Categories: Web

EU Cookie Directive guidance issued; bad news for Google Analytics users

Over a month late the Irish Government has brought into law the EU Cookie Directive, which requires websites to obtain express permission from each user when setting a cookie on their computer.

Credit: Mindmatrix

Late on Friday the country’s Data Protection Commission issued guidance, having itself received advice from the Attorney General, about the legislation.  The Commission says that website owners and app developers must “identify a means of obtaining user consent” for any cookie that does not expire after the user leaves the website.  The Commission said,

“Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc) must provide appropriate information to the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.”

The Directive sets strict restrictions on the use of cookies by websites, smartphone apps, and other devices.   As a directive each member state of the EU has can interpret the law as they wish; in the United Kingdom the Data Protection Commission has allowed for some lead time to allow website owners to come into line with the directive.

One of the biggest victims of this law will be Google Analytics, or at least all websites that use the application.  As Google’s ubiquitous tracking system sets cookies on users’ machines which don’t expire for two years the law in Ireland makes any use of Google Analytics without first getting users’ permission illegal.

The enforceability of the law is questionable; most website owners will not know what type of cookies their sites or apps are setting on users’ machines or how to obtain user permission.

Discussing the concern and confusion many website owners are feeling Leo Moore, a partner with William Fry Solicitors (@WFIDEA) who specialises in intellectual property, information technology, data protection, and commercial law, wrote on Friday,

“Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.”

Irish websites may have to resort to similar measures taken by the UK’s Data Protection Commission who’s own interpretation of the law requires this messages to be displayed on their site, “The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.

According to the Google Analytics forum there are ways of editing the tracking code to make it comply with various cookie laws around the world.  It says one possible way of making Google Analytics compatible with such laws is by adding these lines of code above “_gaq.push([‘_trackPageview’]);” in each page’s Google Analytics code.

_gaq.push(['_setCampaignCookieTimeout', 0]);
_gaq.push(['_setVisitorCookieTimeout', 0]);
_gaq.push(['_setSessionCookieTimeout', 0]);

According to the forum this should delete the tracking cookie when the session is closed by the user.  Although, we’re not lawyers, and this law has not been tested in Irish courts yet, so get professional advice to see if this does comply with the law.

Ajit Jain

Ajit Jain is marketing and sales head at Octal Info Solution, a leading iPhone app development company and offering platform to hire Android app developers for your own app development project. He is available to connect on Google Plus, Twitter, Facebook, and LinkedIn.

View Comments

  • Leaving a website doesn't cause any cookies to be deleted. Only closing the browser will remove session cookies.

    The guidance is a misinterpretation of the EU Directive - it requires consent to set a cookie - regardless of whether it is a session cookie or not.

    For more visit: http://www.cookielaw.org

    TheCookieCrunch

  • Leaving a website doesn't cause any cookies to be deleted. Only closing the browser will remove session cookies.

    The guidance is a misinterpretation of the EU Directive - it requires consent to set a cookie - regardless of whether it is a session cookie or not.

    For more visit: http://www.cookielaw.org

    TheCookieCrunch

    • @TheCookieCrunch

      As a directive each country can choose how they will interpret the law. The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site.

      The code above deletes the cookie when the session is ended - the user closes the browser - so it remains to be seen if this will be acceptable for the courts, if it ever gets that far.

      The vague interpretation of the law in Ireland could be down to the number of large international online companies here. We are sure the government was keeping Facebook, Microsoft, Amazon, and of course Google itself, in mind when working through the legislation.

      • @thesociable @TheCookieCrunch

        I wouldn't be so confident that the big picture was taken into consideration. The Irish government's track record in this entire area is woeful.

        • @mneylon @thesociable @TheCookieCrunch All we can do is take the regulator's advice and wait for the inevitable test case. Either way it is very difficult to see how this law can be enforced. You do have to wonder how many government sites are in compliance with it.

      • @thesociable "The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site." - Not exactly.

        The Irish view is that no permission is required where the cookie is essential AND is deleted on leaving the site (not closing the browser).

        The current interpretation is that if the Cookie persists, unless the user closes the browser, even after they have left the site this would require consent if it is for anything other than a matter of hours (meaning this has impacts on the current set up of essential cookies on various sites, as well as the optional ones) even where it performs essential functions on the site.

        Google Analytics (or any similar tracking cookie) won't fall under their guidance of 'essential', tracking cookies are specifically mentioned as not being essential. This means that GA will always require permission, or else a test case will be needed to force a reinterpretation of the rules there.

