The Cookie Law is not about the Cookies by Richard Beaumont

When you use cookies on a website, you are very often collecting data about people. Most of the time you can argue that the consequences of this are minor, and most or the time that is mostly true.

Sometimes however this exposes those individuals to risks. If those people happen to be some of the more vulnerable members of society, those risks can be significant. If you allow that data to get into the hands of other organisations with no control over what can happen to it, those risks are greater still. And if you are an organisation that is supposed to be helping those people, but seem to be either unaware of these risks, or ignoring them, then this becomes a serious failure in a duty of care.

Compound that with broader failures in the treatment of sensitive personal data – and you have an organisation that can end up putting people in harm’s way, rather than helping them.

Background

A lot of people don’t like the cookie law. However, there are a lot of good things about it which really only come to light when you look at how a failure to understand the issues can be both symptomatic, and compound the impact, of bigger failures in protecting the privacy and data of vulnerable people.

The excellent Heather Burns, designer and well known blogger on web law issues, has recently helped to expose how both the Scottish Police and a charity for supporting the victims of crime, Victim Support Scotland (VSS), appear to have made some serious data protection blunders.

You can read the story on Heather’s blog. For our purposes, the important part of this story, is that the Scottish Police are passing contact details to VSS without any consent from the people involved. The charity, which I am sure is trying to do good, then uses the information to classify these people as ‘victims’ to try and offer their services to them. The important bit is that it seems it is not possible to prevent this from happening.

Also, to place this in context, I would encourage looking at VSS’ own privacy and data protection documents:http://www.victimsupportsco.org.uk/privacy-policy-2/ - if only to understand how woefully inadequate they are.

Profiling People as Victims

The classification of a person as a ‘victim’ in the VSS database is a profile of an individual. There is no clarity about how this profile is arrived at, which is one problem. The seeming lack of opt-out from this profile, exposed by Heather’s story, is another.

Many genuine victims of crime are vulnerable people. They deserve and should receive support. They also deserve privacy. They should expect that even the fact that they may be in need, or receipt, of support, would be a confidential matter.

To some extent VSS recognises this. They have a nice big ‘Hide this Page Now’ button on their website. If you click it, you are navigated away to a search engine page. Presumably the idea is that you can quickly stop someone from seeing you are looking at the site if they come and peer over your shoulder.

This seems like they have thought about your privacy online, and done something really good to protect you. Then you realise that there is no way for the individual to prevent the information about their visit being made available to numerous data collection agencies – through the use of cookies. And that is a major risk issue. The ‘Hide this page from data surveillance’ button doesn’t exist.

A Cookie non-Policy

If you visit the site, you will see they have a cookie notice at the bottom of the page. Like many it requires you to accept that cookies are going to be used on the website. It refers you to their privacy policy for more information – but there is none in there.

The notice also says ‘you can opt out if you wish’ – but this is a lie. There are no opt-out controls, and there is no realistic possibility of opting out because there is no information available about the cookies being set on the site.

And there are several organisations setting cookies whose prime business model is compiling profiles of people to sell to the highest bidder. I can say this with confidence, because we decided to run a cookie audit, using our Optanon technology. We found not less than four external services setting tracking cookies on the site.

One of those is Facebook, setting cookies via its ‘Like’ buttons found all over the place. This of course is fairly common. The issue here is that if you are a Facebook user, they know exactly who you are – through a combination of their real names policy and of course knowing your email address. Facebook is one of the biggest exploiters of personal information there is, it is their entire business model. You have no privacy from Facebook. So if Facebook has a good idea that you might be a victim of crime – it can sell this information to any organisation that might be interested in this fact.

Another and perhaps more concerning company is one that is not so visible, Lotame. With Facebook at least you know that the buttons are there, even if you don’t realise they collect data just by being there.

In the case of Lotame – you will not know because there is nothing on the site to tell you they are collecting data on you. Lotame is a Data Management Platform – its purpose is to collect highly granular information about website visitors, and turn it into actionable information.

It helps website publishers understand more about their visitors, but this is not like ordinary analytics. Lotame directly connects data it collects with the publishers contact list, so the data is directly personal. As they say in their marketing, Lotame helps site owners ‘build a complete profile of the people who are visiting your digital properties’. It can identify people across different devices they may use. It claims it collects up to 40 data points on every page visit by every user.

Using Lotame VSS could be building up some very detailed information about its users, and hooking that to contact details supplied by Scottish Police – without the individuals’ knowledge or consent. There are no details in their privacy policy about what they might be doing with this information, and no way for people to even know they are doing it.

But it gets worse. Lotame is part of the online advertising ecosystem. Which means that this data, like the Facebook data, is being sold off to all sorts of organisations, many of whom are adding to data piles from other sources, and further building up profiles on vulnerable people, to deliver adverts to them. They will say that this is ‘non-personal’ data – but that just means it is not name and addresses – don’t be fooled by this. IP addresses and other identifiers, stored in cookies, can enable victims to be targeted, and their privacy invaded, just as effectively as if they had those details – which some of the people they sell the information to will have anyway.

There is nothing illegal about these practices in general – this is what the web economy is built on – creating profiles on people and selling to businesses who want to advertise to them. However, the point of the cookie law was to make all of this more visible, and make it easy for people to stop it from happening to them, or at least limit it in some way.

VSS’ failure to put any kind of proper thought into cookie compliance is not uncommon – far from it. I also don’t believe for a minute that they are deliberately trying to fool people, or put them at risk in the way they may have done.

It is clear however that they don’t understand the particular risks that the nature of their services pose. They didn’t connect the use of cookies with the collection of data, so failed to put any privacy controls in place to protect their vulnerable clients from data exploitation. They are in fact exposing them to such exploitation.

Ironically I think VSS are themselves victims here. Victims of ignorance, obfuscation and misrepresentation of what cookies do and what the cookie law is about. That doesn’t make them any less responsible for their failings of course. It means they need better advice.

Maybe I should give them a call and offer some victim support of my own.