Since May 26th 2012, the ICO (Information Commissioner’s Office) have begun enforcing the Privacy and Electronic Communications Regulations law (commonly known as the EU cookie law). This law applies to all 27 members of the EU and makes it illegal for websites to track visitors using cookies without their explicit consent.
Thanks to a very open wording of the law, no one is exactly sure what the ICO is enforcing or what they can get away with. Does it apply to 3rd party cookies or just 1st party cookies? How explicit is explicit consent? Are cookies that don’t track private information exempt?
Due to this, the ICO gave webmasters a one year grace period to get their act together and start operating within the law. As the law was passed in May 2011, the ICO has only just begun enforcing it.
Google Analytics Cookies
Thanks to the murky wording on the official Privacy and Electronic Communications Regulations document, it is quite hard to work out what the official stance is.
90% Drop of User Data
What worries the majority of businesses is that most users are going to say no to opt-in tracking. Their concern is just – after seeking opt-in permission, only 10% of ICO visitors said yes. For a business that uses Analytics data to improve their site and market their brand more effectively, a 90% loss of data is huge – certainly worth the risk of inciting the wrath of the ICO.
So is Google Analytics tracking illegal without explicit consent?
There are two conflicting answers to this question – the first is that yes it is illegal, but the ICO is highly unlikely to punish you. However, Brian Clifton has spent the year researching the subject and talking to contacts at the ICO and believes that as long as your Analytics code does not capture personally identifiable information (PII) and you have a privacy statement on your site regarding cookies, you are in the clear.
The two key phrases in the document are describing low priority cookies as those with ‘a low level of intrusiveness and risk of harm to individuals’ and those ‘used only for analytics purposes’. Now I would say Google Analytic cookies fall safely into both categories. They are anonymous cookies and no personal information is captured or stored.
How Should You Handle Google Analytics Cookies?
You’re very unlikely to have any problems continuing to use Google Analytics, but you should definitely considering creating a privacy statement for your site or adding a section on cookies to your existing statement. Explain what cookies you use and what they track – try not to get too technical as it usually freaks people out and makes them want to opt-out!
The ICO are clearly set against cookies of any kind and it’s not surprising. Facebook’s cookies currently collect more information that any others, allowing them to build up a huge database of knowledge of their users which is then used for targeted advertising.
Thanks to scaremongering in the media & the ICO’s hardline stance, the average internet user is pretty scared of cookies right now – shown by the 90% opt-out on the ICO website. So could there be a world without cookies?
Well, online advertisers would be a bit stuffed, and you wouldn’t be able to ‘like’ pages, but what about less creepy uses such as Analytics? After all, they’re only there to make the web a better place for users.
I recommend reading (and trying your best to understand) Matt Clarke’s research into cookie-less tracking systems. He recognises that there are server-side tracking systems available but points out that none come close the Google Analytics. Go and have a read about the possibilities for server-side Google Analytics.
Personally, I believe that if web users understood cookies better (and knew which cookies were benign and which were up to no good) then they wouldn’t be so scared of cookies. Interestingly, AVG added a browser plug in called ‘Do Not Track’ around the same time cookies were in the news. It tells you who the cookie belongs to, what it’s tracking and allows you to turn it on and off at the click of a button.
If browsers, instead of webmasters, were forced to add this function then nobody would have to worry about opt-in systems at all and we could all go back to making our sites better (using visitor tracking data of course).