As Google has announced an end to third-party cookies, we look at the issues that have led to the decision, and at what may replace these cookies.

The Difference Between First and Third-Party Cookies

A cookie is a piece of code (used for tracking) that takes the form of a small text file that is stored on the browser of someone who visits a website. A 'first party' cookie is only generated when a person visits one particular website (domain) and is only used for finding out what that person did when they visited that site, recording how often they visit in future, and for recording details such as remembering passwords, basic data about the visitor, and some other preferences. This type of cookie does not record details about a person’s activities when they go on to visit other websites after leaving that website (i.e. websites that are not affiliated with the first website).

A third-party cookie, on the other hand, is created by a third-party, perhaps an advertiser, and is placed on a visitor's computer when they visit your website and other websites. Its main purpose is to track a web user and gather data about their activities and preferences (e.g. websites they visit frequently, what they purchased online and what they show interest in). This enables the building of a visitor profile which, in turn, leads to them being shown ‘relevant’ targeted adverts. For example, after showing interest in products on one particular website one day, they can then be shown adverts about that product type when visiting completely different websites at different times.

Google’s Announcement

Google announced that it will not only get rid of third-party cookies but that it will not use other technology to replace these cookies or build features into its Chrome Browser to allow itself access to that data. Google plans to not simply remove third-party cookies but to phase them out over two years before rendering them obsolete. The reason for the slow phase-out is given as allowing time to develop workarounds that address the need of not just users, but also of businesses, publishers, and advertisers.

Why?

There are many reasons why Google is phasing out third-party cookies in Chrome. These are essentially the same reasons why other browsers such as Firefox and Safari have already phased out third-party cookies. For example:

- Legislation. Improved and new data privacy laws. The introduction of GDPR, the California Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) and others have meant that tech companies can no longer track everything that users do without permission and share that data with multiple other third parties as they wish. For example, in the UK, websites now have cookie consent and privacy information displayed on the home page following the introduction of GDPR.

- Privacy Campaigners. Many privacy campaign groups and others have challenged tech companies and advertisers over the years about privacy and tracking users. For example, in November 2020 Big Brother Watch, Oxford University and UCL were among 38 signatories of an open letter to the UK charity sector asking them to look at how advertising companies are allowed to build profiles of users based on sensitive information gained from trackers in websites and the impact that cookie consent processes had on these trackers.

- High profile Criticism. Among other things, in January the UK Competition and Markets Authority started investigating whether restricting cookies on Chrome could help Google increase its dominance in the online ad industry. For example, some commentators have questioned Google’s motives for removing third-party cookies, suggesting that forcing a reliance upon first-party cookies may simply be a way for Google to get more of a grip on the ad market and receive the revenue that would have been spent on third-party platforms.

Competition Between Browsers

Some browser companies have been publicly at the forefront of restricting the use of third-party cookies e.g., Safari (Apple), Mozilla’s Firefox (Mozilla) and Brave. This has put pressure on the browser market-leading company Google to follow suit.

Interim Measures

As part of the phasing out of third-party cookies, Google is putting some Interim measures in place. These include Google’s Chrome limiting insecure cross-site tracking (started in February 2021). For example, Google’s Chrome is treating cookies that don’t have a SameSite label as first-party only, and requiring cookies labelled for third-party use to be accessed over HTTPS, thereby making third-party cookies more secure and giving users more precise browser cookie controls for now. Also, Google is trying to stop covert tracking using new anti-fingerprinting measures (to launch later this year).

Replacements?

Although the phasing out of third-party cookies by Google was not unexpected, it has, of course, worried advertisers, publishers and owners of ad-supported websites who need to know how they can continue to rely upon the generation of effective adverts and revenue. For example, Google Ad manager data shows that when advertising is made less relevant by removing cookies, funding for publishers falls by 52 per cent on average.

