So this week the Information Commissioners office published their guidelines on cookies following their ratification into law. The outcome is that they’ve essentially said that you should get explicit consent from your users for all but the ‘essential’ cookies. Analytics and advertising cookies they explicitly point out are not essential, so there is some work needed (possibly). Here is a link to the report (pdf warning).
An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent
Shameless plug: Here are some links that will give you the full details based on stuff I’ve written:
How Slashdot saw the new Cookie ruling (August 2009)
EU cookie laws verified (July 2010)
What, Why and How of Cookies affecting your privacy (August 2010)
The UK needs to change its cookie policies (November 2010)
Cookies are the best way to track users Or are they? (February 2011)
So you don’t have to, I’ve decided that I’m going to give you a media round up. Aren’t I nice:
- Google Analytics blog – No comment
- Adobe Omniture blog – No comment. EDIT (25th May) – Adobe have put an updated post about this on their blog explaining the ruling with some suggestions on what to do.
- Webtrends blog – No comment (Although I’ll grant them a blog post from July 2010 – which in conclusion gives “Three Alternatives, All Bad” of which the new law is the second). EDIT (25th May): Webtrends released a short post on this several days ago which I missed (sorry).
- Yahoo! Analytics blog – No comment
- Core Metrics blog – No comment
- IAB blog – No comment. EDIT (26th May) – The IAB have updated us following Ed Vaizey’s ‘clarification’.
(I’ll update this table as and when they do make comments – I’m well aware we haven’t really put a full thought into it yet)
So that is fairly conclusive what the big analytics providers think. They think it is your problem. Your website, you sort it out.
Ok, ok, it was only a day ago that this was announced, but its not like hasn’t been coming (see the five blog posts I’ve posted) that they couldn’t have at least come up with some thought on the situation. They could have helped come up with some solutions, suggestions, hints. There will be a session to discuss at the Adobe summit in London next week (8:30am in the morning!) to discuss the new laws, so at least it is starting to move (anyone turning up, by the way, can come and say hello to me – I’ll be on the Adversitement stand in the main hall for much of the day!).
Well lets look at the mainstream press (who are going to be one of the industries screwed by this as they have to start revealing how many different types of advertisers and get consent – this could seriously affect their revenue streams):
Typically of an institution that is state funded – gives the facts with little opinion.
… from 26 May the ICO is obliged to investigate any complaints it gets about the use of non-compliant cookies
One solution, brokered by the Internet Advertising Bureau, might be the use of an icon on adverts that, when clicked, reveals information about data being gathered.
caught my eye as useful comments.
The Telegraph also just appears to deal in fact, in some cases not particularly useful fact either.
Many websites collect user data in the form of ‘cookies’ – small files that store information to help websites recognise regular visitors, sometimes including their name and address.
says the article, although it would probably be worthwhile caveating that statement to say that it only stores information given to it by the user.
This could mean significant changes for many websites, which typically publish a privacy page telling visitors to get in touch if they want to opt out of receiving cookies.
The article goes on. I’d contend that it affects all websites, not just many.
Jim Killock, executive director of the Open Rights Group, said: “The key thing is that people who are being tracked by cookies for purposes such as online advertising absolutely should give their their prior and informed consent. The ICO needs to help to draw a distinction between cookies that enable websites to work and cookies that are there to track people.”
Presumably Mr Killock dislikes using free websites and more to the point dislikes you using free websites.
The WSJ is no stranger to controversy from the analytics world, so they’ve taken a far more pragmatic approach:
If the U.K. Information Commissioner thought that publishing guidance on the implementation of the European Union privacy law was going to calm things down, he seriously miscalculated.
It appears that the actual website owners are fighting back too:
“Frankly that’s not good enough,” said Scott Allison, CEO of Teamly. “As a small self-funded startup we just don’t have the time to analyze and interpret the legislation, especially when given just over two weeks’ notice.”
At least it appears that the WSJ gets it (maybe the Telegraph should have attempted to keep hold of Ben Rooney!):
The most controversial area of the guidelines cover so-called “3rd party cookies”, cookies placed on a user’s computer typically by advertisers on a site. Almost all ad-supported sites use third party cookies.
Although I wonder if the author has mentioned this to his bosses who run the WSJ! Overall this was an informative read looking at the issues from both sides, although not really providing solutions. More please!
I think ZDNet see this as the start of something, rather than the end of it:
Businesses cannot yet rely on consent via browser settings, so must find alternative ways of gaining consent for cookies that store information on users’ machines, the advice stated.
