Analytics and A/B Testing Cookies — Only After Consent in Europe?
Updated February 19, 2020: A new update from the CNIL states that A/B testing and audience measurement are now exempt from consent.
You might think GDPR only caused a disruption when it came into effect in May 2018.
The truth is Europe has been in turmoil all throughout 2019 and it’s not good news.
The French and UK data protection authorities (the CNIL and the ICO) updated their guidance notes issued in July 2019, highlighting that analytics cookies (including A/B testing and personalization) need explicit consent before being placed on a visitor’s device. They specifically refer to the GDPR when mentioning consent (like opt-ins). It must be based on active user action, not on default settings.
In February 2020, the CNIL changed its stance on this matter (thanks Paul Schmitt for pointing this out to me). Even though the ICO and the CNIL previously stated that cookies for A/B testing and analytics needed consent, the latest guidelines (in French) say otherwise:
“Benefit from the exemption from consent, subject to a certain number of conditions, cookies used for audience measurement are exempt from consent. These conditions, as specified in the guidelines on cookies and other trackers, are (1) inform users of their use; (2) to give them the power to oppose it; (3) to limit the system to the following purposes only: audience measurement and A/B testing.”
This means that analytics tools that are set up only for data collection by an organization (and not shared in any way with third parties) can be installed without consent. This change might be a hard one for Google Analytics. This special agreement from Mozilla pushed Google Analytics not to share its data with other services. At this time, it isn’t certain that this setting is available for all users. Still, if Europe is opening the door to analytics without consent, I assume Google will have to follow course and provide this feature to its European customer base.
Although no other European national privacy authorities came with such additions to the ePrivacy Directive laws (that were in place before GDPR), this might have created a legal vacuum between July 2020 and the moment the new ePrivacy Regulations will replace the current Directive.
What happened? What changed?
For a summary of the main changes to privacy laws in Europe, watch the video below (disclaimer: in the video I mistakenly mentioned the changes were implemented in 2018, when in fact they were carried out in 2019).
The European ePrivacy Directive “cookie law” of 2011 and the UK version, The Privacy and Electronic Communications (EC Directive) Regulations of 2003 (“PECR”), have been recently reinterpreted by the ICO. This change means asking for ‘consent’ to drop any ‘non-essential’ cookies, whether or not personal data is collected.
In 2012, the ICO stated that implied consent (i.e. an opt-out rather than an opt-in) was permitted:
Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.
On July 18, 2019, the French privacy authority (the CNIL) released its new guidelines regarding the use of cookies. The rules applicable to HTTP cookies also apply to many other tracking technologies (“trackers”), including local shared objects, terminal equipment fingerprints, hardware identifiers, and identifiers generated by operating systems. Just like the ICO and GDPR guidelines, here too there is no separate decision about the use of cookies, but fingerprinting now falls under consent.
But then the CNIL makes it all a little confusing by updating their Github page. The CNIL’s latest guidelines state that audience measurement and A/B testing are exempt from consent and can be placed right away (opt-out).
The European Data Protection Board (EDPB) issued a written opinion in March 2019 addressing the interplay between the ePrivacy Directive and the GDPR, because the GDPR does not mention cookies and there is a gap between the two laws.
Some interpreted the EDPB’s opinion as meaning that all references to “consent” in the ePrivacy Directive mean consent as defined by the GDPR. For cookies, this means you can’t place cookies without people actively opting in.
So why did the ICO and also the CNIL change their guidances a year after GDPR came into effect? Why did the information regarding “opt-out” of cookies change to consent opt-in in 13 months?
We have Planet49 to thank for that.
On 30 November 2017, Planet49, a German website and company, was brought to court over multiple questionable practices considering the GDPR and ePrivacy Directive.
Even though we had to wait for the results (attached in full at the bottom of the article), the ruling set the tone that clearer guidelines were needed for each country.
Because of this ruling, the CNIL and the ICO began updating their guidelines to reflect how the current privacy laws cover consent, information sharing and (analytics and tracking) cookies. We will have to wait and see if the CNIL influences other European countries to allow audience measurement and A/B testing cookies.
