If you haven’t yet added cookie notices, you seem to be in good company (the EU …)

GDPR and cookies: I was looking for best practice

(Post by Patrick Lee, 26 August 2018).

I was trying to answer questions from an acquaintance about cookie notices, and I went looking for examples of best practice. So I visited both the UK Information Commissioner’s Office (ICO) and the European Union (EU)’s websites. This is what I found.

The EU’s General Data Protection Regulation (GDPR) became applicable across the whole of the EU just over 3 months ago, on 25 May 2018. As a result, many of you will have seen, since then and indeed for some time before May, prominent cookie notices asking you to give explicit consent when visiting websites.

The ICO’s website: looks pretty good

This cookie notice is what you see, very prominently, when you visit the UK Information Commissioner’s Office (ICO) website for the first time (or after clearing cookies):

ICOWebsiteCookieNotice26Aug2018

The reason for this is that cookies can be used to record personal information. Under GDPR (and this is from the ICO’s own guidance; the bold emphasis is mine):

Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.

In other words, the ICO is implying that users need to knowingly perform an action to give consent to cookies. And that is precisely what the ICO’s own website does via its prominent cookie control notice.

To me (and I should make clear that I am not a lawyer) the ICO website does indeed appear to be very much in line with the letter and spirit of the GDPR.

The EU’s website: a very different story

What about the EU’s website, europa.eu? Remember that I visited in the expectation of seeing an example of good, or perhaps best practice.

At present, the EU’s website, http://europa.eu, doesn’t give visitors any notice or prominent indication that it is storing cookies on their device.

This is what you see the first time you go to http://europa.eu (or if you have cleared cookies). Notice, as well as the absence of any cookie notice, the “Not secure” warning from Google Chrome, which it shows for any page loaded over plain http. This is because, unlike the ICO’s site, the EU website does not (initially at least) redirect users to the secure version of the site (https://europa.eu):

EUWebsiteInsecureAsAt26Aug2018

If you click on English as your desired language, you then see (notice that the site has now at least redirected me to its secure version):

EUWebsiteAfterSelectingEnglishAsLanguage

There is no cookie notice, or prominent link to information about what cookies it stores and what their purpose is. You have to look in the top right or scroll right down to the bottom of the page to see links to Cookies and Privacy policy.

EU Cookies page says they “may” store cookies

The Cookies page says that they may use cookies (amongst other reasons) to record whether visitors have agreed (or not) to the use of cookies on their site.

EUWebsiteCookiesPage

Remember that the site says it *may* use cookies. What is it actually doing by this stage? If you are using Google Chrome, you can see which cookies a site is storing on your device by pressing Ctrl + Shift + I (or F12) to bring up the developer tools. Then click on the Application tab at the top, expand the Cookies entry under Storage on the left, and click on the name of the site you are visiting. The Expires / Max-Age column tells you whether each cookie is a session cookie (it shows “Session”) or a persistent one that will survive closing the browser.

By this stage, I had decided to look at the site’s Privacy Policy page, and this is what came up:

EUPrivacyPolicyPageOnFirstVisit26Aug2018

So while the site’s Cookies page says that it “may” store cookies, or (at the top) that “we sometimes place” them on your device, it has already stored 4 cookies. In fact it stored 2 cookies when I opened the home page, and the third, has_js, when I clicked on the link to use English as my desired language. The 4th, PIWIK_SESSID, appeared when I went to the Privacy Policy page.

The privacy policy page says that by default website visitors are tracked using cookies from Europa. Rather than asking for explicit consent (an explicit opt-in), as the UK Information Commissioner’s Office guidance recommends, the EU has chosen to rely on an implicit opt-in, i.e. you have to untick the box to opt out:

By default, website visitors are tracked using the first-party persistent cookies from Europa. You may choose not to be tracked by Piwik (opt-out). If you change your mind, you can choose to be tracked again by Piwik (opt-in).

Notice again the PIWIK_SESSID cookie. That seems to be the tracking cookie that the EU is referring to.

Let’s try opting out

But what happens if you decide to opt out? Does the EU’s site do what it says it will do? When you first visit the Privacy Policy page, the Piwik cookie is stored on your PC. The privacy page says that you are opted in to being tracked by Piwik, but that you can choose not to have a unique web analytics cookie stored on your device, presumably the Piwik cookie that has just been stored. So let’s try opting out by unticking the “you are currently opted in” checkbox.

The site now says that you have opted out, and has an extra cookie (piwik_ignore) to record that you have opted out:

EUWebsitePrivacyPolicyPageAfterOptingOut26Aug2018

The tracking cookie is still there …

But the Piwik cookie (PIWIK_SESSID) is still there!

Does it disappear when I go to another page on the site, e.g. the page on Personal Data Protection? No, the cookie is still there.

Perhaps it will go away if we close the browser completely and re-open it …

What if I close the browser completely and open it up again? Will the cookie have disappeared? Apparently not!

EUPrivacyPolicyPageAfterClosingAndReopeningChromeAsAt2013On26Aug2018

It’s not just Google Chrome: similar things happen if you open the site in a different browser, Microsoft Edge.
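The two checks above (what a site has already stored before you take any consent action, and whether its opt-out actually removes the analytics cookie) can be done from captured HTTP responses instead of clicking through DevTools. The script below is an added example in Python; it is not code from the original post, nor from the EU or ICO sites. It replays raw responses, as `curl -i` would capture them for each page in visit order, into a cookie jar and reports the http-to-https redirect, the cookies set before consent and which of them are persistent, and whether the analytics cookie survives the opt-out. All responses are constructed sample data: only the cookie names has_js, PIWIK_SESSID and piwik_ignore come from the post; the sample_cookie_* names, the values, the expiry dates and the example.test URL are assumptions.

```python
"""Cookie-consent audit of a captured first visit (added example, not code from the post)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Time the constructed captures are taken to have been made (the post's date).
CAPTURE_TIME = datetime(2018, 8, 26, 20, 13, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    value: str
    persistent: bool  # Expires or Max-Age present: outlives the browser session
    secure: bool
    httponly: bool
    deleted: bool     # Max-Age <= 0 or Expires in the past: this header removes the cookie


def parse_set_cookies(raw_response: str, now: datetime = CAPTURE_TIME) -> list[Cookie]:
    """Parse every Set-Cookie header in one raw HTTP response (status line + headers)."""
    cookies = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        deleted = False
        if "max-age" in attrs:                      # Max-Age takes precedence over Expires
            deleted = int(attrs["max-age"]) <= 0
        elif "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:              # naive date: treat as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            deleted = expires <= now
        cookies.append(Cookie(name=name.strip(), value=value,
                              persistent="expires" in attrs or "max-age" in attrs,
                              secure="secure" in attrs, httponly="httponly" in attrs,
                              deleted=deleted))
    return cookies


def replay(responses: list[str], now: datetime = CAPTURE_TIME) -> dict[str, Cookie]:
    """Apply responses in visit order; a deleting Set-Cookie removes the cookie from the jar."""
    jar: dict[str, Cookie] = {}
    for raw in responses:
        for c in parse_set_cookies(raw, now):
            if c.deleted:
                jar.pop(c.name, None)
            else:
                jar[c.name] = c
    return jar


def redirects_to_https(raw_response: str) -> bool:
    """True if the response is a redirect whose Location is an https:// URL."""
    lines = raw_response.splitlines()
    status = int(lines[0].split()[1])
    location = next((h.split(":", 1)[1].strip() for h in lines
                     if h.lower().startswith("location:")), "")
    return status in (301, 302, 303, 307, 308) and location.lower().startswith("https://")


def tracking_cookies_remaining(jar: dict[str, Cookie], tracking=("PIWIK_SESSID",)) -> list[str]:
    """Names of the analytics cookies still in the jar (should be empty after a real opt-out)."""
    return sorted(n for n in jar if n in tracking)


# --- constructed captures (sample data, not recorded from any real site) ---
HOME_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: sample_cookie_1=a; Path=/\r\n"
             "Set-Cookie: sample_cookie_2=b; Path=/\r\n\r\n")
LANGUAGE_EN = "HTTP/1.1 200 OK\r\nSet-Cookie: has_js=1; Path=/\r\n\r\n"
PRIVACY_PAGE = ("HTTP/1.1 200 OK\r\nSet-Cookie: PIWIK_SESSID=c0ffee; "
                "Expires=Sun, 25 Aug 2019 20:13:00 GMT; Path=/; HttpOnly\r\n\r\n")
# Opt-out as the post observed it: records the choice, leaves PIWIK_SESSID in place.
OPT_OUT_OBSERVED = ("HTTP/1.1 200 OK\r\nSet-Cookie: piwik_ignore=1; "
                    "Expires=Sun, 25 Aug 2019 20:13:00 GMT; Path=/\r\n\r\n")
# Opt-out done properly: records the choice AND expires the tracking cookie.
OPT_OUT_PROPER = OPT_OUT_OBSERVED.replace(
    "\r\n\r\n", "\r\nSet-Cookie: PIWIK_SESSID=deleted; Max-Age=0; Path=/\r\n\r\n")
# A front door that sends plain http straight to https (assumed URL).
HOME_HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"

FIRST_VISIT = [HOME_HTTP, LANGUAGE_EN, PRIVACY_PAGE]  # pages seen before any consent action


def audit(before_consent: list[str], opt_out: str, now: datetime = CAPTURE_TIME) -> dict:
    """Summarise what the browser holds before consent and after the opt-out response."""
    jar = replay(before_consent, now)
    after = replay(before_consent + [opt_out], now)
    return {
        "https_redirect": redirects_to_https(before_consent[0]),
        "set_before_consent": sorted(jar),
        "persistent_before_consent": sorted(n for n, c in jar.items() if c.persistent),
        "opt_out_recorded": "piwik_ignore" in after,
        "still_tracked_after_opt_out": tracking_cookies_remaining(after),
    }


if __name__ == "__main__":
    for label, opt_out in (("observed", OPT_OUT_OBSERVED), ("proper", OPT_OUT_PROPER)):
        print(label, audit(FIRST_VISIT, opt_out))
```

To use it on a real site, replace the constructed strings with the output of `curl -i` for each page in the order you visit them, sending the cookies received so far with each request. Two caveats: cookies set by page scripts rather than by Set-Cookie headers will not appear in a curl capture, so DevTools is still the tool for those; and a cookie that survives closing the browser is either a persistent one carrying Expires/Max-Age, or a session cookie that Chrome restored because it is set to continue where you left off, which the Expires column in DevTools distinguishes. The difference between OPT_OUT_OBSERVED and OPT_OUT_PROPER is the point of the post: a genuine opt-out has to send a deleting Set-Cookie for the analytics cookie, not merely add piwik_ignore beside it.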

Conclusion

My conclusion? Again, I am not a lawyer, but I think it is not clear whether the EU website complies with the GDPR (its own regulations) at the moment:

  • there is no prominent cookie notice when you visit the site
  • you have to explicitly opt out of being tracked
  • even when you do opt out, contrary to what the site says, the same or very similar cookie that is used for tracking is still there.

(Article dated 26 August 2018). #GDPR, #EU #Cookies #Privacy

3 comments

  1. I am grateful for someone pointing out to me that technically, the relevant law seems to be the PECR (Privacy and Electronic Communications Regulations 2003), rather than the GDPR as such.

    But I don’t think the PECR has been referred to very often in the many press and web articles written about cookies, and the GDPR’s increased focus on getting explicit and informed consent seems to have significantly reduced the scope for complying with the PECR via implicit consent.

    Does the EU website comply substantially with the spirit of the combined PECR and GDPR regulations? In my opinion it could go a lot further at the moment if it wanted to be an example of best or even good practice.
