Google Analytics and the new EU privacy law #1

Following new EU laws aimed at protecting the privacy of online users, there has been much said about the death of web tracking as we know it. At present the wording of the law is stating that visitors to your website must explicitly consent to having cookies stored on their computers. As pretty much all web analytics tools rely on cookies for visitor tracking, there are clearly implications for anyone that uses these on their site. [ Update 16-Jun: see follow up post summarising this discussion ]

This law has been brought into place due to the failure of our industry to self regulate privacy properly. The EU law makers are targeting the surreptitious tracking of individuals that has been going on for many years. That is:

  1. Sharing cookie information collected on one website with another 3rd party website via 3rd party cookies.
  2. Identifying anonymous visitors – either by using data from a 3rd party cookie were personal information was entered, or back-filling previous visit data when a visitor later creates an account or makes a purchase.
  3. Tracking visitors even though they have set their browser privacy settings to block tracking cookies (used by Flash Shared Objects).

If you are using 3rd party cookies and/or Flash Shared Objects, this law is very much targeting you. Essentially you will need to provide explicit consent to continue doing this (or use any other similar technology). This law forces perpetrators of such tracking to either stop doing so, or suffer a poor user experience and declining web business by having to use pop-ups to gain visitor consent. Either way is a good thing for the web.

The impact on Google Analytics users

Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website. This is very much at the opposite end of the spectrum to who this law is targeting. For Google Analytics users, complying with the ToS (and not using the other techniques described above), there is no great issue here – you already respect your visitors privacy…!

I will agree the wording of the ICO document is “awkward” and gives rise to ambiguity. Essentially,  they do not wish to name the technologies this law applies to (3rd party cookies, Flash Shared Objects) as these can of course change. It is the method of invasive tracking they are quite rightly trying to stop, so I expect the wording of the document to be refined over time.

The ability to block 1st party cookies is built into every web browser (10+ years for IE), so I feel this para applies:

“(3A) For the purposes of paragraph (2), consent may be signified by a
subscriber who amends or sets controls on the internet browser which
the subscriber uses or by using another application or programme to
signify consent”.

The ICO document asks you (as the web site owner) to ask yourself – Is tracking the performance of your website strictly necessary? That’s straightforward to answer – Yes! In the same way tracking the performance of your business is strictly necessary.

The keywords for Google Analytics are: anonymously, in aggregate, and via 1st Party cookies.

I would be interested in your view on the EU privacy law and its impact on GA. Please add your thoughts via a comment. There is also a follow up post from me clarifying some points raised here.


Looking for a keynote speaker, or wish to hire Brian…?

If you are an organisation wishing to hire me and my team, please view the Contact page. I am based in Sweden and advise organisations in Europe as well as North America.

You May Also Like…

42 Comments

  1. Mark Steven

    Good work with the FIO request Vicky – makes for fascinating reading.

    As a result of concerns about this we’re re-implementing server-side analytics so that it’s ready before the May 2012 enforcement deadline (using PWIK if anyone’s interested: http://piwik.org/).

    CIVIC has developed an elegant solution for obtaining consent and making the giving of consent more attractive. My hope is that this will be widely adopted to the point where the icon can be counted on as enough of an alert that cookies are in play, without having the user interface pop up on page load. And we’ve created a configurator for it to enable users (webmasters) to decide this for themselves, along with the location of their privacy policy, styling options, etc.

    http://www.civicuk.com/cookie-law/

    Reply
  2. Franc

    I have a dsl provider, in the netherlands, that is kind enough to provide a fixed ip address so i consider my ip personal 😉

    With ipv6 it will probably change a lot as the mac address will be used in autoconfiguration
    http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-2/ipv6_autoconfig.html

    So this will potentially give google device specific information with location details. If they combine that with my andoid use/latitude/other google stuff i use they potentially have my location to the meter

    (as in they can, if they do i have no control over)

    Thanks for the _anonymizeIp tip!

    Reply
    • Brian Clifton

      Franc: This is moving away form the new EU privacy law, so I wanted to end on this point…

      To clarify your fixed IP address comment, having a fixed ip address corresponds to a router/firewall – not to an individual. This is the case in the eyes of the law in the vast majority of countries – there is simply too much doubt of who the actual end-user is for it to be legally sound . Germany appears to be the exception in the EU.

