‘Unlikely to prioritise first party cookies used only for analytical purposes’ – United Kingdom’s New Guidelines for Cookie Use

The UK’s Information Commissioner’s Office published new guidance for website owners regarding cookie user and online privacy. As the UK moves towards compliance, they are already half way through the year that the ICO gave businesses to get their digital house in order, the prevailing attitude is that businesses ‘must try harder’.

A Ray of Hope – Analytics cookies are not a ‘priority’
The guidelines contain the following information, on their FAQ on Page 27:

ICO Cookie Guidelines

“unlikely to prioritise” – looks like the door is not completely shut on using Google Analytics then – I am cautiously positive. It remains to be seen what other European countries do. While we wait, in Sweden, for the PTS to produce guidelines we should make sure our own houses are in order, identify the cookies we use and give users clear instructions on why we’re using them – hasty implementations of consent boxes and banners may not necessarily be the best solution in the long term.

New recommendation on cookie use – browser settings rather than banners

The IAB in Sweden (the trade association for the digital and interactive marketing industry) have, this month, released a set of new recommendations on how website cookies should be used. These place the emphasis on the website visitor’s browser setting to determine whether cookie will be used, and move away from the website banners that have been previously promoted as a solution.

These recommendations are a response to the Electronic Communications Act (Sweden), which is itself a response to the EU directive concerning on-line privacy. This directive requires consent from a website visitor before cookies are placed on their computer;  but – as I’ve posted previously – this breaks many important tools for ensuring a good visitor experience. Not least, it directly impacts the use of Google Analytics.

The IAB guidelines say the following:

– Cookie use, and type, should be clearly identified on the site
– Clear information should be given about what cookies do and their purpose

The awesomeness (but also what I expect will be the controversial element):

– If a user’s browser is set to accept cookies this means they have granted consent for cookies to be used (if the website clearly identifies which cookies are being used)
– If a user’s browser rejects cookies, then this must be respected

They promote the use of a standardised badge, to help users find out what cookies are used and make their own choice.

I need cookies to do my job – that is, to make the user experience better; these recommendations seem like a sensible solution for everyone. Unfortunately, I doubt that the EU will entirely agree – particularly given the apparent disagreement between EU ministers on how this directive should be enforced.

(You can see this slow car crash unfolding by checking out all my posts on the cookie directive).

What do you think? Will this work – is this an alternative to the opt-in banners which seem to be popping up?

IAB recommendations in Swedish and English.

Swedish Government’s cookie opt-in banner has severe impact on their Google Analytics data collection

This is the data which Google Analytics collected, from the Swedish government’s website before, and after, they introduced a banner asking for visitors to accept cookies:

Impact on Google Analytics data of banner asking for opt-in - severe reduction in tracked visitors
With the introduction of the banner, at the end of June, 80-90% of their data disappears – just as we’ve seen in the UK, on the Information Commission’s website. Thanks to the Swedish authorities for sharing this data.

Why a banner?
Here’s what they say, on the banner:

Banner on Swedish government website Why does this matter?
The EU directive which this is based on is throwing the baby out with the bath water. In an attempt to protect our online privacy they have taken a crude approach to an issue which is more complicated than their directive recognizes. In this particular instance, the use of Google Analytics, there is not a privacy issue and the data is used to improve the website.

What’s the precedent for this?
In Sweden, right now, there is none. The PTS, the organisation responsible for making the directive a reality in Sweden, has nothing particularly specific (In Swedish); certainly nothing which directly requires a banner. Uppsala’s county website also sports a similar banner.

But there’s still some data being collected – all is not lost, right?
Wrong. One of the joys of the analytics data we can collect is that, from the start, we get a bucket of visitor data which represents everyone who has visited our site. Our job as analysts is to segment out different types of visitors and figure out how the site is performing for them. The opt in banner segments the data into people who accept cookies. I would hazard that the people who accept cookies are a rather unique demographic, who probably don’t represent most of your other visitors. In my humble opinion, your data is screwed from the start.

You could use this as an argument for the cookie directive. ‘See’ you can say, ‘no one wants cookies on their computer’. I would say that the lumping together of cookies as all universally bad has been lazy legislation; it does not reflect reality. Cookies which track visitor activity for improving the website are  a little different to those tracking your activity across the web. Without being able to gather data on what our visitors are doing on our site – which content works, which buttons get clicked, for example – we’re flying blind and the users’ experience will suffer.

