GDPR: can we justify third-party scripts?
I’ve written before about how managing privacy on websites is bigger than just deciding whether you need a cookie banner. In this post, we look in more detail at how websites process PII, how it goes beyond cookies, and whether a site should require consent to use third-party scripts.
So why isn’t this just about cookies?
As we pointed out in the previous post, GDPR is a law intended to govern the processing of personal data (PII) – and websites can use and transfer personal data in a multitude of ways besides cookies.
What PII do websites process?
The biggest issue for websites, and the one we’ll focus on here, is IP addresses. An IP address is a bit like a street address for the internet. Every computer has an IP address. And that IP address can (with some access to additional information) be linked back to a real person. To be clear: not everyone can link an IP address to a real person, but someone with privileged access – like an ISP, for example – can. And that makes IP addresses qualify as PII.
And websites communicate IP addresses all the time. The very nature of an HTTP request is that it carries the user’s IP address, so websites are constantly processing PII.
What processing of PII is allowed?
GDPR says that if you’re processing PII, you’ve got to have a legal basis for doing that. Art 6 sets out the full options, but in short these are:
- (a) Consent
- (b) Necessary for the performance of a contract
- (c) Necessary for compliance with a legal obligation
- (d) Necessary to protect someone’s vital interests
- (e) Necessary for the performance of a task in the public interest or exercise of official authority
- (f) Legitimate interest
In the communication between a user and a website they’ve opted to view, the processing of the user’s IP would fall under (b) – necessary for the performance of a contract. The user has asked to view a website, and in order to do so has to provide an IP address.
However, it all gets more complicated when websites use third-party scripts. Those are bits of code provided by another entity, someone who is not the website owner. Third-party scripts are often used for things like embedding YouTube videos or putting spam protection on forms. And to run those scripts, the user’s IP address must now be sent to a third party, like Google or Facebook.
So the question becomes – is it legal to share the user’s IP address with a third party? If you’re using third-party scripts to provide fancy fonts, and therefore exposing PII to a third party, what legal basis are you relying on? Is it still (b) – necessary to display your website? Are fancy fonts and video embeds necessary?
That, of course, will depend on the nature of the feature which the script enables, and whether there’s another, better way to achieve the same feature. If the website’s raison d’être is to provide videos, then possibly third-party embed scripts are necessary. It is possible to self-host videos, but it’s not terribly efficient. However, if the scripts are just putting in pretty fonts, and the website could have avoided the legal issue by self-hosting the fonts, then there’s no necessity about it.
If we don’t think that it’s strictly NECESSARY to leak a user’s IP address in order to provide fancy fonts or video embeds, there are other options which would potentially still make it legal: either consent, or legitimate interest. With consent, you’d need informed opt-in: you need to identify what scripts you’re planning to use and ask permission before you run them. It’s an option, but it’s kind of clunky to block video embeds and form submissions until the user opts in to the necessary scripts. And arguably most users can’t provide “informed” consent because the whole concept of IP addresses and third parties is too technical.
So that leaves legitimate interest. LI is harder to define. It’s intentionally a bit more open-ended, and is the most flexible of the options; although the ICO is keen to point out that this flexibility doesn’t make it a handy catch-all for whatever PII processing you want to do.
It may fit the bill here, though. From the ICO website:
[Legitimate interest] may be the most appropriate basis when:
- the processing is not required by law but is of a clear benefit to you or others;
- there’s a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way; and
- you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
The last of these, in particular, seems like it’s the right fit for some of the more functional third-party scripts. Blocking features like video with consent requests will only annoy users, who are unlikely to be able to provide meaningful consent anyway, because they may not understand the detail of the issue and are – largely – unlikely to care.
In summary:
- Using third-party scripts will leak users’ IP addresses to third parties.
- Minimise use of third-party scripts where practical, and where the intent is decorative rather than functional – e.g. self-host fonts.
- Where the scripts are providing key functionality, it may be reasonable to rely on legitimate interest as a legal basis for the PII processing.
- Each third-party script should be assessed on its own merits in terms of functionality provided and alternative options.
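The last point above asks for each third-party script to be assessed on its own merits, and the first step in that assessment is knowing which hosts a page actually contacts. The following is an added example, not code from the original post or from Freshleaf: it parses a page’s HTML and lists every third-party host the browser will send the visitor’s IP address to when rendering it, grouped by the kind of element responsible (script, stylesheet, preconnect hint, iframe, image). The sample HTML, the first-party domain example.com and the spam-protection host captcha.thirdparty.example are constructed placeholders; fonts.googleapis.com, fonts.gstatic.com and www.youtube.com appear only as illustrative well-known hosts.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element attributes whose value the browser fetches as soon as the element
# is rendered. Every such fetch sends the visitor's IP address to the host
# named in the URL, whether or not the visitor ever interacts with it.
FETCHING_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "img": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}


class ResourceCollector(HTMLParser):
    """Collects (tag, rel, url) for every element that triggers a request."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_ATTRS:
            return
        attr_map = dict(attrs)
        rel = (attr_map.get("rel") or "").lower()
        for attr in FETCHING_ATTRS[tag]:
            url = attr_map.get(attr)
            if url:
                self.resources.append((tag, rel, url.strip()))


def resource_host(url):
    """Return the host a URL is fetched from, or None for relative paths and
    inline references (data:, blob:, javascript:) that cause no network request."""
    if url.startswith("//"):  # protocol-relative URL: inherits the page's scheme
        url = "https:" + url
    parsed = urlparse(url)
    if parsed.scheme in ("data", "blob", "javascript"):
        return None
    return parsed.hostname.lower() if parsed.hostname else None


def is_first_party(host, first_party_domain):
    """A host is first-party if it is the site's own domain or a subdomain of it."""
    return host == first_party_domain or host.endswith("." + first_party_domain)


def audit_third_parties(html, first_party_domain):
    """Map each third-party host to the sorted kinds of element that reach it."""
    collector = ResourceCollector()
    collector.feed(html)
    report = defaultdict(set)
    for tag, rel, url in collector.resources:
        host = resource_host(url)
        if host is None or is_first_party(host, first_party_domain):
            continue
        # For <link>, the rel value says what the request is for
        # (stylesheet, preconnect, dns-prefetch, icon, ...).
        kind = f"{tag}[{rel}]" if tag == "link" and rel else tag
        report[host].add(kind)
    return {host: sorted(kinds) for host, kinds in sorted(report.items())}


# Constructed sample page for a site served from example.com. The captcha
# host is a placeholder; the other hosts are illustrative well-known services.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/js/app.js"></script>
<script src="https://captcha.thirdparty.example/api.js"></script>
</head><body>
<img src="data:image/png;base64,AAAA">
<img src="//cdn.example.com/logo.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, kinds in audit_third_parties(SAMPLE_HTML, "example.com").items():
        print(f"{host}: {', '.join(kinds)}")
```

Run stand-alone, it prints one line per third-party host. A `link[preconnect]` or `link[dns-prefetch]` entry is worth a second look because it contacts the host even if nothing from it is ever used, and a font or stylesheet host is normally the easiest candidate for self-hosting, which is exactly the decorative-versus-functional distinction the summary draws.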
Lastly: why do we care?
As we’ve established previously, GDPR doesn’t provide clear guidance on specifics and is – somewhat intentionally – open to interpretation. It can be as confusing as it is boring; we’re not legal experts, and it’s tempting to say that nobody really cares. However, as a web user myself, I don’t want my personal data to be handled carelessly – or worse – for corporate gain. So at Freshleaf we do attempt to follow the spirit of website privacy legislation, understand the implications and build websites which are compliant.