The EU cookie law and why you need to know about it
The EU Directive on Privacy and Electronic Communications initially caused quite a stir 12 months ago, but the UK's Information Commissioner's Office stepped in and said that UK firms would have a year to comply with the regulations. That year is up on 26th May and people are starting to talk about the EU Cookie Law again; however, no-one seems to be exactly sure what the implications will be and the ICO is not offering answers to the questions people are asking.
What is the directive about?
The intention of the directive was to combat "tracking cookies" and other similar techniques used by advertising networks to analyse your online behaviour and offer targeted ads to you. Cookies are small text files, stored on your computer by a website, that contain short pieces of information. These can range from the contents of your shopping basket to a unique (ish) identifier used by large ad networks to track your browsing history. Whilst the files themselves are harmless, many privacy groups object to the non-consensual tracking of an internet user's browsing habits. The "unique" identifiers used do not contain any real personal information and cannot track you across different computers or even different browsers on the same machine; however, they allow ad networks to build up a profile on the person using that computer based on their browsing habits. By analysing which sites you visit that contain their adverts, they can make an educated guess at your age and gender and get an insight into what you read about. This allows them to show you adverts that have more relevance to you, which in turn allows them to charge more for the placement of those adverts.
Seems like a great idea, no?
A huge number of website owners use statistical packages (such as Google Analytics
Many have reached out to the ICO in an attempt to get them to clarify and explicitly state whether cookies used solely for statistical analysis are allowed or not. The ICO have issued some clarification this month, but it still does not make the situation any clearer. The Register managed to get these quotes from the ICO:
The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.
Which seems pretty clear, until you read on:
Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.
The effect of complying
So website owners are left with a choice: ask all visitors to opt-in to allow cookies or stop using cookies entirely. The ICO started offering users the opportunity to opt-in to their analytics cookies, and it completely decimated their statistics
and bad data is often worse than no data at all. This means the only realistic option, if you want to avoid confusing and worrying your users with prompts, is to ditch your statistics and lose that insight into how your website is working and how to improve it.
Or is it?
Before the likes of Google Analytics came along, packages like Urchin
In addition to this, there is another part of that quote from the ICO:
Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
As Piwik is something you can install on your own servers, you can make these cookies "first party" and therefore not be "prioritised" for regulatory action. Whilst this is not the get-out-of-jail-free card that many website owners are looking for, it certainly reduces the risk of being singled out amongst the many thousands of websites using these analytical cookies.
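To make the first-party versus third-party distinction concrete, the following added example (not part of the original article) audits the `Set-Cookie` headers seen while loading a page and labels each cookie by party and lifetime. The hostnames, cookie names and the short two-part suffix list are constructed assumptions; a real audit would use the full Public Suffix List.

```javascript
// Added example. Assumption: a short suffix list stands in for the Public Suffix List.
const TWO_PART_SUFFIXES = new Set(["co.uk", "org.uk", "gov.uk", "ac.uk"]);

// Reduce a hostname to its registrable domain (stats.example.co.uk -> example.co.uk).
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const keep = TWO_PART_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Parse one Set-Cookie header value into the fields this audit needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), domain: null, persistent: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "domain") cookie.domain = value.trim().replace(/^\./, "").toLowerCase();
    // Expires or Max-Age makes the cookie outlive the browser session.
    if (k === "expires" || k === "max-age") cookie.persistent = true;
  }
  return cookie;
}

// Classify every cookie set while loading a page served from pageHost.
function auditCookies(pageHost, responses) {
  const site = registrableDomain(pageHost);
  return responses.flatMap(({ host, setCookie }) =>
    setCookie.map((header) => {
      const c = parseSetCookie(header);
      // The cookie is scoped to its Domain attribute, or to the responding host.
      const scope = registrableDomain(c.domain || host);
      return { name: c.name, scope, party: scope === site ? "first" : "third", persistent: c.persistent };
    })
  );
}

// Constructed sample: responses observed while loading www.example.co.uk.
const SAMPLE = [
  { host: "stats.example.co.uk", setCookie: ["visitor_id=a1b2; Max-Age=31536000; Path=/"] },
  { host: "ads.adnetwork.example", setCookie: ["uid=9f8e; Domain=.adnetwork.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT"] },
  { host: "www.example.co.uk", setCookie: ["basket=3; Path=/; HttpOnly"] },
];

for (const row of auditCookies("www.example.co.uk", SAMPLE)) {
  console.log(`${row.party}-party ${row.persistent ? "persistent" : "session"} cookie ${row.name} (${row.scope})`);
}
```

The analytics cookie set from a subdomain of the site's own domain is reported as first-party, while the ad network's identifier is reported as third-party.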
How we can help
We have had a very robust and powerful Piwik installation running for over a year now and the clients already using it are very happy with the reports it produces. We can therefore offer a number of options to our current clients or anyone else for maintaining their statistical data.
- Install and host Piwik on your own domain
- Add your site to our main Piwik install and give SBIT access to your webserver logs
This option requires the least setup and management on your side, but it does mean there will be slightly less detail in the reports and a delay in statistical data. SBIT will fetch the logs from your server and process them into Piwik at regular intervals, meaning no modifications to your website are needed and no cookies are used, so your website is fully compliant.
- Host your stats on the SBIT Piwik install under your own domain
It is unclear if this will be fully allowed, but it is almost indistinguishable from option 1. Data is segregated by client, indicating that it is still "first party" in a way and SBIT are acting as agents to help you manage that data.
If you would like any guidance on the matter, or you are interested in trialling Piwik, please get in contact via phone (01372 28 28 28), email