If you read right to the end of the actual guidance from the ICO it says:
---
We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
---
My interpretation of that is: tell your web site users clearly what you do with analytics and why and we are very unlikely to bother coming after you.
Frankly, their policy seems sensible and I'm having an hard time giving a fuck about the webmasters (is this still used?).
If you want to track, do it properly with a package installed on your own server. stop subjecting your users to Google's All-Seeing Eye just because using their Analytics is easier for you.
I am currently a webmaster (and I don't know if that's still used either, doesn't feel like it), and this is going to be a huge pain in the arse. The main reason it is a pain is the vagueness of the legislation, nobody has any idea what they can and can't do.
Sure we can follow the ICO and put a pop-up on the site asking to accept cookies or not (which if you select 'not' ironically creates a cookie), but as other people have pointed out that's laughable (for a huge number of reasons) and would push online trade away from uk sites. Easiest option for me would be to shift hosting outside the EU, take the SEO location hit and get back to work as usual (EDIT: it appears I am a little behind on the legislation as last time I read it hosting overseas was a loophole, looks like I need to refresh things).
Alternatively if I could dispense with cookies and shift tracking upstream to a CDN that would also save me the problem and at that point I should be getting even more data such as IP addresses.
Users need to take control of their browsing and privacy, they need to be aware of what they are giving away when they join a site or go online in general. Currently they are clueless and that is what needs to stop, force a prompt for all cookies regardless of country, evens the playing field and make people think for a change (if you're a chrome user "Edit this cookie" is an invaluable plugin for monitoring and removing what each site is placing on your machine).
It's also a bit rich saying that tracking cookies are bad whilst trying to pass a law attempting to track almost all communication:
On the ICO's site (http://www.ico.gov.uk) there is no "don't accept cookies" option. You can only select "accept" or not interact with the form at all. If you don't accept cookies then the form is shown at the top of every page.
Google's 'All-Seeing Eye' uses first-party cookies, just like anything you'd install on your own server. Just because something uses first-party cookies doesn't mean the data's not being sent to a third-party.
If this goofy law is more than sporadically enforced, future analytics probably won't use cookies at all - they'll just combine browser fingerprinting with server-side logs that get automatically sent to a third-party for processing. Individual end-users won't have any way of knowing whether it's there or not.
This isn't about third party cookies, it's about cookies period - with the exceptions listed in the article. If you use your own analytics package, the chances are it will use cookies, so user permission will still be required. Log parsing isn't sufficient to get user-based statistics.
Yes, but they also say "we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
So in theory all cookies are the same, in practice they're not - first party analytical cookies are mostly safe.
The law is the law as it's written and then as it's reflected in court decisions. We can't choose to do what is defined as illegal just because a FAQ says "we probably won't come after you". That's a risk that many businesses can't afford to take. It's a poorly written law, and as is often the case in laws as knee-jerk reactions to tech changes, throws the baby out with the bathwater. I do think this law shows that we need better tracking mechanisms to meet the needs and expectations of the site owners and the site users, but it shows us by trying to destroy instead of trying to help guide.
> The law is the law as it's written and then as it's reflected in court decisions.
That's true. While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.
If anything people want the ICO to be a bit tougher - there are plenty of actually dodgy privacy invading practices going on the the ICO seems to be powerless to stop.
> knee-jerk reactions
This law has been a long time in the making. Self-regulation would be ideal. But there are too many operators who are willing to ignore sensible privacy standards for self-regulation to be possible. Unfortunately some of those bad actors are going to ignore any laws.
> While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.
Until some group puts pressure on them to enforce against analytics sites. Or the top brass at ICO are switched out. Or a politician makes it their mission for a little while. Or...
"We are making this illegal, but we won't enforce it, really!" is not a trustworthy statement.
> The law is the law as it's written and then as it's reflected in court decisions.
That may not be as true as you think.
I don't really know how the modern UK legal system works in this regard, but in the US, the courts would A) defer to the interpretation of the agency (in this case the ICO) as to what a statute means, and B) greatly frown on any attempt to prosecute without warning people who reasonably relied on the agency's declarations.
§66 on page 20 of Directive 2009/136/EC at [1] uses the word "information", not "cookies".
Third parties may wish to store information on the
equipment of a user, or gain access to information
already stored, for a number of purposes, ranging
from the legitimate (such as certain types of
cookies) to those involving unwarranted intrusion
into the private sphere (such as spyware or
viruses). It is therefore of paramount importance
that users be provided with clear and comprehensive
information when engaging in any activity which
could result in such storage or gaining of access.
The purpose of the directive is to be as broad as possible to cover collection of any type of information without express permission or "strictly necessary and legitimate purpose".
Look, there are tons of data available in the browser, see http://panopticlick.eff.org/ for a good example. But they are non-stable for reasons outside of the user's control. So, if a user wants to kill her cookies every day, cool, they can. They can't randomly change their useragent+screen-resolution on a daily basis with the same ease. In addition, UA changes outside of user's control (a browser update pushed on them, for example) and that breaks tracking they may want.
So, no, these workarounds are not the right answer; we need mechanisms that let users control their data and let them choose to share it. It's up to us as product makers to give them a good reason.
Well, having made no special effort, the site claims my User-Agent is as unique as my set of 5,150 installed fonts. To be fair, I suppose WebKit nightly version numbers don't satisfy most definitions of "random".
As for mechanisms, to what end, if nobody bothers to use them? Especially things like "randomize User-Agent string" that'd break a great many "non-evil" sites?
There's a whole class of 'mom & pop' type websites out there that need analytics to function but:
* It's hosted in a way that precludes putting your own analytics in there (github pages, s3 etc.)
* The users lack the technical sophistication to install and manage their own analytics.
I've just finished moving my wife's site to github pages. It's awesome. The mac github client is pretty friendly, I set up the repo and jekyll and put a shortcut on her desktop to fire up a local server. She knows enough HTML to be able to update content on it. Analytics would be massively useful but it just won't be sensible for me to put them in.
I'm hoping what happens is that Google releases it's UK friendly analytics which does the following:
* Stops dropping cookies on UK based browsers
* Attempts to get consent through a different channel and then enables cookies for those users across the board
I don't know where on earth you picked up this conspiracy theory but it's not.
If you'd been following this whole mess you'd know it's just a typical EU nonsense legislation that no-one knows how to implement and the UK is once again implementing it too harshly in law but giving it absolutely no teeth by creating a practically powerless and massively underfunded enforcement vehicle while our EU brethren quietly ignore it.
No big conspiracy, just your bog standard bureaucratic incompetence from the EU.
No conspiracy intended! I know this started as the result of some-scaremongering-or-other on the Continent, as usual.
What I'm saying is that it's clear to everyone involved that the authorities (EU or UK or whatever) will never be able to enforce this law except for the largest targets, in the same way as they'll never go after anyone coupling their OS and browser except if it's as big as Microsoft.
How so? From what I understand, these regulations make the Like button illegal -- I believe that was the main target of this legislation, together with similar efforts from Google aimed at tracking users across websites.
You're right, and I think that's what my company will be doing, however: it's scary that there's a law against it and their advise is "break it, we probably won't care".
---
We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
---
My interpretation of that is: tell your web site users clearly what you do with analytics and why and we are very unlikely to bother coming after you.