      In terms of Google linking up non-personal specific info with personal info provided by other G product logins – this is covered in the Google Terms of Service of each product. Essentially you need to explicitly “opt-in” to allow the sharing of your information in this way. Even so, they clearly state that information is shared on an anonymous basis. For example, a product team knowing that a GA user is also a GMail user is useful information for a company developing/integrating its products.

      There are lots of legitimate concerns wrt privacy and the amount of information G has (and other major web destinations e.g. Facebook, Bing, Yahoo etc). I do not wish to be a G cheerleader, just wanting to keep it factual and to the point of this post – i.e. specifically about the new EU privacy law.

      Reply
  3. Franc

    Brian,
    I think there is one flaw in your article

    “Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website”

    The reports we get are aggregate and anonymously but google will have detailed information available that is not so anonymous. So we may be safe from a website owner perspective but we use a third party that may (will?) be doing things outside the law.

    Reply
    • Brian Clifton

      Franc: The following from you is not correct “Google will have detailed information available

      The only information G has that you cannot see in your GA reports is the visitor’s IP address. This is required for geo-graphic mapping of visitor activity and is accurate to approximately 40 Km or 25 miles (country dependent). Every Internet connected machine in the world has to have an IP address, so the use of these cannot be avoided – in fact its a necessity…

      If you, or your country law, considers an IP address as personal information (such as Germany for example), then that can be partially removed form the information collected by GA using the function _anonymizeIp(). This tells Google Analytics to anonymize the information sent by the tracker objects by removing the last octet of the IP address prior to its storage. More info here: http://code.google.com/apis/analytics/docs/gaJS/gaJSApi_gat.html#_gat._anonymizeIp

      The collecting and logging of IP addresses is not apart of the new EU privacy law.

      Reply
    • Brian Clifton

      Rob: Thanks for clarifying. A readership of 2% actually seems quite high to me. I studied this years ago (~2005) and found T&Cs were read by something like 0.1% of visitors (based on multiple high traffic websites using GA). I wish I had written it up as a case study so we could see how that has changed compared to what you are seeing now…

      Reply
  4. Rob Jackson

    It’s a WOW from me too – the ICO page user experience, in my opinion is terrible but to see a 90% drop of is staggering.

    We conducted a survey a few weeks back asking how many users read Ts&Cs when they signed up to online services. Only 2% of people said they actually read them (even when there are financial aspects to them). This for me clearly shows that it is about how you position this:

    A) Short scary statement “The ICO would like to use cookies to store information on your computer…” 90% drop off

    B) Pages of boring legal terminology (58 pages in Apple’s case) – 2% drop off.

    Or go with the ICO’s original recommendation of pop-ups and drag the internet backwards 10 years…

    Reply
    • Brian Clifton

      Rob: did you mean to say 98% drop out…?

      Reply
  5. Tim Leighton-Boyce

    I think Richard points at one of the biggest contributors when he suggests the design of the site as a cause.

    This is an opt in, not an opt out. The wording is complex and hard to read. As a result there is no strong call to action. So people may well ignore it all and get on with what THEY want to do.

    I’m so grateful to Vicky for getting that data. Now we can see just how big the issue is.

    This serves as a good case study of how not to do it if you want that data. We have a year to find some better solutions…

    Reply
  6. Vicky Brock

    Hi Brian,

    My personal theory on why no one is opting in is pure inertia & a bit of “what’s in it for me?”

    The banner is in the blind zone, lots of words, boring, boring, who cares etc…

    Plus, nothing happens to my user experience if I don’t opt-in – it is not like I get any annoying pain or any additional benefits. So why bother?

    I think opt-in would be far higher for sites that essentially punish or reward the user with a different experience if they do opt-in. For example, will affiliate & advertising based sites really want to bother serving people who won’t opt-in and who therefore won’t earn them a commission. They will punish you for opt-out. Will people be happy to forgo the useful personalisation that Amazon etc give them. They will reward you for opt-in. I would wager for businesses like that the opt-in ration could be at least the other way round.

    But straight information based sites, b2b sites and government sites? Those that serve the same content to all. Perhaps this pattern will be typical for them.

    I must admit, the ICO data actually exceeded my worst expectations.

    Reply
  7. Richard

    That is a powerful image.

    The interesting question is – why? It could be becuase people don’t want to be tracked – or it could be the design of their message?
    It could also be peculiar to them – and the type of audience they attract.
    But if it turns out to be typical behaviour then its going to be rough ride.

    Reply
  8. Brian Clifton

    Wow Vicky: now thats what I call a powerful image…

    Why do you think there is such a high opt-out for benign tracking…?