I own a website  (in Sweden) – what should I do?
Check out the PTS regulations, they say  the following:

PTS guidance for website owners
In essence, ‘you don’t have to change your website right now’. Maybe while we wait, we’ll get a browser opt-in option which could be satisfactory for the EU, as  Peter Hustinex (European Data Protection Supervisor) hinted at in a recent presentation. It’ll be interesting to see what comes out from Google on this.

Here’s some additional reading:

E-Consultancy reflects on the ICO’s banner and the implications for future use of cookies.
Brian Clifton’s most recent post on the implications of the EU directive for Google Analytics
IAB (Sweden) – Recommendation on cookie use (In Swedish, but English translation available on their site).

Swedish Goverment Introduces Cookie Opt-In Banner – there goes their Google Analytics data…

The Swedish Government has introduced a banner on their website asking visitors to explicitly accept having cookies placed on their website (click on the image to make it larger).

swedish government website cookie banner

It sure ain’t pretty, and will probably have the same catastrophic effect on the Google Analytics data they collect that the ICO, in the UK, experienced when they introduced something similar. Will the last analyst left in the building please turn the lights off when they leave….

Update: And here’s something similar from Uppsala kommun:

and here’s another Swedish site bearing a similar banner (I’ve chosen the English version here) msb.se:






Cookie Killer Law – EU Commissioner Smack Down: Things just got more confusing…

Confusing and bad news for website owners – EU Data Supervisor says that industry guidelines for cookie use are not sufficient and that consent for cookie use must be actively obtained – criticizing the softer stance of EU Commissioner. 

Rather than have the usual picture of biscuits, jars or muppets to go with this cookie post I thought I'd channel some Johnny Cash instead. Image: Flickr - Diogo A Figueira.

This is another of my posts about the EU directive which threatens life as we know it. This is an amendment to the EU’s Privacy and Electronic Communications Directive which forces website owners to obtain consent from a website visitor before cookies can be left on their computer. The upshot of this would be a sudden, and profound, hole in the data we collect on customer behavior on our websites.

No one really knows what the hell to do – since the Directive’s amendment, confusion has reigned supreme with some EU countries not getting round to implementing it while others, like the UK, bashing out a rapid response – and then giving organisations a year to respond to it.

Websites which have attempted to get visitor consent have screwed their site, and their data collection, with unwieldy solutions – the UK Information Commission’s Office, I’m looking at you.

Right now, there has not been any major indications that cookie use is being reduced.

In the background, marketing and advertising associations have been putting together guidelines for how cookie users can respond to this – use cookies, and yet still remain within the law. Check out the guidelines from the Swedish brand of the IAB here.

EU Data Protection Supervisor criticizes EU Commissioner – Advertising Association guidelines unworkable?

Neelie Kroes, the EU Commissioner behind this directive, had previously said that European companies have a year to comply with the directive and that she supported efforts by advertising associations (such as the IAB) to create some kind of standardized opt-in.

Not good enough, responded Peter Hustinex the European Data Protection Supervisor. In a recent speech he specifically said that the guidelines suggested by the IAB fell short of the requirements of the directive, despite them being welcomed by Kroes, the EU Commissioner.  He went on to say that Kroes’ support for a US ‘do not track initiative’ also fell short of the Directive’s requirements. One measure he suggested was a default browser setting of non-acceptance for cookies.

Read his whole speech here.

What Happens Now?

More confusion – even the EU can’t seem to agree on what this directive means. Germany and Denmark have aready got a ban on using Google Analytics (from earlier concerns about IP addresses), but many companies in those countries continue to use it, knowing that the risk of being penalized is relatively low. However, for those of us operating in the public sector there’s a risk that we could get some form of all-encompassing edict of ‘no cookie use without consent’ and boom, there goes our main method for collecting data for improving our websites. Sigh. Where do we go from here? I really don’t want to be saying ‘I told you so’ in a few years time.

Cookie Law Comes Into Effect In Sweden – PTS are reponsible and no detail available yet.

The new cookie law came into effect, in Sweden, on the 1st of July. It’s a response to the horrendous EU directive, widely seen as a cookie killer, which is an attempt to address online privacy issues. I’ve previously blogged about it here. The short version is that the directive requires consent from a website visitor, before a cookie can be placed on their computer. This impacts a whole bunch of website functionality, but not least Google Analytics. Brian Clifton has blogged about the implications for Google Analytics in two blog posts, shortly after the launch of the directive in the UK and then a little later.

