The Guardian vs. UK GDPR

TL;DR

  1. The Guardian were caught collecting user data without consent in LocalStorage (similar to cookies).
  2. The Guardian repeatedly denied there was a problem.
  3. They’ve now fixed their website.
  4. Naughty Guardian.
  5. Don’t be like the Guardian.

Background

Those annoying pop-ups that come up on every website you visit, asking whether you’re happy for them to set non-essential cookies on your device? I deny them all.

That’s why it was a bit strange, browsing their website one day, when they were able to tell me how many times I had read their articles. They shouldn’t be able to do this, right?

So I fire off one of my usual grumpy emails:

From: ronald@rmacd.com
To: dataprotection@theguardian.com
Date: 03 April 2023 19:36

Good evening,

I would be very interested to know what your rationale is for storing the number of times I’ve accessed your website (along with a bunch of other information).

I have explicitly rejected all non-essential cookies, but this type of banner is still being presented to me [1]:

You will be perfectly aware that consent is required for storing all non-essential data on a user’s device. Storing “weeklyArticleCount” or “dailyArticleCount” keys in Local Storage does not meet the exemption criteria set out by the ICO.

I’d also like to point out that I’ve noticed an “appnexus_id” stored on my device under your domain. Again – no permission to set this token, and it would appear to be related to a Microsoft-run advertising platform. I have requested a copy of all data associated with this ID from Microsoft. In the meantime, please supply me with a justification for ignoring my data / privacy preferences.

yours sincerely &c

attachment: image001.png

You've read 22 articles in the last year. We're a reader-funded news organisation, with more than 1.5 million supporters in 180 countries. With this vital support, our reporting remains fiercely independent, and is never manipulated by commercial or political ties. And it's free, for everyone. But if you can support us, we need you. Give just once from £1, or better yet, power us every month with a little more. Thank you.

Banner on The Guardian website, April 2023

Awaiting an initial reply …

No reply for a few days, till I get this:

From: dataprotection@theguardian.com
To: ronald@rmacd.com
Date: 07 April 2023 08:01

Dear Ronald,

Thank you for your email.

You can manage your preferences at any time by selecting ‘Privacy settings’, found at the bottom of any page.

To ensure that this type of banner is no longer presented to you, within ‘Privacy settings’ please ‘Reject all’.

Kind regards,

The Data Protection team

Eh, no.

From: ronald@rmacd.com
To: dataprotection@theguardian.com
Date: 07 April 2023 09:01

Good morning,

Please read the email -

I have already rejected the banner and all cookies but there are still items being stored on my device (via Local Storage) which are not essential for the site’s functionality. Therefore your site is not in compliance.

RM

<tumbleweed.gif>

From: ronald@rmacd.com
To: dataprotection@theguardian.com
Date: 12 May 2023 23:16

Good evening,

I note this still hasn’t been dealt with:

On a browser with a clean state / no cached data, your site immediately writes a value to the key “gu.alreadyVisited” in LocalStorage. That’s just one example. I fail to see why keeping track of the number of pages I’ve visited under your site would meet the exemption criteria as set out by the ICO.

Your advice re rejecting cookies makes no sense as this has nothing to do with cookies per se. NB ICO regard key/values in LocalStorage the same as storing the values in cookies, so your solution of storing the values in LocalStorage is not a viable work-around.

Can you please get back to me to tell me when this is fixed.

RM

“Give us 30 days to [maybe] reply”:

We get the 30-day-stall.txt canned response (which I can only assume is them hoping I’ll forget about all this by then):

From: dataprotection@theguardian.com
To: ronald@rmacd.com
Date: 16 May 2023 10:42

Dear Ronald,

Thank you for your email.

We expect to provide a response within 30 days from the date we received your email.

In the event that we need to extend the deadline, we will keep you updated. If we cannot proceed with the request, we will inform you of the reason(s) why, subject to any legal or regulatory restriction.

Kind regards,

The Data Protection team

One month later, as promised:

From: dataprotection@theguardian.com
To: ronald@rmacd.com
Date: 12 June 2023 08:01

Dear Ronald,

Thank you for your email.

We are alert to the questions you have raised and continue to examine how we can provide more clarity to our readers about our use of data. This includes how we use cookies and similar technology (including access to local storage) on our website.

Kind regards,

The Data Protection team

A superb piece of shirking. I checked and, not surprisingly, the problem had still not been fixed; round and round in circles we go:

From: ronald@rmacd.com
To: dataprotection@theguardian.com
Date: 12 June 2023 08:18

Good morning,

My issue is not regarding a lack of clarity - as you state, “providing clarity to readers” - it’s about respecting choices that users are making.

If a user has answered that they do not wish unnecessary cookies (or similar) to be set, I shouldn’t then be finding a cookie that (for example, and as in this case) counts the number of articles I’ve read (to allow it to say “you’ve read this many pages in the last month, please consider subscribing”* - which I doubt could be argued is strictly “necessary” to access your site).

Ron

*in this case, editing cookie value caused the value on the promo banner to change, hence my argument that the data in that case is being collected, stored and used to provide non-necessary functionality

“We now consider this matter closed” —

From: dataprotection@theguardian.com
To: ronald@rmacd.com
Date: 14 June 2023 12:32

Dear Ronald,

Thank you for your email.

As you set out in your email, the requirement under PECR is to obtain consent to store or gain access to information on a device, typically through a cookie or similar technology. Consent is defined in GDPR.

The Guardian operates an “information society service” in providing our website. There is an exemption to the requirement to obtain consent. This allows for the storage of or access to information on a device, if it is “strictly necessary” to provide an “information society service”. As the ICO guidance makes clear, in assessing whether the activity is “strictly necessary”, we look at this from the user or subscriber’s perspective.

We have assessed that the cookies and similar technology (including access to local storage) identified are strictly necessary to provide the service a reader expects of an international news publisher. In relation to gu.alreadyVisited, users who have rejected non-essential cookies do not have their articles counted for the purpose of displaying an article count in our banner asking for support.

However, gu.alreadyVisited is used to ensure that we do not show our support banner on every page visited by a user and that it is only displayed after fixed periods or numbers of pages visited.

We continue to assess that this is strictly necessary for users to receive the experience they would expect when visiting the website of an international news publisher.

We now consider this matter closed.

Kind regards,

The Data Protection team

Yeah, no:

From: ronald@rmacd.com
To: dataprotection@theguardian.com
Date: 14 June 2023 14:40

Good afternoon,

> users who have rejected non-essential cookies do not have 
> their articles counted for the purpose of displaying an 
> article count in our banner asking for support

OK – let’s have a look and see what happens to the article count and where it ends up being sent.

ReaderRevenueBanner.tsx:111 constructs an object with the following structure:

{
    tracking: {
        ophanPageId: window.guardian.config.ophan.pageViewId,
        platformId: 'GUARDIAN_WEB',
        clientName: 'dcr',
        referrerUrl: window.location.origin + window.location.pathname,
    },
    targeting: {
        alreadyVisitedCount,
        shouldHideReaderRevenue,
        isPaidContent,
        showSupportMessaging: !shouldHideSupportMessaging(isSignedIn),
        engagementBannerLastClosedAt,
        subscriptionBannerLastClosedAt,
        signInBannerLastClosedAt,
        mvtId: Number(
            getCookie({ name: 'GU_mvt_id', shouldMemoize: true }),
        ),
        countryCode,
        weeklyArticleHistory,
        articleCountToday,
        hasOptedOutOfArticleCount: optedOutOfArticleCount,
        modulesVersion: MODULES_VERSION,
        sectionId,
        tagIds: tags.map((tag) => tag.id),
        contentType,
        browserId: (await hasCmpConsentForBrowserId())
            ? browserId ?? undefined
            : undefined,
        purchaseInfo: getPurchaseInfo(),
        isSignedIn,
        lastOneOffContributionDate: getLastOneOffContributionDate(),
    }
}

Inspecting the contents of the outgoing request on page load (to /banner endpoint), I see the above object is then sent, including the alreadyVisitedCount regardless of the value of hasOptedOutOfArticleCount.

This means that it remains possible for you to gather data at your end regardless of my preferences. So sure – you’re not displaying it anymore – but you’re still gathering it. Whether or not you then display the contents at my end is neither here nor there.

Anyway, I didn’t hear anything back from them, but noted they quietly updated their privacy settings. A win? Tiny, but I’ll take it:

Many readers tell us they enjoy seeing how many pieces of Guardian journalism they've read, watched or listened to. Can we start showing you your article count on support appeals like this? To opt out of other tracking activity, manage your Privacy Settings

Banner on The Guardian website, October 2023
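
The two checks made in the emails above (storage keys written after "Reject all", and article-count fields still present in the /banner request body after an opt-out) can be automated. The following is an added example, not code from the original post or from The Guardian. The function names, the allowlist key `example.consentChoice`, the sample values and the choice of which targeting fields count as reading history are assumptions.

```javascript
'use strict';

// Fields of the targeting object that this example treats as reading
// history (an assumption; the names come from the object quoted in the email).
const HISTORY_FIELDS = ['alreadyVisitedCount', 'weeklyArticleHistory', 'articleCountToday'];

// Hypothetical allowlist of keys the operator can justify as strictly necessary.
const STRICTLY_NECESSARY = new Set(['example.consentChoice']);

// Keys in a storage snapshot that were written although consent was refused.
function auditStorage(snapshot, consentGiven, allowlist = STRICTLY_NECESSARY) {
  if (consentGiven) return [];
  return Object.keys(snapshot).filter((key) => !allowlist.has(key)).sort();
}

// History fields still carrying a value in a request body from an opted-out user.
function auditPayload(body) {
  const targeting = (body && body.targeting) || {};
  if (!targeting.hasOptedOutOfArticleCount) return [];
  return HISTORY_FIELDS.filter((f) => targeting[f] !== undefined && targeting[f] !== null);
}

// Mitigation: drop the history fields before the request is sent, so an
// opt-out controls what leaves the browser and not only what is displayed.
function stripHistory(body) {
  const targeting = { ...body.targeting };
  if (targeting.hasOptedOutOfArticleCount) {
    for (const f of HISTORY_FIELDS) delete targeting[f];
  }
  return { ...body, targeting };
}

// Constructed sample data: key and field names are those quoted in the
// emails (plus the hypothetical allowlist key); all values are invented.
const sampleStorage = {
  'gu.alreadyVisited': '7',
  weeklyArticleCount: '3',
  dailyArticleCount: '1',
  'example.consentChoice': 'reject-all',
};
const sampleBody = {
  tracking: { platformId: 'GUARDIAN_WEB', clientName: 'dcr' },
  targeting: { alreadyVisitedCount: 7, articleCountToday: 1, hasOptedOutOfArticleCount: true },
};

console.log('stored without consent:', auditStorage(sampleStorage, false));
console.log('sent despite opt-out:', auditPayload(sampleBody));
console.log('after stripHistory:', auditPayload(stripHistory(sampleBody)));
```

In a browser test the snapshot would come from `Object.fromEntries(Object.entries(localStorage))` taken on a clean profile after rejecting consent, and the body from the captured request.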