    1. Visitors suddenly become aware of tracking when before they were not, and take the ‘safe’ option?
    2. Visitors fear the government connection of the ICO quango? i.e big brother analogy
    3. Visitors come to the ICO site to understand/complain about a privacy violation and are immediately faced with a privacy question they were not expecting?
    4. Visitors do not understand that the ICO are conducting benign tracking – thinking may be the fact that the site has to highlight this, surely means it must be invasive and have consequences?
    5. Spite – its a bad user experience for the visitor, so the visitor wishes to register there dissatisfaction by not allowing the ICO to collect data.
    6. Visitors really do not wish to be tracked all – benign or not
    7. all of the above?

    By using their “privacy header” (shown below), the ICO have certainly provided some great data on how wrong things can go if they are not properly thought through and worded correctly.

    Here’s what the ICO currently show on all landing pages of their website (click to enlarge):

    ICO privacy warning

    Reply
  9. Vicky Brock

    And now I have the data from my FOI request. Measured visits and unique visitors to the ICO website fell 90% after making the GA cookie opt-in, essentially rendering the measurement data useless. That’s just a one in ten opt in, with the current request format. Graphs here (feel free to grab them Brian, if useful): http://bit.ly/kFVeNL and http://bit.ly/lYlJVv

    Powerful image from Vicky Brock

    Reply
  10. Richard

    I agree that analytics is an essential tool to a website that needs to be competitive to understand its customers – and demonstrate the value of the investment – whoever owns the website.

    However, sadly, the ICO has made is clear that they are not ‘strictly necessary’ for the provision of a service ‘exlicitly requested’ by the user. As i have pointed out in an earlier post: http://cookiecrunch.co.uk/cookie-news/2011/5/24/the-analytics-crunch.aspx

    Richard

    Reply
    • Brian Clifton

      Richard: The ICO are still working on this. In particular the “strictly necessary” part, hence the 12 months grace period for further consultation. As I summarise in my follow up post, the ICO are on our side. That is, the side of businesses that wish to benignly and anonymously track website activity. I have discussed this with them directly.

      Reply
  11. Vicky

    I would like to add to Brian’s comment about the essential nature of analytics – this time in the context of government and Quango sites. The UK government’s recent cull of Quangos and government websites was based in part on web analytics data. It is by measuring the traffic and usage quality of government sites that they remain transparent to the tax payer and that it is ensured that we don’t go back to the old common place scenario where tens and hundreds of thousands of tax pounds were wasted on sites that no one used and that failed to deliver on their specific remit.

    I have no doubt that the ICO (which survived the last Quango cull) has just become unable to quantifiably prove the value of its own existence and lost the ability to demonstrate that its web investment delivers stakeholder/tax payer value. I have an FOI request in on this matter at the moment – so I don’t have the data yet – but I imagine they are having to go to their parent ministry and explain they can no longer measure their own website.

    That must matter to them as an organisation and it sure as heck matters to me as a taxpayer that government sites are investing web budgets as wisely as possible and are doing everything they can to maximise user experience and deliver on their egovernance objectives. I would say that makes
    anonymous analytics 1st party cookies as essential as CMS ones.

    Reply
    • Brian Clifton

      Vicky: great point on quangos. For those outside the UK following this thread who wonder that on earth a “quango” is, from Wikipedia:
      The term means ‘quasi-autonomous non-governmental organisation’.

      Essentially a government funded body that is independently run (i.e. not run by government). The ICO is a classic example – its funded by the government, but has to be independent as part of their remit is to protect the public’s privacy from the government as well…

      [ BTW, Also see my follow up post summarising this discussion ]

      Reply
  12. Brian Clifton

    Fishwick: I take your point about my use of “explicit consent”. However my article is intended to be read by web analytics/search marketer practitioners, rather than legal eagles.

    I am going to disagree with your statement:

    “As you know, websites function perfectly well without using analytics, and the user will not see any difference whatsoever when using your website whether it runs analytics or not.”

    That isn’t true. A website that is not optimised for traffic acquisition or visitor conversion is a poor user experience – lord knows, there are far too many of those around. Its like opening a gourmet restaurant with plastic tables and chairs, and plastic knives and forks to boot, and saying to potential customers – “hey its all about the food, not the experience”.