Although Google has said that it doesn’t plan to use other technology to replace third-party cookies there are alternatives. These include:

- Google’s Privacy Sandbox, which it originally announced last August, and touched upon again on in January this year. Google describes this as “a new initiative to develop a set of open standards to fundamentally enhance privacy on the web” and a “a secure environment for personalisation that also protects user privacy”. Exact details are thin on the ground. The idea of Sandbox, however, is to move all user data into the Google Chrome browser where it can be securely stored and processed so that it stays on the user’s device and is, therefore, making it compliant with privacy laws. It is understood that the Privacy Sandbox may also include an algorithm to group people according to their common web browsing and thereby create ‘clusters’ of people (who can’t be directly identified) with similar interests. These clusters can then be targeted by adverts without affecting the privacy of the individuals in a cluster.

- Systems made by rivals of Google Ads (e.g. Trade Desk Inc) where people can protect their privacy by logging on to websites using encrypted copies of email addresses. Also, Criteo SA, an AdTech company is reported to have developed a possible alternative.

Looking Ahead

Even though this is a big change, it is not unexpected and it will take place over a two-year phase out period within which time alternatives will have been introduced. Getting rid of third-party cookies is going to have the biggest impact on third-party ad platforms that are reliant on cookies for their revenue and for those who rely upon lots of data for their online advertising, pop-up ads, or a really focused audience-targeting strategy. For everyone else, considering third-party cookies aren’t used by most other (admittedly less popular) browsers, it’s unlikely to have a massive impact. It’s worth remembering that first-party cookies will still be used for Google Ads and that Google is likely to be investing money and effort into getting its alternative Privacy Sandbox tools up and running.

In this article, we look at not just the story of how a staggering 400,000 police records were accidentally deleted but also at the wider picture of what information is held about us UK citizens by the authorities, and what powers we have over that data.

Deleted

After first being reported in the Times newspaper, momentum has grown around the story of how it appears that due to “human error”, according to Home Secretary Priti Patel, some 400,000 police records have been deleted from the Police National Computer (PNC) database. When the story first broke, it was reported on some UK TV news broadcasts that 150,000 records had been deleted and that these were for people where no further action was needed on their cases anyway.

For example, policing minister Kit Malthouse has been widely quoted as saying that “the affected records apply to cases where individuals were arrested and then released with no further action, and we are working to recover the affected records as a priority”. Mr Malthouse has also said, however, that he is not entirely sure yet whether the loss of data of these police records could have an operational impact on the work of the police.

Types of Records

The types of records believed to have been deleted include 200,000+ offence records,175,000 arrest records, and 15,000 person records, as well as 26,000 DNA records, 30,000 fingerprint records, and 600 ‘subject’ records.

Human Error?

It has been reported that the human error that is being blamed for the mass deletion relates to mistakes made on a routine “weeding” session of surplus data and the running of “defective code”.

What Now?

Despite the deletions, it is understood that work is underway to write a new code to somehow restore the lost data.

Public Safety

Clearly, losing the records of potential or known criminals could jeopardise investigations and adversely affect UK justice and public safety as well as letting down victims of crime and their families.

Data Security

In addition to being a threat to public safety, the mishandling or loss of personal data is normally a matter for data security laws. In this case, the data has been deleted and so isn’t in danger of affecting the privacy of security of data subjects. That said, there is an important distinction to make between data handled by businesses and by law enforcement, and to clarify what the data law situation is following Brexit.

The introduction of GDPR saw UK businesses having to upgrade their understanding of (and dealing with) personal data. Since Brexit, the DPA 2018, which already enacts GDPR’s requirements in UK law has been amended by and merged with the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amends the DPA 2018. The new amended and merged post-Brexit data laws in the UK are now known as ‘the UK GDPR’.

Unlike data held and processed by UK businesses however, data held by law enforcement and for the purposes of national security is (according to the ICO) not covered by GDPR (i.e. UK GDPR), which is similar to being exempt. Police data, used for the purpose of investigating a crime, for example, is subject to the rules in Part 3 of the Data Protection Act 2018.

Exemptions and Your Data Rights

There is also an exemption in GDPR for the processing of personal data for the prevention and detection of crime. According to the ICO, if there had been a data breach from the police, the exemption under GDPR would mean that the police would not have to notify individuals of a personal data breach if that data had been processed as part of crime prevention and detection. In essence, this appears to suggest that if your data is stolen from a police computer, you don’t have the same rights as if it was stolen from a business computer (i.e. you have lost some of your data protection rights).

