With just over a month until the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is enforced, it was high time that an organisation with the weight to set a precedent got off the fence and took a serious position on the matter.

Who better than the UK's Government Digital Service? 

I’m not sure I expected the UK government to be the one to lead the charge on cookie law compliance, and I’m certain I didn’t expect them to be the ones to argue that web analytics are “essential”, but that’s exactly what they’ve done with their snappily titled Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites.

So does it stand up to scrutiny? And more pressingly, does it get the rest of us out of a potentially difficult situation?

The government’s argument

The Government Digital Service (GDS) takes the view that web analytics are “essential to the effective operation of government websites” and that “at present the setting of cookies is the most effective way of doing this”.

Further, they feel that web analytics cookies are “minimally intrusive” and that “their usage tends to be controlled by the first-party” (emphasis theirs).

Finally they point to a statement in the Information Commissioner’s Guidance on the rules on the use of cookies and similar technologies which would appear to seal the deal:

Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.

Does it stack up?

The title of the GDS’s blog post, It’s not about cookies, it’s about privacy, echoes sentiments expressed in my own recent article on privacy and the cookie law for the LBi bigmouthmedia blog: Joe Public does not, on the whole, have a firm grasp of online privacy, and we don’t have to look very hard to see stark contradictions between popular belief and patterns of behaviour.

So getting hung up on the technology isn’t the point; we must instead concern ourselves with the end result.

Still, laudable as it is, the GDS’s concern for the spirit rather than the letter of the law doesn’t stop them from protecting their own priorities, relying largely on the ICO’s statement that they’re “unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action” to justify doing little to change their current analytics implementations.

Like private sector website owners, they’re not terribly keen on obtaining informed consent, either, calling it “disruptive to the user experience”, by which they mean, of course, that practically nobody will consent.

They’re not explicit about how they’ll address this problem, but they will apparently seek to “raise the awareness levels amongst users of government websites about the uses and functions of cookies”.

The other sticking point is that elsewhere in the quoted Guidance document, the ICO advises that analytics cookies are “unlikely to fall within the exception” and defines “the exception” as applying only to cookies which are “for the sole purpose of carrying out the transmission of a communication” or which are “strictly necessary” (as distinguished from “reasonably necessary”).

In other words it could go either way and, like many organisations considering their cookie options, the GDS seems set to take a gamble that the ICO won’t crack down on analytics.

That's not a position I'd have expected the government to take and, as an ex-local government officer myself, I have some sympathy with whichever poor soul had to write the risk assessments.

Of course, one could take a view that their aims of assuring the “best possible user experience” and encouraging “citizens to use more cost-effective channels for accessing government services” means that what’s good for them is good for their users, but that seems like the thin end of a wedge and an argument that would be unlikely to cut much ice with the ICO were a private company to be the first to make it.

Where does this leave us?

In terms of understanding what a robust, long-term response to the law looks like, it seems we’re still at square one, but unless the GDS change their view (or are required to change it after May), the rest of us can at least continue to be hopeful that our analytics are safe for now.

So what do you think, government fudge or rational response to vague guidance?

The EU Cookie Law: A guide to compliance explains the legislation as far as it affects UK online businesses, sets out some practical steps that you can take towards compliance, as well as showing some practical examples of how websites can gain users’ consent for setting cookies.

Published 26 March, 2012 by Glynn Davies

Glynn Davies is Technical Account Manager at LBi and a contributor to Econsultancy.

Comments (63)

Tim Leighton-Boyce, Analyst at CxFocus

Interesting to see that they're taking this approach. But I think they're going out on a limb.

As you point out, the guidance is explicit about analytics.

The approach seems to be a very pragmatic one, based on the "unlikely prioritise" and maybe a shrewd guess at the resources available for enforcement. But a high profile commercial site might fall victim to someone lodging a complaint either out of malice or just to provoke a test case.

over 4 years ago

Matt Clark, Analytics / CRO Consultant at Userflow

Hi Glynn,

Thanks for sharing this.

I've scanned the document and while it does recommend increased record keeping and risk analysis of cookie use, I don't see anything about prior consent mechanisms in there.

As you say, if internal departments within the government are not adhering to this draconian law then this certainly provides hope for the rest of us.

In my view the government would be more pragmatic than the ICO on realising the harm this would do vs the benefit and this document seems to confirm that could be the case.

Matt

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

Thanks Tim, Matt. I agree with you, Tim, that this is likely a calculated risk. I've speculated elsewhere - as have others - that resources are sure to be a decisive factor in how this law is applied in practice. Still, I'm a little surprised that their response isn't more substantial, though I can well understand why it isn't.

over 4 years ago

Rob Mclaughlin, VP, Digital Analytics at Barclays

Whilst I'd love to think that this is the start of the UK government/authorities making a stand in defence of online commerce I feel it is just a pragmatic attempt by the GDS to avoid having to comply. Whether their position is sustainable will be key however.