    Your restaurant business is not going to survive for long…

    Reply
  13. Fishwick Bananathon

    Your article says that the “wording of the law” is that visitors must “explicitly consent” to the use of cookies. It has already been pointed out that the law does not specifically refer to cookies, but more importantly, nor does it say that consent has to be “explicit”. This is a very significant error that you should correct. It is misleading because “explicit consent” is used specifically in data protection law to indicate a standard higher than just consent. For example, sensitive personal data cannot be processed on the basis of mere consent, but require (as one alternative) explicit consent.

    It also stretches credulity to suggest that analytics is “strictly necessary” for a service “explicitly requested” by the user. As you know, websites function perfectly well without using analytics, and the user will not see any difference whatsoever when using your website whether it runs analytics or not.

    Give the framers of the law *some* credit – they wanted to make it absolutely clear that this is a narrow exemption, so they said “*strictly* necessary” – not even just “necessary”!

    Quick note on the ICO – they have said that they don’t mean their version to be the model for compliance. It’s just the way they have chosen to do it, and of course, their needs and interests don’t reflect those of the majority of cookie uers.

    Reply
  14. Chris Williams

    Becka – I believe personal website owners will be affected by this too, although I would not be too worried unless you are using any sort of third-party service (such as Analytics or Advertising). An Audit is not too difficult to achieve, though. Simply clear the cookies currently in your cache, visit all the pages on your site and test all the functionality on your site (i.e. if you run a blog, test the reply features etc). Then you can have a look at the cookies that have been placed onto your computer. I have a WordPress blog, and found that cookies are only set when I respond to a post or when I log into the administration section – but I am not bothered about the administration section, as no-one but me should be using it, and anyway, those cookies are essential to keep me logged in. I will add a page explaining the current use of cookies on my site, and will have to do some coding to give the users option to save the cookies (or not) when they submit a reply – but I guess I dont actually have to have that done until next year. Hopefully, by then WordPress will have released a new version including this!

    Reply
  15. Becka

    1. It looks like analytics are not okay. At least it looks like the cookies you have to consent to are the Google Analytics ones (at least according to this http://blog.silktide.com/2011/05/cookie-law-delayed-for-one-year-first-example-of-new-laws-in-effect/ ) and their site is lying through it’s teeth to get you to say yes if it is just analytics cookies.

    What about us personal website owners? I don’t even know how to audit which cookies my site uses, let alone the rest.

    Reply
  16. Hugh Gage

    Interesting that in the ICO’s disclosure message they are non specific about all the cookies that they use and what they are individually used for, preferring to use a catch-all message and prevent any cookie (apart from the ASP.NET session id cookie) from loading until consent has been given.

    Also, that even if consent isn’t given users can still freely navigate the site albeit the parts that work.

    From a pragmatic perspective it suggests to me that a catchall message should suffice in most cases – I wonder if a rotating banner would do :-). I suspect when the ICO look at their web analytics data from now one they will view it as more of a sample than the total universe of visits that reach their site. As long as that still enables them to get a good idea of how their site is being used and where the problem(s) are, they may feel that is good enough…

    Reply
  17. Richard

    @ Steve Jackson

    Whilst I am not in favour of this Directive, I have to point out that I think your interpretation is incorrect.

    First of all – you quote the directive as using the word ‘cookies’
    Article 5(3) of the directive does not use this term. It talks about ‘purposes of the processing’
    In the same paragraph it states that storing or gaining access to information is only allowed if the user has given consent (past tense). Therefore I think that strictly speaking consent has to be given before a cookie (or similar file/device) can be placed on or retrieved from a machine.

    The issue is that the way cookies work in most cases is that they are placed or retrieved from a page before it has finished loading in the browser – making prior consent impossible in many cases. This is perhaps the key technological challenge laid down by the EU.

    Reply
  18. Simon

    I don’t see why their ASP session cookie is “strictly necessary”, surely that is just a technology choice issue, they could have implemented it without any cookies but chose not to.

    My browser indicates they set two cookies rather than the one they tell me about, before asking for my consent for more cookies.

    I think this sums up their guidance succinctly.

    Reply
  19. Vicky Brock

    Agree with Steve on this, if the ICO’s ugly example is really what they expect UK businesses to follow, it is a sad and unnecessary hindrance of user experience and UK business competitiveness – far beyond the EU’s original directive.

    I have always been keen to follow best privacy practices, but there is no way at present I can recommend people to do this one moment before they have to. As Tim suggested, I shall probably be advising clients to do the cookie audit and then wait up to a year.

