Who: The UK’s Information Commissioner (“ICO”)
Where: London, UK
When: 6 November 2013
Law stated as at: December 2013
Over the past year there has been increasing press and social media speculation that the “tech giants” are developing technological alternatives to web browser cookies.
This in part to improve user tracking users across platforms (browser based cookies don’t help a marketer trying to follow behaviour across all TV, games consoles, smartphone, app and tablets interactions where cookies are not king). But equally in part a direct consequence of the sometimes negative attention paid to cookie based behavioural advertising and user tracking techniques.
Many in the tech and advertising industries understand that increased privacy education and awareness, together with more opt-out and privacy monitoring tools will increasingly interfere with the art of making behavioural inferences and building profiles based solely upon the humble cookie. What’s more the future EU Privacy Regulation looks likely to regulate the building of personal profiles potentially even if the data does not directly relate to an individual.
Computer Weekly went as far as declaring cookie tracking an “outdated approach” last month.
Why this matters: Of course replacing the browser cookie with a proprietary tracking technology may ring-fence advertising and behavioural tracking within a certain technology vendor’s ecosystem.
If Microsoft’s own technology can track user behaviour within the Microsoft environment to the exclusion of others it doesn’t take much to realise some genuine market advantage is available. However, if that proprietary tracking technology could also by-pass existing privacy laws, particularly those around cookies, perhaps the world’s tech and advertising giants could steal a march on current stringent EU laws?
No so! On November 6th an ICO spokesperson confirmed that any technology developed track individuals online would be required to comply with “all relevant aspects” of UK law. Therefore we turn back to Data Protection Act and the Privacy and Electronic Communications Regulations and principles of transparency and control.
The news in 2003 and then again in 2011 and 2012 saw endless coverage around “the new cookie law”. Driven by Europe, the UK’s Privacy and Electronic Communications (EU Directive) Amendment Regulations 2011 (the “Regulations”) implemented the required specific changes in to UK law. No longer was it sufficient to inform and offer information on how to opt-out of a cookie. The 2011 revisions meant that cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
The law already referred to “similar devices” and simply regulates the “storage of” or “access to” information. In fact in the full text of Section 6 of the Regulations the word “cookie” doesn’t even appear.
So the so called “cookie legislation” has a wider reach. This “cookie law” is already technologically neutral.
And, quelle surprise, ICO has already brought this to our attention, way back when they published their May 2012 Cookie Guidance they reminded us:
“In some areas it is possible for functions usually performed by a cookie to be achieved through other means. This could include, for example, using certain characteristics to identify devices so that you can analyse visits to a website (this is sometimes known as ‘device fingerprinting’). …… Focusing solely on cookies is missing the point. Even where the clear cookies rules do not apply you must consider the DPA whenever you are collecting information that builds up a picture that could allow you to identify an individual. You should tell people what you are collecting and how you are using this information.”
Another timely reminder that, it’s not about cookies it’s about privacy.