If you’re in Sweden, then there’s a couple of things worth knowing. First, the Swedish Post and Telecom Agency (PTS) is responsible for the execution of this new directive, and its Swedish interpretation. When I posted this, they had some information for website owners, but nothing concrete. There’s certainly not a ‘cookies are the big bad’ message from them – so far, so good I say. Right now, they are saying that they are giving website owners time to figure out how to get consent for cookies from website visitors.

The other important thing to know is that the Swedish arm of the IAB has prepared guidelines for website owners and are looking for feedback. The guidelines are available in both English and Swedish. Their suggestion is that consent is based on the users browser settings. The IAB guidelines are a best practice suggestion which avoid killing our website functionality with ugly consent requests (check out the banner on the top of the ICO’s website from the UK – and then take a look at what this has done to the data they’ve been able to collect from Google Analytics).

Best thing you can do right now? Don’t panic, read Brian’s latest blog post and get your website’s privacy statement in order. Checking to see what cookies your website is leaving on people’s computers might not be a bad idea either.

Cookie Killer – New EU Directive on Cookies and Privacy – New Swedish Law

New privacy laws could impact on our ability to gather user data, potentially restricting the use of tools like Google Analytics.

The New EU Law

The EU will soon be enforcing a new directive which directly addresses the way cookies can be used – it’s a development of the EU’s ePrivacy directive. How will it affect your website? Well, no one seems to be totally clear but there’s certainly a ton of, what seems to be, well founded gloom.
Essentially the law requires website owners to get consent from website visitors to record and store information about them :

site owners need to get an explicit opt-in in order to deploy practically any cookie” – Wired

Photo from Jim Linwood - Creative Commons Licence - http://bit.ly/j7haTF

Sweden’s New Law ‘Bättre Regler för Elektroniska Kommunikationer’ – A response to the EU law

In a few day’s time the Swedish Government will be voting on a new law ‘Bättre regler för elektroniska kommunikationer’ which will enforce the EU law.

Using my second language with a legal document is not a happy combination, but cookies are under the spotlight in this new law. For example, page 317 of the law says:

“Abonnenten eller användaren ska inte längre bara ges tillfälle att hindra lagring eller åtkomst, utan måste lämna sitt samtycke till åtgärden”

This sounds like the opt-in which the Wired Article, and several other commentators have described (Techcrunch have come out of the corner fighting on this one ‘Stupid EU Law‘). However, the Swedish law just does not seem clear enough.

“Vissa menar att samtycket måste inhämtas innan man besöker själva hemsidan, det vill säga i praktiken kommer man till en ”för-sida” där informationen om cookies ges till den enskilda användare som får godkänna dessa för att sedan länkas vidare till själva hemsidan.”: Ny lag för Cookies – Mathias Berggren

The EU law states that cookie use is acceptable where it is absolutely mission critical, but opinions will no doubt vary on what is critical.

Google Analytics – Can we still use it?

My sector, and many others, rely on using 1st party cookies to gather data on what our visitors do on our websites. This enables us to optimize the user experience – for a content rich website, like a university website, it’s a vital tool. This new law could very well prevent the use of Google Analytics, and thus leave a potential gap in our ability to understand how people use our websites.

There’s discussion about this on the Google Analytics forum.

Our search optimization efforts, measurement of YouTube success and use of adwords would, presumably, also be impacted. So, can we still use Google Analytics?  It would be nice to get some kind of  measured response from e-delagationen or Datainspketion (who have previously commented on the use of Google Analytics).

In the UK, the Information Commissioners Office’s guidelines do not include the use of cookies to gather statistical data as sufficiently mission critical to allow their use, without first getting consent.

A Final Word

Several commentators consider this law simply to be unworkable, as to police it would be extremely difficult. Germany has banned Google Analytics, but do German sites continue to use it? It would be interesting to find out how such a ban actually works in practice.  This law could be a massive blow to our ability to manage websites, a blanket  enforcement of ‘do not track’ (or ‘do not track without consent’) could result in some bizarre user experiences with opt in messages plastering websites. Alternatives do exist when it comes to data collection, it’s true, and making sure we only collect aggregate data could defuse privacy issues at a stroke.

Let’s see where this lands – Don’t Panic.

I’ll be at the Google Analytics conference in Stockholm tomorrow, no doubt more light will be shed on this subject there.

Please feel free to leave comments on the new law, and particularly the Swedish law – be nice to get a lawyers input on this.