If they can hold fast then business will have good precedent for maintaining analytics related cookie tracking. Alternatively, if they are forced to conform then we have a 'test case' in a practical sense for business conforming also.

For my purposes there is still no other option than to continue down the path to compliance whilst keeping an open mind and ear for developments.

Glynn - any thoughts about this on a pan-European basis rather than just the UK?

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

Thanks Rob. That's basically what I'm driving at: it feels like they're sidestepping the issue a bit, and if it works for them there's good reason to suppose it'll work for everyone else, too.

I'd be surprised if the response in Europe was much different. The complexity of compliance across multiple territories is one thing; but if local interpretations of the law differ, which seems probable, things start to get very messy indeed.

over 4 years ago

Tim Leighton-Boyce, Analyst at CxFocus

I agree with Rob that there is no alternative for any large or public company other than going down the path to compliance. Slowly but thoroughly documented.

Who could go on record to their board or shareholders with the line: "The law? Oh, we're knowingly breaking that."

over 4 years ago

Jim Barter

There's no 'crumbling' here as your article headline suggests, it's just that the cookie dough isn't baked yet, we're still deciding on the ingredients.

over 4 years ago

Marcus Stafford, Chief Executive Officer at Informed Choices Consulting Limited

I think quite a few organisations will be basing their compliance around the word 'unlikely' and I'm glad that a government department will be leading the charge.

over 4 years ago

Matt Clark, Analytics / CRO Consultant at Userflow

Tim/Rob - Interested to hear what you say about compliance. To me the decision is not clear cut because there is also risk in 100% compliance too.

Imagine an e-com manager explaining to the board why they implemented an opt-in solution before anyone else, losing 95% (or more) of their data and £X sales through the death of their MVT, merchandising and analytics tools. Only for the rules to be relaxed later down the line.

If it were me I wouldn't implement an opt-in solution until it became absolutely necessary. i.e. If you don't comply by X you will face X penalty.

A big part of UK law is set by precedent and a government team admitting this is not workable is a good precedent for the rest of us to hold fire IMO.

over 4 years ago

Steve Jackson, CEO at Quru Oy

I was present at a panel discussion with the ICO at the eMetrics last year in London where this topic was debated. The ICO said at the time that they would not sue on the use of first-party cookies used only for analytical purposes where no personally identifiable information is passed and that cookies for this purpose weren't the issue they were trying to address.

This seems to back that up.

over 4 years ago

Tim Leighton-Boyce, Analyst at CxFocus

Matt,

To clarify: I wasn't advocating early adoption. I witnessed the data effects of implementing 3DS very early on. But do not say that you intend to break the law.

I was advising taking slow, careful and documented steps towards compliance.

The most obvious step is to conduct the audit. At which point you can demonstrate that you're not ignoring the law. No final implementation of opt ins etc until the process of investigating appropriate solutions is completed (aka waiting to see what emerges when the dust settles).

over 4 years ago

Nikolaj Bomann Mertz

I really hope that Danish Government will take a look at this post. The point of the other post is actually quite interesting: "It’s not about cookies, it’s about privacy".

Thanks for a great post.

over 4 years ago

Rob Mclaughlin, VP, Digital Analytics at Barclays

@Matt

Frankly if you can show me an ecom manager who can make that case in a credible way to the board I would be impressed.

More likely, it is Legal and PR who are representing this issue in front of most boards, most marketing functions have failed to engage in this area, meaning implementation will be put (scarily) in the hands of IT/dev.

By not taking this law seriously most marketing teams have denied themselves a position at the table when it comes to what to implement.

Just as you say 'if it were me', most of us would ride the gauntlet and see how this develops but 'me' can mean a small start-up or a public company - the stakes and priorities are very different!

over 4 years ago

Lord Manley, Principle Strategist / Director at BloomReach

I agree with Tim. I believe that it is better to plan for complete compliance with a clear roadmap than to implement half-hearted measures.

Better to have a full plan in place than this kind of mechanism which clearly does not comply.

'Unlikely to sue' is not the same as 'compliant' and the government OUGHT to be first to recognise this.

over 4 years ago

Lawrence Shaw

Really in support of both Lord Manley and Tim - isn't it better to plan to do it properly, based on a proper audit and planning.

Trying to justify 'analytics cookies' as essential isn't a very good starting point - if analytics are essential, why don't sites use a 'cookieless' solution - more so, I'd say that the only industry that analytics are essential for is that of the media (their business model relies on knowing visits etc).

Lots of providers share data - I don't think there can be any certainty about how intrusive cookies such as analytics could be - now or in the future.

