC
British Broadcasting Corporation
British Sky Broadcasting Limited
Channel Four Television Corporation
Department For Transport
Deputy Company Secretary
Derry City Council
Direct Line Insurance Plc
Domino's Pizza Group Limited
Dumfries and Galloway Council
easyJet Airline Company Limited
Ebay (UK) Limited
Everything Everywhere Limited
Facebook UK Ltd Limited
Google UK Limited
Group Regulatory Relations
Hallmark Cards PLC
Haymarket Media Group Ltd
IPC Media Ltd (NME)
Jamie Oliver Enterprises Limited Limited
John Lewis PC
Lloyds TSB Bank PLC
Merthyr Tydfil County Borough Council
Met Office
Microcourt Limited
Microsoft Limited
Mind Candy Limited
MyMaths Limited
National Assembly for Wales
National Lottery
National Westminster Bank PLC
Network Rail Limited
Next Group PLC
NHS Choices
Northern Ireland Assembly
Public Service Ombudsman Wales
Qype Limited
Rightmove Group Limited
Royal Society For The Protection of Birds
Sainsburys Supermarket Limited
Scottish Government
Scottish Parliament
Scottish Public Services Ombudsman
Tesco Stores Limited
The Cabinet Office
The National Trust For Places of Historic Interest or Natural Beauty
The Office Of The Ombudsman For NI
Trader Publishing Ltd
TSL Education Limited
Turner Broadcasting System Europe Ltd
Virgin Media Limited
Welsh Government
William Hill (Bookmakers) Ltd
Yahoo UK Limited

Note - despite concerns to the contrary, the list and form of letter are both public. They were linked to from this ICO webpage.

For more info, see my summary of the EU cookie law.

Thursday 31 May 2012

UK cloud users and US PATRIOT Act

My article on whether UK cloud users are legally restricted from using US cloud providers' services under data protection law, given the risks of the US PATRIOT Act, is now in the ComputerWorldUK Cloud Vision blog. Link here.

I also want to point out another useful resource which was published after I'd sent the article in to ComputerWorldUK, namely a paper by Hogan Lovells on government access to cloud data in Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States. Summary chart of findings and link to full paper here.

Friday 4 May 2012

EU cookie law essentials - 20 questions

The cookies law (under the EU e-Privacy Directive 2002/58) will hit websites and mobile apps etc very soon - and already has, in many countries.

Here's an overview and introduction, by way of 20 FAQs, covering the key important points that websites (including personal sites and blogs) and smartphone apps developers etc need to know about the so-called EU cookie law, following my CloudCamp and GirlGeekMeetup talks.