    As Steve helpfully highlights, it is a frustrating and disappointing national interpretation – unnecessary, uncompetitive, not in-line with other nation states – and if followed will potentially reduce user experience and restrict open access to the web.

    Again I agree with Steve that now it comes down to how this will be enforced and punished (by authorities – and by customers). If customers actually demand this, rather than it being ill-informed petty bureaucracy – well that is a whole different matter.

    Cheers, Vicky

    Reply
  20. Steve Jackson

    Happy I don’t have a business in the UK today after looking at the ICO website and their teletext ad at the top of the page asking you to opt-in. http://bit.ly/ivKITz

    To those of you in the UK….Good luck with competing with the rest of the world if they really force this kind of legislation on you. It’s a great help after a recession being forced to spend more money on your website, lose valuable information about your visitors and lose a competitive advantage to global competitors within the next 12 months.

    I am very surprised at the UK authorities dictating such difficult measures to implement and police.

    I’ve heard from the chairman of the IAB in Finland that there will be no such measures required for 1st party cookies, only 3rd party behaviorally targeted ads will have an icon on the ad asking if you want to opt-out. The legislators in Finland have worked closely with the media/advertising community and privacy groups in Finland.

    Basically in Finland (and probably most other sensible EU states) it will be about giving the visitor clear control to opt out not about forcing them to opt-in. So as I discussed improved auditing of cookies, privacy policies and opt-out controls. Shame for the UK that they couldn’t do the same.

    If this law is enforced it will be interesting to see how the UK get creative and how many sites simply become closed “member/subscriber only” sites. That’s what I would do if I were forced. Only allow visitors that had agreed to a TOS agreement and persistent login to see all the content on my pages.

    It’s strange that countries can interpret the directives differently but according to the Finnish lawyers it is up to every country to define what they consider practical.

    This is why the UK can give a year for companies to “get their house in order”. I was assured that no matter what the UK is doing Finland will be asking website owners to be transparent and opt-out of 3rd party ads if they require it.

    It doesn’t say in the EU Privacy Directive that it has to be opt-in. The Directive actually legitimises the use of cookies but says (and I quote):

    “…on condition that users are provided with clear and precise information…about the purposes of cookies…”. It goes on to state that “Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.”

    That to me is ambiguous. It doesn’t say opt-in or opt-out. It just says visitors *should have an opportunity* so it could be either. This is why I was surprised at the move by the ICO today to decide that UK companies have to force visitors to opt-in.
    It will be interesting to see how this is policed and what punishments if any are issued or if the ICO see sense and change their stance.

    Reply
  21. Michael Dlugosch

    I basically agree with what was said here before. To what was known so far (before today), GA shouldn’t have posed a problem.

    However (@Peter): ICO’s web site has a new element on the top of every page now (unless you click “Accept”). Here: http://www.ico.gov.uk/news/current_topics/website_changes_pecr.aspx

    According to my understanding they are offering to accept or block all cookies at once – including their GA cookies.

    Cheers,
    Michael

    Reply
  22. Chris Williams

    Good article, but not in line with what the ICO has outlined – analytics are not “strictly necessary” and so will require a users consent to set GA cookies.

    The ICO website has now been updated, and if you will notice that while they do set a cookie automatically and without consent, this is a session cookie required by ASP.NET. If you consent to have additional cookies, the GA cookies are then added – but not before.

    Reply
  23. Peter O'Neill

    Enjoyed (and depressed) reading through this summary and discussion. I agree the directive should not affect GA as 1st party cookies but not confident that will end up being the case. Hopefully we will get a judge’s interpretation allowing GA which will over ride the guidence from the ICO as you suggest Brian.

    But do you have any updates now given the latest letter from the ICO and how they have handled the situation on their own website?

    Cheers

    Peter

    Reply
  24. Brian Clifton

    Great discussion going on here… thanks to all that have provided detailed feedback

    I just wanted to re-iterate my point here – the law (any law for that matter) is there to be interpreted by judges. This involves the legal system as a whole and regulators such as the ICO.

    Nobody wants to see the law look foolish or be ridiculed (esp. not judges), so common sense is what prevails *prior* to any legal action.

    So, as a site owner, if you have audited your cookies and all you have is Google Analytics setting its first party cookies, then you have performed the initial recommendation of the ICO. I don’t consider you have much to worry about and so I suggest you wait to hear the next iteration from the ICO…

    Richard: In terms of which jurisdiction applies, if you have an office in the UK then that business entity must abide by UK law – irrespective of where your website is hosted.

