The EU cookie law and why you need to know about it

Richard Benson | 20 April 2012 | IT Pros, Web, Consumers

The EU Directive on Privacy and Electronic Communications initially caused quite a stir 12 months ago, but the UK's Information Commissioner's Office (ICO) stepped in and said that UK firms would have a year to comply with the regulations. That year is up on 26th May and people are starting to talk about the EU Cookie Law again; however, no one seems to be exactly sure what the implications will be, and the ICO is not offering answers to the questions people are asking.


What is the directive about?

The intention of the directive was to combat "tracking cookies" and other similar techniques used by advertising networks to analyse your online behaviour and offer targeted ads to you. Cookies are small text files, stored on your computer by a website, that contain short pieces of information. These can range from the contents of your shopping basket to a unique (ish) identifier used by large ad networks to track your browsing history. Whilst the files themselves are harmless, many privacy groups object to the non-consensual tracking of an internet user's browsing habits. The "unique" identifiers used do not contain any real personal information and cannot track you across different computers, or even across different browsers on the same machine; however, they allow ad networks to build up a profile of the person using that computer based on their browsing habits. By analysing which sites you visit that carry their adverts, they can make an educated guess at your age and gender and get an insight into what you read about, allowing them to show you adverts that are more relevant to you and, in turn, to charge more for the placement of those adverts.


Seems like a great idea, no?

Although the intention of the directive is good, the wording is vague (intentionally so, for future-proofing) and does not cover the huge range of uses cookies can have. There is a provision in the directive for cookies that are "strictly necessary for the delivery of a service requested by the user", such as shopping basket tracking; however, what is deemed "strictly necessary" is not clear enough.
A huge number of website owners use statistical packages (such as Google Analytics or Piwik) to track users on their site, find out which pages are most popular, how users interact with the site and how they move through the purchase process. This data is not usually personally identifiable and is mostly only viewed in aggregate; however, it uses cookies to achieve this and therefore falls foul of the directive.
Many have reached out to the ICO in an attempt to get them to clarify and explicitly state whether cookies used solely for statistical analysis are allowed or not. The ICO have issued some clarification this month, but it still does not make the situation any clearer. The Register managed to get these quotes from the ICO:
"The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent."
Which seems pretty clear, until you read on:
"Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals."

The effect of complying

So website owners are left with a choice: ask all visitors to opt in to allow cookies, or stop using cookies entirely. The ICO started offering users the opportunity to opt in to their analytics cookies, and it completely decimated their statistics; bad data is often worse than no data at all. This leaves only one realistic option if you want to avoid confusing and worrying your users with prompts: ditch your statistics and lose that insight into how your website is working and how to improve it.

Or is it?

Before the likes of Google Analytics came along, packages like Urchin, LiveStats and Sawmill generated statistical data by interrogating the logs created by the web server, rather than putting anything on the user's computer. This sort of analysis is still allowed, but until now it has not usually provided the same rich experience that Google Analytics and its competitors do. Piwik have announced that from the next version you can import web server logs into your stats and get (most of) the same reports you get with the JavaScript and cookie-based tracking.
In addition to this, another part of that quote from the ICO is relevant:
"Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
As Piwik is something you can install on your own servers, you can make these cookies "first party" and therefore not be "prioritised" for regulatory action. Whilst this is not the get-out-of-jail-free card that many website owners are looking for, it certainly reduces the risk of being singled out amongst the many thousands of websites using these analytical cookies.

How we can help

We have had a very robust and powerful Piwik installation running for over a year now, and the clients already using it are very happy with the reports it produces. We can therefore offer a number of options to our current clients, or anyone else, for maintaining their statistical data.
  1. Install and host Piwik on your own domain
    This makes all cookies it generates "first party" and therefore you should fall into the "unlikely to prioritise" category. It does mean that you will need MySQL and PHP hosting on your domain and a mid-level hosting package to cope. You will also have to add text to your site indicating your use of cookies in this manner and allow users to opt out; SBIT can provide a simple script to add to your site to achieve this.
  2. Add your site to our main Piwik install and give SBIT access to your web server logs
    This option requires the least setup and management on your side, but it does mean there will be slightly less detail in the reports and a delay in statistical data. SBIT will fetch the logs from your server and process them into Piwik at regular intervals, meaning no modifications to your website are needed and no cookies are used, so your website is fully compliant.
  3. Host your stats on the SBIT Piwik install under your own domain
    It is unclear if this will be fully allowed, but it is almost indistinguishable from option 1. Data is segregated by client, indicating that it is still "first party" in a way, with SBIT acting as agents to help you manage that data.
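The cookie-free alternative behind option 2 (and behind the Piwik log import mentioned above) is to derive page views, visits and referrers purely from the web server's access log. The block below is an added illustration written for this page; it is not Piwik's importer (Piwik ships its own log-analytics script) and not SBIT's code. It parses a few constructed lines in the standard Apache/nginx "combined" log format, discards static assets, errors and crawlers, and approximates a "visitor" by IP address plus user agent with a 30-minute idle gap between visits. That approximation is the trade-off the article describes: no identifier is stored on the user's machine, so two people behind the same NAT with identical browsers are merged, which is why the reports carry slightly less detail.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log in "combined" format (illustrative only, not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Apr/2012:09:15:02 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [20/Apr/2012:09:15:40 +0100] "GET /products HTTP/1.1" 200 8810 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [20/Apr/2012:09:16:05 +0100] "GET /css/site.css HTTP/1.1" 200 1400 "http://www.example.com/products" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [20/Apr/2012:09:20:11 +0100] "GET /products HTTP/1.1" 200 8810 "http://www.google.co.uk/search?q=widgets" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [20/Apr/2012:09:21:30 +0100] "GET /basket HTTP/1.1" 200 3300 "http://www.example.com/products" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [20/Apr/2012:09:22:02 +0100] "POST /checkout HTTP/1.1" 302 0 "http://www.example.com/basket" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [20/Apr/2012:10:05:00 +0100] "GET /products HTTP/1.1" 404 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.10 - - [20/Apr/2012:11:30:00 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

# One regular expression for the combined log format: client, identity, user, timestamp,
# request line, status, size, referer and user agent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico")
BOT_MARKERS = ("bot", "crawler", "spider")
SESSION_GAP_SECONDS = 30 * 60   # a visitor idle for longer than this starts a new visit
OWN_HOST = "example.com"        # assumed site host, used to separate external referrers


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_page_view(rec):
    """Keep successful GETs of real pages; drop assets, redirects, errors and crawlers."""
    if rec["status"] != 200 or rec["method"] != "GET":
        return False
    if rec["path"].lower().endswith(STATIC_SUFFIXES):
        return False
    if any(marker in rec["agent"].lower() for marker in BOT_MARKERS):
        return False
    return True


def analyse(log_text):
    """Build the basic reports a cookie-based tracker would give: pages, visitors, visits, referrers."""
    views = [r for r in map(parse_line, log_text.splitlines()) if r and is_page_view(r)]
    page_counts = Counter(r["path"] for r in views)

    # A "visitor" is approximated by IP + user agent because no cookie identifier exists.
    by_visitor = defaultdict(list)
    for r in sorted(views, key=lambda r: r["time"]):
        by_visitor[(r["ip"], r["agent"])].append(r)

    # Split each visitor's hits into visits using the idle gap.
    visits = 0
    for hits in by_visitor.values():
        last = None
        for r in hits:
            if last is None or (r["time"] - last).total_seconds() > SESSION_GAP_SECONDS:
                visits += 1
            last = r["time"]

    # Referrers from other hosts tell you where traffic came from (search engines, links).
    external_referrers = Counter(
        r["referer"].split("/")[2]
        for r in views
        if r["referer"] not in ("-", "") and OWN_HOST not in r["referer"]
    )

    return {
        "page_views": sum(page_counts.values()),
        "top_pages": page_counts.most_common(),
        "unique_visitors": len(by_visitor),
        "visits": visits,
        "external_referrers": external_referrers,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on the sample prints five page views from two visitors across three visits, with the search engine as the only external referrer; the stylesheet request, the POST redirect, the 404 and the crawler hit are all excluded. A real deployment would read the rotated log files the hosting provider makes available and feed the same records into Piwik on a schedule, which is the "delay in statistical data" the option above mentions.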
If you would like any guidance on the matter, or you are interested in trialling Piwik, please get in contact via phone (01372 28 28 28), email, Twitter or Facebook.