New EU
legislation means that all websites that use cookies need to get permission
from users first. Sarah Dobbs looks into how this affects how you can use
analytics tools on your website…
Cookies
sound pretty innocuous, don’t they? In many ways, they are: they're just
strings of text sent back and forth between a website and browser, used to
identify users and keep track of certain information about them. Cookies can
help websites remember users' preferences, as well as tracking whether they're
new or returning visitors, and what they're looking at on the site.
Generally,
they don’t store any personal information; individual users are identified by
the cookie stored on their browser, so if the same person uses another computer
or browser, the site would identify them as the same person. Cookies can make
browsing the web more convenient for the user, as well as providing websites
with valuable information…but it may make you uncomfortable to know that
websites are storing files in your browser without your knowledge, and
sometimes using that cookie to serve you with relevant (and occasionally
intrusive-seeming) advertising.
On 26th May
2011, the EU passed new legislation – The Privacy and Electronic Communications
(EC Directive) (Amendment) Regulations 2011 – that meant that websites needed
to obtain explicit consent from users before tracking them with cookies. The
law is designed to protect privacy and to limit the amount of targeted
advertising websites can serve up. While some kinds of cookies, like the ones
that store items users have put into their shopping baskets on ecommerce sites,
are excluded from the law, it seems everything else, including cookies that
remember your username when you return to a website you’ve registered at, will
be affected.
Although
the legislation was passed last year, the Information Commissioner’s Office
(ICO) gave website owners in the UK a year’s lead-in period, in order to sort
out ways of obtaining users’ permissions. But time is ticking away, and not
many sites have yet implemented any ways of getting permission – worse, there
seems to be a lot of confusion surrounding what the law means, and how people
can comply with it.
What the law says
Since 2003,
websites have been required to offer users information about the cookies they
use, and provide the facility to opt-out of storing cookies; the 2011 amendment
changed that last part, so that users need to opt-in, rather than opting-out.
Here's the exact wording:
1. Subject to paragraph (4), a person shall not
store or gain access to information stored, in the terminal equipment of a
subscriber or user unless the requirements of paragraph (2) are met.
2. The requirements are that the subscriber or
user of that terminal equipment- (a) is provided with clear and comprehensive
information about the purposes of the storage of, or access to, that
information; and (b) has given his or her consent.
3. Where an electronic communications network is used
by the same person to store or access information in the terminal equipment of
a subscriber or user on more than one occasion, it is sufficient for the
purposes of this regulation that the requirements of paragraph (2) are met in
respect of the initial use.
3A. For the purposes of paragraph (2), consent may be signified by a
subscriber who amends or sets controls on the internet browser which the
subscriber uses or by using another application or programme to signify
consent.
4. Paragraph (1) shall not apply to the technical
storage of, or access to, information – (a) for the sole purpose of carrying
out the transmission of a communication over an electronic communications
network; or (b) where such storage or access is strictly necessary for the provision
of an information society service requested by the subscriber or user.
You can
read the whole thing at is.gd/MZZYyr. It’s not the most fun reading ever, but
basically, it says websites can’t use analytics cookies without getting
explicit informed consent from visitors.
What does that mean for website owners?
Many websites have already started the
process of gaining consent from their users – check out the ICO’s own website (www.ico.gov.uk) for one example of how
that can be done, or Delia Smith’s website (www.deliaonline.com)
for another. While the ICO did agree to a year’s grace period before enforcing
this legislation, it has been made clear that it will be enforced from May, and
no one’s off the hook.
If you run a website and you use Google
Analytics or similar analytics cookies to track your visitors, you might be
wondering how, or if, this applies to you. And the bad news is, yes, it really
does apply to you. It applies to all websites that use cookies, however
innocent your usage of those cookies might seem. (We’re going to assume you’re
not using extensive behavioural advertising on your site!) Don’t panic just yet,
though. The ICO has issued some guidance documents to help you figure out what
you need to do to comply; you’ll find them on their website at is.gd/0dN1jh.
There’ve been a lot of blog posts written
about this legislation, and a lot of knee-jerk reactions posted online, so to
get a bit more clarification on the situation, we spoke to Simon Rice,
Principal Policy Advisor (Technology) at the ICO. ‘The letter of the law says
that every website needs consent to use cookies, but it certainly doesn’t say
that websites can never use cookies,’ he says. ‘It’s really about getting
website operators to look at the cookies they’ve got, and find out what those
cookies are actually doing, and assess how privacy intrusive they might be.
Even in terms of analytics cookies, there are different analytics providers,
and there are different things that website owners can do within their
settings.’
The first thing to do is to take a look at
your website and see what cookies you’re using. If you’re using Google
Analytics, there are two kinds of cookies used: first-party (which means the
stats gathered are visible to you) and third-party (which means they’re passed
on to Google). The ICO considers first-party cookies less intrusive than
third-party cookies: Rice explains, ‘If you’re just trying to get a raw number of
visitors, that’s a lower level [of intrusiveness]. If you’re saying ‘right,
these are the visitors who came, these are the pages they looked at, and now I
want to choose which products are for sale, or, based on what they’ve read
before, I want to change the order my blog posts are displayed in, to show them
what I think might be more relevant to them, that’s getting higher up that
scale.’