Ignoring Do Not Track Risks Cookie Law Compliance
By: Richard Beaumont | Thursday, December 4, 2014 | Tagged: Cookie Law, Do Not Track, ICO, Implied Consent
The UK’s most used cookie law compliance model is not compliant if Do Not Track requests are ignored by websites setting tracking cookies, according to the UK Information Commissioner’s Office (ICO) case work team.
In a response to a question posed about a common website set-up, we have been told: “a website must act on the DNT request in order to comply”.
More details of the exchange are below, but in short this means that most websites in the UK are running a significant compliance risk, even if the regulator’s current priorities make the chances of enforcement action pretty slim at the moment.
One of the reasons that cookie notices are disliked by visitors is that most of them simply say that cookies are in use and continuing on the site is deemed to be consent for this.
The reason this can be interpreted as valid under the law is that the law contains a clause stating that consent can be signified through browser settings:
“For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”
Therefore, if the site says ‘you can change your browser to block cookies’, it essentially puts the responsibility back on the user, without having to make any changes to the site itself – which for the owner avoids costs. Users can directly block cookies, so if they don’t, this logic states that consent can be implied by the non-action.
This is a pretty loose interpretation of the law at the best of times, but it is one widely used by websites to claim they are compliant, without offering any real user choice. Most users don’t change cookie settings because doing so gives you a terrible user experience on most websites – and often results in a lot of lost functionality.
Enter Do Not Track
However, Do Not Track (DNT) is a browser setting, and one that users are adopting in significant numbers. DNT has a chequered history, with attempts to turn it into a global, meaningful standard continuing to fail. The main issue is that different interest groups cannot agree on what ‘track’ means, and therefore there is a continuing dispute about what should be the response. This of course benefits the tracking industry, which has been accused of ongoing filibustering, because until it is resolved, they believe they can continue to track with impunity.
However, the cookie laws are not global but local requirements, so it is perfectly possible, even reasonable, in the absence of an agreed global standard, to have a local interpretation of what DNT could mean, in the context of the EU cookie laws.
The Article 29 Working Party has previously issued some guidance on DNT, and has also submitted its views to the W3C consultation on the DNT standard. This is largely summed up as ‘it’s good, but it’s not compliance’.
My Query to the ICO
I have long found this guidance less than helpful. After all, just because the standard does not fulfil all the requirements for compliance with the cookie law, it surely doesn’t mean a DNT signal should be ignored completely as an indicator of a preference not to be tracked.
So I wrote to the ICO, and posed the following question:
In relation to the cookie guidelines under PECR [the UK version of the cookie law], I would like to get your advice on what would be a correct response of a website when a visitor has set their browser to ask not to be tracked (DNT:1).
Should this be interpreted as either withdrawal or lack of consent from the visitor for any particular type of cookies, e.g. analytics or advertising cookies? Is there an obligation for a website to therefore take steps to prevent such cookies being set when a Do Not Track request is detected?
This is the response I received a few days later (quicker than I expected). I have edited some elements of the answer, mostly when quoting the relevant bit of law, and added my own emphasis, but the meaning of the response is unaltered:
Yes, DNT should be used as part of identifying a visitor’s preferences when considering consent.
… the Article 29 working party… has expressed concerns that compliance with DNT does not fully meet all the requirements of the cookie directive.
Ultimately this means a website must act on the DNT request in order to comply, but this is just part of creating a mechanism to respond to a consent preference to be fully compliant with the regulations on cookies.
I wanted to be sure about this so I further asked:
…if there is a clear DNT:1 signal, indicating a preference not to be tracked, and I do not respond to that, then setting tracking cookies would definitely not be compliant. Is that correct?
This is what I got back:
in [the standard’s] current state a [DNT] preference provided could be ignored without the user being made aware of it. This ultimately leaves the website in final control of how it responds and so the responsibility also is with the website in deciding if consent has been given or refused.
…you must consider the DNT value (of 1, 0, or null) as part of deciding if the necessary consent has been provided for cookies to be set.
So in slightly plainer English I think this means the following:
If you are relying solely on the ‘change your browser settings’ approach to implied consent, as most websites are even if they don’t know it, then, as an absolute minimum, you have to respond to a DNT:1 browser setting.
First you will need to detect the setting, then decide which cookies to block, if any. It would also make sense to tell visitors what has been done, even if the message is ‘we have not changed the website in response to your DNT preference’. However, if your site uses third-party cookies, such as the ad targeting cookies that most people associate with ‘tracking’, you would be strongly advised to block them in response to the DNT:1 signal. And if you do this, it would then also be in your interests to have a mechanism to try to get consent to switch them back on again.
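As an added illustration of the detect-then-decide steps above (example code written for this page; it is not part of the original post and not Optanon’s code), the following Node.js-style helper reads the `DNT` request header, normalises it to the three values the ICO mentions (1, 0, or null), treats DNT:1 as a refusal of consent for the tracking categories unless a site consent cookie records an explicit opt-in, and produces the visitor-facing message. The category names, the `cookie_consent` cookie name and the sample requests are all assumptions constructed for the example.

```javascript
// Added example: per-request cookie decision that honours a DNT:1 header.
// Not from the original post or Optanon. Category names, the consent cookie
// name and the sample requests below are constructed for illustration.

// Categories of cookie the site sets; only "tracking" ones are gated by DNT.
const COOKIE_CATEGORIES = {
  essential: { tracking: false },   // session id, CSRF token: always allowed
  analytics: { tracking: true },
  advertising: { tracking: true },  // third-party ad targeting cookies
};

// Hypothetical name of the site's own opt-in cookie (an assumption).
const CONSENT_COOKIE = 'cookie_consent';

// Normalise the raw DNT header to '1', '0' or null (absent/unrecognised).
function parseDnt(headerValue) {
  if (headerValue === undefined || headerValue === null) return null;
  const v = String(headerValue).trim();
  return v === '1' || v === '0' ? v : null;
}

// Read categories the visitor explicitly opted into, e.g.
// "cookie_consent=analytics,advertising", from the Cookie request header.
function parseConsentCookie(cookieHeader) {
  if (!cookieHeader) return [];
  for (const part of cookieHeader.split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === CONSENT_COOKIE && value) {
      return value.split(',').map((s) => s.trim()).filter(Boolean);
    }
  }
  return [];
}

// Decide which categories may be set for this request. An explicit opt-in
// overrides the browser-level signal; DNT:0 or no header falls back to the
// site's implied-consent model; DNT:1 blocks every tracking category.
function decideCookies({ dnt, explicitConsent = [] }) {
  const signal = parseDnt(dnt);
  const allowed = [];
  const blocked = [];
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) {
    if (!meta.tracking || explicitConsent.includes(name) || signal !== '1') {
      allowed.push(name);
    } else {
      blocked.push(name);
    }
  }
  const message = blocked.length
    ? `Your browser sent a Do Not Track request; we have not set ${blocked.join(', ')} cookies.`
    : 'We have not changed the website in response to your Do Not Track preference.';
  return { signal, allowed, blocked, message };
}

// Convenience wrapper over a Node http-style headers object (lowercase keys).
function decideForRequest(headers) {
  return decideCookies({
    dnt: headers['dnt'],
    explicitConsent: parseConsentCookie(headers['cookie']),
  });
}

// Constructed sample requests covering the three signal states plus an opt-in.
const sampleRequests = [
  { label: 'DNT:1, no opt-in', headers: { dnt: '1' } },
  { label: 'DNT:0', headers: { dnt: '0' } },
  { label: 'no DNT header', headers: {} },
  { label: 'DNT:1 with analytics opt-in',
    headers: { dnt: '1', cookie: 'sessionid=abc; cookie_consent=analytics' } },
];

for (const { label, headers } of sampleRequests) {
  const d = decideForRequest(headers);
  console.log(`${label}: allowed=[${d.allowed}] blocked=[${d.blocked}] -> ${d.message}`);
}
```

The design point is that the decision is made server-side before any Set-Cookie header or third-party tag is emitted, so a DNT:1 visitor never receives the tracking cookies in the first place; the opt-in cookie is the “mechanism to switch them back on” that the text recommends pairing with blocking.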
Of course, our Optanon ePrivacy product will do all of this for you, and more besides. The key point however is that sticking up a notice about cookies and doing nothing to respond to a DNT request is clearly not good enough to be compliant.