Analytics cookies: The ICO are going to do their damndest to turn a blind eye

(Viewing this article, as with any page on the Attacat site, means you now have a pile more cookies on your computer. Excite yourself with fascinating insights about this here)

Being what is probably the only 2012 weekend of really good Scottish weather, who could think of anything more fitting to do than wade through another 30 pages of ICO guidance (that’s them in charge of enforcing the cookie law)?

No? Me neither, but I have skipped through them and contained within are some nuggets of common sense (even if not amongst the decidedly weird doctors’ surgery analogy on page 8!).

Indeed, in the case of analytics cookies, the guidance gets as close to saying “if you want to break the law, we will do our best to turn a blind eye” as I suspect any piece of legalese gets:

Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices. Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action.

In other words, analytics cookies are covered by the legislation but as long as we tell people we are using them and provide an easy opt-out, then we can sleep pretty easy.

I interpret this as saying the approach we have adopted on this site (and the one we advocate in our suite of free cookie tools) is acceptable to the ICO (provided we don’t specifically ask them to endorse it!)

Of course this approach:

  1. Still requires you to do something; and
  2. Doesn’t work for all cookies

Doing something

The new guidance includes this wireframe of a new less intrusive way of highlighting cookie information.

The surrounding commentary is cleverly worded to leave a little doubt as to whether further notices and/or a prior consent message is required too but I interpret this to mean that an approach of “let’s just make sure we mention cookies somewhere in our site’s header and call that a consent mechanism” is probably a relatively low-risk, even if not strictly compliant, approach.

The second part of “doing something” is to ensure you provide a clear explanation and links to opt-outs. In my humble opinion, the “Cookie Information Page” that our tool generates automatically will tick this box admirably!

Applicable cookies

The above approach though is not suitable for all cookies. The guidance talks about relatively un-invasive cookies:

The Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action.

I can understand “analytics” OK but “accessibility of sites and services”?

From Wikipedia:

Accessibility is a general term used to describe the degree to which a product, device, service, or environment is available to as many people as possible. Accessibility can be viewed as the “ability to access” and benefit from some system or entity

That covers quite a lot of sins but I can’t see this being stretched to cover advertising cookies! Further, this wording in a web context has a pretty narrow definition:

Web accessibility refers to the inclusive practice of making websites usable by people of all abilities and disabilities.

So we still don’t have clear guidance as to whether the “prominent notice and opt-out” approach is suitable for things like embedded Google Maps or share buttons. In my mind effort is required here to try to find cookie free solutions if you can and provide some further notice where you can’t.

To sum up

There has been a bit of a U-turn from the ICO. “Implied consent” is now part of the story but in limited circumstances. You are more likely to have a good hearing from the ICO if you play your part in educating your visitors to the benefits of cookies and seeking opt-in for more intrusive ones.

Of course, just because the ICO is seeking to take a softer approach doesn’t mean the rest of Europe will. Indeed European legislators may yet have something to say to the ICO yet!

(Please feel free to make use of those cookies we’ve placed and share this article)

Leave a Reply

Your email address will not be published. Required fields are marked *

Like the Brain? Sign up for the packed-full-of-tips monthly newsletter