EU Cookie Directive guidance issued; bad news for Google Analytics users

Over a month late, the Irish Government has brought into law the EU Cookie Directive, which requires websites to obtain express permission from each user when setting a cookie on their computer.

Late on Friday the country’s Data Protection Commission issued guidance, having itself received advice from the Attorney General, about the legislation.  The Commission says that website owners and app developers must “identify a means of obtaining user consent” for any cookie that does not expire after the user leaves the website.  The Commission said,

“Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc) must provide appropriate information to the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.”

The Directive sets strict restrictions on the use of cookies by websites, smartphone apps, and other devices. As it is a directive, each member state of the EU can interpret the law as it wishes; in the United Kingdom the Data Protection Commission has allowed for some lead time to allow website owners to come into line with the directive.

One of the biggest victims of this law will be Google Analytics, or at least all websites that use the application. Because Google’s ubiquitous tracking system sets cookies on users’ machines that don’t expire for two years, the law in Ireland makes any use of Google Analytics without first getting users’ permission illegal.

The enforceability of the law is questionable; most website owners will not know what type of cookies their sites or apps are setting on users’ machines or how to obtain user permission.

Discussing the concern and confusion many website owners are feeling, Leo Moore, a partner with William Fry Solicitors (@WFIDEA) who specialises in intellectual property, information technology, data protection, and commercial law, wrote on Friday,

“Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.”

Irish websites may have to resort to measures similar to those taken by the UK’s Data Protection Commission, whose own interpretation of the law requires this message to be displayed on its site: “The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.”

According to the Google Analytics forum there are ways of editing the tracking code to make it comply with various cookie laws around the world. It says one possible way of making Google Analytics compatible with such laws is to add these lines of code above “_gaq.push(['_trackPageview']);” in each page’s Google Analytics code.

_gaq.push(['_setCampaignCookieTimeout', 0]);
_gaq.push(['_setVisitorCookieTimeout', 0]);
_gaq.push(['_setSessionCookieTimeout', 0]);

According to the forum, this should delete the tracking cookie when the user closes the session. However, we’re not lawyers, and this law has not yet been tested in the Irish courts, so get professional advice on whether this complies with the law.
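To check which cookies a site actually leaves behind after the browser closes, the sketch below classifies cookie strings as session-only or persistent. It is an added example, not code from the article, the forum, or Google; the function names, cookie values, and dates are constructed, and it assumes, as the forum post says, that a timeout of 0 produces cookies with no expiry attribute.

```javascript
// Added example: classify cookies as session-only or persistent.
// All cookie values and dates below are constructed sample data.
function parseCookie(str, nowMs) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // RFC 6265: Max-Age wins over Expires; with neither, the cookie lasts
  // only until the browser session ends.
  let lifetime = null;
  if (maxAge !== null) lifetime = maxAge;
  else if (expires !== null) lifetime = Math.round((expires - nowMs) / 1000);
  if (lifetime === null) return { name, kind: 'session', lifetimeSeconds: null };
  if (lifetime <= 0) return { name, kind: 'deleted', lifetimeSeconds: 0 };
  return { name, kind: 'persistent', lifetimeSeconds: lifetime };
}

// Names of cookies that outlive the browser session, i.e. the ones to review.
function persistentCookies(cookieStrings, nowMs) {
  return cookieStrings
    .map((s) => parseCookie(s, nowMs))
    .filter((c) => c.kind === 'persistent')
    .map((c) => c.name);
}

const NOW = Date.UTC(2011, 6, 4); // constructed "current time": 4 July 2011 UTC
// ga.js cookies with default lifetimes (constructed values).
const DEFAULT_GA = [
  '__utma=1.2.3.4.5.1; expires=Thu, 04 Jul 2013 00:00:00 GMT; path=/',
  '__utmb=1.1.10.1; expires=Mon, 04 Jul 2011 00:30:00 GMT; path=/',
  '__utmc=1; path=/',
  '__utmz=1.1.1.1.utmcsr=(direct); expires=Wed, 04 Jan 2012 00:00:00 GMT; path=/',
];
// The same cookies once all three timeouts are set to 0: no expiry attribute.
const ZERO_TIMEOUT_GA = DEFAULT_GA.map((c) => c.replace(/; expires=[^;]+/, ''));

console.log(persistentCookies(DEFAULT_GA, NOW));      // persistent ones
console.log(persistentCookies(ZERO_TIMEOUT_GA, NOW)); // none left
```

Session-only here means the cookie is dropped when the browser closes, not when the user navigates away from the site.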

15 Comments

  1. TheCookieCrunch

    July 4, 2011 at 5:12 PM

    Leaving a website doesn’t cause any cookies to be deleted. Only closing the browser will remove session cookies.

    The guidance is a misinterpretation of the EU Directive – it requires consent to set a cookie – regardless of whether it is a session cookie or not.

    For more visit: http://www.cookielaw.org

    TheCookieCrunch

    • thesociable

      July 4, 2011 at 8:59 PM

      @TheCookieCrunch

      As a directive each country can choose how they will interpret the law. The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site.

      The code above deletes the cookie when the session is ended – the user closes the browser – so it remains to be seen if this will be acceptable for the courts, if it ever gets that far.

      The vague interpretation of the law in Ireland could be down to the number of large international online companies here. We are sure the government was keeping Facebook, Microsoft, Amazon, and of course Google itself, in mind when working through the legislation.

      • mneylon

        July 8, 2011 at 11:50 AM

        @thesociable @TheCookieCrunch

        I wouldn’t be so confident that the big picture was taken into consideration. The Irish government’s track record in this entire area is woeful.

        • thesociable

          July 9, 2011 at 8:05 PM

          @mneylon @thesociable @TheCookieCrunch All we can do is take the regulator’s advice and wait for the inevitable test case. Either way it is very difficult to see how this law can be enforced. You do have to wonder how many government sites are in compliance with it.

      • PaulPinnacle

        July 16, 2011 at 1:45 AM

        @thesociable “The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site.” – Not exactly.

        The Irish view is that no permission is required where the cookie is essential AND is deleted on leaving the site (not closing the browser).

        The current interpretation is that if the Cookie persists, unless the user closes the browser, even after they have left the site this would require consent if it is for anything other than a matter of hours (meaning this has impacts on the current set up of essential cookies on various sites, as well as the optional ones) even where it performs essential functions on the site.

        Google Analytics (or any similar tracking cookie) won’t fall under their guidance of ‘essential’, tracking cookies are specifically mentioned as not being essential. This means that GA will always require permission, or else a test case will be needed to force a reinterpretation of the rules there.

        The fact that the guidance goes as far as suggesting that browsers change their functionality in order to incorporate these new rules shows a certain naivety in the logic there and how difficult this will be to implement in the current environment. The fact that the dataprotection.ie site commented out their own Urchin tracking code in March, it’s still visible on the site, suggests that even they have issues with handling the implementation.

        • Arekibo

          July 17, 2011 at 7:04 PM

          @PaulPinnacle @thesociable Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions (“identify a means of obtaining user consent”).

          The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can’t imagine too many Irish businesses will be happy that they cannot accurately measure their site’s performance in comparison to international competition.

          An FOI request to the ICO in the UK showed that only 10% of their users opted in to accept long term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

          It is interesting that Google has been very quiet on the issue.

        • pdscott

          July 17, 2011 at 7:05 PM

          @PaulPinnacle @thesociable

          Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions (“identify a means of obtaining user consent”).

          The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can’t imagine too many Irish businesses will be happy that they cannot accurately measure their site’s performance in comparison to international competition.

          An FOI request to the ICO in the UK showed that only 10% of their users opted in to accept long term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

          It is interesting that Google has been very quiet on the issue.

  4. CookieQ.com

    July 5, 2011 at 9:29 AM

    To comply with the EU directive no need for costly website redesign, just paste the HTML for a CookieQ button into your web pages from http://CookieQ.com

    It now includes customisable reminder banners, a choice of button styles, an option to keep analytics cookies, variable consent periods etc.

@pdscott

Piers Dillon-Scott is co-editor of The Sociable and writes about stuff he finds. He likes technology, media, and using the Oxford comma (because it just makes sense).
