In my quest to get to grips with the EU Cookie Directive I keep coming back to Google Analytics as an example of the dilemmas posed by the directive.
A sliding scale of naughtiness
So there are good and bad cookies, of that there is no doubt.
There are cookies that are 100% necessary for the functioning of a website and these are clearly good. There are others that track us as we go from site to site and seek to work out exactly who we are for marketing purposes and do so without our permission or knowledge. These are clearly bad.
If we were to create a 1 to 5 naughtiness scale for cookies the 100% necessary cookie would be a 1 (angelic), and the invasive marketing one a 5 (evil!)
Really “good” (the directive terminology is “strictly necessary”) cookies don’t need consent under the EU Directive; less good ones (those we score with a 2 or higher) do.
Why bother with a scale?
In the Information Commission Officer’s guidelines they indicate that the more intrusive your cookies are, the more effort you need to put into getting consent.
…the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent.
Clearly this leaves a lot of grey areas, which in some ways makes complying a nightmare. In other ways it’s good news, because having any plan, even a misguided one, could well be the “get out of jail free card”.
So the ICO want us to assess our cookies as part of having a plan for compliance. My interpretation is that really intrusive cookies need definitive click-here-to-sign-your-private-life-away type pop-ups (yuck) whereas mechanisms for getting consent for nicer, politer cookies can be much softer.
So to determine what approach we might need to take to get consent, we need to grade our cookies’ “naughtiness”. Easier said than done.
The Direct Marketing Association have suggested categorising cookies as follows:
- Cookies necessary for the provision of service
- Useful but intrusive cookies
- Helpful non-intrusive cookies
- Obsolete cookies
We have to classify cookies somehow, I just happen to prefer a sliding scale to the above.
How evil is Google Analytics?
So where does this leave the online marketeer’s favourite tool: Google Analytics? Is Google Analytics in the firing line as part of this directive? Some, such as GA book author Brian Clifton, think not. Whilst I’d love to subscribe to his point of view, I’m less confident.
Good or Evil Cookie?
In my mind tracking website use is to some extent invasive – it has great benefit to us as website owners but as a human, there is something slightly uncomfortable about cameras in shops being used to monitor me to help the shop improve future customers’ shopping experiences.
I love Google but the “do no evil” mantra has worn a bit thin with me. Others simply call them sleazy. So it wouldn’t surprise me if the directive was written with Google in mind.
The ICO guidelines in my mind are pretty clear on Google Analytics as they specifically state that tracking cookies are not exempt from the need to gain consent.
The exception would not apply, for example, just because….you decide to use a cookie to collect statistical information about the use of your website.
I am of the same opinion as the DMA that consent is required for Google Analytics cookies. How far we have to go to get that consent is something I’ll delve into next week (and that’s where the good news lies I think).
Of course there are much worse cookies than Google Analytics. The DMA categorisation would describe them as “Helpful non-intrusive cookies” (helpful to the website owner, not the user though IMHO) because the data is anonymised.
So we should consider whether the cookies are anonymous then? But in reality we are relying on a third party (Google) to do that anonymisation for us. Further, the cookie is transferring that data to a third party without the user’s knowledge (you are surfing this site but we are passing on that info to Google without telling you – until now at least!). There’s definitely something cheeky about that, even if you wouldn’t describe it as naughty.
In my view you’d have to consider Google Analytics cookies as at least a 2, probably a 3 and possibly a 4 on my scale of cookie naughtiness.
What are the most evil cookies?
What else should we be considering in assessing cookies? Sensitivity of data such as whether we record or can imply gender, religion, sexual preferences etc? Length of time data is stored? The number of parties data is passed through? I’d be interested in your thoughts.
What cookies do you think the directive is eyeing up? What do you consider to be the very worst cookies? Please help me decide what cookies should get a naughtiness score of 5. Any input or examples appreciated. Please comment below.
Side note - I’m currently working on a simple free tool for auditing cookies. If you’ve got the time to test it and give me your opinion on it, please get in touch.