    Reply
  25. Ben Gott

    Brian,

    We’ve discussed this elsewhere but I thought I reiterate on your blog.

    I agree with your view of the way the directive should be applied, I think most people were expecting that kind of interpretation. However the wording from the ICO document does nothing to give me that impression. Could it be that the advice is just incredibly badly written?

    Specifically it doesn’t make a distinction between 1st & 3rd cookies party cookies in terms of the basic requirement for achieving ‘explicit consent’. (It does go on to point out that you should be particularly stringent in dealing with 3rd party cookies). This passage is the most explicit the document gets about the type of cookies that are included:

    “Does this consent rule apply to every type of cookie?
    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user……….. “

    And then later goes on to explain in a bit more detail (although perhaps not enough) what constitutes ‘strictly necessary’:

    ……….“This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.”

    There are two important points in there for us:

    1. Only functionality that is ‘explicitly requested’ by the user can set cookies. Meaning that you cannot set cookies based on the argument that it is essential to your business alone.

    2. It labels the collection of ‘statistical information’ (web analytics) as being outside the remit of ‘strictly necessary’.

    Also regarding the browser settings being a method of achieving consent. They are explicit that this is not acceptable currently but may be in the future. Presumably because all of the mainstream browsers allow 1st party cookies by default and don’t ever pose the question to a user:

    “I have heard that browser settings can be used to indicate consent – can I rely on that?
    One of the suggestions in the new Directive is that the user’s browser settings are one possible means to get user consent. In other words, if the user visits your website, you can identify that their browser is set up to allow cookies of types A, B and C but not of type D and as a result you can be confident that in setting A, B and C you have his consent to do so. You would not set cookie D.”

    “At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.”

    I hate to be a pessimist but I can’t see how we GA users can possibly be excluded from this directive given the above excerpts. Of course it may be that they refine this drastically to recast the role of the 1st party web analytics cookie in subsequent guidelines. If that is the case, why wasn’t it just written that way in the first place given that this advice was only released 2 weeks before the deadline.

    It will be interesting to see how the ICO themselves action this come the 26th – they have GA installed (traditional syntax only, tsk).

    With regards to the question: “is this the end of web analytics as we know it”.

    I don’t believe for a second that it is. I am hopeful that common sense (and some ingeniously creative ways to comply) will prevail. I do however think there is a real danger that until this is cleared up we are going to see a period of difficulty and insecurity in the world of web analytics – something we can scarcely afford. I say this because I know many companies will feel compelled to adhere to the letter of the law. Nobody can afford a privacy scandal at the moment.

    The question I keep asking myself is ‘are we burying our heads in the sand’? Do we need to stop hoping for a lenient interpretation and take some action?

    Hopefully Brian, you’re right and I’m wrong…..

    For a slightly7 more ranty take I did put a post up on our own blog a few days back: http://www.periscopix.co.uk/blog/new-cookie-regulations-latest-advice/

    Reply
  26. Steve Jackson

    Hi Brian (and all),

    I understand Vicky’s concerns but am leaning towards Brian’s interpretation of it. It will be interesting to see what the ICO does on the 26th. Currently they use Google Analytics as Vicky mentioned.

    That to me means that 1st party cookie tracking is just fine.

    Cheers
    Steve

    Reply
  27. Richard

    This has been coming for a long time – but its rally only now it is imminent that most people are taking notice.

    Agree with Vicky – lots of issues. What about non-EU websites that are serving EU citizens? Different laws for different countries – does it apply where the visitor is, or the company owning the website?

    We are building an association of interested people to work on simple ways to achieve compliance. Find out more at: http://www.cookiecrunch.co.uk

    The more that get involved the better.

    Richard

    Reply
  28. Vicky Brock

    Hi Brian,

    Your car counting analogy is a good one – and yet I would agree, the current guidelines would make it “not allowed” which is highly worrying (not least for UK business competitiveness & the web analytics sector).

    I too find hard to believe this is the true intent of the UK’s interpretation. Especially in a public sector and e-governance environment that has always taken a good lead in measurement and open data, and where there is such high GA usage amongst the public sector.

    But, the reality is that at the moment, there is only the written guidance to go by, and it is specifically saying analytics is opt-in. Plus there are the charming, sensitive quotes from the Information Commissioner himself, saying “Companies cannot stick their heads in the sand: these regulations are now law,” “There is a time for lobbying and a time for compliance, and the time for compliance is now. There’s no point fighting battles that you lost two years ago.” Source: http://www.pcworld.com/businesscenter/article/228041/uk_businesses_warned_to_comply_with_eu_cookie_law.html

    It is the tone that written guidance has taken that I see as most problematic – for it doesn’t just set the expectations of business but for the public interest groups. It has set up a conflict that was not necessary.