The ICO have made it clear and there are enough issues / problems for all, in trying to do a good job, without some left field ideas that cause nothing but confusion and lack of understanding.

over 4 years ago

Sophie Relf

I think that GDS are hoping that user ignorance will save them; which is risky at best. If they at least published a cookie directive for all of the government sites that are affected by it, and made the directive indexable by Google (part of their site map) then users would feel more involved. They should also invite feedback.

over 4 years ago

Matt Clark, Analytics / CRO Consultant at Userflow

@Tim

Makes sense. Knowing what cookies are being served and what they do is good practice IMO and it is no bad thing that the law is forcing that.

The GDS doc seems to recommend that also.

The crunch, is deciding to implement an opt-in before May or wait a little longer and see if something changes.

over 4 years ago

Alasdair Wightman, Digital Analyst at So What Analytics

As always a good debate here.

Firstly knowing how government departments work they are invariably risk averse so for the UK GDS to go public on their approach to dealing with analytics and the EU directive suggests (admittedly does not confirm) they have sought advice from the ICO and feel comfortable they will not be prosecuted.

Tim and Lord Manley are right to suggest that companies should have a full plan in place. The letter of the law is clear that analytics will require opt-in consent. Any decent lawyer or company secretary worth their salt would not allow themselves to be put in a position where they can be criticised by their own board for potentially breaking the law.

On the other hand Matt is right to suggest don't implement a full opt-in solution yet. Why implement something that may and I stress may not be needed and could cost your business or organisation significant amounts of money. My advice to a company at this stage would be to:

1) Perform a thorough audit of their site for all tracking functionality (not just cookies)

2) Review and rewrite their privacy policy where appropriate and make it much more available/visible to visitors to their site.

3) Make it as simple and clear as possible to opt-out of various forms of tracking and make it clear to visitors what that means when they do opt-out.

4) Have a credible technical solution and fully scoped out plan to move to opt-in if the ICO suddenly gets heavy with them.

It's been clear for a while now that analytics solutions that do not track PII are not the real issue for the ICO. Although the ICO have never been totally explicit about it they have on more than one occasion indicated they are highly unlikely to do anything which is in line with Steve's experience at eMetrics last year.

Finally I strongly suspect that this time next year companies/organisations will still be using GA and other non-PII analytics solutions without opt-in consent and wondering what all the fuss was about.

over 4 years ago

Matt Clark, Analytics / CRO Consultant at Userflow

@Rob

Totally agree marketing should want to be involved in this. Every digital marketeer I have worked with has relied on data on a daily basis which might not be available if the decision were made purely on a legal basis.

I have seen 'IT solicitors' instruct clients there is no problem with implementing an opt-in, if it is done in a way which doesn't interfere with UX. But what about the lost data?

We all know how important data is to so many functions of e-com whereas legal, PR etc. can't understand that. I think we need to be the ones to make clear what a detrimental effect on the business an opt-in could have. Many people within the business might not even be aware there is a downside!

over 4 years ago

Malcolm Duckett, CEO at Magiq

@Glynn

Sanity prevails - It's about Privacy not cookies.

We need to learn to respect our visitor's data and privacy, and so we should not view attempts to legislate in this direction as "interference" or "a bad thing", but as documenting good practice. We at Magiq (and Celebrus and before that Speed-Trap) have believed this for a long time. That's why we implemented opt-out back in 2005 (from memory) and why we think the latest round of technology can (and must) be used to ensure protection of visitor's rights, privacy and interests.

From our perspective, cookies can perform an essential function of "remembering users privacy preferences", and can be used to implement visitor's decisions on this, customers are even starting to look at using our LifecycleMAGIQ solution as a privacy TagManagement Solution...

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

@Malcolm

I'm not sure if you mean to say that I think legislation to protect privacy is a bad thing, but for the avoidance of doubt that isn't my position. In fact, in my other article (linked above), I'm quite clear about my belief that we need to protect privacy on-line and enable the general public to make informed decisions about it.

over 4 years ago

Malcolm Duckett, CEO at Magiq

@ Glynn
No, I wasn't meaning to imply you were not in favour - it sounds like we are both on the same page...sorry if it came out wrong...

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

@ Malcolm

Not at all, glad we agree!

over 4 years ago

Duncan Smith

We are heading for one almighty train smash.

There will be no winners (at least not for a long time)

The EU and the UK Government have 'painted themselves into a corner' and there is no way out.

Without doubt, the reasons for changing the law were honourable, applaudable and over-due. Personal privacy had been eroded to a point where regulation was a sensible option and perhaps the only way to change the balance of power in the privacy versus revenue 'game'.

However, the amended Directive with its requirement for consent has come too late in the evolution of the internet economy to achieve its ambitious goals without serious harm.

The divergent views of the US internet giants and the EU constitutional privacy lobby will only lead to confusion and obfuscation.