But they also state that:
Although the European Union set a deadline of 25 May for the implementation of its new web-tracking rules, and the UK transposition of those rules is supposed to take effect the following day, the Department for Culture, Media and Sport (DCMS) said in April that enforcement would be delayed “in the short term” while technical solutions are established for the gaining of consent.
I suspect this is many people’s views currently “Unless someone comes up with a good way of doing this without pissing off the user, the Government won’t do anything about it.”
From the rather intriguingly titled ‘Guardian Government Computing’ there was very little information.
“But we want to spread the net as wide as we can and would welcome further comments from others who have practical examples to share. This advice is very much a work in progress and doesn’t yet provide all of the answers.”
Says Information Commissioner Christopher Graham. It also states that:
Advice for the general public on what the new law will mean for them is currently being drafted by the ICO.
Which is interesting, because it suggests that different information is being given to businesses than to the general public. Why is this? How is it going to be different? Are they going to tell you that cookies are bad and that you should block them? I’m considerably more worried about this.
It amused me that the first time I tried to view this article I couldn’t (and you may not be able to – Google the title and you should be able to get in) because you have to have signed up to their website:
“The more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent,” the ICO said. Only functional cookies – for example used to transfer a selected purchase to an online shopping basket – will be exempt.
The ICO has powers to fine companies up to £500,000 for breaching the rules, although Mr Vaizey has indicated that companies will be shown a short period of leniency after May 25 as they adjust to the new regime.
Fining people £500k seems a bit excessive. How much will I get fined for not having anything on my blog telling you that you are being tracked?
I wasn’t going to include this, but their first sentence made me laugh a bit:
SHOPPER STALKING ONLINE FIRMS in the UK have been given guidance on how to use tracking cookies.
That’s told me.
You’ll have noted that I’ve frequently linked to the Out-Law in the past around this issue and I’m bound to continue in the future.
“We would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device,” the ICO said.
Is probably the most sensible advice around
“The guidance leaves it up to organisations to decide how to get users’ permission for cookie usage, which means different companies will use different methods. Only once enforcement action starts will we really know which of these methods the ICO thinks are within the law and which are not. The guidance does list possible methods though, which will help companies, and may be updated when browser-based technical ways of giving permission emerge,” [Claire] McCracken [OUT-LAW lawyer at Pinsent Masons, the law firm behind OUT-LAW]said.
Interesting that a law firm would make these statements. It seems a bit pointless (to me) to have a law that is so ambiguous that we won’t know if every business is complying or not until one of them is fined and the rest have to follow suit
My friend Bob Mitchell has also posted on his blog about this. Bob is also the country manager for the UK for the Web Analytics Association (although they are yet to announce their stance):
Which is probably going a lot further than anyone else has suggested so far.
David has amused me in the past with his take on this and a page with multiple pop ups:
The new European Cookie Law comes into effect towards the end of this month, I’ve read it is the 25th May (26th May according to the BBC) and I still don’t know anyone who:
A) Is prepared for the change
B) Knows how they will technically deal with the problem.
Which probably sums it up very well.
Sorry if I’ve missed anyone out, but I think this has gone on long enough. Post your links in the comments if you find anything else!
Edit: 11th May 16:44 GMT:
A guest post from Milo Yiannopoulos, the Telegraph’s Technology editor, this is a little bit of a rant. But you can see why, because he is coming at it from a different angle to the rest of us:
Enforcing this legislation — if it can even be enforced, so unworkable and technologically illiterate is the basis on which it has been conceived — will have disastrous effects on innovation and entrepreneurship throughout Europe and it will dramatically affect the livelihoods of publishers whose incomes come from advertising.
I can see his point here. I can see many, many companies completely dissappearing as this destroys their business model. Alongside any business that runs advertising on its site, any business that runs an affiliate network (eg Money Supermarket and Confused). Milo also looks at the effect of foreign websites on the UK:
It’s not beyond the realms of possibility that the Wall Street Journal or New York Times will decide it’s simply not worth serving pages to the UK when it’s impossible to monetise them and the user experience is so poor. We should also expect British advertising technology firms — one of the hottest sectors in British tech — to decamp to the US, where the law is less restrictive.
So poor for the users and poor for British Tech. This appears to be a solution that doesn’t suit anyone.
It has been fuelled by campaigners and journalists who are apparently ignorant of both the mechanics and the economics of publishing and advertising.
Sadly this is true. My former colleague Ciaran Norris put it quite well:
… it’s still annoying that Google & Facebook target ads and emails at me, right? Well, no. Because that’s the cost of us receiving free content…