Google Analytics and the new EU privacy law #1
Privacy and Accuracy, May 20th, 2011
Following new EU laws aimed at protecting the privacy of online users, much has been said about the death of web tracking as we know it. At present, the wording of the law states that visitors to your website must explicitly consent to having cookies stored on their computers. As pretty much all web analytics tools rely on cookies for visitor tracking, there are clearly implications for anyone who uses these on their site. [ Update 16-Jun: see follow-up post summarising this discussion ]
- Read the BBC News summary of the new law
- Read the UK’s Information Commissioner’s Office (ICO) guidance document
This law has been brought into place due to the failure of our industry to self-regulate privacy properly. The EU lawmakers are targeting the surreptitious tracking of individuals that has been going on for many years. That is:
- Sharing cookie information collected on one website with another 3rd party website via 3rd party cookies.
- Identifying anonymous visitors – either by using data from a 3rd party cookie where personal information was entered, or back-filling previous visit data when a visitor later creates an account or makes a purchase.
- Tracking visitors even though they have set their browser privacy settings to block tracking cookies (the approach used by Flash Shared Objects).
If you are using 3rd party cookies and/or Flash Shared Objects, this law is very much targeting you. Essentially you will need to obtain explicit consent to continue doing this (or to use any other similar technology). This law forces perpetrators of such tracking to either stop doing so, or suffer a poor user experience and declining web business by having to use pop-ups to gain visitor consent. Either way is a good thing for the web.
The impact on Google Analytics users
Google Analytics uses 1st party cookies to report on visits to your website anonymously and in aggregate. This is very much at the opposite end of the spectrum from those this law is targeting. For Google Analytics users complying with the ToS (and not using the other techniques described above), there is no great issue here – you already respect your visitors’ privacy!
I will agree the wording of the ICO document is “awkward” and gives rise to ambiguity. Essentially, they do not wish to name the technologies this law applies to (3rd party cookies, Flash Shared Objects) as these can of course change. It is the method of invasive tracking they are quite rightly trying to stop, so I expect the wording of the document to be refined over time.
The ability to block 1st party cookies is built into every web browser (10+ years for IE), so I feel this para applies:
“(3A) For the purposes of paragraph (2), consent may be signified by a
subscriber who amends or sets controls on the internet browser which
the subscriber uses or by using another application or programme to
The ICO document asks you (as the web site owner) to ask yourself – Is tracking the performance of your website strictly necessary? That’s straightforward to answer – Yes! In the same way tracking the performance of your business is strictly necessary.
The keywords for Google Analytics are: anonymously, in aggregate, and via 1st Party cookies.
I would be interested in your view on the EU privacy law and its impact on GA. Please add your thoughts via a comment. There is also a follow-up post from me clarifying some points raised here.