Without international agreement, the enforcement of UK/EU law on website owners in the EU will economically disadvantage those who seek to comply with the letter of the law.

As this latest guidance demonstrates, the economic drivers for non compliance are powerful enough for government organisations to publicly declare the law 'unworkable'.

Predictably there will be no repeal of the law, and the ICO will continue to 'bark on the end of a short leash'.

There will be ICO audits, there will be enforcement orders, there will be 'window dressing', and eventually we will come to an (uneasy) understanding of how to balance the three-legged stool of legal acceptability versus user acceptability versus financial acceptability.

In reaching this understanding, there will be casualties. Appalling user interfaces, lost ad revenue, lost sales revenue, infuriated web visitors, the commendable privacy strengthening ideology?

Right now the sensible option is to work fast and smart, preparing a 'bone to throw at the dog'; auditing your tags, adding words to your privacy policy, and dancing round the 'handbag of inferred consent' in the hope that over time we can ..

1. bring the web users 'intellectually along for the ride', getting them to grasp the economics of the WWW, why websites benefit from knowing more about someone, and how those benefits are RETURNED to the individual (the informed consent bit);

2. Unravel and expose the unnecessary invasion of privacy, singling out those 'analytic' business processes which serve only to profit from the user, give nothing back and care not for the concepts of data minimisation and the right to be forgotten.

3. create a 'mechanism of choice' (I'll take effective opt-out), with a user interface sent down from Steve Jobs, which works beyond a unique browser, beyond an individual browsing session, and across jurisdictions.

Guess we'll be waiting a while then ;-)

over 4 years ago

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

This is a courageous move by digital.cabinetoffice.gov.uk and I thank them for stepping-up to the mark :)

The fact that they have started the process of enacting a cookie auditing, implementation plan and consequently updated their web privacy policy - means they are unlikely to get fined.

A grossly-inaccurate privacy policy (or worse a missing privacy policy), is actually more dangerous than not installing the opt-in choice (especially as privacy policies were covered by the 2003 regulations).

The reason for this is, that the privacy policy forms a visible "statement of intent", which will ultimately be used to hold organisations to account. Additionally, GDS are going an EXTRA-STEP and published their implementation plan, which is a good move.

From a Web Analyst point of view, I can see the dilemma:
a) Destroy 5 years historic cookies-based visitor data, and move to ~10% opt-in popups, with no means of normalising back to statistically accurate levels for Yr-on-Yr or Mth-on-Mth comparisons due to fluctuating opt-in rates.
b) Fallback to legacy serverside tracking (which ignores AOL proxy visits, incorrectly clusters visits from static-IPs, excludes ecommerce revenue data, and is grossly inaccurate)
c) Stick with current GA default installation, but add prominent notification and opt-out links.
Thus, the selection option is obvious!

Additionally, if GDS are only using 1st party cookies combined with prominent notification and opt-out links...

..Then, I suspect the gamble is, that the ICO will target the dangerous fish first, then hunt for minimally dangerous offender.

Although there is no doubt that GDS is a Big fish and flagship website, so the scale of users browsing their website (and thus cookie-fied) may play against them.

Public funded organisations are in a unique position that they are able to play the "user-intent defensive" strategy i.e
* "that they are acting in the best interests of the user, by spending UK tax-payers money more efficiently, by using cookie-based continuous improvements mechanism and by using return visitor or ecommerce data for monitoring performance comparative to KPI targets.

Both arguments are of "good user intent":
* GDS - spend public money better.
* ICO - don't assume users are happy to be tracked.
I think tracking non-UK visitors (e.g. a Dutch visitor browsing the website, tracked by default) is the only flaw in GDS argument.

If a fine/settlement is applied, then it is feasible that the 1998 Data-Protection guidelines could be used as a template for mitigating risk, thus GDS would need to prove that they have:
* Taken "Reasonable" steps (e.g. publishing their cookie compliance guidelines)
* Conducted a Risk Assessment (aka Cookie Audit)
* Have a clear allocation of Responsibility
* Have Processes & procedures in place
* Codes of practice in place (3rd party external audit, Member of Trade Body, or TrustMark etc.).

Source pg11-13: ICO guidance on Monetary Penalties
http://www.ico.gov.uk/news/~/media/documents/library/Data_Protection/Detailed_specialist_guides/ico_guidance_on_monetary_penalties.pdf

It is also worth reading the ICO's yearly report from last year, where it declares...

"We ended 2011 preparing for changes to the UK’s Privacy and Electronic Communications Regulations (PECR) which enable the ICO to issue monetary penalties (e.g. £500K) and extend our investigative and audit powers ... the changes include new rules for websites using cookies, which - while presenting challenges in implementation - will have positive benefits for individuals, providing more choice and control for consumers over what information is stored and accessed by the websites they use".

