Can we use analytics with the new UK cookie law?

Update: We’ve since published a much more up to date guide to cookie law and started a protest against the cookie law.

It doesn’t look good for web analytics. Due to a new change in the law concerning cookies it is now illegal to set most cookies on UK websites, which suggests almost all analytics can’t be used without breaking the law. Soon this will affect the whole EU.

Currently no major analytics company appears to have a definitive answer (updated 27 May 2011):

  • Google Analytics: No comment
  • Adobe Omniture: This official comment, which advocates a wait-and-see approach
  • WebTrends: This comment, which restates the facts but has no conclusive advice. Plus this rant before it became law.
  • Yahoo! Analytics: No comment
  • Core Metrics: No comment
  • ClickTale: No comment
  • StatCounter: A considered and detailed response, which unfortunately appears negated by the ICO’s official document on the issue
  • CrazyEgg: No comment
  • OpenTracker: No comment
  • comScore: No comment
  • DoubleClick: No comment
  • ClickTracks: No comment

We can’t see how detailed analytics can work without cookies or an equivalent technology, which means users must now choose to be tracked by analytics on every website they visit.

How might analytics work with the law?

Let’s try really hard to ask users in the nicest way possible. Whatever we consider here is likely to get uglier in the real world of lawyers and naysayers.

Modal dialog: This example dialog would use a lightbox, meaning it wouldn’t be blocked by a pop-up blocker, and the developer would be able to control exactly how it looks:

This website would like to track your visit, so we can help improve your website. This information will not be used to personally identify you

Accordion: This approach is less intrusive, but less likely to get noticed (and hence clicked on). A message appears at the top of every page, typically scrolling down to draw attention to itself when the page loads. It may be difficult to make the text short enough to fit, yet informative enough to be legally binding:

This website would like to track your visit, so we can help improve our website

  • Update 25th May 2011: Wolf Software have coded a working plugin which does just this for Google Analytics.
  • Update 27th May 2011: Reddbridge media have also developed an accordion WordPress plugin to ask for cookie consent.

 

Problems with these solutions

They may be possible, but honestly, we don’t think either of these solutions is viable.

  1. Anyone who is asked the question is unlikely to say yes. So you get a lot less information from your visitors.
  2. There’s a cost to asking the question – it annoys visitors, and will prevent some of them from using your site. So you lose business.
  3. There’s a cost to modifying your website. We hope analytics companies provide their own solution, but until that exists you’d have to code all of this yourself.
  4. You can’t use analytics on your first page, because you haven’t asked them this question yet. So you can’t log what website they came from, for example. (Actually this is possible, but only if your analytics software was rewritten by the company who provides it, or you used webserver logs – but neither solution is perfect).
  5. To remember if the user has clicked No, you have to set a cookie! We suspect that the law would permit this as “strictly necessary” and posing no privacy risk, unless they’re a masochistic bunch of clueless bureaucrats, and we’re almost certain they’re not.
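
The consent gate that points 4 and 5 describe, as an added example in JavaScript (not code from this article or from either plugin mentioned on this page): the analytics tag is withheld until an explicit yes, and a refusal is itself remembered in a cookie so the visitor is not asked again. The cookie name `analytics_consent`, its one-year lifetime, the HTTPS assumption behind `Secure`, and all function names are assumptions made for illustration.

```javascript
// Added example: server-side consent gate for an analytics tag.
// All names here are hypothetical, not taken from any real plugin.
const CONSENT_COOKIE = "analytics_consent";   // assumed cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;  // assumed lifetime

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;                      // skip malformed pairs
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      // keep the raw value if it is not valid percent-encoding
    }
    if (!(name in jar)) jar[name] = value;     // first occurrence wins
  }
  return jar;
}

// Returns "granted", "denied" or "unknown". Any value other than the two
// exact strings counts as unknown, so a garbled cookie never enables tracking.
function consentState(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  return value === "granted" || value === "denied" ? value : "unknown";
}

// Decide what the page may do for this request.
function decide(cookieHeader) {
  const state = consentState(cookieHeader);
  return {
    state,
    loadAnalytics: state === "granted", // point 4: nothing on the first page
    showPrompt: state === "unknown",    // do not re-ask a visitor who said no
  };
}

// Point 5: the answer, including "no", is stored in a cookie.
// "Secure" assumes the site is served over HTTPS.
function recordChoice(accepted) {
  const value = accepted ? "granted" : "denied";
  return `${CONSENT_COOKIE}=${value}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Emit the analytics tag only when consent is on record.
function renderAnalyticsTag(cookieHeader, tagHtml) {
  return decide(cookieHeader).loadAnalytics ? tagHtml : "";
}

// Constructed sample requests (not captured traffic).
const firstVisit = decide("");
const refused = decide("session=abc123; analytics_consent=denied");
const accepted = decide("analytics_consent=granted; theme=dark");
console.log(firstVisit, refused, accepted);
```

Because the decision is made on the server from the request's `Cookie` header, the same gate works for visitors who browse with scripting turned off.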

Given these issues, we suspect the easiest route to compliance is simply disabling analytics for visitors from the EU. You would need to add a server-side detection script to do this, and of course you would lose a lot of information in the EU. (You could still measure traffic roughly with server logs, but that’s fraught with its own problems).

We don’t recommend abandoning analytics yet: the analytics companies themselves should have a chance to put forward their own suggestions, and analytics is too important to give up without an overpowering reason. However at the moment this is the only viable route we can see to compliance until browser technology advances (and even then, older browsers will still need to be accommodated in this way).

We’ll keep our fingers crossed.

UPDATE 25th May 2011: The ICO has unveiled changes to their own website which suggest analytics is indeed in trouble.

If you want to know more, see our definitive guide to the cookie law.

  • http://www.facebook.com/oliver.emberton Oliver Emberton

    BBC News just updated us - http://www.bbc.co.uk/news/technology-13541250

    We’re writing a fuller article on this now.

  • http://www.facebook.com/oliver.emberton Oliver Emberton

    This working code shows how Google Analytics could ask for permission before being used. It’s quite slick, and about as seamless as you could hope for:

    http://cookies.dev.wolf-software.com/

    • James

      I like that approach – nice and familiar, but we just have to work out the best wording now…

      • Wolf

        Be very careful when changing the wording, the plug-in makes this nice and easy for you, however we did verify the wording with the ICO before we released it, if you change the wording you risk diluting your compliance.

      • Wolf

        If you want any help with this James then feel free to contact us.

    • Mr Bester

      Requires JavaScript (and jQuery if you’re not using it). That is a deal-breaker for two reasons: inaccessible to those who browse with scripting off (more do this than you’d think) and extra bandwidth costs if the site doesn’t use jQuery.

      • Wolf

        This is very true, however Wolf Software also have a PHP implementation and are developing an ASPX version due for release soon.

    • David Ball

      Here’s another solution that someone posted: http://www.reddbridge.co.uk/cookie-consent

      Again, this uses JavaScript which means it won’t be shown to everyone. Also is this too easy to ignore as it appears at the bottom?

      • Wolf

        This is a nice looking implementation, but one of the key differences is they are charging for their implementation.

         http://www.reddbridge.co.uk/cookie-consent/

        • Wolf

          I talked to the ICO about this implementation (reddbridge) and although it is considered compliant it should also be considered bad practice, as implied consent is harder to prove. And with the bar at the bottom it is much easier to miss and click through. (It also gives a JavaScript error in IE.)

          I am not saying ours is better so don’t think I am, my advice to anyone is to check before you implement something that has legal ramifications, you need to make sure you are covered.

          We went the extra mile to get approval from the ICO before release to try to minimize the headache for people and also tested on as many platforms as we could, including mobile devices, windows, linux etc etc.

          We are also able to customise solutions on request.

          • Mark

            As per above, no javascript error and also the bar has been moved to the top. People can customise their cookies/toolbar themselves through their CMS.

      • Mark

        Hi Wolf/Oliver, 

        We have updated our plugin so that it now appears at the top of the page. While I much prefer having a footer bar, on consideration yes you are right it is better to have it at the top.

        A note that the toolbar isn’t implied consent; the user is explicitly told that by clicking any link on the site they are in so doing actively giving their consent – in essence it turns every link on the page into the ‘I consent’ option, while at the same time providing them with an option to say no. This means they can just browse the site as normal and opt-in, retaining those crucial first-page cookies while fully respecting the visitor’s choice.

        I think this is a sensible solution to being able to continue to use cookies (as quite simply no-one is going to go the extra mile on any site and click a specific button to opt-in, even when having these cookies doesn’t bother them in the slightest, whereas they will happily carry on clicking on something they wanted to click on anyway if they do agree). Just one example, for an e-Commerce business having the vast majority of their visitors not take part in analytics would be devastating for them, so this issue goes well beyond just finding a technical solution – it’s vital for various UK industries that something that is right for business is created.

        Re pay vs open source: ultimately our plugin is meant either for people who run CMS installations and have no knowledge of or interest in editing PHP files (and in many cases won’t even know what those are, or how to access them), or CMS programmers who are looking for a simple configurable plug and play solution, and so the plugin goes beyond inserting standardised JavaScript and instead allows people to configure it and their cookies as per their needs via their CMS interface. There are a large number of small businesses out there who have gone and got themselves WordPress websites, and got Google Analytics via a plugin, but their knowledge only extends to logging in and working inside the CMS; certainly for those people for just a tenner the plugin saves them the expense and hassle of having to go and find someone they can trust to edit the site for them, and for many a layperson that is a big deal.

        Certainly if someone is competent enough to know how to edit their source files and they’re willing to do things manually then (provided they’re happy with the functionality it provides) of course yes your free version will do them just fine, especially as they can edit it at will.

        As it will be businesses buying this we do feel that, for our extended products, giving them away to companies doesn’t make sense to us versus setting what is just a very low price that anyone could afford.

        No doubt the plugins will continue to evolve, and we will make any updated versions available to existing users.

        Mark

      • Mark

        Sorry for the inadvertent formatting below!

  • Eli

    It all depends on how you word it. Try asking users “Would you like a cookie?”. Of course they will say yes.

    (joking)

    • David Ball

      I know you’re joking but I think in spirit you’re right. If we are forced to justify the reasons why we’re using cookies, we have to let the user know it’s for their benefit, and we’re not just using them to track them like some evil Big Brother. Most cookies are intended to make the user experience better, we just have to convince users to see it that way. I worry that this law will give people the wrong idea about cookies.

      • Wolf

        The key thing is transparency as long as the user knows what you are setting and why it is of benefit to them then most will make a decent decision, it is only when you try to hide something that you have problems.

  • Alec Cochrane

    Hi Oliver,

    Just to add another point.  Adobe has a blog post on their site now and Google has lots of posts on its forums which have been answered by members of staff (but no official announcement).

    Interestingly the latest update implies ‘Informed consent’, not ‘prior consent’.  This reads to me that privacy policies are not good enough, but that pop ups and the like are too much.

    We discussed this at a Web Analytics Wednesday not long ago.  Privacy policies are too long and full of legal jargon.  Users won’t read it and probably won’t understand it so won’t be informed.  Privacy policies however are necessary for legal reasons.  This means that you’ll need something else as well explaining the use of cookies and giving methods of opting out.  Note that it is going to still be opting out.

    That is, of course, my interpretation!

    Shameless plug: I did a blog post on the media reaction last week:

    http://www.whencanistop.com/2011/05/new-cookie-law-reaction-round-up.html

    Cheers,
    Alec

    • http://www.facebook.com/oliver.emberton Oliver Emberton

      Thanks for the tip Alec – we’ve updated our article now and linked to yours in our main (more popular) cookie article. 

      I think the only thing I can conclude for sure is we don’t know what to conclude for sure!

    • Mark

      The dropping of ‘prior’ from consent in a certain part of the directive was in response to feedback relating to the impracticality of doing so in certain circumstances (ie. PHP or ASP session cookies which have to be set as soon as the page loads, in fact the ICO website itself sets one of these), however consent is still expected to be gained in advance in the majority of cases.

      In Ed Vaizey’s open letter the other day ( http://www.dcms.gov.uk/images/publications/cookies_open_letter.pdf ) he says “It is important that stakeholders are aware that in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken.”

      In terms of getting prior consent versus just somewhere being clear as to what your cookies are and what they do, it seems to vary depending on how essential they are and what their behaviour is. If it’s just to perform an operational function on your site then it seems that simply informing people is good enough in a clear, easily found policy. If people choose not to read that then that’s their choice, it was there to be read.

      On the other hand, if you are collecting information that is not essential for use in marketing (ie Analytics) then it seems you are expected to give people a choice first.

      I say ‘seems’ a lot in the above, as unfortunately the ICO seems reluctant to stick their flag in the ground and endorse an approach. The method they have employed on their own website should see their analytics drop to zero!

      Put it this way, I’m certainly happy to put my own ‘seems’ words into action for my own company with confidence that I’m being compliant, but – due to the ICO’s vagueness – everyone has to reach the conclusions for themselves on their own!

      • Wolf

        If you contact the ICO and show them your solution they will tell you if they think it is fit for purpose and covers all the legal requirements, this is what we did to be 100% sure we are 100% compliant with the new law.

  • Anonymous

    Great link to the GA popup thank you. Not that it seems we’re all going to need it just yet, thank goodness.

    The extra year gives us, and more to the point the analytics vendors, time to come up with a solution. Maybe the recent fuss will get some activity on this at last. 

    But this way of doing it reflects badly on both sides, I think. It’s not just the law which is brought into disrepute. 

  • Tom

    The cookie law primarily focuses on 3rd party cookies. Google Analytics is a 1st party cookie so even next year it will have no impact on GA really. As long as any other cookies used are implemented according to law there should be no action taken against a site.

    • Wolf

      Actually Tom, this is not correct, GA although served as a 1st party cookie is still a tracking cookie and so is covered by the law.

  • Mark

    Hi on our site ( http://www.reddbridge.co.uk/web-design-and-digital-media/ ) we’ve followed a novel (and as far as I know unique) approach to this problem, by informing and getting consent without wrecking the visitor experience.

    Uses jQuery but advantage to that is no javascript = no cookies = no breach of the law (Google sets its cookies with jscript anyway). As for download, jQuery is pulled off Google’s servers, so no additional overhead.

    If you have a WordPress based site we have a plug in available, including one optimised specifically for Google Analytics ( http://www.reddbridge.co.uk/cookie-consent ).

    • Wolf

      Hi Mark,

      Actually at Wolf Software we released a similar solution at the start of the week, after confirming with the ICO the solution was fit for purpose. Our solution is free and open source.

      • Mark

        Hi Wolf, I’ve written some stuff in a reply above about how ours works re getting consent via users clicking on existing links in the page, meaning the toolbar interferes with the operation of the site as little as possible – it’s this that makes it novel and I haven’t seen any other solution that works like it.

        Ours is also a full on CMS plugin rather than inserting Javascript, that allows people to customise everything on various levels (including being able to use it for more than Google Analytics) within their content management system – and this means of course that they don’t have to get down and dirty in the code.

        I know that your solution is hardly difficult to implement so if someone is comfortable editing their source then they may be happy to use what you’ve done, however our (quite honestly very cheap) plugin means that non-technical CMS users can also deploy a solution.

        • Wolf

          Hi Mark,

          Yeah, it is definitely horses for courses. It is also nice to see others taking a proactive approach to helping others solve these problems. I wasn’t having a go :)

  • http://twitter.com/TheOpsMgr Stephen Thair

    Or just do away with the javascript tag approach to analytics completely and do it server-side via the network? http://www.atomiclabs.com/pion-solutions/tagless-web-analytics.php 

    For sites that have “logged in” users then once they are logged in you can parse that from the HTML, set a flag and track them as much as you want. 

    You can track someone anonymously by a combination of IP address and user agent string but that’s not very accurate for obvious reasons. Add in the MAC address? 

    You could track someone within a single visit via application-specific sessionID’s (e.g. ASPSessionID or JSessionID)… it depends if the “cookies that are needed for a site to work without re-writing half of the CMS and application stacks in use on the internet today” are considered acceptable. Some sort of “grandfathering in” clause for these would be nice. 

    The other alternative is to move it to the query string? 

    Write the tracking number into a metatag in the HTML. Attach an onClick handler to every URL/action on the page (shudder…) and when someone clicks on a URL you intercept that, append the tracking number as a query parameter, and then parse that off server-side to link your analytics together, and fire that data off to webtrends, omniture, unica, GA etc. 

    Sadly none of those approaches really helps for cross-site behavioural tracking or repeat visit tracking…

  • Wolf

    We are currently working on solutions to this in PHP and ASPX, but we are also looking at versions for other analytics sites like Yahoo etc etc, if anyone is using these and wants more information then please contact us. As always our solutions are free and open source for anyone to use.

  • Mark

    While I’m all for being able to analyse patterns on a site (and believe it is terribly important), there is a line between doing that and spying on people – and I think it is important to remember that this suspicion that people are being spied on, without their knowledge or consent, for corporate gain is why we got lumbered with this law in the first place.

    It would concern me if, instead of seeking to try to re-balance people’s rights vs business needs, programmers merely sought to find other ways of achieving the same ends without cookies – potentially using methods which are far more invasive, less transparent and give less user control than the old cookies approach.

    Although it does show the futility of this EU law in a global context, as a citizen in a democracy I would much rather see businesses and programmers at least inside the EU take a higher ground and seek to embrace people’s right to choose not to be tracked at all where they prefer this.

    I am sure that if any behaviours of cookies that so offended the EU are simply moved server side then this will only invite further regulation.

    • Wolf

      This is a good point and something I have been thinking about, we were considering writing an Analytics engine which worked without cookies, but I am sure more rules would follow if we did.

      • http://www.facebook.com/drball David Ball

        It’s risky! Although I’m sure if this really is going to be a massive problem, the big analytics companies will come up with a solution we can all use