20 cookie law questions & answers

  1. Law from 25 May 2011? No, in the UK, there's an informal grace period till 25 May 2012, to give people time to come up with compliance solutions. 26 May is not far off at all, though. See Wolf Software's cookie law countdown!
  2. Cookies? Not just about "cookies". "Cookie law" is a convenient misnomer. (I'll still use "cookies" as shorthand.) It also includes Flash cookies (Local Shared Objects / LSOs), HTML 5 web storage, DOM storage, web bugs or web beacons, etc. And malware - spyware, trojans, viruses etc - planted on users' equipment. And, in my view, eTags.
  3. Organisations? Not limited to business use. No commercial purpose necessary. Individual app developers, SMEs, personal websites, message boards & forums, bloggers etc, everyone has to comply with the cookie law.
  4. Computers? Not just computers - it's phones, iPads and other tablets, games consoles, internet-enabled TVs, etc. And, I'd argue, Kindles and other ebook readers, iPods etc too. The cookie law applies to any "terminal equipment" of a "subscriber" or "user" - whatever "terminal equipment" may mean.
  5. "Personal data"? Not just "personal data" - it covers any "information". Separate laws deal with personal data, under the 1995 EU Data Protection Directive (implemented in the UK by the Data Protection Act 1998). Related but different laws. Both sets of laws apply, regulators say.
  6. Storing information? Not just storage - gaining access to info on terminal equipment is covered too, even if someone else (eg users or third parties) stored the information. Cough cough Path
  7. Internet? Not just about storing or accessing information over the internet or other network. No network necessary, under the EU and UK law (though it is in Ireland...) - spyware delivered on USB sticks or a virus on a CD could be included. And, while the boundaries aren't clear, perhaps via RFID or even NFC too.
  8. Browsers/websites? It doesn't just affect websites setting or accessing cookies via browsers (like Internet Explorer, Safari, Firefox, Chrome). The law also applies to any other applications, programs, scripts, software etc that store or access data on computers, mobile phones (eg iPhone, Android and other smartphone apps), etc. It's not how you store or access information, it's the act of storing or accessing information on terminal equipment that's covered.
  9. Just the UK or EU? It was meant to come in from May 2011 in all EU countries, but most are behind in passing the required laws (as of mid-March, 12 hadn't).
    The cookie law applies to websites, services or apps of people or organisations based in an EU country (wherever the site or app is hosted) which store or access information in terminal equipment of those using EU public communications networks.
    Even for those based outside the EU, eg in the US, if their site/app is accessible in an EU country over EU comms networks, then the cookie law may still apply to them - indeed, in every such country. And, again, separate EU data protection laws may also apply to any storage or access of "personal data" on EU users' equipment.
  10. What exactly does the law cover, then? Behavioural tracking cookies, innit? 'Fraid not. While the law might have been triggered by concerns about wide-scale tracking and profiling of consumers without their knowledge or consent, particularly behavioural targeting by the advertising industry (online behavioral advertising or OBA), the law is very wide - most think, too wide. It bans all storage of or access to info on terminal equipment, unless the user or subscriber -
    (i) is provided with clear and comprehensive information about the purposes of the storage or access, and
    (ii) has given consent.
    So, basically, consent is king. Or "notice + choice", as the US might put it.
  11. Aren't there any exceptions? There's 2 exceptions when info can be stored/accessed without consent etc, but they're narrow.
    Ignoring a limited exception that's essentially confined to enabling network transmissions, the main exception is where it's "strictly necessary" for providing an "information society" service (effectively, online ecommerce service) requested by the user.
    Classic example - cookies for remembering items added to users' shopping baskets on e-commerce online sales websites. Or, cookies for services with secure login, to recognise users, and other security cookies.
    Tidbit: the ICO doesn't think cookies for saving language/accessibility etc preferences are strictly necessary; the French regulator does! More on this in a future blog post.
  12. Can't consent be opt-out, or given afterwards, or must it be prior consent? Cue big arguments, which are still raging.
    Wider view: consent can be implied from user actions, and isn't always necessary in advance. The UK government considered that the relevant Directive doesn't say "prior" consent ("prior" was deleted from a previous draft), stressing that what's important is informed consent; but still acknowledging that consent must be "any freely given specific and informed indication of" user wishes. While consent normally means prior consent, it argued "This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing."
    Indeed, the ICO themselves had to set a cookie for all visitors automatically, although needed for just one form, and they managed to get rid of it only in the last week of March 2012 (I checked regularly!).
    (Added) Just before 25 May 2012, the ICO updated their guidance to allow for implied consent.
    Strict, narrow view: consent must be express and explicit, eg by users actively clicking a button or ticking a box, and must be given before the info storage/access. This is the view of continental regulators, although the ICO apparently accept that implied consent is possible if there's enough consumer awareness about cookies; and they even said that, when using a pop up or splash page, where no cookies are turned on until the user agrees, if the user just clicks through to another part of the site their consent might be inferred (but a reminder elsewhere that you're setting cookies would help).
