EU Cookie Directive guidance issued; bad news for Google Analytics users

Over a month late, the Irish Government has brought into law the EU Cookie Directive, which requires websites to obtain express permission from each user when setting a cookie on their computer.

Late on Friday the country’s Data Protection Commission issued guidance, having itself received advice from the Attorney General, about the legislation.  The Commission says that website owners and app developers must “identify means of obtaining user consent” for any cookie that does not expire after the user leaves the website.  The Commission said,

“Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc) must provide appropriate information to the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.”

The Directive sets strict restrictions on the use of cookies by websites, smartphone apps, and other devices. As a directive, each member state of the EU can interpret the law as it wishes; in the United Kingdom the Data Protection Commission has allowed some lead time for website owners to come into line with the directive.

One of the biggest victims of this law will be Google Analytics, or at least all websites that use the application. Because Google’s ubiquitous tracking system sets cookies on users’ machines which don’t expire for two years, the law in Ireland makes any use of Google Analytics without first getting users’ permission illegal.

The enforceability of the law is questionable; most website owners will not know what type of cookies their sites or apps are setting on users’ machines or how to obtain user permission.

Discussing the concern and confusion many website owners are feeling, Leo Moore, partner with William Fry Solicitors (@WFIDEA), who specialises in intellectual property, information technology, data protection, and commercial law, wrote on Friday,

“Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.”

Irish websites may have to resort to measures similar to those taken by the UK’s Data Protection Commission, whose own interpretation of the law requires this message to be displayed on its site: “The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.”

According to the Google Analytics forum there are ways of editing the tracking code to make it comply with various cookie laws around the world. It says one possible way of making Google Analytics compatible with such laws is to add these lines of code above “_gaq.push(['_trackPageview']);” in each page’s Google Analytics code.

_gaq.push(['_setCampaignCookieTimeout', 0]);
_gaq.push(['_setVisitorCookieTimeout', 0]);
_gaq.push(['_setSessionCookieTimeout', 0]);

According to the forum this should delete the tracking cookie when the session is closed by the user. However, we’re not lawyers, and this law has not yet been tested in Irish courts, so get professional advice on whether this complies with the law.
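
As an added example (not code from the original article or from Google), the following JavaScript classifies cookie strings as session or persistent, the distinction the guidance above turns on, so a site owner can see which cookies outlive the browser session. The cookie names, values and audit date are constructed sample data.

```javascript
// Constructed sample data: cookie strings as they would appear in a
// Set-Cookie header or in an assignment to document.cookie.
const SAMPLE_NOW = new Date('2011-07-04T00:00:00Z'); // constructed audit date
const SAMPLE_COOKIES = [
  'visitor_id=abc123; expires=Thu, 04 Jul 2013 00:00:00 GMT; path=/',
  'basket=42; path=/',
  'campaign=newsletter; Max-Age=15768000; path=/',
  'old_pref=; Max-Age=0; path=/',
];

// Parse one cookie string and report how long the browser will keep it.
function classifyCookie(cookieString, now = new Date()) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = new Date(val);
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  let lifetimeSeconds = null;
  if (maxAge !== null) lifetimeSeconds = maxAge;
  else if (expires !== null) lifetimeSeconds = Math.round((expires - now) / 1000);

  // No expiry attribute: the cookie lasts until the browser is closed.
  if (lifetimeSeconds === null) return { name, kind: 'session', lifetimeSeconds };
  // Expiry in the past (or zero): the browser discards the cookie at once.
  if (lifetimeSeconds <= 0) return { name, kind: 'expired', lifetimeSeconds };
  return { name, kind: 'persistent', lifetimeSeconds };
}

// Return only the cookies that survive after the browser is closed.
function findPersistentCookies(cookieStrings, now = new Date()) {
  return cookieStrings
    .map((c) => classifyCookie(c, now))
    .filter((c) => c.kind === 'persistent');
}

for (const c of findPersistentCookies(SAMPLE_COOKIES, SAMPLE_NOW)) {
  const days = (c.lifetimeSeconds / 86400).toFixed(1);
  console.log(`${c.name}: persistent, about ${days} days`);
}
```

A cookie written with no expiry attribute is reported as 'session' here, meaning it lasts until the browser is closed, not until the user leaves the site.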

Ajit Jain

Ajit Jain is marketing and sales head at Octal Info Solution, a leading iPhone app development company that also offers a platform to hire Android app developers for your own app development project. He is available to connect on Google Plus, Twitter, Facebook, and LinkedIn.

Comments

  • Leaving a website doesn't cause any cookies to be deleted. Only closing the browser will remove session cookies.

    The guidance is a misinterpretation of the EU Directive - it requires consent to set a cookie - regardless of whether it is a session cookie or not.

    For more visit: http://www.cookielaw.org

    TheCookieCrunch

    • @TheCookieCrunch

      As a directive each country can choose how they will interpret the law. The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site.

      The code above deletes the cookie when the session is ended - the user closes the browser - so it remains to be seen if this will be acceptable for the courts, if it ever gets that far.

      The vague interpretation of the law in Ireland could be down to the number of large international online companies here. We are sure the government was keeping Facebook, Microsoft, Amazon, and of course Google itself, in mind when working through the legislation.

      • @thesociable @TheCookieCrunch

        I wouldn't be so confident that the big picture was taken into consideration. The Irish government's track record in this entire area is woeful.

        • @mneylon @thesociable @TheCookieCrunch All we can do is take the regulator's advice and wait for the inevitable test case. Either way it is very difficult to see how this law can be enforced. You do have to wonder how many government sites are in compliance with it.

      • @thesociable "The Irish view of the law is that no permission is needed if the cookie is necessary or will be deleted when the user leaves the site." - Not exactly.

        The Irish view is that no permission is required where the cookie is essential AND is deleted on leaving the site (not closing the browser).

        The current interpretation is that if the Cookie persists, unless the user closes the browser, even after they have left the site this would require consent if it is for anything other than a matter of hours (meaning this has impacts on the current set up of essential cookies on various sites, as well as the optional ones) even where it performs essential functions on the site.

        Google Analytics (or any similar tracking cookie) won't fall under their guidance of 'essential', tracking cookies are specifically mentioned as not being essential. This means that GA will always require permission, or else a test case will be needed to force a reinterpretation of the rules there.

        The fact that the guidance goes as far as suggesting that browsers change their functionality in order to incorporate these new rules shows a certain naivety in the logic there and how difficult this will be to implement in the current environment. The fact that the dataprotection.ie site commented out their own Urchin tracking code in March, it's still visible on the site, suggests that even they have issues with handling the implementation.

        • @PaulPinnacle @thesociable Certainly the guidance shows some confusion on the side of the Information Commissioner; itself being rather vague in its directions ("identify a means of obtaining user consent").

          The impact of the law goes beyond analytics, but also affects design, usability, functionality, and accessibility. And is going to be expensive for some sites to implement. When it comes to a test case, I can't imagine too many Irish businesses will be happy that they cannot accurately measure their site's performance in comparison to international competition.

          An FOI request to the ICO in the UK showed that only 10% of their users opted in to accept long-term cookies on their site. I can only imagine after commercial sites see this happen to their analytics that they will begin to get worried. http://bit.ly/nyb2KT

          It is interesting that Google has been very quiet on the issue.

  • To comply with the EU directive no need for costly website redesign, just paste the HTML for a CookieQ button into your web pages from http://CookieQ.com

    It now includes customisable reminder banners, a choice of button styles, an option to keep analytics cookies, variable consent periods etc.