Source Pg19:
http://www.ico.gov.uk/about_us/performance/~/media/documents/library/Corporate/Research_and_reports/annual_report_2011.pdf

Please also read my note about EXCEPTIONS to the CookieLaw "warning letter received" before a fine is applied, for example:
* gross negligence
* gross deception
* exceptionally high level of consumer complaints.
http://econsultancy.com/uk/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey#blog_comment_88418

Thanks

Phil.

over 4 years ago

Meriel Lenfestey

This is interesting because it stems from the fact that there are several key differences between the law and the guidelines, and not only around analytics. Many companies will take the view that they will take a lite approach and see what happens. I wrote a piece about these contradictions on the Foolproof blog. http://www.foolproof.co.uk/eu-cookie-directive-could-make-the-web-less-accessible-for-all-2/

over 4 years ago

Rob Mclaughlin, VP, Digital Analytics at Barclays

@Duncan
One of the best pieces of advice I have heard from yourself at Digital Cream regarding language:

~ "Tracking is a provocative concept, think measurement instead"

This is a subtle concept I will definitely be taking into all cookie related conversations going forward.

over 4 years ago

Mark Steven

Good, balanced post and some really informative comments here!

I too was surprised by the GDS approach. It clearly isn't following the letter of the law in terms of analytics, but it's also pretty clear that the chances of getting your wrist slapped for running analytics cookies on your site are negligible.

That said, it is just a bit odd how wedded GDS are to Google Analytics. There are some pretty good cookie-less solutions out there, including the excellent, free, Open Source, Piwik.

The fact that we're discussing this at all demonstrates how poorly the legislation has been communicated: The ICO could have expressed this in black and white terms.

It's not the role of a regulator to say "it's OK, we'll let you get away with X, because we can't be arsed to deal with it."

As a result we're forced to worry about assessment of risk instead of just getting on with the task of compliance.

But maybe that's just me. I yearn for simple life. A gently babbling brook, skylarks... that kind of thing.

over 4 years ago

Lord Manley, Principle Strategist / Director at BloomReach

To EVERYONE who thinks this legislation is unworkable or a train wreck I say this: Drivel.

Yes it means change, but not insurmountable change and if we fear change then perhaps we should all go back to working in print?

To John Harrison I say this: stop spamming ;)

over 4 years ago

Adam Tudor, Senior Digital Marketing Manager at The Black Hole

I find it interesting that we can walk into any store on the high street and be filmed and recorded without opted in consent. Our activities and actions can be monitored to the nth degree, analysed, and new sales and merchandising changes be made as a result of it.

On the web, we must get that approval opted-in before we can even take a peek at who might be doing what in any little detail. I understand non-cookie solutions exist but in my experience they have been too limited in functionality.

I understand this is about web privacy over shopping and cookies, I just find it interesting to draw those comparisons between the online and offline high street.

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

Absolutely agree Adam. It's not necessarily right that we're filmed etc. without consent, but it nonetheless highlights some inconsistencies in general attitudes to privacy.

over 4 years ago

Lord Manley, Principle Strategist / Director at BloomReach

@Adam, you cannot. CCTV operators must let people know they are using CCTV. The signs must be clearly visible and readable, and should include the details of the organisation operating the system if not obvious.

Essentially CCTV operators are required to gain informed consent.

Whilst it does not have to be opt-in, the signs do need to be shown at the entrance, so that the customer is informed and has a specific option to opt out.

The reason that this difference is there is not due to a subtle high-street bias, but because it is not possible to turn off CCTV for each customer until they opt in. With cookies it is possible, easy and appropriate.

There are numerous ways to comply with this directive without it negatively impacting your website to any substantial degree, we need to stop trying to avoid it (as with the GDS), embrace it and move on.

over 4 years ago

James Gurd, Owner at Digital Juggler

Hi Glynn,

Thanks for an interesting article.

I'm torn on this subject. I agree with Tim et al that companies should take this seriously and go through the required process. Whether or not that ends with explicit opt-in is debatable and I think it is pragmatic to wait a while to see how this pans out. However, ensuring that privacy policies and disclosure of information on use of cookies are as clear and concise as possible is essential. The fact is, that should have been in place when the website was launched. Ignoring the law, no matter how strongly you feel about it, is a bit too head in the sand and we all need to be professional and responsible.

However, as to the necessity of this law and complete compliance, I'm sceptical. Just how concerned are non-industry people about privacy issues relating to web analytics cookies? How many even know what web analytics cookies do? How many people would complain if they did? I feel that we risk creating a problem where one doesn't really exist.

I personally think the best way forward (and this is not based on legal compliance per se) is to educate customers and enable them to make an informed choice but without explicit opt-in. When asked to opt-in, people are often put off as they think they might be committing to something bad. Take opt-in to t's & c's in checkout funnels, I've seen first hand how that can negatively impact conversion yet people are fine placing an order with the same t's & c's when they don't have to explicitly accept them. Give people the facility to opt-out if they so desire and easy access to the info needed to make that decision.