What Kind of Data is Stored Where?

This case has triggered questions about the kind of data that is stored about UK citizens by the police and other authorities, as well as where and how that data is stored.

Police ‘data’ could refer to criminal convictions, cautions warnings, and reprimands, but also includes biometric data such as fingerprints and photos, CCTV footage (your image is your personal data), mobile phone messages, texts, emails, other written documents and more.

Police data can be stored by the local police force in your area as well as one of many national databases including, as in this case, the Police National Computer (PNC) or the National DNA Database (NDNAD), National Fingerprints Database (IDENT1), Custody Suite Imaging System (CSIS), and more databases besides.

For How Long?

According to the UK’s College of Policing, information about how long your data can or should be kept by the police is guided by a principle rather than a hard and fast rule, although a policy setting standard retention period should be set “wherever possible”. The "Fifth principle” of data storage limitation says that for law enforcement and general processing personal data should not be retained for longer than it is needed, and police need to be able to justify how long personal data is retained for, depending on the purposes for holding that information. This principle acknowledges that individuals have a right to erasure if that information is no longer needed although it also states that “personal data can be kept for longer if the police are only keeping it for public interest archiving, scientific or historical research, or statistical purposes”. For Biometric Data (i.e. fingerprints and DNA) in most cases, the Protection of Freedoms Act 2012 amends to the Police and Criminal Evidence Act 1984 (PACE) to allow police in England and Wales to keep a person’s biometric information indefinitely.

Criminal Records Check

Employers can request a basic, standard, or enhanced AccessNI check from the police records which discloses different types of information about a person’s criminal record history. Basic and standard checks can take about 10 days whereas an enhanced check can take about 3 weeks. Convictions for certain crimes will appear on these checks but some cautions, fines, offences and spent convictions won't appear.

The different levels of checks are:

Basic - for details of all convictions considered to be unspent.

Standard - containing details of all spent and unspent convictions, informed warnings, cautions and diversionary youth conferences.

Enhanced - contains the same information as a standard check and police records held locally. This type of check is usually required for work with children and vulnerable adults, the check may include information held by the Disclosure and Barring Service (DBS).

Requesting Your Data To Be Removed From Police Records

There are some circumstances under which a persons’ data, including biometric data in some cases, can be removed from police records on request. These circumstances are detailed here: https://www.acro.police.uk/Services/Record-deletion and guidance about the process is given here: https://www.acro.police.uk/ACRO/media/ACRO-Library/Deletion-of-Records-from-National-Police-Systems-(Guidance)-v2-1-April-2020.pdf.

Freedom of Information Request

In addition to much of the work of the police being kept secret for obvious reasons, much of the work of the UK government is also subject to laws relating to (national) security and privacy, although there is a wish to allow transparency where possible and where risks are minimised. The government actively publishes a lot of information and engages with the media as part of this transparency process.

Sometimes there are situations where individuals and organisations would like to find out more from the government (or the police) than what has been published or made freely available. As the Institute for Government says, “Freedom of information, parliamentary questions and ministerial correspondence are important mechanisms through which Parliament and the public can get information out of government”.

The Freedom of Information Act 2000 allows members of the public and press to submit Freedom of Information requests (FOI). If certain conditions are met, public authorities are then required under this act to release any information they hold relating to the request. The Freedom of Information Act applies to government departments and the executive agencies and public bodies they sponsor, parliament, the armed forces, devolved administrations, local authorities, the NHS, schools, universities, and police forces.

Submitting a Freedom of Information Request

Anyone can submit a Freedom of Information request (FOI) and there are no restrictions on nationality, residency status or age. A request must ideally be made in writing (or verbally if writing is really not possible) and be sent directly to the relevant organisation, stating clearly what information is being requested, providing the requester’s real name with a valid address (postal or email) to where the reply can be sent.