        The fact that the guidance goes as far as suggesting that browsers change their functionality in order to incorporate these new rules shows a certain naivety in the logic there and how difficult this will be to implement in the current environment. The fact that the dataprotection.ie site commented out their own Urchin tracking code in March, it's still visible on the site, suggests that even they have issues with handling the implementation.

        • @PaulPinnacle @thesociable Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions ("identify a means of obtaining user consent").

          The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can't imagine too many Irish businesses will be happy that they cannot accurately measure their site's performance in comparison to international competition.

          An FOI request to the ICO in the UK showed that only 10% of their users opted into accept long term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

          It is interesting that Google has been very quiet on the issue.

        • @PaulPinnacle@thesociable

          Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions ("identify a means of obtaining user consent").

          The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can't imagine too many Irish businesses will be happy that they cannot accurately measure their site's performance in comparison to international competition.

          An FOI request to the ICO in the UK showed that only 10% of their users opted into accept long term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

          It is interesting that Google has been very quiet on the issue.

  • @TheCookieCrunch

    As a directive each country can choose how they will interpret the law. The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site.

    The code above deletes the cookie when the session is ended - the user closes the browser - so it remains to be seen if this will be acceptable for the courts, if it ever gets that far.

    The vague interpretation of the law in Ireland could be down to the number of large international online companies here. We are sure the government was keeping Facebook, Microsoft, Amazon, and of course Google itself, in mind when working through the legislation.

  • To comply with the EU directive no need for costly website redesign, just paste the HTML for a CookieQ button into your web pages from http://CookieQ.com

    It now includes customisable reminder banners, a choice of button styles, an option to keep analytics cookies, variable consent periods etc.

  • @thesociable @TheCookieCrunch

    I wouldn't be so confident that the big picture was taken into consideration. The Irish government's track record in this entire area is woeful.

  • @mneylon @thesociable @TheCookieCrunch All we can do is take the regulator's advice and wait for the inevitable test case. Either way it is very difficult to see how this law can be enforced. You do have to wonder how many government sites are in compliance with it.

  • @thesociable "The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site." - Not exactly.

    The Irish view is that no permission is required where the cookie is essential AND is deleted on leaving the site (not closing the browser).

    The current interpretation is that if the Cookie persists, unless the user closes the browser, even after they have left the site this would require consent if it is for anything other than a matter of hours (meaning this has impacts on the current set up of essential cookies on various sites, as well as the optional ones) even where it performs essential functions on the site.

    Google Analytics (or any similar tracking cookie) won't fall under their guidance of 'essential', tracking cookies are specifically mentioned as not being essential. This means that GA will always require permission, or else a test case will be needed to force a reinterpretation of the rules there.

    The fact that the guidance goes as far as suggesting that browsers change their functionality in order to incorporate these new rules shows a certain naivety in the logic there and how difficult this will be to implement in the current environment. The fact that the dataprotection.ie site commented out their own Urchin tracking code in March, it's still visible on the site, suggests that even they have issues with handling the implementation.

  • @PaulPinnacle @thesociable Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions ("identify a means of obtaining user consent").

    The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can't imagine too many Irish businesses will be happy that they cannot accurately measure their site's performance in comparison to international competition.

    An FOI request to the ICO in the UK showed that only 10% of their users opted into accept long term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

    It is interesting that Google has been very quiet on the issue.

  • @PaulPinnacle@thesociable

    Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions ("identify a means of obtaining user consent").

    The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can't imagine too many Irish businesses will be happy that they cannot accurately measure their site's performance in comparison to international competition.

    An FOI request to the ICO in the UK showed that only 10% of their users opted into accept long term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

    It is interesting that Google has been very quiet on the issue.

Recent Posts

How a former Wall Street exec is saving your plants and the planet 

Jeanna Liu’s love for nature is rooted in her childhood. As a young girl, Liu…

2 days ago

New initiative announced to accelerate cloud, GenAI adoption in Latin America

The arrival of generative artificial intelligence (genAI) into the mainstream at the end of 2022…

2 days ago

Deborah Leff to join Horasis Advisory Board in boost to machine learning and data initiatives 

Data analytics and machine learning models deliver the most powerful results when they have access…

2 days ago

37, Emotionally Stuck, and Why the Journey Didn’t Change Me

I’ve been on the road for almost a year now. Chasing freedom, adventure, and purpose.…

4 days ago

Will iPhones Get Pricier Under Trump’s Leadership?

As technological use increases, so may the cost of innovation due to the global movement…

4 days ago

The Science of Gift-Giving: 10 Functional Gifts for the Holidays

Have you ever asked yourself why some people are amazing at picking gifts, while others…

5 days ago