I'm not saying hide info away and deceive, just that pop-ups like the one on the ICO website are incredibly off-putting and intrusive. If companies lose a lot of analytics data, the user experience will be compromised as it will impede site optimisation and improvements. Hopefully a balance will be found but it's obvious from the feedback that a consensus of good practice is a long way off.

Thanks
james

over 4 years ago

Adam Tudor, Senior Digital Marketing Manager at The Black Hole

I would be happy with informed consent on websites, a simple 'cookies will be tracked if you visit this site' would be great!

It's unfortunate that cookies can selectively opt out, otherwise we wouldn't have this problem at all and work on the stores method. Curse the invention of flexible systems!

If technology was available that could selectively not film opted-out individuals through cctv in shops, I wonder if it would legally have to be implemented in all shops by default, an interesting thought that the retailers would love.

I might get to work on developing one.

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

@Manley, exercising the right to opt-out of CCTV, FootPath, etc. seems impractical almost to the point of being impossible, and you're right to point out that it's fairly simple to do on the web. I think it's interesting that acceptance of CCTV etc. is widespread (arguably for lack of an alternative), and people willingly hand over a lot of very personal information to a certain targeted marketing website, yet people seem more circumspect about analytics, personalised search, etc.

@James, thanks, and I think you make a very good point. I keep banging on about contradictions in prevailing attitudes to privacy, and I agree with you that if the average web user properly understood analytics they probably wouldn't have much concern for it. As it is, I think some mainstream media coverage of web privacy issues over the last few years has inculcated a sense of indiscriminate fear.

over 4 years ago

Richard

Interesting that technically the recording and logging of *all* email communication and *all* private browsing activity is mandated by government already. So why the new bunch of draconian laws from unelected bureaucrats in the EU?

over 4 years ago

James Gurd, Owner at Digital Juggler (Small Business Multi-user)

Hi Glynn,

It reminds me a bit of the 3D Secure shenanigans back in 2005/06.

I implemented this at Robert Dyas and some of our customers got worried and thought it was a hacking scam. It didn't help that mainstream media was obsessed with card fraud at the time, so fear increased.

We saw a sharp hit to the checkout conversion funnel and had to think carefully about educating customers to help them understand the benefit. We got there, as did many other retailers, but not without some major headaches, not to mention dev costs.

The fact is that if people don't understand something, they are instinctively more concerned by it and likely to react negatively. Education is important but we can't overwhelm people with info - if we make it sound intimidating, we'll help fuel the fear.

thanks and please keep the helpful articles coming.
james

over 4 years ago

Glynn Davies, Senior Technical SEO Account Manager at LBi

"Education is important but we can't overwhelm people with info". I think this is what's wrong with a lot of the privacy/opt-in/out text I've seen so far: too long, too dry, too unlikely to be read and understood. But then it's a difficult thing to explain well without being boring. Quite a conundrum.

over 4 years ago

Edward Weatherall, Commercial Director at The IDM

The bit of advice I can offer is that whilst not jumping in with both feet it is important that you can demonstrate you are doing something. The simplest way, I have seen, is to do a cookie audit, so you know what cookies you are using across your digital assets.

The ICO has delayed enforcement for 12 months (this is law right now) and it will not be enough to say I'm waiting to see what happens.

over 4 years ago

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@Glynn - Just on the subject of Cookie EDUCATION, here is a playlist of Cookie related videos (Press > Play-all button):
http://www.youtube.com/playlist?list=PL45AABD8BB96D3785

Thanks

Phil.

P.S I have converted the "GDS implementation guide" from .PDF to .DOC format here:
http://db.tt/C6zURSvH

over 4 years ago

Adam Cranfield, Chief Marketing Officer at Mynewsdesk

The ICO says: "Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

So is there really no need to require opt-in for analytics cookies?

Simon Lande of Magus has written a nice post on this here: http://www.webmanagersgroup.com/2012/03/22/cookies-shedding-light-on-grey-areas/

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@ALL Glad to see continued vigorous debate (I think we call it 'engagement' these days? ;) ) on this topic.

For those who haven't filled their boots with cookie/privacy views then do read the 100 (!) comments on this earlier article: http://econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance

Personally I'm now less interested in the debate/nuances and much more interested in what people are actually *doing*. On that note:
1. Econsultancy are due to set live our 'solution' later today. And I can tell you now it won't be compliant ;)
2. Depesh from Tesco kindly pointed out this implementation from BT: http://www.productsandservices.bt.com - I don't think it's strictly-speaking compliant but it's one of the best I've seen so far (and easily goes far enough in my view).
3. And Magiq's (Malcolm's company, on this thread) selective opt out/in is also a good, practical example which, again, is arguably not 'compliant' but amply sufficient: http://v8test2.magiq.com/P3P_Options.html

over 4 years ago

Adam Cranfield, Chief Marketing Officer at Mynewsdesk

@Ashley Look forward to seeing your 'solution'!

