Worried about the new EU Privacy directive, cookies and what it means for Google Analytics on your website? There’s been some new clarification from the UK Government.
“We talked about cookies (how could we not?) but we didn’t get hung up on them – other relevant technologies e.g. HTML5 Local Storage and web beacons came up too. We shared our experiences of comprehensively auditing our sites in order to be certain we knew which cookies were being set by us or via our sites (in the case of third-party cookies). We also discussed how best to probe the use of such cookies in order to correctly classify them (i.e. “moderately intrusive”, “minimally intrusive” or “exempt from changes to privacy legislation”) in terms of their “privacy intrusiveness”. While we were at it, we touched on how best to be transparent about third-party cookies and their impact on visitors’ privacy.”
Quote from Google –
The report goes on to say:
The ICO guidance supports this view as it states “…it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action”
Time to get a cookies page up?
NOTE – The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into effect last year – and the UK Government have said they will start ‘policing’ this after a year – effectively ‘giving you a year to get your house in order’.
The EU Cookie Law
Here’s some clarification for website owners on the new EU law – the EU privacy directive on cookies –
What it is:
“The new law is an amendment to the EU’s Privacy and Electronic Communications Directive and will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store and retrieve usage information from users’ computers.”
When Is It Law?
What you need to do
When You Could Get In Trouble
Information Commissioner Christopher Graham announced UK companies will be given up to 1 YEAR to “get their house in order” before the new EU cookie law is enforced by the UK. That is 25 May 2012.
“I have said all along that the new EU rules on cookies are challenging,” Mr Graham said. “It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups – and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account. So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
UK companies could face a fine of up to £500,000 if they don’t comply with the new EU Privacy Rules. They are obviously taking this a lot more seriously (it seems) than accessibility or company act directives of the past.
Communications MP Ed Vaizey added:
“This Europe-wide legislation will ultimately help improve the control that individuals have over their personal data and help ensure they can use the internet with confidence. But it will take time for workable technical solutions to be developed, evaluated and rolled out, so we have decided that a ‘phased in’ approach is right.”
I saw this comment as well from Yahoo news – I am not sure how accurate this is – I am still learning about this too.
Just a quick clarification for some of you confused. This covers all cookies that keep hold of user specific data, from tracking customer page views to remembering login details. Explicit consent does NOT need to be done on a per visit basis and for those of you who require logins or registrations it should be fairly easy to work round. This law does not cover things like shopping baskets etc.
This is the official message that is on the ICO website (who should know what they are doing) – and they do it through a pretty unobtrusive header message:
…the ICO also go on to say about the EU law on cookies –
Organisations have 12 months to make sure they comply with the new rules (EU Privacy Directive On Cookies). In that time we expect websites to be looking at the cookies they use and where necessary putting in place steps to get your consent. If a website does not appear to be taking steps to comply with the new rules and we receive a complaint during this 12 month period we will provide advice to the organisation concerned on the requirements of the law and how they might comply. Where we think it is appropriate we will also ask organisations to explain the steps they are taking to ensure that they will be in a position to comply by May 2012. We will continue to consider complaints about organisations that are not providing information about the cookies they use because this has been a requirement for several years. From May 2012 we will expect websites to be complying with the law and will deal with complaints about sites that are not complying in line with our normal procedures.
Why the 12 months’ grace for UK businesses? Well, it’s practically unworkable for a lot of sites at this time. The ICO will obviously lead the way and is an example of what you can expect, but even they have run into problems:
Our priority has been complying with the law from 26 May. The biggest change is that we are providing users with a choice to accept cookies from our site before they are set. We ask this question only of users who haven’t disabled cookies at the time they arrive at our site, or where we can’t tell if they’ve disabled them or not. We are setting our analytics cookies only when a user provides their consent. Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site – at which time they’re informed that the cookie has been set – and is deleted when a user leaves the site. We are continuing to look at ways to provide users with choices about this and all the cookies we use on our site. Finally, we have updated our privacy notice to provide more information about the cookies we use, as well as directing users to detailed information about how to delete and manage cookies.
Google Analytics FYI
I found this info quite interesting:
The impact on Google Analytics users – Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website. This is very much at the opposite end of the spectrum to who this law is targeting. For Google Analytics users, complying with the ToS (and not using the other techniques described above), there is no great issue here – you already respect your visitors’ privacy!
There is clearly some confusion about that interpretation, though: whether or not GA is essential to the working of your website is probably going to be debated, and I guess things will become clearer as the year goes on. Affiliate marketers are in for a torrid time at any rate.
FYI – http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/