In my quest to get to grips with the EU Cookie Directive I keep coming back to Google Analytics as an example of the dilemmas posed by the directive.
A sliding scale of naughtiness
So there are good and bad cookies, of that there is no doubt.
There are cookies that are 100% necessary for the functioning of a website and these are clearly good. There are others that track us as we go from site to site and seek to work out exactly who we are for marketing purposes and do so without our permission or knowledge. These are clearly bad.
If we were to create a 1 to 5 naughtiness scale for cookies the 100% necessary cookie would be a 1 (angelic), and the invasive marketing one a 5 (evil!)
Really “good” (the directive terminology is “strictly necessary”) cookies don’t need consent under the EU Directive; less good ones (those we score with a 2 or higher) do.
Why bother with a scale?
In the Information Commission Officer’s guidelines they indicate that the more intrusive your cookies are, the more effort you need to put into getting consent.
…the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent.
Clearly this leaves a lot of grey areas which in some ways makes complying a nightmare, in other ways it’s good news because having any plan, even a misguided one, could well be the “get out of jail free card”.
So the ICO want us to assess our cookies as part of having a plan for compliance. My interpretation is that really intrusive cookies need definitive click-here-to-sign-your-private-life-away type pop-ups (yuck) whereas mechanisms for getting consent for nicer, politer cookies can be much softer.
So to determine what approach we might need to take to get consent, we need to grade our cookies’ “naughtiness”. Easier said than done.
The Direct Marketing Association have suggested categorising cookies as follows:
- Cookies necessary for the provision of service
- Useful but intrusive cookies
- Helpful non-intrusive cookies
- Obsolete cookies
We have to classify cookies somehow; I just happen to prefer a sliding scale to the above.
How evil is Google Analytics?
So where does this leave the online marketeer’s favourite tool: Google Analytics? Is Google Analytics in the firing line as part of this directive? Some, such as GA book author Brian Clifton, think not. Whilst I’d love to subscribe to his point of view, I’m less confident.
Good or Evil Cookie?
In my mind tracking website use is to some extent invasive – it has great benefit to us as website owners but as a human, there is something slightly uncomfortable about cameras in shops being used to monitor me to help the shop improve future customers’ shopping experiences.
I love Google but the “do no evil” mantra has worn a bit thin with me. Others simply call them sleazy. So it wouldn’t surprise me if the directive was written with Google in mind.
The ICO guidelines in my mind are pretty clear on Google Analytics as they specifically state that tracking cookies are not exempt from the need to gain consent.
The exception would not apply, for example, just because….you decide to use a cookie to collect statistical information about the use of your website.
I am of the same opinion as the DMA that consent is required for Google Analytics cookies. How far we have to go to get that consent is something I’ll delve into next week (and that’s where the good news lies I think).
Of course there are much worse cookies than Google Analytics. The DMA categorisation would describe Google Analytics cookies as “Helpful non-intrusive cookies” (helpful to the website owner, not the user though IMHO) because the data is anonymised.
So we should consider whether the cookies are anonymous then? But in reality we are relying on a third party (Google) to do that anonymisation for us. Further, the cookie is transferring that data to a third party without the user’s knowledge (you are surfing this site but we are passing on that info to Google without telling you – until now at least!). There’s definitely something cheeky about that, even if you wouldn’t describe it as naughty.
In my view you’d have to consider Google Analytics cookies as at least a 2, probably a 3 and possibly a 4 on my scale of cookie naughtiness.
What are the most evil cookies?
What else should we be considering in assessing cookies? Sensitivity of data such as whether we record or can imply gender, religion, sexual preferences etc? Length of time data is stored? The number of parties data is passed through? I’d be interested in your thoughts.
What cookies do you think the directive is eyeing up? What do you consider to be the very worst cookies? Please help me decide what cookies should get a naughtiness score of 5. Any input or examples appreciated. Please comment below.
(Side note: I’m currently working on a simple free tool for auditing cookies. If you’ve got the time to test it and give me your opinion on it, please get in touch.)

Always go to the horse’s mouth – This is what the ICO website says as of 23.05.11. I don’t think this complies with their Guidance but they’ve got a few days to change it . . .
We use Google Analytics to help analyse use of our website. This analytical tool uses ‘cookies’, which are text files placed on your computer, to collect standard internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of the website (including your IP address) is transmitted to Google. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity for the ICO. To find out more about cookies, including how to control and delete them, visit http://www.allaboutcookies.org, or to opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
Nice post. I would share your view that GA Cookies do not fall into the “good” category. My question would be once you have analysed cookies against a scale – what next?
If we take your site as an example you have 37 cookies (which can go higher). I cannot see how many of your cookies are in the “good” class but the majority look to be generated by 3rd party solutions which enhance the function of the site (sharethis, discuss, facebook etc.) but aren’t probably “good”. Many of the 3rd party solutions use their own GA cookies which makes life more complex. The issue is that you (we all) have no control over the 3rd party site add-ons, therefore if you/we wish to continue using them we have to get opt-in permission for all of them (unless the 3rd party changes their functionality).
How do you think you will handle this on your site? Could you add to your post with an analysis of your own, your rating on their goodness/naughtiness, and how you plan to address opt-in for those that aren’t “good”?
Hi Simon,
Thanks for your comment. I’ll certainly be looking to expand on how we intend to go about trying to comply and certainly we will put up an audit of our own site in the next few days.
My next task is to create a scale of “opting-in strength” (need a better name) where pop-ups are the safest way of guaranteeing consent and small notices in the footer could be acceptable for cookies with a naughty score of 2.
Out of interest what did you do to detect our site’s cookies?
Certainly the ICO site will be one to check come Thursday morning. I’m really interested to see if they go for a pretty soft “consent” option or not.
Thanks also for posting the privacy policy info – this is the example of the sort of level of detail that I think we are going to have to develop.
The uncontrollable element of cookie usage (WordPress etc) is part of the cost of free. Providers who ‘give’ plug-ins etc need some form of payback if they are not given payment. So they imprint inherent advertising or backdoor metrics. We either prepare to pay for a ‘clean’ service for shiny cookies or go free with string connecting data rich cookies. My site uses many free plug-ins and some offer a donate or pro option which I intend to use if I find them useful. Perhaps they can add a cleanliness guarantee to traceability and usage too.
Absolutely, I am up for some government cookie surveying on Thursday, almost tempted to build a robot which checks all cookies (on government sites) and posts complaints on ICO.
I think your idea of automating audit is a really good one especially in your business.
I use the Web Developer toolbar Firefox plugin, which is extremely useful even for non-developers. I highly recommend it for website owners who need to test their user experience with all kinds of conditions (screen size, user agent, cookies/non cookies, javascript/non javascript, web standards, css compliance, etc.)
Hi,
Just tried this and found more cookies than I expected..
anyway.. it would be a nice tool if you can enable a download of the table that is generated when you click on show all cookies..
this way I can put it into the “cookie” extensive list via a link on the privacy policy I’m writing
for now it looks like all 95 cookies I have to type myself
E.g. it would be nice if it can download something like this but in columns:
Site: Website name here
cookies from this site : list of cookies
More information about these cookies/what they do
.
This would be a fantastic way of easily complying with the law by stating all the cookies and what they are used for and why they are there in the privacy policies.
(it’s even on the ICO privacy policy with all the cookies and what they use and why)
thanks for the useful tool, and I hope that this comment can help improve this for everyone in the near future if it is possible!