And I like that Magiq technique of using the 'anonymous' label for opting IN to standard analytics tracking.

The BT pop-up disappeared before I had a chance to read it. Nice! And it doesn't reappear on subsequent visits - due to that cookie that I didn't approve...

over 4 years ago

Tim Leighton-Boyce, Analyst at CxFocus

I've grabbed a screenshot of the BT overlay and stuck it on G+

http://bit.ly/H8r5KT

It's very good.

Tim

over 4 years ago

Neil Robertson-Ravo, Head of Technology for Marketing at Imago Techmedia

@all The fundamental problem (as we all know) is that the "law" is ill conceived and will pretty much be poorly implemented - methinks that a vast majority of organisations will simply ignore it.

It isn't about privacy per se - it's about education - "what is a cookie" if you will.

The bottom line with regards to compliance is that all you need to do is:

1. Explain what cookies you are setting and why (session cookies are exempt but worthwhile explaining)

2. Give them an option to "opt-out" such as using a service such as: http://www.civicuk.com/cookie-law/index.

3. Ignore it ;-)

There are also workarounds which mean you can still "track" etc i.e. http://cookies.dev.wolf-software.com.

I expect this adherence to disappear as quick as it came around.

Just my 2p.

over 4 years ago

Lord Manley, Principle Strategist / Director at BloomReach

The BT slider is something which I think really is going above and beyond - I really like the privacy options made available there.

But then I would say that ;)

over 4 years ago

Tim Leighton-Boyce, Analyst at CxFocus

Could you persuade them to share some data on the impact at some point?

over 4 years ago

Phil Pearce, Senior Web Analyst at ConversionWorks.co.uk

@Tim and @Ashley

I have placed screenshots of the BT.com example here:
http://db.tt/wNvpduvk

Amazon.co.uk has also added an Evidon Notice JS file, but the popup is not enabled yet.

* I have added the BT example to this SlideDeck with 20 implementation examples and screenshots here:
http://db.tt/yYc182rv

Thanks

Phil.

P.S. Here is a copy of my "Recipe for a Cookie Law" presentation, enjoy:
http://db.tt/qKsie3YX

over 4 years ago

Simon West, Chairman at Nett Sales LLP

Looking at the BT site slider (it worked for me!) I was fascinated by my instinctive reaction to want to drag it all the way to the left hand end - deny all cookies.

Even though I understand, use and welcome the benefits of cookies, as a "standard" user I instinctively wanted to deny access to track my activity even to a company doing the right thing.

This underlines for me the difficulties ecommerce sites are going to face in implementing changes.

over 4 years ago

Kevin Edwards

This is quite an encouraging post as it focuses on the education piece. It's worth reiterating the changes between the original Directive and the latest iteration and how the focus is on information and not opt-out/in:

2003 rule
Requirement to provide information
You must provide clear and comprehensive information about any cookies you are using

Requirement to provide choice
You must provide the option for people to opt out of cookies being stored on their devices

2011 rule
Requirement to provide information
You must obtain consent to store a cookie on a user's or subscriber's device

Requirement to provide choice
You must provide clear and comprehensive information about any cookies you are using

The conversations I've had with the ICO and those dealing with the regulation have encouraged our part of digital (the affiliate industry, therefore not the more intrusive elements of behavioural advertising) to focus on the 'informed consent' piece: deal with educating consumers first and foremost.

I accept that the inference of informed consent is a mechanism for consumers to choose the information that is stored about them but the danger is we focus all our energies on opt-in/opt-out technical solutions that are premised on consumers knowing how to make informed decisions about their privacy settings.

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@ALL In case you haven't seen I've just posted an article on Econsultancy's 'solution' to the EU Directive at http://econsultancy.com/blog/9453-econsultancy-s-solution-to-eu-e-privacy-directive-compliance - do let us know what you think in the comments there!

over 4 years ago

Will

It's a confused situation alright! I don't think from what I've read that the BT slider is enough - on their site the user gives implicit, not explicit permission.

Some websites are beginning to implement this now in a more explicit way - see http://www.liquidmodules.com for example.

It's so late in the day now that I cannot see this law being clarified before the 26/05. I suspect your smaller companies are waiting to see what the bigger retailers do first.

over 4 years ago

Neil Robertson-Ravo, Head of Technology for Marketing at Imago Techmedia

Indeed. There is an interesting article here http://www.ukaop.org.uk/news/eu-privacy-directive-consent-opt-in-cookies-evidon3549.html which explains that it's all about "consent".