    The conflict between UK government and other views certainly doesn't help clarify matters.
  13. Can browser settings be taken to indicate consent? Err. No easy answer here! The law does envisage that "Where it is technically possible and effective, in accordance with [data protection laws], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application." This seems the most sensible solution for user choice, rather than placing the onus on site owners and app developers.
    Currently, browsers are generally set by default to accept all cookies automatically, including third party cookies. Only the tech-savvy tailor browser settings, use NoScript etc, or periodically delete cookies. Can browsers' default settings, to accept cookies, be taken to signify the user's consent to cookies?
    UK government: users could indicate consent by choosing not to change default browser settings, if provided with adequate info on cookies and what those settings mean for them. It thinks this approach would enable industry work on third party cookies in online behavioural advertising. But note that "adequate information" must still be provided first, even on this view.
    Regulators: the ICO, who enforces the law in practice, considers that currently, as most browsers aren't sophisticated enough, services can't assume consent from browser settings, and "for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."
    The authorities have asked browser manufacturers to come up with something (it's interesting in itself that browser providers are being asked to bear the costs of changing their browsers when that law doesn't necessarily apply to them as browser makers, nor would they necessarily benefit from it! Although longer-term, this makes overall sense). No news on this front yet… We'll see if eg Do Not Track (DNT) will be good enough; it certainly seems to be gaining traction.
  14. Break the cookie law, just get a warning? Not necessarily… The UK data protection regulator, the ICO, will consider how seriously a breach affects privacy and others' rights, in deciding what enforcement action to take, if there's a complaint. Worst case scenario, serious breaches could mean a penalty of up to £500k, and non-compliance with any enforcement notice is a criminal offence. But it seems the ICO won't consider formal action about analytics cookies to be high priority, if you "take what steps you can" (?) to seek consent after explaining them, and "we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action." (What about third party analytics cookies…?)
    However, it might not be safe for non-compliant sites to assume they'll escape scot-free, and don't forget other EU countries may take a stricter view and theoretically they could go after eg US services. Not sure if they'd go as far as arresting people travelling in their country yet, as with the EU online gambling executives in transit in the US, but you never know…
  15. What can be done to comply? Another tough one. It depends on how strict or relaxed an approach you take to compliance and consent. I plan to blog more on this soon, looking in detail at some of the free tools out there - watch this space!
    Meanwhile, the main guidance to read is the ICO's Guidance on the rules on use of cookies and similar technologies and shorter ICO's Changes to the rules on using cookies and similar technologies for storing information, which outline a 3-point action plan -
    1. Cookie audit - what type of cookies and similar technologies do you use, how do you use them?
    2. How intrusive is your use of cookies?
      [Note: the all-encompassing cookie law doesn't actually distinguish between cookies based on how privacy-invasive they are. It's the ICO who has introduced this notion of assessing intrusiveness.]
    3. Decide what solution will be best in your circumstances, and deploy it: get rid of all cookies that you can, work out cookie-less solutions as much as possible, for the rest figure out how best to obtain consent before storage/access. The more intrusive the use, the harder you'll have to try to inform users and seek meaningful consent.
    It's probably easier with mobile apps, as users are used to automatically OK'ing all sorts of things when they first install an app, so consent can be included there (if the info is clearly given).
    For websites…the ICO initially seemed clear in their own view that sites need to provide information about cookies and obtain consent before a cookie is set for the first time, while recognising that gaining consent will often "be a challenge", and also "Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options."
    (Added) However, just before the grace period expired, the ICO updated their guidance to allow for implied consent.
    Changing t's & c's or privacy policy to stipulate user consent is not good enough in itself, without drawing the cookie point specifically to users' attention and getting them to take positive action to agree, regulators say. And they're the ones enforcing the law. But consent in TOS might work for new sign ups to services that require login, if it's made clear enough.
    Popups or splash pages (better still, lightboxes that aren't blocked by popup blockers) could work to provide info and get consent, although regulators note the "annoyance" factor.
    The ICO's own site has a banner across the top with tick box. Guess how few people have bothered to tick it…!
    Good news: it's OK to use the same cookie for the same person (and same purpose) in future, without having to ask on every visit, ie cookies once accepted may be maintained across multiple visits without seeking consent again on each visit.
    ICC UK have produced their own guide on cookie categorisation, sample privacy notices and tool tips, etc.
  16. What about third party cookies? Also caught. To me, one of the most problematic issues is, who's responsible for compliance, with third party cookies? Facebook, AddThis, Google etc? Or the user who added a Facebook or AddThis widget to their blog, or Google Analytics, Adsense code or other Javascript tags to their personal website, without necessarily realising how much info that sends to Facebook etc about the user's visitors? Similarly, if you use Google's Blogger and Blogspot, as I do for this blog, you can't control what cookies Google chooses to use (though of course you could choose not to use Blogger/Blogspot altogether).