The Battle of the ‘Strictly Necessary’ Cookie Exemption
When us A/B testing companies adapted GDPR practices, analytics and A/B testing cookies could be presented to customers as essential for a business. Instead, the focus was more on ad-trackers.
Nowadays, one might hide behind the strictly necessary’ cookie exemption. I even heard someone say “but our legal team said we can place the Google Analytics cookie without consent”. I was also in that camp until I read the ICO’s new guidelines. Their site gives some good examples of what cookies are essential for website functioning and proper user interaction. With new guidelines coming out all the time, strictly adhering to one side or the other can be confusing. Some companies are now following the CNIL’s most recent recommendations.
In the examples below, a cookie is ‘strictly necessary’ to provide a service to users. In each case, exemptions apply and no consent is required:
- A cookie used to remember the products a user wishes to buy when they go to the checkout or add goods to their shopping basket,
- Cookies that are essential to comply with the GDPR’s security principle for an activity the user has requested — for example, in connection with online banking services,
- Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying”).
It is important to remember that what is ‘strictly necessary’ should be assessed from the user’s or subscriber’s point of view, not your own. So, for example, whilst you might regard advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service, they are not ‘strictly necessary’ from the user’s perspective.
Cookies that the ICO states need user consent (proactive opt-in by user action) are for example:
- Cookies used for analytics, e.g. to count the number of unique visits to a website (that would include personalization and A/B testing),
- First and third-party advertising cookies (including those used for operational purposes related to third-party advertising, such as click fraud detection, research, product improvement, etc.),
- Cookies used to recognize a user when they return to a website so that the greeting they receive can be tailored (personalization is specifically mentioned by the ICO).
The ECJ “Planet49” Judgment of 1 October 2019
In October 2019, the Court of Justice of the European Union (the ‘CJEU’) ruled in its “Planet49” judgment that the GDPR-standard consent also applies to the setting of cookies under the ePrivacy Directive, following the interpretation that the CNIL and the ICO had implemented since July 2019.
Therefore, active and informed consent is required for placing cookies and profiling technologies (like fingerprinting), including advertising cookies (but not strictly necessary cookies).
Pre-ticked boxes, like the ones Planet49 tried to get away with, are not a valid means to get consent.
We as a company rebuilt our entire infrastructure to make sure we complied with GDPR and stored no personal data in cookies.
The ruling of the CJEU states that it does not matter whether personal data is collected through cookies. Consent must be obtained even when cookie placement does not involve processing personal data. The controller should inform users of the lifespan of each cookie and of any third parties’ access to information collected through such cookies, prior to getting their consent.
Any Non-consent Hope for Analytics and A/B Testing Cookies?
The ICO does not distinguish between cookies used for analytics and those used for other purposes, but the CNIL does.
Analytics cookies do not fall within the ‘strictly necessary’ exemption for the ICO. This means businesses need to inform users about analytics cookies and gain consent for their use in the UK, while in France, the CNIL allows analytics (with limitations) and A/B testing without consent.
The ICO (UK) describes cookies used for online advertising or web analytics as non-essential, so they require prior consent. This includes first-party cookies and first-party cookies as set by third-party providers (read Convert or Google Analytics). Convert complies with the CNIL’s regulations as well and does not share datasets among customers and installs are per customer only, so A/B testing and personalization with holdback for testing is allowed.
The ICO guidance clearly states:
Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices.
Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices.
Although the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals. However, you should also note that where you use first-party analytics cookies provided by a third party, this is not necessarily going to be the case.
You should know there is a grace period to follow the ICO’s PECR guidelines until July 2020.
If the information collected about website use is passed to a third party, this should be made clear to users. It should also be clear what this third party does with the information.
Depending on your service, you may also offer users the ability to alter account settings to limit sharing information with third parties, including analytics providers. (An analytics service may also provide this functionality, consider enabling it, wherever appropriate.) The controls provided to the user should be prominently displayed and not hidden away.
Ultimately, provide clear information to users about analytics cookies and seek their consent or share the information (old cookie banners). This is likely to involve showing users why these cookies are useful to them — but you must ensure you aren’t pushing the user to choose one option over another.