    I do understand why the ICO might have wanted to keep it vague and not point out specific offending technologies, but I think they have to get more precise in order for anyone to be able to comply with anything and for non-compliance to have any meaning or be enforcable.

    And there are so many open questions that have to be resolved in order to comply (and not just the ones we’ve been discussing). For example, does this just apply to UK visitors to UK owned websites, or is it UK visitors to all websites, or EU visitors to UK websites, or all visitors to UK websites?

    Is storing a cookie to say not to store cookies permitted?

    Will businesses be permitted to “refuse entry” to those who do not agree to be tracked, or is that somehow seen as discriminatory?

    Right now I think we’re getting a whole lot of “you must comply” – and this is filtering through to clients, who are looking to us for advice. And yet there is absolutely none of the necessary detail on making an implementation decision.

    And of course, there is no possible advantage to any online business being first mover here. The lone guys that go first will drive their customers nuts and lose competitiveness, while those that wait until the complaints come in stand to win.

    So those companies most committed to privacy and best practices stand to lose most.

    Sorry to run on so much – you can tell I’ve been stewing on all this whole topic for a while 😉

    Cheers,

    Vicky

    Reply
  29. Brian Clifton

    Tim L-B: you make a good point and I want to emphasise that just because you are a GA user you should not do nothing. On the contrary, every website owner needs to know what cookies are being set, by what tool, collecting what information and for what purpose i.e. a cookie audit. That in a nutshell is what the ICO are advocating at this stage.

    If the result of the audit is that only GA cookies are being set, then you have done your duty and I do not see an issue with you continuing to use GA.

    Tim Wilson: to answer your question “you are disagreeing with the ICO’s guidance there?”

    I am interpreting the ICO advice as broad guidance for all websites that deploy cookies – web tracking or other uses. As you point out, thats the difficulty regulators are facing i.e. finding suitable text to cover all scenarios. Once you drill down into the specifics of GA tracking, it quickly becomes apparent that user control via browser settings are sufficient.

    Although 3rd party cookies can also be controlled via browser settings, the practice should be outlawed on privacy grounds in my view – as the visitor to the website is totally unaware of any 3rd party relationships that may exist – unless explicitly informed.

    Reply
  30. Tim Leighton-Boyce

    I know from conversations at the WAW last Wednesday that a lot of people are adopting a “do nothing” attitude to this. It might be safer to make a start and to document the fact that you have made a reasonable attempt to comply. The guidance seems to suggest starting with a cookie audit. That seems a wise move.

    My friends at Screen Pages have shared a bit of advice from a law firm on their blog which seems to suggest the same thing (apologies for the link-dropping but we can do with every bit of guidance right now): http://www.screenpages.com/ecommerce/archives/000671.html

    No responsible company is likely to want to be open to accusations of defying or ignoring the law. Acknowledging the change and taking preliminary steps to comply seems sensible.

    Reply
  31. Matthias

    I cross my fingers that you are right with your interpretation, Brian. However, I have concerns that -coming back to the car analogy- the counting could be practically forbidden only because it has a potential to be abused.

    I never understood why this truly important discussion is often focusing on moreorless harmless issues compared to what else actually happens. Let me give three examples:

    1) Why blaming Google for a potential abuse of aggregated anonymous data but at the same time totally ignoring intransparent handling, sharing and exploration of by-default very personal data, like on Facebook?

    2) Why do (German) data protection officers recommend e.g. Piwik as a “safe tool” only because one can configure it according a restrictive data-protection guideline? as it is open source it can also be configured to a harmful spy tool, if this is someones intention.

    3) Why was only Apple under fire a few weeks ago due to the geo-tracking of their phones, but in parallel droids do this not only every 12 hrs but in realtime and with less options for a user to control/stop this?

    Unless obvious mis/bad-behavior is not stopped or targeted meanwhile only potential/theoretical threads are in focus the whole discussion is not likely to become constructive. Any regulations which are coming out of that selective view on the topic are unlikely fulfilling their intention.

    Reply
  32. Tim Wilson

    Thanks for taking a crack at this, Brian. I tend to agree with Vicky that the wording in the ICO document clarifies “strictly necessary” pretty clearly…and web analytics is technically out.