I am not sure it is 100% on its interpretation though.

over 4 years ago

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur Marketing (Staff)

@Will - http://www.liquidmodules.com is an interesting implementation. It is quite a 'strict' implementation that is much more obviously compliant than most in as much as you have to 'allow' cookies with them being blocked by default. However, it's interesting that:
a. You can only allow them all or not at all. So you can't choose which types of cookie you will allow e.g. 'functional' ones only.
b. They are blocking cookies currently which don't need permission under the Directive i.e. the 'compliance' and 'functional' cookies as these would count as 'strictly necessary'.

over 4 years ago

Tim Leighton-Boyce, Analyst at CxFocus

It would be very interesting to see some data for the http://www.liquidmodules.com/ implementation to see if it matches Vicky Brock of the DAA's classic ICO "Freedom of Information" collapse:

http://www.flickr.com/photos/vickyb/5859873960/in/photostream

over 4 years ago

Neil Robertson-Ravo, Head of Technology for Marketing at Imago Techmedia

@ashley - we will get into way too much detail if most go down the route of what cookies do what etc - why would you bother - it's an unwanted barrier.

There are only 2 rules to adhere by:

1. Provide info on what Cookies you are using

2. Allow them to opt-in/opt-out (which is the same as consent) of storing them.

Again, this is a classic case of a board of people idiotically coming up with a "law" with loose boundaries and definition.

over 4 years ago

woof

This coming from the government that wants to approve a UK version of CISPA? The one that signed ACTA? From the same government in bed with corporations that wants to track bittorrent usage?

They're just worried money will leave them and flow into the internets. The internet will become the fifth nation state by what was it, 2016? And they're seeking revenge on it because unlike other advertising media, they don't see the return in their taxes. So they invent this crap to terrify the internets and allow more of their lawyers into it.

Whenever you change browser, have to clean a buggy browser by cleaning your cookies, which happens all the time, every single time you would have to go on redefining cookie entry on each of this ridiculous law's websites.

over 4 years ago

Will

@Ashley - I just looked at what they're ACTUALLY doing re: all cookies being disabled or enabled using Google Chrome's developer tools. Functional cookies *are* enabled from the start, it's only the analytics cookies which don't kick in unless you click allow. The top area is slightly confusing from that point of view.

over 4 years ago

Kindaian

To: Lord Manley

It is easy to say drivel... but if you have to tackle the issue into 2k websites in 1 month... and hugely under-resourced...

To: Neil Robertson-Ravo

You can't track people using other means but cookies, because the law doesn't state cookies at all, but "information". Additionally it affects all sites, not only business sites, yes, even your mom's Facebook page... or GoDaddy's "holding page" for a newly registered domain.

To: All

The "Cookie Law" has also an additional ramification. 3rd party cookies. Say you include a youtube video on your webpage. It creates a cookie inside the iframe. It's a 3rd party cookie that is created by your site. You need to ask authorization from the user ALL the time, not just the first time.

over 4 years ago

Lord Manley, Principle Strategist / Director at BloomReach

Ah, but we have had a year already, so the problems are not with the legislation, but rather with ignoring the fundamentals of the 7Ps.

Re: the YouTube cookie - once you have gained consent for your site to set a third party YouTube cookie, there is no requirement to gain that consent again, or am I missing something in your statement?

over 4 years ago

Stephan Sokolow

The sad thing is that the law probably won't even work. Google and Facebook will just integrate Panopticlick-style "Fingerprint people via IP and headers. Track them by watching the Referer header." tracking via /var/log/apache2/access.log into Google Analytics and then track people via embeds of justifiable stuff from Google Font Library, their AJAX CDN copy of jQuery, the raw text/images of Google ads, the reCAPTCHA embed used on this site, the raw resources for Facebook buttons they offer to host for you, etc.

(If anyone has enough data to know how to design a fingerprint that gracefully follows people across minor changes like browser upgrades, it's Google and Facebook.)

Meanwhile, smaller businesses will agonize over whether a big company might bankrupt small competitors in court over whether PHPSESSID use is acceptable based on how it could theoretically feed an analytics database (the way software patents are used in America) while they coast right through. (I'm just glad I live in Canada and host in the U.S.)

over 4 years ago

Kondomer

I agree with Stephan. There are so many good things in the law, but it may never see the light. People may not realize it, but there are a lot of obstacles that make the applying of such a law slightly unrealistic, such as the above mentioned ways to "get around" the problem.

But really good article, and I hope this is just the beginning. Maybe this could be the foundation to a more robust law in the future. Crossing my fingers for it.

over 3 years ago

Morten Arbejde, Marketing at Personal

Very nice article - thanks - never really understood all this stuff about the cookies :)

about 3 years ago