On certain aspects, such guidance documents go further than the current draft of the new ePrivacy Regulation (dd. 4 October 2019), which will replace the existing ePrivacy Directive (and current PECR and French laws). In the current draft, it permits operators to place first or third-party cookies on users’ devices without consent for “audience measuring” (i.e. to analyze traffic passing through their websites for optimizing the service).
If still in doubt, here’s a diagram from the ICO that explains the use of cookies really well.
Give It to Me Straight
A problem that could arise here is that companies placing cookies will try to interpret the law in their own way. But even though we make analytics, A/B testing and personalization software, we will give it to you straight.
- The United Kingdom (ICO) and France (CNIL) privacy authorities changed their guidelines in July 2019 stating that analytics, A/B testing and personalization software like Convert Experiences, Optimizely, AB Tasty, VWO, Adobe Target, PageSense, OmniConvert, Google Optimize and the rest all need opt-in using consent to place first- and third-party cookies for their citizens.
- France (CNIL) changed their Github page with guidelines exempting A/B testing and basic analytics from cookie consent.
- Germany and Spain are following either the United Kingdom (ICO) or France (CNIL) and you can expect updates on their guidelines shortly.
- The Court of Justice of the European Union (the ‘CJEU’) ruled in its “Planet49” judgment of October 2019 that the GDPR-standard consent also applies to the setting of cookies under the ePrivacy Directive. The ruling reaffirms that the UK and French guidelines need to be adopted by all national privacy authorities.
- The new law in draft called the ePrivacy Regulations that will replace the ePrivacy Directive has a cookie exception for A/B testing, personalization, and analytics.
- It’s unlikely that the ICO or the CNIL will actively go after companies that use first-party analytics, A/B testing and personalization at this time. The ePrivacy Regulations will likely take effect in (mid) 2021 and there is a grace period till July 2020. The scope of these organizations’ work is very broad.
- Draw your own conclusions based on what we consider a fair representation of what happened since July 2019 in Europe. Talk to your legal advisor. Don’t base your advice on a tool that sells consent management platforms (they want all consent), but neither from providers of analytics, A/B testing and personalization tools… us and them.
I hope this article helped shed some light on the changes happening right now in Europe.
Although it hurts our business model, we always strive to share the truth.
We want our optimization tools to be used to provide the best user experience, so that users get the best product page, the least confusing menu, the form that saves them time to complete it.
We see website optimization as a noble craft, in the best interest of website visitors and owners (our paying customers) alike. We want our customers to take privacy seriously and build warnings and privacy right into every layer of our tools. We only store aggregated data — and no personal data — into our tools, for the sake of compliance and privacy.
We actually care. Although we might be in a tough spot because of the current ICO and the ever-changing CNIL guidelines and the ePrivacy Regulations, we know that with full transparency, we will be the company of choice for brands that care about privacy and that consumers can trust.
To this purpose, we launched a small pop-up that shows website visitors what personalizations and A/B testing they are a part of.
It’s an optional code customers can add to their global Javascript inside the Convert Experiences A/B testing and personalization tool (see the image below on how that works).
If you’d like to discuss privacy, the CNAME solutions we are working on, or new legal developments, please reach out to me on LinkedIn.
Judgment of the Court (Grand Chamber) of 1 October 2019 (request for a preliminary ruling from the Bundesgerichtshof — Germany)
Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (source Curia)
(Case C-673/17) 1
(Reference for a preliminary ruling — Directive 95/46/EC — Directive 2002/58/EC — Regulation (EU) 2016/679 — Processing of personal data and protection of privacy in the electronic communications sector — Cookies — Concept of consent of the data subject — Declaration of consent by means of a pre-ticked checkbox)
Language of the case: German
Referring court
Bundesgerichtshof
Parties to the main proceedings
Applicant: Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV
Defendant: Planet49 GmbH
Operative part of the judgment
Article 2(f) and of Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation), must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.
Article 2(f) and Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.
Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.
____________
1 OJ C 112, 26.3.2018.
