If you sit very quietly today and listen for a moment you’ll be able to hear a noise. That noise is the sound of thousands of website owners throughout the UK saying “Phew!”
Why are they saying that? It is because today the ICO has (finally) put in writing that you are allowed implied consent on tracking cookies, rather than having to do complete opt-in:
Blue Latitude has commented on the process as it has evolved previously. In June last year when the new law was announced we said:
“The right to privacy for an individual is deeply important and the use of personal data must be regulated. The directive fails to do this, it just meddles with some of the key building blocks that underpin how businesses build customer relationships online.”
We also suggested that the law showed “a real disregard for how many businesses gain intelligence on their marketing performance”, after the ICO showed that its opt-in had caused a 90% drop in reported visits.
In January this year we revisited the issue to look at the ‘strictly necessary’ option following consultation with the International Chamber of Commerce, where the ICO suggested that its opt-in approach was overly heavy-handed, and at whether lighter approaches would be acceptable. We speculated as to whether this could be extended to analytics cookies or not, before deciding that “when implemented, this directive will seriously impact on everyone involved in digital activities.”
With the ICO rocking slightly as to whether we needed opt-in for analytics cookies or not, the government itself took hold of the situation, suggesting that for their own websites analytics cookies were strictly necessary and hence implied consent was OK.
Does that mean that you should carry on as before? Not quite. Implied consent is one thing, but actually making the users more aware of what you are doing with cookies is still important. What we actually want is informed, implied consent. Therefore, if you have a website in the UK you should be doing the following things:
- Audit your site to see what cookies you are using. Stop giving out any that you no longer use and see if you can consolidate others. You should also be looking at how long you set your cookies before they expire.
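One way to carry out the cookie audit described above, as an added example rather than anything from Blue Latitude or the ICO: it takes `Set-Cookie` headers collected while browsing the site, lists each cookie with the pages that set it, and flags lifetimes over a limit. The sample headers, the cookie names and the 395-day limit are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (page, raw Set-Cookie header value) pairs as they might
# be collected from a crawl of the site. All names and values are hypothetical.
SAMPLE_HEADERS = [
    ("/", "analytics_id=u1; Max-Age=63072000; Path=/"),
    ("/", "sessionid=abc123; Path=/; HttpOnly"),
    ("/shop", "promo=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("/shop", "analytics_id=u1; Max-Age=63072000; Path=/"),
    ("/blog", "legacy_tracker=x; Max-Age=315360000"),
]

def parse_set_cookie(header, now):
    """Return (name, lifetime_seconds); a lifetime of None means a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(value)
        elif key == "expires":
            expires = parsedate_to_datetime(value.strip())
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, max_age
    if expires is not None:
        return name, int((expires - now).total_seconds())
    return name, None

def audit(headers, now, max_days):
    """Group cookies by name, record where each is set, flag long lifetimes."""
    report = {}
    for page, header in headers:
        name, lifetime = parse_set_cookie(header, now)
        entry = report.setdefault(name, {"pages": set(), "lifetime_days": None})
        entry["pages"].add(page)
        if lifetime is not None:
            days = lifetime / 86400
            entry["lifetime_days"] = max(entry["lifetime_days"] or 0, days)
    for entry in report.values():
        days = entry["lifetime_days"]
        entry["review"] = days is not None and days > max_days
    return report

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, e in sorted(audit(SAMPLE_HEADERS, now, max_days=395).items()):
        life = "session" if e["lifetime_days"] is None else f"{e['lifetime_days']:.0f} days"
        print(f"{name:16} {life:12} pages={sorted(e['pages'])} review={e['review']}")
```

Cookies that never appear in the report for pages where they are still expected, or that appear but are no longer read by anything, are the candidates to stop issuing or consolidate.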
Analytics reporting is anonymous. There should be no personally identifiable data being passed into your analytics system and the point of the data is to provide aggregated information on the users’ behaviour to improve the quality of the site in question.
If you are linking your online data with offline data to get better information from your customer then there is another level of privacy you should be thinking about. This is, of course, near on impossible until you have some unique key to link them together. So the question of consent should come at the point of getting that unique key (e.g. if you are doing it based on a username then when you ask them for their username you should say “We will tie any data we hold about what you do when you are logged in with things you do with your account offline”).
Finally, it is important to remember that if you are a global organisation you’ll still have to pay attention to how all the other European countries have interpreted this law (and they have done so in a variety of ways, whilst some are still to define their law).