Information Commissioner's Office
They break the laws they regulate.
Whistleblowers and complainants should be scared of contacting the ICO
The ICO are supposed to regulate data protection law.
The ICO have known about the problems with the NSPCC since 2019 and yet the NSPCC still break the law.
So why have they ignored it?
Perhaps it does not help that they are breaking their own laws too.
The ICO website loads YouTube and Vimeo embeds that include identifiable tracking of users. In both cases, the ICO does not obtain any consent prior to loading the integrations.
Where a child's trouble is that their privacy is being breached, they now have the additional problem that the ICO is showcasing some of the same unlawful behaviour. What hope, then, does a child have that the ICO will protect their privacy?
Where children or adults wish to complain, or even blow the whistle, the ICO breaking its own laws here not only raises the question "what is the point?", it also demonstrates a significant failing in the ICO's own data governance.
If the result of their own data protection practices is such an obvious breach, how bad are the rest of their data controls?
Can they be trusted with your data?
YouTube
Unlawful Google tracking on the ICO's Privacy Notice
It seems too ironic to be true, but they do, and it sets a standard: it is okay to break the law in the one feature the DPO should know best.
The ICO website includes a YouTube video on its privacy notice, embedded using YouTube's Privacy Enhanced Mode.
Despite the name, and despite primarily using the domain youtube-nocookie.com, the embed still makes tracking requests, some carrying cookies, and it also writes to local storage.
There is no need for the ICO to use cookies to show a short video. Hosting a short video today need be no harder than hosting an image: a plain HTML video element pointing at a file on the ICO's own server makes no third-party requests at all. Long gone are the days of RealPlayer and Adobe Flash.
We should be very concerned about any public sector body, especially a regulator, accepting freebies, and even more so when doing so results in the regulator breaking their own laws.
The ICO present the embedded video with the misleading text below:
Pressing play on the video above will set a third-party cookie. Please read our cookie policy for more information.
Misleading, because YouTube sends Google Play analytics requests, carrying Google Account cookies, whether or not play is clicked.
However, the YouTube documentation is quite clear that the ICO must:
- obtain consent for Google's use of cookies or other local storage where legally required
- obtain consent for Google's collection, sharing, and use of personal data for personalization of ads.
- gate the embed until confirmation of parental permission for under 18s
- gate the embed until a user has consented to YouTube's terms of service
- gate the embed until the users have consented to Google's privacy policy and data collection
- provide clear instructions for revoking consent to Google's data collection
- retain records of consent given by end users
The ICO does not.
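As an added example (not the ICO's, YouTube's or Vimeo's code), here is a consent-gated embed loader that implements the obligations in the list above: no request to the provider until consent exists, a record of what was consented to and when, a revocation path, and a parental-permission scope for under-18s. It is written as pure JavaScript so it can be checked offline; in a browser you would call embedSrcFor from the placeholder's click handler and assign the result to an iframe. The scope names, POLICY_VERSION and the visitorRef argument are assumptions of the example, and Vimeo's dnt=1 player parameter is not discussed on this page (verify it against the current Vimeo player documentation before relying on it).

```javascript
// Added example, not code from the ICO, YouTube or Vimeo. Scope names,
// POLICY_VERSION and visitorRef are assumptions of this example.

const POLICY_VERSION = "2024-01"; // version of the privacy/cookie notice consented to

// Scopes mirror the obligations listed above.
const SCOPES = Object.freeze({
  STORAGE: "storage",          // cookies / local storage on the device
  ADS: "ads_personalisation",  // personalised advertising
  TERMS: "provider_terms",     // provider terms of service and privacy policy
  PARENTAL: "parental",        // parental permission for under-18s
});

// A first-party consent log keyed by a pseudonymous reference the site issues
// itself (never a Google or Vimeo identifier). Map stands in for durable storage.
function createConsentStore() {
  return new Map();
}

function recordConsent(store, visitorRef, scopes, now = Date.now()) {
  const record = { scopes: new Set(scopes), policyVersion: POLICY_VERSION, givenAt: now, revokedAt: null };
  store.set(visitorRef, record);
  return record;
}

// Revocation keeps the record (it is evidence of what was consented to and when)
// but strips every scope so nothing further loads.
function revokeConsent(store, visitorRef, now = Date.now()) {
  const record = store.get(visitorRef);
  if (!record) return null;
  record.revokedAt = now;
  record.scopes.clear();
  return record;
}

function hasConsent(store, visitorRef, scope) {
  const record = store.get(visitorRef);
  return Boolean(record && record.revokedAt === null && record.scopes.has(scope));
}

// Returns the player URL only when the required scopes are present, otherwise
// null so the caller keeps showing a static placeholder and no request leaves
// the device. Call from the placeholder's click handler in a browser.
function embedSrcFor(store, visitorRef, provider, videoId, { isMinor = false } = {}) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(videoId)) throw new Error("invalid video id");
  const required = [SCOPES.STORAGE, SCOPES.TERMS, ...(isMinor ? [SCOPES.PARENTAL] : [])];
  if (!required.every(s => hasConsent(store, visitorRef, s))) return null;
  switch (provider) {
    case "youtube":
      // Privacy Enhanced Mode domain: fewer identifiers, still a third-party request.
      return `https://www.youtube-nocookie.com/embed/${videoId}`;
    case "vimeo":
      // dnt=1 is Vimeo's Do Not Track player parameter (assumption: verify in current docs).
      return `https://player.vimeo.com/video/${videoId}?dnt=1`;
    default:
      throw new Error(`unknown provider: ${provider}`);
  }
}

// referrerpolicy="no-referrer" keeps the host page URL out of the Referer header
// sent to the provider; the provider still learns the video id and sets its own cookies.
function iframeMarkup(src, title) {
  const esc = s => String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
  return `<iframe src="${esc(src)}" title="${esc(title)}" referrerpolicy="no-referrer" allowfullscreen></iframe>`;
}
```

The Map is a stand-in: the consent policy quoted later on this page requires that records of consent be retained, so in production the record would go to durable storage together with the policy version shown to the user. Note that the no-referrer policy only stops the page URL leaking; it does nothing about the provider's own cookies, which is why the gate has to come first.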
Not tl;dr
On many websites, the boring details might be dismissed as too long, don't read.
In this case, however, the ICO has to read these and much, much more to ensure that its use of the YouTube embed is lawful.
If you turn on privacy-enhanced mode, the documentation only appears to commit to not collecting data for personalised YouTube content and adverts:
The privacy-enhanced mode of the YouTube embedded player prevents the use of views of embedded YouTube content from influencing the viewer's browsing experience on YouTube. This means that the view of a video shown in the privacy-enhanced mode of the embedded player will not be used to personalise the YouTube browsing experience, either within your privacy-enhanced mode embedded player or in the viewer's subsequent YouTube viewing experience.
If ads are served on a video shown in the privacy-enhanced mode of the embedded player, those ads will likewise be non-personalised. In addition, the view of a video shown in the privacy-enhanced mode of the embedded player will not be used to personalise advertising shown to the viewer outside of your site or app.
but that does not mean Google and YouTube stop collecting data for other purposes, and the Privacy Enhanced Mode guidance explicitly advises that:
the YouTube API Terms of Service and developer policies apply
The API Terms require:
9.2 Notice to EU Users. For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy currently located at http://www.google.com/about/company/user-consent-policy.html.
The Developer Policies require:
Give users control.
Building on the importance of transparency, this principle dictates that users must be aware of and have actively consented to the actions that an API Client takes on their behalf. It means that users know about and have final authority over any actions the API Client takes to insert, share, update, or delete their data. It also means that each API Client must provide a privacy policy that clearly informs users about the information that the API Client accesses, collects, stores, shares, and otherwise uses.
with general terms that require:
- API Clients must display a link to YouTube's Terms of Service (https://www.youtube.com/t/terms), and they must also state in their own terms of use that, by using those API Clients, users are agreeing to be bound by the YouTube Terms of Service.
- Each API Client must require users to agree to a privacy policy before users can access the API Client's features and functionality. The privacy policy must:
- be prominently displayed and easily accessible to users at all times,
- notify users that the API Client uses YouTube API Services,
- reference and link to the Google Privacy Policy at http://www.google.com/policies/privacy,
- clearly and comprehensively explain to users what user information, including API Data relating to users, the API Client accesses, collects, stores and otherwise uses,
- clearly and comprehensively explain how the API Client uses, processes, and shares the user information described in section (III.A.2.e), including how the information is shared with either internal or external parties,
- disclose, if it does so, that the API Client allows third parties to serve content, including advertisements,
- disclose, if it does so, that the API Client stores, accesses or collects (or allows third parties to do so) information directly or indirectly on or from users’ devices, including by placing, accessing or recognizing cookies or similar technology on users' devices or browsers,
- if the API Client accesses or uses Authorized Data, explain that, in addition to the API Client's normal procedure for deleting stored data, users can revoke that API Client's access to their data via the Google security settings page at https://security.google.com/settings/security/permissions, and
- if the API Client uses Authorized Data, explain how users can contact the API Client owner or developer with questions or complaints about the Client's privacy practices.
The EU User Consent Policy (which applies to the UK too) states:
Properties under your control
For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area along with the UK.
You must obtain end users’ legally valid consent to:
- the use of cookies or other local storage where legally required; and
- the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
- retain records of consent given by end users; and
- provide end users with clear instructions for revocation of consent.
You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.
The Google Privacy Policy also sets out the purposes for which Google relies on legitimate interests. These are critical because, unless the ICO has evidence otherwise, it needs to validate that each of these legitimate interests is appropriate for the use made of its privacy notice, and it needs to cover them in its own privacy information too.
When we’re pursuing legitimate interests
We process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information for things such as:
- Providing, maintaining and improving our services to meet the needs of our users
- Developing new products and features that are useful for our users
- Understanding how people use our services to ensure and improve the performance of our services
- Customising our services to provide you with a better user experience (and, if relevant, tailoring the experience to be age-appropriate)
- Marketing to inform users about our services
- Providing advertising, which allows us to offer many of our services without a fee (and when ads are personalised, we ask for your consent)
- Detecting, preventing or otherwise addressing fraud, abuse, security or technical issues with our services
- Protecting against harm to the rights, property or safety of Google, our users or the public as required or permitted by law, including disclosing information to government authorities
- Performing research that improves our services for our users and benefits the public
- Fulfilling obligations to our partners like developers and rights holders
- Enforcing legal claims, including investigation of potential violations of applicable Terms of Service
I do not believe the above legitimate interests are fully appropriate, as some, such as marketing purposes, would require consent according to the ICO's own guidance on PECR and GDPR.
What is PECR? (ePrivacy directive)
PECR is the law that protects the electronic data on our devices: all of it, not just the personal bits.
Whether it is ...
- your best seller novel in Word
- the footage from the nanny cam going into the cloud
- your phone's geo-location
- the password to your wifi
- a scan of your car's V5
- details for the business bank accounts
- alarm codes for opening up the office
- any activity on your own device
internet services (websites, cloud storage, anti-virus checking, grammar plugins, etc.) cannot capture it, or then use it, without you knowing.
If not essential for their service, then they need clear, opt-in, consent - not hidden in contract terms.
This is the cookie law, except that it covers all data communicated from your device, not just cookies.
It does not just protect your privacy; it protects all the data on your device.
Less unnecessary data in communications means:
- simpler and thus less buggy apps
- faster apps
- cheaper bandwidth costs
- improved security - data from your mobile and laptop is only where you expect it to be
What is GDPR?
This is the data protection law for any data that relates to a living person.
So, SW1A 1AA is the postcode for Buckingham Palace. Stand-alone, and even with the full address, it is not covered by GDPR (it is the geographical addressing of a building).
But if a user at SW1A 1AA is searching for a Rolls-Royce on AutoTrader, then combining the postcode with the search is personal data about the King's interests.
Where electronic data carries personal identifiers, such as mobile or home internet addresses (IP addresses), user account cookies, advertiser tracking cookies or similar, and it is reasonably likely that they can relate to a living person, the data associated with them is protected by GDPR.
This means that the following are personal data points when captured with internet addresses or cookie identifiers, and are covered:
- The time when you are online and active
- The geo location of your internet address
- The video you are watching
- The web page that video is on if there is only one likely web site
- The web page you are on (may be in referer headers or captured and sent by analytics)
- The web site you are on (typically in referer headers or captured and sent by analytics)
- Your device looks like a new iPhone
- The fonts you use, including that dyslexic one
- Your screen resolutions, use of accessibility tools and more.
PECR and GDPR combine for a great protection against tracking
GDPR protection does not always mean that data collection needs consent, but because PECR requires consent for data from your device, in most online cases analytics and advertiser tracking cannot happen without consent: without PECR consent it would be illegitimate for that data to leave your device in the first place.
The stand-alone and combined protections of PECR and GDPR unite into broad protection for your privacy online. Privacy that, if protected by the ICO as it is supposed to be, would make it very hard for advertising companies to track you and, hopefully, impossible for them to do it behind your back.
Vimeo
Technically worse than their use of YouTube
YouTube embeds are offered with two different domains (youtube.com and youtube-nocookie.com) and whilst the "nocookie" version is still breaching the law (as explained above), it does reduce the data collection.
Vimeo does not appear to offer two domains (or at least if it does, the ICO is still using vimeo.com).
This means that the data collected by Vimeo when videos are watched on the ICO website includes the more invasive, direct use of Vimeo user account identifiers.
For Vimeo users, Vimeo will receive directly identifiable tracking identifiers, such as your user account id, when a video loads. It learns not just which video you are watching but, because it also receives the origin (the ICO website), it can likely identify which page you are reading too.
This is limited to the pages on which Vimeo loads, but the ICO uses it in various places.
Why does this matter for kids?
The Children's Society is one of the organisations that swapped from YouTube to Vimeo after the complaint about YouTube was raised.
Their site includes support videos about mental health problems and other troubles children might have.
By swapping from YouTube to Vimeo, instead of Google learning which children have these problems, Vimeo now risks learning about it instead.
Vimeo might not have the same ad and content reach as Google, but health is incredibly sensitive data, and children should not suffer their health conditions becoming someone else's commercial property that risks being leaked or used against them.
And who knows, maybe Vimeo will be the next social media giant to challenge YouTube's throne.
With the ICO actively breaching the law in the same technical fashion, what hopes do kids have of their rights being protected online?
What is Vimeo receiving
They obviously receive which video you are loading (as they have to serve it), but they also receive the typical metadata with that request, including a Referer header showing that the request came from the ICO website.
It is the vimeo.com cookies, though, that make this such an invasive set of data points, as they are guaranteed to be tied to your Vimeo account if you are still logged into it.
These cookies carry values (not shown for security reasons) for the following names (probably mostly meaningless in isolation, but a web search of some of them is interesting; _ga, for instance, is typically for analytics).
- __cf_bm
- _ce.clock_data
- _ce.clock_event
- _ce.s
- _ga
- _ga_126VYLCXDY
- _gat_UA-76641-8
- _gcl_au
- _gid
- _mkto_trk
- _tt_enable_cookie
- _ttp
- _uetsid
- _uetvid
- AF_SYNC
- afUserId
- cebs
- cebsp_
- fc_session
- has_logged_in
- is_logged_in
- language
- recent_gtm_event
- sd_client_id
- sd_identity
- vimeo
- vimeo_cart
- vuid
That's a lot of cookies.
Cookies for which the ICO has zero consent, but for which it must obtain consent under PECR and GDPR.
It is absurd that the ICO asks for consent for unidentifiable analytics cookies in its consent banner, but then shares identifiable data with Vimeo.
You can tell that the cookies are identifiable because, when the video player is loaded, it includes a data element: vimeo_api_client_token.
vimeo_api_client_token is a JWT and, if you inspect its values, it includes my user id (104772838).
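Inspecting a JWT's claims needs no key: the header and payload are base64url-encoded JSON, readable by anyone who holds the token. The following is an added example, not the ICO's or Vimeo's code, that builds a token from a constructed payload with a made-up user_id (the real vimeo_api_client_token and its claims are not reproduced here), decodes it without verifying the signature, and picks out the identifier-like claims. The makeSampleToken helper and its placeholder signature exist only to give the example something to decode offline.

```javascript
// Added example, not code from the ICO or Vimeo. The token built below uses a
// constructed payload and a placeholder signature; it is not a real Vimeo token.

function base64urlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Builds a token for the demo. The third segment is a placeholder, not an HMAC:
// reading the claims never requires the signing key in the first place.
function makeSampleToken(payload) {
  const header = { alg: "HS256", typ: "JWT" };
  return [
    base64urlEncode(JSON.stringify(header)),
    base64urlEncode(JSON.stringify(payload)),
    base64urlEncode("not-a-real-signature"),
  ].join(".");
}

// Decode only. This performs no signature check, which is fine for seeing what a
// token reveals about its holder but never for trusting the claims.
function decodeJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(base64urlDecode(parts[0])),
    payload: JSON.parse(base64urlDecode(parts[1])),
  };
}

// Claims that look like stable identifiers (sub, user/account ids): these are
// what tie the embed's requests back to a logged-in account.
function identifierClaims(payload) {
  const idLike = /(^sub$|user|account|_id$|^id$)/i;
  return Object.fromEntries(Object.entries(payload).filter(([k]) => idLike.test(k)));
}

// Constructed sample payload: the user_id is made up for this example.
const SAMPLE_PAYLOAD = { user_id: 123456789, scope: "public", exp: 1893456000 };
const SAMPLE_TOKEN = makeSampleToken(SAMPLE_PAYLOAD);

// Usage: console.log(identifierClaims(decodeJwtUnverified(SAMPLE_TOKEN).payload));
```

The point of the unverified decode is the one the page makes: a bare account identifier inside a token handed to the browser is a tracking identifier regardless of whether the token is valid, because any script or observer that sees the token can read it.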
For all of us, but especially for the victims of data protection abuses and for whistleblowers, the unlawful tracking the ICO has added is very invasive of our privacy. The ICO is a regulator, and users should expect the highest level of privacy protection from it.
For the regulator to participate in breaching our privacy suggests it is either incompetent or malicious in applying the laws it regulates, and that should scare whistleblowers and complainants away from using its site and exercising their rights.