With just over a month until the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is enforced, it was high time that an organisation with the weight to set a precedent got off the fence and took a serious position on the matter.
Who better than the UK's Government Digital Service?
I’m not sure I expected the UK government to be the one to lead the charge on cookie law compliance, and I’m certain I didn’t expect them to be the ones to argue that web analytics are “essential”, but that’s exactly what they’ve done with their snappily titled Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites.
So does it stand up to scrutiny? And more pressingly, does it get the rest of us out of a potentially difficult situation?
The government’s argument
The Government Digital Service (GDS) takes the view that web analytics are “essential to the effective operation of government websites” and that “at present the setting of cookies is the most effective way of doing this”.
Further, they feel that web analytics cookies are “minimally intrusive” and that “their usage tends to be controlled by the first-party” (emphasis theirs).
Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.
Does it stack up?
The title of the GDS’s blog post, It’s not about cookies, it’s about privacy, echoes sentiments expressed in my own recent article on privacy and the cookie law for the LBi bigmouthmedia blog: Joe Public does not, on the whole, have a firm grasp of online privacy, and we don’t have to look very hard to see stark contradictions between popular belief and patterns of behaviour.
So getting hung up on the technology isn’t the point; we must instead concern ourselves with the end result.
Still, laudable as it is, the GDS’s concern for the spirit rather than the letter of the law doesn’t stop them from protecting their own priorities, relying largely on the ICO’s statement that they’re “unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action” to justify doing little to change their current analytics implementations.
Like private sector website owners, they’re not terribly keen on obtaining informed consent, either, calling it “disruptive to the user experience”, by which they mean, of course, that practically nobody will consent.
They’re not explicit about how they’ll address this problem, but they will apparently seek to “raise the awareness levels amongst users of government websites about the uses and functions of cookies”.
The other sticking point is that elsewhere in the quoted Guidance document, the ICO advises that analytics cookies are “unlikely to fall within the exception” and defines “the exception” as applying only to cookies which are “for the sole purpose of carrying out the transmission of a communication” or which are “strictly necessary” (as distinguished from “reasonably necessary”).
In other words it could go either way and, like many organisations considering their cookie options, the GDS seems set to take a gamble that the ICO won’t crack down on analytics.
That's not a position I'd have expected the government to take and, as an ex-local government officer myself, I have some sympathy with whichever poor soul had to write the risk assessments.
Of course, one could take a view that their aims of assuring the “best possible user experience” and encouraging “citizens to use more cost-effective channels for accessing government services” means that what’s good for them is good for their users, but that seems like the thin end of a wedge and an argument that would be unlikely to cut much ice with the ICO were a private company to be the first to make it.
Where does this leave us?
In terms of understanding what a robust, long-term response to the law looks like, it seems we’re still at square one, but unless the GDS change their view (or are required to change it after May), the rest of us can at least continue to be hopeful that our analytics are safe for now.
So what do you think, government fudge or rational response to vague guidance?