If the recipient (e.g. a government department) decides that the request is resolvable, it may choose to either provide all or just some of the information that has been requested and it may decide to withhold some or all the information that has been requested.

Numbers

Government departments usually receive up to 8,000 Freedom of Information requests every quarter. In Q2 of 2020, for example, 6770 requests were received by the UK government. Only 4956 of these were deemed to be resolvable and 1884 of these resolvable requests were withheld in full. Guidance on submitting a Freedom of Information Request (FOI) can be found here: https://www.gov.uk/make-a-freedom-of-information-request

Looking Ahead

At the time of writing this article, the matter of the deleted 400,000 police records is still ongoing and information about the incident is still being gathered. At the same time, questions are currently being asked about matters of responsibility and when the Home Secretary is going to be made available to answer questions about the incident.

The implications of this mass deletion of offence, arrest, person, fingerprint, and DNA records could be that the solving of other crimes committed by known offenders may not be possible because the data is no longer available to cross-reference. The loss may also already be having an immediate impact on fighting crime as data from the Police National Computer (PNC) is used in real-time checks. The best-case scenario now is, of course, that the data can be restored and that procedures are changed to make sure that the same error can’t happen again. If the data cannot be restored this could be a major blow to law and order which could adversely affect individuals, communities, and businesses, and represents a frustrating waste of valuable time, effort, and police resources in gathering the data in the first place.

Global tech market analysts Canalys have reported that the worldwide PC market has received its biggest sales boost in 10 years as remote working fuels the ongoing digital transformation.

Highest Full-Year Growth Since 2010

Canalys reported on 11 January that the global PC market ended 2020 on a high with 25 per cent sales growth in Q4 of desktops, notebooks and workstations reaching 90.3 million units, and that total PC shipments in 2020 grew 11 per cent to reach 297.0 million units. Canalys reports that this is the highest full-year growth since 2010 and the highest shipment volume since 2014.

Lenovo Top

Lenovo tops the Q4 sales market with 23.1 million units and year-on-year growth of 29 per cent, followed by HP in second place with 19.1 million units shipped, Dell in third place with 50.3 million units shipped (up 27 per cent), Apple in fourth place (22.6 million devices shipped) and Acer in fifth place, shipping 20.0 million devices. Canalys reports that just these top 5 vendors accounted for 78.5 per cent of PC shipments in 2020.

Reason

Most tech commentators agree that the pandemic has revived what was a declining PC market. Back in November, for example, International Data Corporation (IDC) research indicated that shipments of EMEA traditional PCs (desktops, notebooks, and workstations) would total 82.1 million in 2020, a 12.7 per cent year-on-year growth due to the increased demand caused by the need for people to work at home during the pandemic.

Digital Transformation

A survey by Studio Graphene in September 2020 showed that the need to quickly shift staff to working from home because of the lockdown appeared to be a driver and an accelerator of digital transformation for businesses. The survey showed that nearly half (46 per cent) of business leaders said that said Covid-19 had driven the most pronounced digital transformation that their businesses had experienced.

This Year

Even though the pandemic has caused some supply chain issues, there have been innovations on chipsets and the demand for devices has continued to remain strong into 2021, as it is expected to do for at least the first quarter. Some commentators have noted how the shift by many businesses to an indefinite remote working environment, coupled with factors like the need to educate children at home, look like favouring more mobile than stationary devices, going forward. That said, and as the sales figures show, PCs have been at the heart of a very large global digital transformation and as Rushabh Doshi, Canalys Research Director says, “the PC industry caters to a broader range of customers that bring with them new behaviours and use cases”.

What Does This Mean For Your Business?

Prior to the pandemic, PC sales were in decline but the need for people to work from home has provided a massive boost to PC sales. As the second peak has been even worse than the first and with more infectious new strains emerging, this shift to remote working has meant that PC businesses and their supply chains have thrived and struggled to meet demand. Many business customers have undergone an accelerated digital transformation, have put technology at the heart of their operations and have made changes to their whole businesses where possible that could see a more permanent shift to a remote workforce using PCs and other devices, thereby ensuring that the curve in PC sales does not dip for some time yet.