Should there be 1 or 2 layers?
Which information should be in the 1st and 2nd layer?

Recently (3 July 2019), the ICO published its "Guidance on the use of cookies and similar technologies".

ICO also changed the ICO cookie banner/control mechanism on the ICO website to mirror the changes in the new guidance.

In this blog post, we will have a look at:

  • what is (not) missing in the ICO cookie banner/control mechanism with particular regard to the Google Analytics cookie ICO places in end-users’ browsers upon end-users’ consent.
  • whether the information quality in the ICO cookie banner/control mechanism is adequate.

The following questions must be answered in the consent request for the consent to be specific:

1. Which data are processed?

ICO informs that "information on how you use it" (the ICO website) is collected and reported.

ICO does not inform:

  • that end-users’ IP address and browser string are collected,
  • whether end-users’ IP addresses are anonymised by Google,
  • which parts of end-users’ website usage are measured.

2. By which processing actions are data processed?

ICO informs that information on how you use the ICO website "is collected and reported".

ICO does not inform that:

  • end-users’ data are first transmitted and stored,
  • end-users’ data are then made accessible to the ICO.

3. Are data disclosed to recipients?

ICO informs that ICO would like to set "Google" Analytics cookies.

In a link to its cookie page, ICO links to Google’s Information for Visitors of Sites and Apps Using Google Analytics.

ICO does not inform:

  • that end-users’ data are transmitted to and stored at Google.
  • that Google makes the analytics results accessible to the ICO.
  • of Google’s contact details and Privacy Policy.

According to the Advocate General in the Planet 49 case:

  • the clear and comprehensive information a service provider has to give to a user includes ... the question whether third parties are given access to the cookies or not.

4. Are data transferred to third countries?

ICO does not inform whether end-users’ data are transferred outside the EU.

ICO’s end-users’ data are distributed across a shared infrastructure composed of Google's many homogeneous machines, located in Google's data centers, including data centers outside the EU.

5. By which method are data processed?

ICO informs that ICO would like to "set" Google Analytics "cookies".

ICO does not inform end-users that:

  • information is stored or accessed in end-users’ browsers.

ICO also informs "(f)or more detailed information about the cookies we use, see our Cookies page".

At its cookie page, ICO says what cookies are:

According to the Advocate General in the Planet 49 case:

  • a cookie stores or accesses information in end-users’ browsers.
  • information stored or accessed in end-users’ browsers has a privacy aspect to it regardless of whether that information constitutes personal data.
  • information stored or accessed in end-users’ browsers interferes with end-users’ private sphere.
  • the validity of consent to the placement of cookies and the applicability of any relevant exemptions, however, should be evaluated based on the purpose of the cookie rather than the technical features.

Hence, in my view it is essential to inform end-users that:

  • information is stored or accessed in end-users’ browsers,
  • information is stored or accessed in end-users’ browsers for a purpose that is specified.

6. Are personal data processed for a single, specified purpose?

ICO informs that ICO sets cookies for a purpose that it specifies as to "help us improve it" (the ICO website).

This is a single purpose, separate from other purposes.

Is, however, this purpose ICO’s real purpose, and is it specific enough?

What ICO achieves by storing the Google Analytics cookie in end-users’ browsers is that:

  • Google can access and transmit data on end-users’ usage of ICO’s website to Google.
  • Google analyses the data on end-users’ usage of ICO’s website.
  • Google makes available to the ICO the analytics of the data on end-users’ usage of ICO’s website.
  • ICO accesses and reads Google’s analytics on end-users’ usage of ICO’s website.
  • ICO can use the insights from Google’s analytics for a number of purposes, including to improve its website.

To me, ICO’s first-order purpose of storing the Google Analytics cookie in end-users’ browsers is to access and read Google’s analytics on end-users’ usage of ICO’s website, and ICO’s second-order purpose is to use the insights from Google’s analytics to improve the ICO website.

7. When does the Google Analytics cookie expire?

ICO does not inform end-users when the Google Analytics cookies will expire.

According to the Advocate General in the Planet 49 case:

  • the clear and comprehensive information a service provider has to give to a user includes the duration of the operation of the cookies.

8. How long will the analytics data be retained?

ICO does not inform end-users how long the Google Analytics data will be retained.

Google enables the ICO to choose how long Analytics retains data before automatically deleting it. For web properties, the ICO can choose:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

9. What is the legal basis for the processing purpose?

ICO informs end-users that the Analytics cookies are optional.

ICO does not explicitly inform end-users:

  • that adjusting the available slider to ‘On’ constitutes consent,
  • which exact legal basis the ICO uses.

10. What is the legal basis for transferring end-users’ data outside the EU?

ICO does not inform end-users which legal basis ICO uses to transfer end-users’ data to Google outside the EU.

If you have any questions, you can send me an email at: hello@signatu.com