Contentsquare's take on Analytics Cookie Consent
A bit of background.
On 3 July 2019, the UK’s data protection authority, the Information Commissioner’s Office (the ICO), published guidance on the use of cookies and similar technologies. You can find the guidance at: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/ and the related blog at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/.
Although this guidance by the ICO is helpful and an aid to understanding how to address website cookie consent obligations, it contains certain views which seem to go one step further (some might say, too far) on the requirements concerning analytics cookies. Until the day of publication of the ICO guidance, companies could comfortably argue that analytics cookies are a necessary condition for providing the service to their website visitors and therefore, in accordance with the GDPR, do not fall under the requirement of obtaining a website visitor’s consent. However, this argument became a much harder one to hold: at least from the UK authority’s point of view, the use of analytics cookies is not necessary for the services and should not be covered under legitimate interest, and therefore requires the website visitor’s consent.
Also on that topic, on October 4, 2019, the Council of the European Union released a draft of the proposed ePrivacy Regulation - you can find it at: https://data.consilium.europa.eu/doc/document/ST-12633-2019-INIT/en/pdf.
The draft is a result of long and continuing negotiations by the EU Member States on the topic of adjusting and enhancing existing issues not fully covered under the GDPR and the ePrivacy Directive (from 2002, as amended in 2009, also known as the “Cookie Law”) concerning the electronic communications sector, and specifically, with a view to changing the way in which consent is obtained from website visitors.
Once enacted, the ePrivacy Regulation will replace the ePrivacy Directive and will also complement (and in places even override) the GDPR when handling electronic communications. It is important to note that currently (i.e. as of the date of this document) the ePrivacy Regulation is still under debate; we will examine some of the interpretations of these statements below:
Current market practices.
As leaders in our industry, we have the opportunity to witness different approaches taken by our clients (based on their own legal advice) concerning their compliance with the recent ICO guidance and analytics cookie requirements in general. We encourage you to check your competitors, and other companies in your industry, for their cookie consent practices as well. Our main findings are highlighted below, but please consult with your legal advisors before implementing any of them on your website:
Full Cookie Wall. Essentially, blocking visitors from accessing anything on the website until the visitor accepts the use of all cookies. A “take-it-or-leave-it” approach. Although this practice is still used by some companies, it is important to note that it might be considered not to be in line with the requirements of applicable privacy regulations (consent might not be deemed as “freely given”).
Consent Management Platform. A solution (whether internally built, or provided by a third-party vendor) that allows the visitor to choose, specifically and freely, which cookies to accept or reject. The visuals and user interface of such solutions may vary, but in general these solutions hold back the injection of any cookies into the visitor's browser (other than necessary cookies) until the visitor makes a decision, without blocking the visitor’s use of the website. This practice, depending on the level of implementation and granularity, is usually considered appropriate and in line with the requirements of privacy regulations, but may have an effect on the analysed traffic on the customer website.
Mixed Approach. Some companies also decide to choose an in-between approach, in which they deploy a Consent Management Platform on most of their webpages, but nonetheless choose to apply a full Cookie Wall (preventing access) on specific webpages where they determined that the use of analytics cookies is deemed essential (usually for sensitive webpages or for compliance reasons). This mid-ground approach might hold some balance, but it is definitely not a clear win, as any argument focusing on analytics cookies being essential is currently still controversial.
“Continue as Usual”. A number of our customers, despite the ICO position, have so far decided to consider analytical data (and cookies by proxy) as necessary to the services provided, especially when it comes to compliance with specific regulations (e.g. anti-discrimination laws, accessibility regulations, age limitations, etc.). The specific arguments may vary, but the essence is that without such analytics information, critical data required to ensure that such companies are compliant will not be available, putting them at risk. This “continue as usual” approach received encouragement from the recently published (and still negotiated) draft of the new ePrivacy Regulation, specifically with respect to analytics data. Although it is still under debate, certain companies consider the draft as representing the current state of mind of the regulators, and therefore deem analytics cookies necessary and exempt from consent, strengthening their “continue as usual” position. Needless to say, maintaining a practice that is in contradiction to a regulator’s guidance, no matter the argument, has its risks and needs to be considered carefully by legal counsel.
Our position.
In our current environment, where privacy regulations and legal requirements are constantly in motion, we understand and relate to our customers' concerns. Any drastic change in their practices, specifically when it comes to their use of analytics cookies and reliance on the resulting analytics information, may have a crucial effect on the accuracy of the analysed data and their ability to have a clear view reflecting their visitors’ journey through their website.
Despite what seems to be clarifying guidance by the ICO, we see the ICO’s statement as a confusing message that is missing the target and causing more damage than good. The extremely broad determination that all analytics cookies are non-essential and not necessary for the services must be refined, covering only the type of cookies that actually are not necessary, while allowing the use of un-intrusive analytics cookies.
We believe that behaviour analytics information, and analytics cookies (first-party without personal information) as its conduit, are an essential and necessary part of any service and business survival. By default, online commerce has a fundamental drawback in comparison to retail stores when it comes to understanding customer traffic. A website owner’s ability to see and understand its customers’ needs and concerns is significantly impaired, as it lacks the inherent visibility that a retail store manager has. This is where online behaviour analytics information comes into play and overcomes that gap. Without customer behaviour analytics information, any business, whether online or retail, will not survive the end of the year. Money will be wasted, and owners will be disconnected and delayed in reacting to customers’ trends, needs and concerns.
As mentioned above, we believe that there should be a clear definition and limitation as to what is an exempted analytics cookie – and that is a first-party analytics cookie that contains no personal information. We accept the understanding that third-party cookies, and cookies containing personal information, should not be exempted from the requirement of a freely given, specific, informed and unambiguous consent. It is important to clarify that our opinion on the broadness of the ICO’s guidance does not, and will not, affect our respect for our customers’ interpretation of the regulatory requirements, or the continuing support we provide them - including any information, assistance and recommendation they require, allowing them to fulfil their compliance needs.
Our recommendations.
Respect the data of your customers and website visitors.
Make sure your online privacy statements and policies are complete and provide a clear and transparent view of your data practices and processes, including, but not limited to, information on any third-party tools you are using on your website (which we assume include Contentsquare’s solution).
Read the guidance, the proposed regulations, this document and any other publications on this topic, in order to gain a better understanding of the current legal environment and requirements.
Check other leading companies in your industry for common practices, interpretations and ideas.
Consult with your legal and privacy advisors and determine your privacy compliance scheme suitable to your website, your data and your views.
What Contentsquare is doing for you.
We value your privacy. We respect your control over your data. We are constantly monitoring and adjusting to advancements in privacy regulations and practices. We are transparent on our practices and will provide you with any information requested. We will assist you with your compliance needs and requirements, whether by guidance or by tools to achieve such compliance.
Quick Q&A.
What should we do?
It is for your legal counsel to interpret the guidance and determine the practice best suited to you. See our Recommendations above.
Will the ICO enforce their recommendations?
“Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.” - quoted from Ali Shah, ICO’s Head of Technology Policy, Blog: Cookies – what does ‘good’ look like? dated July 3, 2019.
What should we expect from upcoming ePrivacy Regulations?
No one can tell when, if or how such new ePrivacy Regulations will come to be in effect. We can only hope that any regulation will provide a bit more clarity to our industry and practices, but for now all that we can do is better understand the state of mind and aim of the Member States when it comes to privacy electronic communications – and start preparing.
How can you contact Contentsquare?
Feel free to send any question, concern or request to privacy@contentsquare.com.