Who: The UK’s Information Commissioner (“ICO”)
Where: London, UK
When: 6 November 2013
Law stated as at: December 2013
What happened:
Over the past year there has been increasing press and social media speculation that the “tech giants” are developing technological alternatives to web browser cookies.
This is in part to improve the tracking of users across platforms (browser-based cookies don’t help a marketer trying to follow behaviour across all TV, games console, smartphone, app and tablet interactions where cookies are not king). But it is equally in part a direct consequence of the sometimes negative attention paid to cookie-based behavioural advertising and user tracking techniques.
Many in the tech and advertising industries understand that increased privacy education and awareness, together with more opt-out and privacy monitoring tools, will increasingly interfere with the art of making behavioural inferences and building profiles based solely upon the humble cookie. What’s more, the future EU Privacy Regulation looks likely to regulate the building of personal profiles, potentially even if the data does not directly relate to an individual.
Computer Weekly went as far as declaring cookie tracking an “outdated approach” last month.
Why this matters: Of course replacing the browser cookie with a proprietary tracking technology may ring-fence advertising and behavioural tracking within a certain technology vendor’s ecosystem.
If Microsoft’s own technology can track user behaviour within the Microsoft environment to the exclusion of others it doesn’t take much to realise some genuine market advantage is available. However, if that proprietary tracking technology could also by-pass existing privacy laws, particularly those around cookies, perhaps the world’s tech and advertising giants could steal a march on current stringent EU laws?
Not so! On November 6th an ICO spokesperson confirmed that any technology developed to track individuals online would be required to comply with “all relevant aspects” of UK law. Therefore we turn back to the Data Protection Act and the Privacy and Electronic Communications Regulations and their principles of transparency and control.
The news in 2003 and then again in 2011 and 2012 saw endless coverage around “the new cookie law”. Driven by Europe, the UK’s Privacy and Electronic Communications (EU Directive) Amendment Regulations 2011 (the “Regulations”) implemented the required specific changes into UK law. No longer was it sufficient to inform and offer information on how to opt out of a cookie. The 2011 revisions meant that cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
The law already referred to “similar devices” and simply regulates the “storage of” or “access to” information. In fact, in the full text of Section 6 of the Regulations the word “cookie” doesn’t even appear.
So the so-called “cookie legislation” has a wider reach. This “cookie law” is already technologically neutral.
But is any of this news? We already have web beacons, clear pixel GIFs and HTML5 local storage, not to mention Adobe’s proprietary “Flash Cookie” (another form of local object storage), all of which are already deployed (sometimes in conjunction with a browser cookie) to store and track users’ data and information. Just as lawyers focus on IP addresses as identifiers but neglect to ask about numerous others, we see a similar trap within tracking compliance and privacy policy awareness. “Browser cookies” get a mention, perhaps with a generic nod to a web beacon, but how many privacy policy disclosures go further?
Newer technologies like JavaScript tagging or coding to assemble device IDs and “device fingerprinting” are not as apparent as our humble cookie. With new technology and tracking also clearly at development stage, now is the time to dispel the rumour that future tracking will fall outside the current law. But it’s also the time to ask more questions.
And, quelle surprise, the ICO has already brought this to our attention. Way back when they published their May 2012 Cookie Guidance, they reminded us:
“In some areas it is possible for functions usually performed by a cookie to be achieved through other means. This could include, for example, using certain characteristics to identify devices so that you can analyse visits to a website (this is sometimes known as ‘device fingerprinting’). …… Focusing solely on cookies is missing the point. Even where the clear cookies rules do not apply you must consider the DPA whenever you are collecting information that builds up a picture that could allow you to identify an individual. You should tell people what you are collecting and how you are using this information.”
Another timely reminder that it’s not about cookies, it’s about privacy.