It doesn’t look good for web analytics. Due to a new change in the law concerning cookies it is now illegal to set most cookies on UK websites, which suggests almost all analytics can’t be used without breaking the law. Soon this will affect the whole EU.
Currently no major analytics company appears to have a definitive answer (updated 27 May 2011):
|Google Analytics||No comment|
|Adobe Omniture||This official comment, which advocates a wait-and-see approach|
|WebTrends||This comment, which restates the facts but has no conclusive advice. Plus this rant before it became law.|
|Yahoo! Analytics||No comment|
|Core Metrics||No comment|
|StatCounter||A considered and detailed response, which unfortunately appears negated by the ICO’s official document on the issue|
We can’t see how detailed analytics can work without cookies or an equivalent technology. Which means users must now choose to be tracked by analytics, for every website they visit.
How might analytics work with the law?
Let’s try really hard to ask users in the nicest way possible. Whatever we consider here is likely to get uglier in the real world of lawyers and naysayers.
Modal dialog: This example dialog would use a lightbox, meaning it wouldn’t be blocked by a pop-up blocker, and the developer would be able to control exactly how it looks:
Accordion: This approach is less intrusive, but less likely to get noticed (and hence clicked on). A message appears at the top of every page, typically scrolling down to draw attention to itself when the page loads. It may be difficult to make the text short enough to fit, yet informative enough to be legally binding:
- Update 25th May 2011: Wolf Software have coded a working plugin which does just this for Google Analytics.
- Update 27th May 2011: Reddbridge media have also developed an accordion Wordpress plugin to ask for cookie consent.
Problems with these solutions
They may be possible, but honestly, we don’t think either of these solutions are viable.
- Anyone who is asked the question is unlikely to say yes. So you get a lot less information from your visitors.
- There’s a cost to asking the question – it annoys visitors, and will prevent some of them from using your site. So you lose business.
- There’s a cost to modifying your website. We hope analytics companies provide their own solution, but until that exists you’d have to code all of this yourself.
- You can’t use analytics on your first page, because you haven’t asked them this question yet. So you can’t log what website they came from, for example. (Actually this is possible, but only if your analytics software was rewritten by the company who provides it, or you used webserver logs – but neither solution is perfect).
- To remember if the user has clicked No, you have to set a cookie! We suspect that the law would permit this as “strictly necessary” and posing no privacy risk, unless they’re a masochistic bunch of clueless bureaucrats, and we’re almost certain they’re not.
Given these issues, we suspect the easiest route to compliance is simply disabling analytics for visitors from the EU. You would need to add a server-side detection script to do this, and of course you would lose a lot of information in the EU. (You could still measure traffic roughly with server logs, but that’s fraught with its own problems).
We don’t recommend abandoning analytics yet: the analytics companies themselves should have a chance to put forward their own suggestions, and analytics is too important to give up without an overpowering reason. However at the moment this is the only viable route we can see to compliance until browser technology advances (and even then, older browsers will still need to be accommodated in this way).
We’ll keep our fingers crossed.
If you want to know more, see our definitive guide to the cookie law.