: Google Analytics and the EU cookie directive. Who will fall foul of the law? Google or the developer? So Google uses cookies when performing its usual duties of tracking users on a website.
So Google uses cookies when performing its usual duties of tracking users on a website. That is just it though; Google are setting the cookies and not your website as such. This is by virtue of the fact that the JS is all hosted by Google and merely included into your web page.
Wolf Software who have released a jQuery plugin to ask for a users consent before allowing GA seem to imply that it would be the developers problem on their associated web page.
Is this then possibly Google's problem when the ICO comes knocking or should the developer not have implemented GA if they are aware of the potential cookie problem?
More posts by @Angie530
5 Comments
Sorted by latest first Latest Oldest Best
I have now had a response from the ICO although it is not entirely relevant any more given that the introduction has been pushed back and the law and guidance maybe refined in the mean time.
Thank you for your correspondence regarding the new Privacy and
Electronics Communications Regulations.
I would begin by pointing out that I will not be posting my response
on the website you suggest; however feel free to disseminate the
information contained here. I would also state that the rhetorical
first of your two questions is not one I am in a position to answer.
Moving on, you ask:
‘Google Analytics and the EU cookie directive. Who will fall foul of
the law? Google or the developer?’
As an introduction, the new rule relating to cookies is the UK
implementation of amendments to existing EU legislation. Prior to the
EU level legislation being passed, a consultation took place across
Europe. Following the passing of the EU Cookie Directive (Directive
2009/136/EC), all EU member states are legally obliged to pass
domestic legislation echoing the rules set out in that Directive. In
the UK, the amendments have been prepared by the Department of
Culture, Media and Sport (DCMS) and the ICO is the body tasked with
overseeing the new rules – which have been passed as amendments to the
existing Privacy and Electronic Communications Regulations 2003
(PECR).
If you have not already read it, you may find Ed Vaisey’s letter on
behalf of DCMS as Minister for Culture, Communications and Creative
Industries is helpful in explaining the approach adopted by the DCMS
in implementing this EU Directive. The open letter is available at:
www.culture.gov.uk/images/publications/cookies_open_letter.pdf.
In particular this letter best addresses your comments regarding the
use of a web browser to indicate a user’s preferences. Using a
browser in this way is something which the amended PECR allow,
however, it is our opinion that currently technology is not advanced
enough for this to be practicable (please see both the letter referred
to above, and our guidance: Read the ICO’s advice to organisations
about how to prepare for the new rules on cookies).
There is no specific exemption for analytics tools such as Google
Analytics. The only exception to the basic cookie rule is that which
relates to cookies which are ‘strictly necessary’ for a service
requested by the user. This exception is a narrow one due to the
second part (‘for a service requested by the user’) – and you will see
from our guidance that the exception would not apply to cookies which
collect statistical information about website users, or which have the
aim of improving the overall website look.
In respect of ‘other marketing network cookies’ – the same rules
regarding consent, and strict necessity, apply as set out above.
The PECR themselves do not set the definition of ‘consent’ for the
purposes of the cookie rule. The definition of ‘consent’ which we
therefore rely on is that given in Directive 95/46/EC – the Data
Protection Directive (which you can access online at:
eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML). The Directive defines consent at article 2(h)). At this point, we have
not issued additional guidance regarding what constitutes consent in
the context of the new rule on cookies – on the basis that this is no
different to the existing guidance on consent. You can find out more
about consent on our website at:
www.ico.gov.uk/for_organisations/data_protection/the_guide/conditions_for_processing.aspx (scroll down to the heading ‘consent’).
As you have no doubt already seen, our cookie guidance considers
various different ways of obtaining consent. As further advances are
made in respect of this new rule on cookies, we may add further
guidance to our existing guidance.
It doesn't really answer the question from what I can see. There is no distinction between cookies explicitly set by the developer and those set by other services on behalf of the developer in the response.
Interesting discussion - it does look like a simple Analytic tracking cookies falls under the law.
This is a really badly thought out bit of legislation. While a very small percentage of visitors are bothered, it is generally these people that know how to use browser cokkies settings. Everyone else just wants a web site to work.
I wonder how long it will be before there is a browser plug in that automatically clicks the 'accept' button on all the cookies warning pop-ups?
Before writing the plug-in for Wolf Software we actually contacted the ICO to check the position, and from that consultation we are of the understanding that GA should be considered to be non-essential and as such consent is required.
The issue about it being 1st or 3rd is moot as it is only the 'non-essential' part that makes it covered by the law.
We are not implying that the problem is the webmasters either as stated at the top, what we have done is give webmasters a simple solution to this problem should they want to use it. We are led to believe that it is the website 'owner' who is ultimately responsible.
We have also verified with the ICO that the plug-in we released was fir for purpose and met the new legislation requirements with regards to GA.
It is very much a case of, if you want it, it is there to use, we do not imply anything about the law, we just offer a simple free solution to one aspect of it.
ADDED:
With regards to the ICO, we sent them a link to demo and simply asked if they felt it was fit for purpose, we were told that in the eyes of the ICO, the plugin was "fit for purpose and compliant with the new law"
The above answer talks in detail about third party cookies and is right that the ICO has yet to give guidance on them. This is a moot point though as Google Analytics, contrary to the original post, uses first party cookies.
The short answer is that no-one knows yet.
The long answer is that 3rd party cookies are a hazy area; it's not clear from the directive (PDF) who would be prosecuted for failing to obtain consent when storing 3rd party cookies.
The ICO's current interpretation and advice, published in "Changes to the rules on using cookies...", admits that they don't know how the directive applies to 3rd party cookies:
"The process of getting consent for these [3rd party] cookies is more complex and our view is that everyone has a part to play in making sure that the user is aware of what is being collected and by whom."
Emphasis mine. They don't say who's responsible, only that someone is. Furthermore, they say that they're attempting to clarify these rules:
"[3rd party cookies] may be the most challenging area in which to achieve compliance with the new rules and we are working with industry and other European data protection authorities to assist in addressing complexities and finding the right answers."
They are expecting that these third party services
...will no doubt adapt to achieve compliance with the new rule...
One possible hint of the ICO's stance is that they list Google Analytics cookies as non-essential in their own privacy policy, and only use Google Analytics if you consent to storing cookies. I think that this sets the tone for any clarification they might offer. They may well say, 'you need to ask permission for 3rd party cookies too, because it's your choice whether you use those services or not'. But we don't know for sure yet.
This uncertainty is one reason for the compliancy deadline being extended to 25th May 2012. The best thing British webmasters concerned about the impact can do is to keep an eye on the ICO's website and wait for clarification from them. In the meantime, the rest of their advice outlined in their guidelines is worth following for cookies that you issue yourself.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.