    The UK ICO considers both parties are responsible: "Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this."
    I disagree. There is a direct interface with the third party, as its code is being run. Also, there's an expertise and knowledge imbalance: I feel that these third parties, who are much more technically sophisticated than many SMEs or individual site owners or bloggers, should take much more responsibility (it's their code, their cookies) for producing cookie-less solutions, or for providing the required info/choice as part of their script. A site owner may install third party scripts marketed as allowing visitors to "Like" or tweet their site etc, without realising the full extent of what it does; it's the third party who truly controls that. More on this in a future blog post…
    Meanwhile, here's Google's privacy troubleshooter form and AdSense's support form for those who'd like to fill it in!
    (I'm not engaging in arguments about whether Google Analytics cookies are technically first or third party cookies. I use "third party" here when referring to code a site owner adds to their site, ie widgets and the like, that originates from and is controlled by a third party.)
  17. But third party analytics cookies and advertising cookies are very common, help?! Analytics cookies and advertising cookies are not "strictly necessary" to deliver the content to users, according to most regulators' interpretation, and the ICO recently confirmed this view. Even if you consider analytics essential to improve your site, or advertising essential to enable you to provide content to users for free. I think bloggers and site owners should be putting pressure on ad networks, analytics providers etc to provide solutions, but any queries I've seen have (with the honourable exception of ShareThis, though I've not seen a solution yet) mostly been met with only a continued resounding deafening silence from the providers, even EU ones, or criticisms of the cookie law from providers, rather than actual pro-active solutions. Though Google have said (ht) that they'll post something about analytics on their Analytics blog. I hope, AdSense too! I'll discuss all this in a future blog post.
    (Added) CNIL, France's regulator, has at least stated that in France 6 month analytics cookies are exempt on certain conditions, eg notice, easy opt-out mechanisms etc.
  18. But, at least all this is better for consumers, right?
    Not necessarily. While hopefully any efforts to comply should help raise consumer awareness about cookies, in my personal view the new laws unfortunately won't solve the underlying problems: tracking/targeting without informed consent, and insufficient granularity of user choice.
    Nor is the information being given to users necessarily clear or comprehensible enough to the average non-technical person - to be discussed further in a future blog post, but see eg the explanation of cookies by cookie name in the ICO's own privacy notice.
    I feel tracking will continue, but (for sites that take the trouble to get rid of cookies) tracking will just move server-side, eg to the cloud, log files-based, employing analytics systems that use IP address and user agent, and therefore tracking may become harder for users to detect. (I don't think device or browser fingerprinting will escape this law, though.)
    It'll cost money to comply (see below), especially as the law isn't fully harmonised across different EU countries, which may raise costs generally without necessarily providing any real benefits to consumers. Strict compliance all-round may even threaten the existence of free ad-funded services currently enjoyed by consumers. So, by focusing on process rather than purpose, the cookie law risks gumming up the workings of internet and mobile services while missing its intended target, and hitting law-abiding SMEs and individuals the hardest.
  19. So who's it better for, then? Well, it's certainly better for cookie auditors/consultants and lawyers! To get their website compliant, the UK data protection regulator had to pay nearly £4k (with further, unknown, costs for sorting out that single recalcitrant cookie mentioned in 13 above).
    It will cost law-abiding sites and apps providers time and money to try to produce compliant solutions, while the real underlying problems remain unaddressed. If all the money regulators and sites etc have had to spend on this were instead used to detect and enforce breaches of existing data protection law (including behavioural tracking without informed consent), we'd all be better off.
    And you can bet your bottom euro that lots of sites and apps aren't going to bother to try to comply, whether through lack of awareness, or a deliberate decision to take the risk, betting that no one will come after them or that, if they do, they won't be fined much. Typical approach, as per an email to me from a tech industry person: "I suspect that most would rather ignore it rather than hamstring their service."
    So all this will effectively penalise law-abiding services, while other services ignore the cookie law and may get away with it. It doesn't seem helpful to have laws that most people won't obey or that won't get enforced (whether for practical or other reasons); it brings the law into disrepute, without necessarily achieving its underlying aim.
  20. And what of the future, eg implications for the internet of things? As mentioned above, RFID and possibly (though less likely) NFC could be covered too - it's not clear enough yet. The European Commission are consulting on regulating the internet of things, so those who respond to the IoT consultation (ending 12 July 2012) could take the opportunity to comment eg on the impact of the cookie law on the internet of things. And the revision of the Data Protection Directive could also provide an opportunity to comment on the cookie law. There's a site protesting the law, as well as an e-petition against it!