    As for relying on browser settings for “consent,” the ICO doc advises against interpreting the Directive as such: “we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.” Am I reading your post as that you are disagreeing with the ICO’s guidance there?

    And, when it comes to “browser-based consent,” wouldn’t this apply to 3rd party cookies as well? Browsers have the ability to do that as well (and, as I recall, actually have enabled that ability for longer than 1st party cookie blocking). Your point that 3rd party cookies for cross-site tracking and data sharing are what these regulations are targeting (although there are certainly cases where 3rd party cookies make the most sense for web analytics, but those are corner cases) is totally true, but it calls out the difficulty of trying to lay down black-and-white regulations.

    A lot of this boils down to the fact that there is *ethical* behavior (and the WAA has been at least trying to work that angle), and then there is *legal* behavior. In a perfect world, the two would align. In reality, they seldom perfectly do. I’m generally loathe to drop links to my own blog posts into comments, but I tried to capture that perspective in diagrammatic form: http://www.gilliganondata.com/index.php/2011/04/26/privacy-its-a-2-5-dimensional-issue/.

    It’s a messy, messy, complicated, scary, not-particularly-fun issue. I applaud anyone in our industry who publicly grapples with it to try to drive the conversation, as it’s going to take a village to get us through it, so thanks for taking a crack at this!

    Reply
  33. Richard

    I’m not sure I agree with this analysis.

    The wording of the regulations indicate nothing about intention, as of course they can’t.

    Consent is only really not needed if the cookies are ‘strictly necessary’ for the provision of a service. Though GA is undoubtedly valuable for understanding your web visitors – it is hardly be strictly necessary for the functioning of the website.

    Reply
  34. Vicky Brock

    Hi Brian,

    I have always agreed with you that the law was targeting 3rd Party cookies and indeed their original statements were relatively reassuring on this. But I think the wording of the ICO guidelines document is more than awkward.

    Unlike their original statement, they now specifically spell out that measurement is not deemed strictly necessary:

    “This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.”

    I realise that the guidelines will get more refinement, but right now, it seems pretty clear that they are explicitly expecting opt-in to apply to web analytics cookies, due to their stated interpretation quoted above.

    I’m usually an annoying optimist on all matters, but I am depressed as heck about our industry’s silence on this. The fact this interpretation is a sledgehammer to crack a nut doesn’t simply make it go away.

    Given the ICO are GA users themselves, I have contacted and asked them if they are willing to share their planned next steps for handling this, but they have not replied.

    My concern is that as the wording in the document stands now, I would expect any concerned member of the public/privacy group to justifiably feel they have the right to complain about sites not requesting explicit consent for measurement. A fudge period is built in by the ICO, but that isn’t fully clarified to the public or privacy groups. Worst case scenario this ends up as a test case in court, and then, who knows.

    I personally feel we’re about to be hit with a big stick, which while silly and very poorly aimed, will still hurt.

    Just my personal thoughts!

    Best wishes,

    Vicky

    Reply
    • Brian Clifton

      Vicky: Thanks for your detailed thoughts.

      I really don’t think the ICO/government or individuals what to hit companies that take privacy seriously with a big stick… If anonymous, aggregate tracking via first party cookies was the only tracking method available to website owners today, I feel certain this law would never have come to fruition.

      So while the ICO guidelines can be interpreted as the end of web tracking as we know it, I don’t view it in those terms. In my experience, UK judges and lawyers go by intent rather than the exact verbatim of a law. Of course the verbatim will have to change in due course, so that courts don’t waste time and money on cases where there is no intent to infringe a persons privacy.

      I like to use a car analogy for this…

      • Counting cars that drive past the entrance of your child’s school in order to assess the safety of school exits is not strictly necessary for the running of the school – after all, we already have laws that govern road safety
      • However, such car counting is still important and does not invade anyones privacy
      • Following car drivers home (or systematically tracking license plates) and identifying the individual drivers is clearly invading privacy. This is what this new law is trying to stop…

      I appreciate, that the general car counting case is still captured as ‘not allowed’ by this law. Hence, I feel why the ICO are treading tentatively on this to get a firmer grip on it.

      Reply

Trackbacks/Pingbacks

  1. Last Exit Westend » Blog Archive » How the cookie crumbles - [...] of the most thriving discussions I have followed happened and happens at Brian Clifton’s blog (with a follow-up post…

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share This