Your chance to ask an expert: Making sense of cookie laws for corporate websites

During the week of November 11th, we are running our first ‘ask an expert’ event on Instagram and Guild, the Bowen Craggs Club online platform. Our guest expert will be Lawrence Shaw, from the Privacy and Cookies software service.

Lawrence will be on hand to answer your questions throughout the week. Here, Andrew Rigby of Bowen Craggs sets out some of the thorniest issues around the often changing – and sometimes contradictory – advice around cookies and corporate websites. We hope this will spark some questions of your own next week.

Changing guidance on GDPR – are your analytics at risk?

The European Union’s top court recently ruled that, under GDPR (General Data Protection Regulation), pre-ticked check boxes are not sufficient for gaining user consent for nearly all types of cookies, including analytics cookies.

In the UK, the Information Commissioner’s Office (ICO) has also changed its guidance, saying that even analytics cookies need explicit rather than implied consent.

This is a shift away from the previous understanding of websites’ responsibilities under GDPR, at least in the UK. In fact, until recently the ICO’s own website was dropping analytics cookies by default, and requiring users to change their settings if they objected.  

Regulators are no longer making a distinction between analytics cookies (which carry no personal information and help make websites run better) and third-party cookies, which are often commerce-driven.

The ICO is clear about this in its blog: analytics cookies require active consent from users – via a tickbox or button. Only cookies ‘essential to the running of a site’ (such as ones which save items in a shopping cart) are exempt, and the ICO does not believe that, under GDPR, analytics cookies are essential. 

Of course, this ignores the legitimate need for businesses to understand their online audiences better in order to serve them more effectively, as Brian Clifton, an internationally recognised Google Analytics expert and author, eloquently argued on his own blog.  

What should I do now, and will the guidance change again?

If your business is covered by GDPR – and many global websites with European operations will be – then the current guidance is that you need to gain explicit consent from users to drop all non-essential cookies, including analytics.

In other jurisdictions, we recommend taking the time to understand the latest laws and guidance. For example, in the US, the California Consumer Privacy Act (CCPA) is getting a lot of publicity ahead of its implementation in January 2020.

It is important to note that the upcoming CCPA is more concerned with data selling. As this article helpfully explains, its effect on analytics cookies is therefore negligible.

For now, Brian Clifton’s perspective is helpful – he sets out a five-point test to ensure you are tracking users with their best interests at heart. This is a good place to start when deciding your approach to tracking and gaining user consent – although you need to be mindful of applicable laws, such as GDPR. Brian is confident that case law will lead to looser restrictions on analytics cookies, but your organization may well not want to rely on yet-to-be-decided case law.

In the EU, an updated ePrivacy regulation is due in 2020, which many are hoping will make a distinction between benign first-party cookies, and third-party ones. 

Join us next week to find out more

We are delighted that Lawrence Shaw, from the Privacy and Cookies software service - which provides solutions to help locate, verify and report cookies for major companies, as well as supporting membership bodies, governments and regulators - will be on hand to answer your questions alongside members of the Bowen Craggs measurement team during the week of November 11th. Lawrence has a wealth of digital experience, across industries as diverse as aeronautics and retail, and has been heavily involved in privacy regulatory compliance through leading companies such as IBM and Deloitte, as well as advising the UK government.

Lawrence has looked at some examples of cookies and tracking on some corporate websites and – without naming and shaming – will be sharing some interesting insights from their mistakes and successes.

We’ll be happy to discuss anything relating to the topic.

To take part, follow us on Instagram and keep an eye on our story. Or if you are a Bowen Craggs Club member head over to Guild where Lawrence will be joining us from Monday.

First published 05 November, 2019