The EU Cookie Law and Web Analytics

The EU Cookie directive will come into force in the UK imminently. To sum up as simplistically as possible what this means for website owners, it means that users of your website must opt in before you can store ‘non-essential’ cookies on their website.

If you want the full story, you can find a complete guide to the EU Cookie Directive here.

When Does This Come into Force?

It actually took effect on 26^th May 2011. However, the UK ICO gave UK website owners a 12 month grace period before it plans to start enforcing the regulation. This means it effectively comes into force in the UK on 26^th May 2012.

What’s the Problem?

The problem is Brussels sticking its nose in where not necessary that very few websites at present ask users to consent to cookies being stored before going ahead and storing them. So users are not accustomed to seeing any consent requests.

Asking users for their consent for something they may not even fully understand will be an interruption to the user experience and could even make them question the trustworthiness of the website.

Which Websites Use Cookies?

Most of them! If you have any sort of web Analytics (e.g. Google Analytics) then your website stores cookies too.

Essential and Non-Essential Cookies

The EU guidance stipulates that cookies essential for the functioning of a website will be considered essential and therefore are exempt from the regulation. This would include, for example, cookies stored during a checkout process on an ecommerce website.

However, the ICO has stated that web analytics are likely to be considered non-essential. With Google Analytics specifically, the cookies it stores are ‘first party’ cookies, thus consent to store them is only needed once. However, this would still mean getting users to opt in.

UK Government Stipulates Web Analytics are ‘Essential’

The UK’s Government Digital Service (GDS) has taken a contrary stance on Analytics to that of the EU. It issued guidance to public sector websites and also a blog post that refers to analytics cookies as ‘minimally intrusive’ and ‘essential.’

The most interesting excerpt from the GDS blog post is this:

“Inevitably, analytics and the vital role analytics-related cookies play in allowing public sector websites to be held to account on the cost-effectiveness of the way we deliver government information and services came up.  Even more importantly, analytics are essential to our “continual improvement” approach to developing digital public services, which is critical to delivering the government’s digital by default agenda.

The consensus was, especially in the case of first-party analytics cookies, these types of cookies are “minimally intrusive” (in line with the ICO guidance) and that the bulk of our efforts to rationalise our use of cookies should be focused on cookies classified as “moderately intrusive”.”

The GDS also made reference to a statement in the Information Commissioner’s Office (ICO) guidelines that says:

“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

So What Does This Actually Mean?

Well, it means that the ICO is telling us we should technically be seeking consent to store web analytics cookies. However, it’s also saying they don’t consider such cookies to be high risk for users and are therefore not prioritising breaches relating to analytics cookies.

In reality, unless Google Analytics (and other 3^rd party solutions) issue workarounds, there are millions of sites technically likely to be in break of the regulations come 26^th May.  But it doesn’t seem like the GDS, ICO or, well, anyone, is all that concerned!

Panic over?