See further links to primary sources, some possible free compliance tools, and other resources on the EU cookie law.

Note: this focuses mainly on the UK position. It's my first go at looking at these laws in detail, so any corrections or comments are welcome.

Obligatory weaselly lawyer's disclaimer: the above is just general information, not legal advice. You should consult suitably qualified lawyers about your own situation, as everyone's is different. And opinions are mine alone.

Wednesday 2 May 2012

EU Cookie Law Changes - Key Legislation Extracts

I've updated my cookie law links list to include a link to the text of the relevant legislation, showing the changes, marked up against the previous law, with the text of the EU and UK legislation side by side.

Direct link here.

Tuesday 17 April 2012

Cookie law - links

Last revised 30 June 2013
In the UK, the EU cookie law will be enforced fully from 25 May 2012, under the revised Privacy and Electronic Communications Regulations (implementing the EU E-Privacy Directive 2002/58).
Here are some key links, which I'll add to over time - not necessarily comprehensive! Dates of items indicate their chronology.
Suggestions of further links are welcome.

Introduction / tutorial

Those new to this topic may wish to see my EU e-Privacy Directive cookie law introduction / tutorial.
Survey of top London tech law firms' cookie law compliance - table, with analysis in blog post (and article).

Some free tools that may assist compliance

These examples are listed for illustrative purposes only; you need to consult a suitably-qualified expert to check your own compliance, as everyone's situation is different.

1. Cookie audit tools

To check the cookies on your site there are some tools (though I've not tested them all - on my list!) - but NB you may still get Google's self-resurrecting PREF cookie whatever you do! Some examples:
  • Cookies Manager+ Firefox extension - best one in my view as I can use hotkeys (remember to clear all existing cookies in Firefox first before viewing your site and using the add-on)
  • a free Chrome extension by Attacat (no registration required, unlike some)
  • a general View Cookies Firefox extension, again delete existing cookies first
  • Cookiecert have a free audit service - enter the site you want to audit in their search form, check again in a day or two if it's not already in their database.

2. Notice / consent tools

For getting consent (again just as examples of free tools I've found so far, but none of them do what I would like for this blog as regards analytics etc without requiring modification, and I haven't tested all of them) -

3. Cookie notices - samples

Example privacy notices - International Chamber of Commerce's UK cookie guide, updated Nov 2012, has sample notices, tool tips etc; see also the ICC's blog 2 April 2012 and article about the guide. (Of historical interest - their original April 2012 edition with clarification note - now only available (2nd edition) here).
BT's website has been mentioned by many - it pops up a notice in the bottom right hand corner for 10 seconds saying if you continue without changing cookie settings, you consent. Settings are changeable via a "Change cookie settings" link at the bottom of webpages.

4. Miscellaneous

Google's "privacy troubleshooter" form - to quiz them about what they're doing on Analytics, Adsense etc to help sites comply! And more info on Google Analytics cookies.

ICO (UK data protection regulator)

The main documents are -
Other ICO info:
And about the ICO's own site and cookies -
More general ICO info, broader than cookies but including some coverage of cookies -
On RFID under the Data Protection Act 1998 -

Article 29 Working Party (EU regulators collectively)

These papers are particularly relevant to the cookie law -


Implementation of the revised Framework – Article 5(3) of the ePrivacy Directive - Commission guidance to EU Member States on implementing the cookie law, 20 Oct 2010
Answers to EU Parliamentary questions on cookies, tracking etc given by Ms Kroes on behalf of the Commission (links to the questions are in the top right corner): 18 Jan 2012, 10 Oct 2011, 31 Aug 2011, 26 Aug 2011,
Speeches by Commissioner Neelie Kroes:
Do not track or right on track? – The privacy implications of online behavioural advertising - speech by European Data Protection Supervisor Peter Hustinx, 7 July 2011
Commission presses 16 Member States to implement new EU telecoms rules, 24 Nov 2011
Commission starts legal action against 20 Member States on late implementation of telecoms rules, 19 July 2011
Consultation on internet of things (not strictly on the E-Privacy Directive) -

Other UK government links

Speeches by Ed Vaizey, Minister for Culture, Media and Sport (DCMS) -

Open letter on the UK implementation of Article 5(3) of the e-Privacy Directive on cookies - Ed Vaizey, 24 May 2011, PDF. Taking the view, on consent, that "This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing."
Government Digital Service -

