Visitor Tracking Without Cookies (or How To Abuse HTTP 301s)

Nice try. I’m not sure that it works from a legal perspective.

The law states:

… a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent. …

In your example, you are deliberately sending your javascript to request the 301 and storing in the user’s cache (or, in the arcane language of this law – in the terminal equipment of a subscriber) the result of your 301 (which in itself contains a unique ID code for the purposes of tracking – although actually that is irrelevant here). It doesn’t matter that you are not explicitly reading it back.

Before anyone points out the obvious flaw here, there are exceptions… the most relevant being “where it is strictly necessary for delivering a service requested by the user” (i.e. sending the web page they have asked for).

The test is then:

IF CONSTRUE_NARROWLY(“Am I sending this data because the user has asked for it”) = YES THEN SEND DATA

ELSEIF CONSTRUE_NARROWLY(“Am I sending this data because the user has asked for it”) = NO AND CONSTRUE_IN_LINE_WITH_ICO_GUIDANCE(“the user given their consent to receive it”) = YES THEN SEND DATA

ELSE DON’T SEND DATA

The javascript code you send to request the 301, and the result of the 301 fail this test. Unless you get consent, of course. But if you’re going to get consent – you may as well just use a cookie.

As for your comment “there’s been a significant lack of information to support web managers in understanding and implementing the required changes” – that is what your lawyers are for :) If your lawyer is not up to scratch on this topic you could contact the ICO helpline directly for guidance. Or you could change lawyer.

CONSTRUE_IN_LINE_WITH_ICO_GUIDANCE()
{
http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx
http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx
}

CONSTRUE_NARROWLY()
{
import #commonsense
// assume user only wants directly what they’ve asked for – e.g. a train timetable or a recipe, not a google analytics cookie.
}