Google Analytics Cookies & EU Privacy Directive


EU Privacy Directive Cookies

Worried about the new EU Privacy directive, cookies and what it means for Google Analytics on your website? There’s been some new clarification from the UK Government.

“We talked about cookies (how could we not?) but we didn’t get hung up on them – other relevant technologies e.g. HTML5 Local Storage and web beacons came up too. We shared our experiences of comprehensively auditing our sites in order to be certain we knew which cookies were being set by us or via our sites (in the case of third-party cookies). We also discussed how best to probe the use of such cookies in order to correctly classify them (i.e. “moderately intrusive”, “minimally intrusive” or “exempt from changes to privacy legislation”)  in terms of their “privacy intrusiveness”. While we were at it, we touched on how best to be transparent about third-party cookies and their impact on visitors’ privacy.

Inevitably, analytics and the vital role analytics-related cookies play in allowing public sector websites to be held to account on the cost-effectiveness of the way we deliver government information and services came up.  Even more importantly, analytics are essential to our “continual improvement” approach to developing digital public services, which is critical to delivering the government’s digital by default agenda. The consensus was, especially in the case of first-party analytics cookies, these types of cookies are “minimally intrusive” (in line with the ICO guidance) and that the bulk of our efforts to rationalise our use of cookies should be focused on cookies classified as “moderately intrusive”.”

Quote from Google –

Google Analytics uses only first-party cookies. – Google Analytics uses a first-party cookie and JavaScript code to collect information about visitors and to track your advertising campaign data. Google Analytics anonymously tracks how visitors interact with a website, including where they came from, what they did on a site, and whether they completed any of the site’s conversion goals. Analytics also keeps track of your e-commerce data, and combines this with campaign and conversion information to provide insight into the performance of your advertising campaigns. Google.

The report goes on to say:

The ICO guidance supports this view as it states “…it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.”

The following are examples of existing good cookie policy pages:


Time to get a cookies page up?

NOTE – The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into effect last year – and the UK Government have said they will start ‘policing’ this after a year – effectively ‘giving you a year to get your house in order’.

The EU Cookie Law

Here’s some clarification for website owners on the new EU law – the EU privacy directive on cookies –

What it is:

“The new law is an amendment to the EU’s Privacy and Electronic Communications Directive and will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store and retrieve usage information from users’ computers.”

When Is It Law?


What you need to do

You need to get consent from visitors to your site if you want to put a cookie on their computer. Lots of websites require cookies to operate – if you use Google Analytics, for instance, to track visitors on your site, your website uses cookies. A good place to start is to find out from your website developers what cookies you are currently using. If you use WordPress, for instance for your blog, then this software uses cookies too: WordPress and WordPress plugins (the type of software that powers this blog) use cookies if you are registering with the site, or commenting on the site. So – as a starting point – you might want to actually find out what cookies your website sets and add a note about them to your privacy policy notice – this is what we will be doing shortly.
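One way to build that cookie inventory is to collect the Set-Cookie headers your pages return and classify each cookie by who sets it and how long it lasts. The script below is an added example, not code from this site or from the ICO; the hosts, cookie values and the `audit` and `parse_set_cookie` helpers are constructed for illustration, and it assumes you pass in your own registrable domain.

```python
# Constructed sample: (host that sent the response, raw Set-Cookie value).
# Hosts are placeholders and all cookie values are made up.
SAMPLE = [
    ("www.example.org", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example.org", "comment_author_0123abcd=Jo; Path=/; Max-Age=30000000"),
    ("www.example.org", "__utma=1.2.3.4.5.6; Domain=.example.org; Path=/; "
                        "Expires=Sat, 24 May 2014 10:00:00 GMT"),
    ("ads.example.net", "uid=42; Domain=.example.net; Path=/; Max-Age=31536000"),
]


def parse_set_cookie(raw):
    """Return (cookie name, attributes) for one Set-Cookie header value."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name = first.partition("=")[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(site_domain, responses):
    """Classify each cookie as first/third party and session/persistent.

    Assumption: site_domain is the registrable domain of the site under audit;
    a production tool would derive it from the Public Suffix List.
    """
    rows = []
    for host, raw in responses:
        name, attrs = parse_set_cookie(raw)
        scope = attrs.get("domain", host).lstrip(".").lower()
        first_party = scope == site_domain or scope.endswith("." + site_domain)
        # No Expires or Max-Age means the cookie is dropped when the browser closes.
        persistent = "expires" in attrs or "max-age" in attrs
        rows.append({
            "name": name,
            "set_by": host,
            "party": "first" if first_party else "third",
            "lifetime": "persistent" if persistent else "session",
        })
    return rows


if __name__ == "__main__":
    for row in audit("example.org", SAMPLE):
        print("{name:26} {set_by:18} {party:6} {lifetime}".format(**row))
```

The resulting table is the raw material for the cookie section of a privacy notice: third-party and persistent entries are the ones to look at first.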

When You Could Get In Trouble

UK companies which use cookies to track how their customers browse their website have up to a year to comply with new privacy laws, the information watchdog has said. The new EU rules, which came into force on 25/26 May 2011, mean firms which run websites in the UK will need to ask for permission to store and receive information on users’ computers in the form of cookies – a cookie is a small file that a website uses to track users’ actions online – and A LOT of websites use them.

Information Commissioner Christopher Graham announced UK companies will be given up to 1 YEAR to “get their house in order” before the new EU cookie law is enforced by the UK. That is 25 May 2012.

“I have said all along that the new EU rules on cookies are challenging,” Mr Graham said. “It would obviously ruin some users’ browsing experience if they needed to negotiate endless pop ups – and I am not saying that businesses have to go down that road. Equally, I have to remember that this law has been brought in to give consumers more choice about what companies know about them. That’s why I’m taking a common sense approach that takes both views into account. So we’re giving businesses and organisations up to one year to get their house in order. This does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

UK companies could face a fine of up to £500,000 if they don’t comply with the new EU Privacy Rules. They are obviously taking this a lot more seriously (it seems) than accessibility or company act directives of the past.

Communications MP Ed Vaizey added:

“This Europe-wide legislation will ultimately help improve the control that individuals have over their personal data and help ensure they can use the internet with confidence. But it will take time for workable technical solutions to be developed, evaluated and rolled out, so we have decided that a ‘phased in’ approach is right.”

I saw this comment as well from Yahoo news – I am not sure how accurate this is – I am still learning about this too.

Just a quick clarification for some of you confused. This covers all cookies that keep hold of user specific data, from tracking customer page views to remembering login details. Explicit consent does NOT need to be done on a per visit basis and for those of you who require logins or registrations it should be fairly easy to work round. This law does not cover things like shopping baskets etc.

Practical Use

This is the official message that is on the ICO website (who should know what they are doing) – and they do it through a pretty unobtrusive header message:

On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.

…the ICO also go on to say about the EU law on cookies –

Organisations have 12 months to make sure they comply with the new rules (EU Privacy Directive On Cookies). In that time we expect websites to be looking at the cookies they use and where necessary putting in place steps to get your consent. If a website does not appear to be taking steps to comply with the new rules and we receive a complaint during this 12 month period we will provide advice to the organisation concerned on the requirements of the law and how they might comply.  Where we think it is appropriate we will also ask organisations to explain the steps they are taking to ensure that they will be in a position to comply by May 2012. We will continue to consider complaints about organisations that are not providing information about the cookies they use because this has been a requirement for several years. From May 2012 we will expect websites to be complying with the law and will deal with complaints about sites that are not complying in line with our normal procedures.

Why the 12 months’ grace for UK businesses? Well, it’s practically unworkable for a lot of sites at this time. The ICO will obviously lead the way and is an example of what you can expect but even they have run into problems:

Our priority has been complying with the law from 26 May. The biggest change is that we are providing users with a choice to accept cookies from our site before they are set. We ask this question only of users who haven’t disabled cookies at the time they arrive at our site, or where we can’t tell if they’ve disabled them or not. We are setting our analytics cookies only when a user provides their consent. Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site – at which time they’re informed that the cookie has been set – and is deleted when a user leaves the site. We are continuing to look at ways to provide users with choices about this and all the cookies we use on our site. Finally, we have updated our privacy notice to provide more information about the cookies we use, as well as directing users to detailed information about how to delete and manage cookies.

Google Analytics FYI

I found this info quite interesting:

The impact on Google Analytics users – Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website. This is very much at the opposite end of the spectrum to who this law is targeting. For Google Analytics users, complying with the ToS (and not using the other techniques described above), there is no great issue here – you already respect your visitors’ privacy!

Though there is clearly some confusion about that interpretation as the question of whether or not GA is essential to the working of your website is probably going to be debated – and – I guess things will become clearer as the year goes on. Affiliate marketers are in for a torrid time at any rate.