News etc

The European Commission’s chaotic cookie compliance culture (non-compliance by EU institutions), Data Protector blog, June 2013 (original news item)
Center for Internet and Society Launches “Cookie Clearinghouse” to Enable User Choice for Online Tracking (US), June 2013:
Half of UK institutions continue to ignore EU Cookie Law one year on, KPMG study May 2013: analysis of 55 major UK organisations across private and public sectors has found that 51 percent have failed to comply with the legislation
Businesses must engage in EU law consultations if they want to avoid repeat of cookies law mess, says expert, Out-law (Luke Scanlon), Sept 2012.
ICO disputes Freedom of Information Act findings on cookie reporting, SC Magazine (Dan Raywood), Aug 2012 -
  • of 75 websites ICO wrote to (link above) - 45 have been analysed, of which 27 have clearly taken action to increase cookies information visibility; only 3 don't mention cookies on their home page; 'these, along with the six sites that failed to respond to our letter, will be set a deadline to take steps towards compliance, with formal enforcement action likely for the organisations that fail to meet this deadline'
  • of 331 websites reported to ICO - ICO has reviewed them, it will write to them; 'a significant number of the responses do not provide any intelligence that can be analysed, while a proportion also highlight websites that rely on implied consent, which is in line with the EU law'
  • progress report from ICO is due in Nov 2012, including list of sites contacted.
ICO "not ready" to probe cookie complaints, PC Pro report of freedom of information request (Nicole Kobie), Aug 2012.
The way the cookie crumbles - '90% of people haven’t bothered to read it', Forms and Functions, Aug 2012.
Sweet irony: EU imposes cookie law, ignores own rules, ZDNet (Zack Whittaker), May 2012.
ICO on enforcement of cookie law regarding analytics cookies, The Register (Kelly Fiveash), April 2012 - "highly unlikely to prioritise first party cookies used only for analytical purposes"
Guardian article about the cookie law, 13 April 2012 - they have a project to track the trackers

Other cookie or cookie law links - research, papers, sites etc

Bird & Bird's map of cookies law implementation
Silktide - amusing blog & graphics about the cookie law, Jan 2013
Nocookielaw protest site - with the now well known "Dear ICO, Sue Us"
Top London tech law firms' cookie law compliance mechanisms - my own research, June 2012
Consent rates for different consent mechanisms - Qubit research, June 2012
AboutCookies, info site on cookies generally, by law firm Pinsent Masons
FTC Settles with Google over Cookie Control Override - how Google overrode Safari's cookie settings, Ed Felten updated Aug 2012
EU Cookie Law: The conundrum in numbers, Econsultancy May 2012 with infographics eg what consumers think about cookies.
Details on cookies used by Google Analytics; and how does Google use cookies for analytics? (in Google's advertising privacy FAQ)
New UK Cookie Laws: Practical Guidance, by law firm Linklaters, May 2012
89% of consumers feel that new EU cookie directive is a positive step, eDigitalResearch, May 2012 (also reported by EConsultancy)
Just 23% of web users would say yes to cookies, EConsultancy research April 2012
Could the EU cookie law be harming web accessibility? Pretty Simple, Apr 2012
KPMG news release, 10 April 2012 - on their analysis of 55 major UK organisations across UK private and public sectors which found 95% (!) were not in compliance, "with only one asking specifically for opt-in which is the key requirement of the directive. Surprisingly, two sites did not use any cookies at all."
How the EU has implemented the new law on cookies, by law firm DLA Piper, March 2012
82% of digital marketers think the EU cookie law is bad for the web, EConsultancy research, March 2012
Cookie ‘consent’ rule: EU implementation - table, by law firm Field Fisher Waterhouse, Feb 2012 (updated 4 Feb 2013)
EU - Three hurdles to Europe-wide cookie compliance, by law firm Linklaters, 20 Sept 2011 - outlining a risk-based approach to cookie compliance
Response by consumer organisation Which? on UK implementation of the cookie law, April 2011, including the results of their consumer research
Research into consumer understanding and management of internet cookies and the potential impact of the EU Electronic Communications Framework, report by PwC for DCMS, April 2011
Personal views of Peter Fleischer on the cookie law, Google's Global Privacy Counsel, 26 Nov 2010
Trained to Accept? A Field Experiment on Consent Dialogs, Böhme & Köpsell, 2010

Background legislation

Extracts from EU e-Privacy Directive and UK PECR legislation's cookie law wording showing changes from previous law, with EU and UK wording side by side.

UK implementation - The Privacy and Electronic Communications (EC Directive) Regulations 2003 (2003/2426) as amended by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (2011/1208)
Denmark - Speechly Bircham's cookie guidance for Denmark
France implementation - explanation of French regulator CNIL's Dec 2011 cookie law guidance. The CNIL suggested in April 2012 (English translation) that "strictly necessary" cookies included preferences cookies, and 6-month analytics cookies would also be exempt on certain conditions eg clear notice, easy opt-out.
Ireland implementation - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 SI 2011/336, and guidance note on the cookie law
Spain (AEPD) - guide on use of cookies, April 2013 (DataGuidance summary; Bird & Bird)