Web Analytics Illegal in UK after 26 May? Crazy (hp.com)
84 points by richij on April 20, 2012 | 98 comments



If you read right to the end of the actual guidance from the ICO it says:

---

We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website

The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent.

In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

---

My interpretation of that is: tell your web site users clearly what you do with analytics and why and we are very unlikely to bother coming after you.


Frankly, their policy seems sensible and I'm having a hard time giving a fuck about the webmasters (is this still used?).

If you want to track, do it properly with a package installed on your own server. Stop subjecting your users to Google's All-Seeing Eye just because using their Analytics is easier for you.


I am currently a webmaster (and I don't know if that's still used either, doesn't feel like it), and this is going to be a huge pain in the arse. The main reason it is a pain is the vagueness of the legislation; nobody has any idea what they can and can't do.

Sure we can follow the ICO and put a pop-up on the site asking to accept cookies or not (which if you select 'not' ironically creates a cookie), but as other people have pointed out that's laughable (for a huge number of reasons) and would push online trade away from UK sites. Easiest option for me would be to shift hosting outside the EU, take the SEO location hit and get back to work as usual (EDIT: it appears I am a little behind on the legislation as last time I read it hosting overseas was a loophole, looks like I need to refresh things).

Alternatively if I could dispense with cookies and shift tracking upstream to a CDN that would also save me the problem and at that point I should be getting even more data such as IP addresses.

Users need to take control of their browsing and privacy, they need to be aware of what they are giving away when they join a site or go online in general. Currently they are clueless and that is what needs to stop: force a prompt for all cookies regardless of country, which evens the playing field and makes people think for a change (if you're a Chrome user, "Edit this cookie" is an invaluable plugin for monitoring and removing what each site is placing on your machine).

It's also a bit rich saying that tracking cookies are bad whilst trying to pass a law attempting to track almost all communication:

https://www.eff.org/deeplinks/2012/04/uk-government-proposes...


On the ICO's site (http://www.ico.gov.uk) there is no "don't accept cookies" option. You can only select "accept" or not interact with the form at all. If you don't accept cookies then the form is shown at the top of every page.


I stand corrected, sorry about that, originally it did, which was the cause of much amusement for a while. Obviously they fixed it.


It's amusing that the "fix" is making the user experience much worse.


"It's also a bit rich saying that tracking cookies are bad whilst trying to pass a law attempting to track almost all communication:"

Governments hate competition.


Don't forget, all that consent given in the TOS is pointless as nobody has time to read all the TOS they need to.

I am in 100% support of this law. Even if it impacts my ability to analyze users.


Google's 'All-Seeing Eye' uses first-party cookies, just like anything you'd install on your own server. Just because something uses first-party cookies doesn't mean the data's not being sent to a third-party.

If this goofy law is more than sporadically enforced, future analytics probably won't use cookies at all - they'll just combine browser fingerprinting with server-side logs that get automatically sent to a third-party for processing. Individual end-users won't have any way of knowing whether it's there or not.


This isn't about third party cookies, it's about cookies period - with the exceptions listed in the article. If you use your own analytics package, the chances are it will use cookies, so user permission will still be required. Log parsing isn't sufficient to get user-based statistics.


Yes, but they also say "we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

So in theory all cookies are the same, in practice they're not - first party analytical cookies are mostly safe.


The law is the law as it's written and then as it's reflected in court decisions. We can't choose to do what is defined as illegal just because a FAQ says "we probably won't come after you". That's a risk that many businesses can't afford to take. It's a poorly written law, and as is often the case in laws as knee-jerk reactions to tech changes, throws the baby out with the bathwater. I do think this law shows that we need better tracking mechanisms to meet the needs and expectations of the site owners and the site users, but it shows us by trying to destroy instead of trying to help guide.


> The law is the law as it's written and then as it's reflected in court decisions.

That's true. While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.

If anything people want the ICO to be a bit tougher - there are plenty of actually dodgy privacy-invading practices going on that the ICO seems to be powerless to stop.

> knee-jerk reactions

This law has been a long time in the making. Self-regulation would be ideal. But there are too many operators who are willing to ignore sensible privacy standards for self-regulation to be possible. Unfortunately some of those bad actors are going to ignore any laws.


> While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.

Until some group puts pressure on them to enforce against analytics sites. Or the top brass at ICO are switched out. Or a politician makes it their mission for a little while. Or...

"We are making this illegal, but we won't enforce it, really!" is not a trustworthy statement.


> The law is the law as it's written and then as it's reflected in court decisions.

That may not be as true as you think.

I don't really know how the modern UK legal system works in this regard, but in the US, the courts would A) defer to the interpretation of the agency (in this case the ICO) as to what a statute means, and B) greatly frown on any attempt to prosecute without warning people who reasonably relied on the agency's declarations.


You can get user-based statistics without cookies with:

    (new Image()).src="http://your.tld/track.png?ua=" + encodeURIComponent(navigator.userAgent);
and then parse your logs.

Update: this is just an example, as ars notes the user agent is sent as an HTTP header. But screen resolution etc. is not.


§66 on page 20 of Directive 2009/136/EC at [1] uses the word "information", not "cookies".

  Third parties may wish to store information on the
  equipment of a user, or gain access to information
  already stored, for a number of purposes, ranging
  from the legitimate (such as certain types of
  cookies) to those involving unwarranted intrusion
  into the private sphere (such as spyware or
  viruses). It is therefore of paramount importance
  that users be provided with clear and comprehensive
  information when engaging in any activity which
  could result in such storage or gaining of access.
The purpose of the directive is to be as broad as possible to cover collection of any type of information without express permission or "strictly necessary and legitimate purpose".

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...


???

How does this help? The UserAgent is already sent in the headers - what's the point in sending it in a query string?


Look, there are tons of data available in the browser, see http://panopticlick.eff.org/ for a good example. But they are non-stable for reasons outside of the user's control. So, if a user wants to kill her cookies every day, cool, they can. They can't randomly change their useragent+screen-resolution on a daily basis with the same ease. In addition, UA changes outside of user's control (a browser update pushed on them, for example) and that breaks tracking they may want.

So, no, these workarounds are not the right answer; we need mechanisms that let users control their data and let them choose to share it. It's up to us as product makers to give them a good reason.


Well, having made no special effort, the site claims my User-Agent is as unique as my set of 5,150 installed fonts. To be fair, I suppose WebKit nightly version numbers don't satisfy most definitions of "random".

As for mechanisms, to what end, if nobody bothers to use them? Especially things like "randomize User-Agent string" that'd break a great many "non-evil" sites?


Looks like someone made a "randomize user-agent" for Chrome: http://news.ycombinator.com/item?id=3880536


There's a whole class of 'mom & pop' type websites out there that need analytics to function but:

* It's hosted in a way that precludes putting your own analytics in there (github pages, s3 etc.)

* The users lack the technical sophistication to install and manage their own analytics.

I've just finished moving my wife's site to github pages. It's awesome. The mac github client is pretty friendly, I set up the repo and jekyll and put a shortcut on her desktop to fire up a local server. She knows enough HTML to be able to update content on it. Analytics would be massively useful but it just won't be sensible for me to put them in.

I'm hoping what happens is that Google releases its UK-friendly analytics which does the following:

* Stops dropping cookies on UK based browsers

* Attempts to get consent through a different channel and then enables cookies for those users across the board


> There's a whole class of 'mom & pop' type websites out there that need analytics to function

If they are not skilled enough to install their own counter, I doubt they need analytics.


* 'Installing their own counter' may require moving off their own hosting provider

* I know a large number of business minded folk who could not operate without analytics but are not qualified to install any of the software in this list: http://en.wikipedia.org/wiki/List_of_web_analytics_software#...


So be it.

Or ask (pay?) your hosting company to give you analytical tools (like a simple log!). It used to be the norm.


Translation: we don't want to sue you, this law is to go after Facebook and Google.


I don't know where on earth you picked up this conspiracy theory but it's not.

If you'd been following this whole mess you'd know it's just typical EU nonsense legislation that no-one knows how to implement, and the UK is once again implementing it too harshly in law but giving it absolutely no teeth by creating a practically powerless and massively underfunded enforcement vehicle while our EU brethren quietly ignore it.

No big conspiracy, just your bog standard bureaucratic incompetence from the EU.


No conspiracy intended! I know this started as the result of some-scaremongering-or-other on the Continent, as usual.

What I'm saying is that it's clear to everyone involved that the authorities (EU or UK or whatever) will never be able to enforce this law except for the largest targets, in the same way as they'll never go after anyone coupling their OS and browser except if it's as big as Microsoft.


> Translation: we don't want to sue you, this law is to go after Facebook and Google.

Actually, it's to go after anyone they don't like. I suspect that Facebook and Google are better equipped to handle "go after" than you are.

No, they may not want to go after you today, mostly because they probably don't know that you exist but get their attention and things may change.


If shopping cart-type cookies are excluded, then I'd say this law favors FB et al.


How so? From what I understand, these regulations make the Like button illegal -- I believe that was the main target of this legislation, together with similar efforts from Google aimed at tracking users across websites.


So then it's not so simple. Some commerce wins, some lose.


> it is highly unlikely that priority for any formal action

In other words, don't piss us off or we'll use this to screw you.

You may trust the current administration to leave you alone on this but they won't be in office forever.


You're right, and I think that's what my company will be doing, however: it's scary that there's a law against it and their advice is "break it, we probably won't care".


NoScript, RequestPolicy, Adblock Plus, RefControl, UAControl, Do-not-track cookie-disabled Mozilla Firefox user here.

Regulating Internet technologies to this level of pedantic granularity will ensure that spammers, scammers, crackers and fraudsters have an effective monopoly on privacy-busting technology. The incentive for software to implement correct technological solutions will be taken away if an honesty box Do-not-track approach is considered adequate. I want my browser to have a maximal number of reasons (including a multi billion dollar advertising industry) to address the technical concerns highlighted by Panopticlick[1] or privacy experts that "get it"[2]. These technical problems will be exploited by unwanted parties on the Internet. Exploitation will occur legally in other jurisdictions out of reach of EU laws.

The full text of the directive can be found at §66 on page 20 of Directive 2009/136/EC at [3].

[1] https://panopticlick.eff.org/

[2] http://33bits.org/

[3] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...


Disregarding the implementation details (which will probably evolve and adapt if this ever gets mandatory) I think it's a totally sensible thing as far as the user is concerned. I have the right to know how the information I send you is being used. If you'd like to track me, I'd rather have to opt in than opt out.


You have the ability right now, go to your settings and switch your cookie handling to "prompt me for all cookies", and tada! you are now in control.

It's a pain I admit, but such is the burden of maintaining your privacy online. Whenever I set up a computer for friends or family I always do this (as well as blocking flash and javascript as standard) and explain what it entails, because without that they cannot know what they are giving away.


I believe you are in the minority - most people, even on HN, are probably comfortable (or apathetic :-) ) enough to accept the status quo.

If you are really serious about protecting your privacy online, I imagine you already have your browser configured to deny all cookies except those which you explicitly accept. The tools to solve this problem already exist - either built in to the browser, or easily available as extensions.


I think you are seeing this from a limited viewpoint. There's lots of people out there who don't even understand what the internet is; you'd be lucky if they know what a browser is. The EU is proactively protecting those people, much like has been done for decades with offline data protection.


Protecting them from what exactly?

I'm genuinely curious about this - what do you think gets done with a browser cookie that actually causes real harm to the user? Perhaps that should be regulated instead of the mechanism for it.


Protecting them from commercial use of their personal data - without explicit consent. In the US it's more of a free-for-all and businesses can get away with much more; in EU countries, their governments prefer to protect their populations from businesses (before anything bad happens). Just a different philosophy.


That already is regulated in the EU, which has reasonable data protection legislation.

This is just supposed to be like the signs you are required to have if you use CCTV, letting people avoid it if they wish to.


My company is going to ignore the law until someone pulls us up on it. This law will severely restrict our ability to analyse how users are interacting with our product. This law will compromise our ability to further improve our product and disadvantage us against foreign competitors.

Our company doesn't track users off the site, we anonymise data so it cannot be tracked back to an individual... as far as we are concerned the law shouldn't apply to how we make use of cookies.

The fine is up to £500k. Realistically, the fine for a small company is more likely to be a few thousand. It would be better to pay a few k a month in fines than lose 90% of our user data. If we implement this we might as well stop developing our product.


I'm not disagreeing with you, but you might want to reword this post. The internet doesn't forget, and you never know when some old post might be used against you.


I don't post any personal information with my JohnnyFlash alias. I like my privacy :)

Thanks for the warning though.


There's still a risk. Assuming you have done a good job of keeping your personal information away from "JohnnyFlash", no one will find your company through your posts here.

However, what about the other direction? Suppose your company comes to their attention through some other means, and they start investigating. At some point, you could find yourself answering questions under oath. It's conceivable the questioner might go on a fishing expedition, and ask "Have you ever posted on HN under the alias Johnny Flash?" (he might ask that at every company he investigates).

Then you've got the annoying choice between telling the truth and making your company's case for accidental violation much worse, or lying under oath which, if that is discovered, could bring serious penalties.


They are paying attention; one of the companies I deal with used to manage a lot of other companies, and their main website was listed for all these other companies.

Check out the analytics for 26th of May 2011:

http://imgur.com/5zXtE


Who is forcing users to go to a website? I consider a website the same as someone's house. While I'm interacting with their server it's obvious they'll want to know what I'm doing.

It's tracking people outside of a website's scope that should be allowed only with consent, such as Facebook tracking people when they go to sites with a Like button and so on.


A site is much more like a shop - private property, but a public place, and therefore it has legal restrictions if you want it open to the public.


Even if that argument holds, and I want to analyze which sections of my shop or store are frequently visited, how often users buy goods, and effects of various changes that I make, I don't see why that should be illegal except in cases where I actually ask permission from every customer who walks into my shop.


This doesn't prevent you from analyzing which sections of your shop or store are frequently visited or how often users buy goods - that can be analyzed using the server logs.

Now, should e.g. Wal-Mart be able to put an RFID tag on you so that they know who you are the next time you come in? And more importantly, should they be able to contract a third party, which can then know when you enter any store with which they have a contract?


And shops do this; there is an entire specialisation in market research in doing footfall analysis, i.e. where people walk in shops. Why do you think they know to put sweets next to the checkout in supermarkets?


Sure, but I still need to know where you are and what you're doing in the "shop" to make sure you're not just making it crap for everyone else.


The most likely impact it will have is that it will drive more advertisers to closed platforms like Facebook where gaining consent will be easier. That's not to say Facebook won't be impacted, given that they won't be able to passively collect analytics using the Facebook like button on sites.

In terms of workarounds, here are a couple that I have found:

* Don't be a UK based company

While non UK companies are encouraged to respect these guidelines, they are not required to do so. From the guidelines:

"An organisation based in the UK is likely to be subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided."

Anyone care to guess what happens if a US company has a US-based website but also a UK-based presence?

* Get the 3rd party to get the consent. The following wording says that if the 3rd party cookie provider has gained consent from the user, the website will not also need to. As in:

"The key point is not who obtains the consent but that valid, well informed consent is obtained."

i.e. Facebook may only have to gain consent for its Like button once for any particular user, same for Google Analytics etc.

This is going to be bad for a whole bunch of folk:

* Display advertisers

* Sites that need analytics

* Sites that use 3rd party widgets that require state and those 3rd party providers (Disqus, Facebook Like buttons, etc.)


Facebook probably will continue to collect data from Like buttons as it is the site owner not them who has to get consent...


It's a good point but the wording in the guidelines suggests that both the 3rd party and the site operator share responsibility to get consent (ignoring the fact that Facebook may just sidestep this, being a US based company):

"The person setting the cookie is therefore primarily responsible for compliance with the requirements of the law."

and

"Where third party cookies are set through a website both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent."

It opens up an interesting liability issue. I suspect terms of service agreements for companies that provide services based on 3rd party cookies may be updated shortly.


I guess as Facebook deliberately designs the Like button to track this makes sense. Although maybe it will be ok as it will only track Facebook users, who will presumably have consented.

Facebook is legally an Irish company in Europe so cannot ignore this.


Stalking is illegal, for obvious reasons. Online stalking is equally illegal, for equally obvious reasons.

Just because said stalking is automated, used for commercial purposes and has been renamed with cool-sounding euphemisms doesn't suddenly make it acceptable. Neither does the fact that it currently happens on such a large scale that it affects virtually every website.

These laws aren't crazy, they are a gradual return to sanity. The EU isn't crazy either. The directive sets the baseline for what is and what isn't allowed in principle, allows for plenty of wiggle room, and the way it is actually implemented and enforced will be a gradual process.

All this over-the-top ranting without showing any self-reflection or attempt at self-regulation is exactly why this is now forced upon us from above in the first place. The EU and various government and consumer organisations have repeatedly called for the industry to keep itself in check.

Instead, the industry has gone completely mental under the motto "we do it because we can", and as a result we now have a commercial surveillance network that surpasses anything any totalitarian government could have ever dreamed of. And which on top of that blatantly violates already existing privacy laws.

Congrats. Well done. We've awoken the beast of government regulation, and we only have ourselves to blame. You can't keep pissing all over consumers and civil rights without it resulting in some kind of backlash.


We went through all this in Sweden a while ago, based on the same EU directive. What has happened since the law passed here?

Not much. A few government-related sites have started showing an explanation about what a cookie is and does, and gives the choice of accepting or declining the cookie.

Other sites, despite the law, continue to function like normal. It's simply unenforceable on a large scale.


Question: how do you remember that users say no without a cookie?


The current best-practice guidance[1] suggests that you split your cookies up into 4 types: essential, performance, functionality and tracking. All types should be selectable, but the first three could be opt-out by default as long as you display a notice. Only tracking cookies need be opt-in, and I'm fine with that.

BT have a nice implementation of this, or at least would have if they'd turned off tracking cookies by default (hah). I assume that their code is flexible enough that they can do this on the deadline. Look at the bottom right of http://www.bt.com/ (or any page on the same domain).

[1] http://www.international-chamber.co.uk/components/com_wordpr...


You remember the ones who say yes. As for the ones who say no, you ask them every time until they say yes. So I guess the system works.


What you're suggesting sounds like a dark pattern to me.


He's joking.

But like all good jokes there's an element of truth since I suspect that's exactly what some websites will do.


He's not joking.

Take a look at what the ICO themselves do - they show a consent box at the top of every page unless and until you opt in:

http://www.ico.gov.uk/


After you log them on, you can set a cookie for session management (it's allowed) and use that to remember a preference stored in your db (which you can get by default on registration).

If you can't log them on, well... I guess you should try to guess their country, and if it's UK, you don't track.

This is another case of well-intentioned but probably unenforceable legislation by our detached European elites.


I think the assumption is that you don't do any tracking by default and then the first cookie you set is to allow you to set other cookies in the future.

The ICO would have website owners pop up a box to new users asking them to give consent to using cookies.


> The ICO would have website owners pop up a box to new users asking them to give consent to using cookies.

Which if they refuse has to create a cookie so that their selection is remembered.

(Edited for clarity)
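An added example, not code from the thread, the ICC guidance or BT's site, of the consent gate the guidance above describes (essential always on, performance and functionality opt-out, tracking opt-in), which also answers the question in this sub-thread of how a refusal is remembered: the consent cookie itself is the one "essential" cookie. Assumptions of mine: the cookie is named cookie_consent and holds a JSON object of per-category booleans, and a DNT: 1 request header with no stored choice is treated as a browser-expressed refusal of the non-essential categories.

```javascript
// Constructed consent gate for the four cookie categories named in the guidance.
// Everything here works on plain strings (the Cookie request header, a Set-Cookie
// value), so it runs without a browser or server.

const CATEGORIES = ["essential", "performance", "functionality", "tracking"];

// Defaults per the guidance: essential always on; performance and functionality
// on until the visitor opts out; tracking off until the visitor opts in.
const DEFAULTS = { essential: true, performance: true, functionality: true, tracking: false };

// Hypothetical cookie name. It is itself "essential": without it a refusal
// could not be remembered, which is the paradox noted in the thread.
const CONSENT_COOKIE = "cookie_consent";

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Effective consent state for a request. `recorded` is false only when no
// choice has been expressed, i.e. when the notice still needs to be shown.
function consentFrom(cookieHeader, dntHeader) {
  const jar = parseCookieHeader(cookieHeader);
  const state = { ...DEFAULTS, recorded: false };
  if (jar[CONSENT_COOKIE] !== undefined) {
    try {
      const stored = JSON.parse(jar[CONSENT_COOKIE]);
      for (const c of CATEGORIES) {
        if (typeof stored[c] === "boolean") state[c] = stored[c];
      }
      state.recorded = true;
    } catch (_) {
      // Malformed or tampered value: ignore it and keep the defaults.
    }
  } else if (String(dntHeader) === "1") {
    // Assumption: a DNT: 1 header counts as consent expressed through browser
    // settings, so honour it as a refusal and do not nag with a banner.
    for (const c of CATEGORIES) if (c !== "essential") state[c] = false;
    state.recorded = true;
  }
  state.essential = true; // never switchable, whatever the stored value says
  return state;
}

// Set-Cookie value that records a visitor's choice, including a refusal.
// Attempts to disable "essential" are ignored.
function consentCookieValue(choice) {
  const stored = {};
  for (const c of CATEGORIES) stored[c] = c === "essential" ? true : Boolean(choice[c]);
  const value = encodeURIComponent(JSON.stringify(stored));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Keep only the cookies the consent state permits. `wanted` is a list of
// { name, category } entries; an unknown category is never set.
function filterCookies(wanted, consent) {
  return wanted.filter((ck) => CATEGORIES.includes(ck.category) && consent[ck.category]);
}

function shouldShowBanner(consent) {
  return !consent.recorded;
}

// Walk-through on constructed input: a visitor who refused everything optional
// on an earlier visit comes back, and only the session cookie may be set.
function demo() {
  const refusal = consentCookieValue({ performance: false, functionality: false, tracking: false });
  const request = consentFrom("theme=dark; " + refusal.split(";")[0], "0");
  const wanted = [
    { name: "sessionid", category: "essential" },
    { name: "_perf", category: "performance" },
    { name: "_ga", category: "tracking" },
  ];
  return filterCookies(wanted, request).map((ck) => ck.name); // ["sessionid"]
}

console.log(demo());
```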


Hah, ok. I got it now. That's funny.


I know, it's inspired.


Wouldn't it be better to mandate that sites honor the Do Not Track* HTTP header, rather than require each site to explicitly seek user consent?

* http://dnt.mozilla.org/


§66 on page 20 of Directive 2009/136/EC at [1] seems to explicitly allow the use of Do-not-track header as an opt-in mechanism:

  Where it is technically possible and effective,
  in accordance with the relevant provisions of
  Directive 95/46/EC, the user’s consent to
  processing may be expressed by using the
  appropriate settings of a browser or other
  application.
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...


That seems to imply that if you have 'accept cookies' and 'accept 3rd party cookies' checked, you can be tracked. Those boxes exist for precisely this reason, are they not consent?


DNT is not implemented in most browsers, and it's not the default policy in any, AFAIK. It'd hardly have the same effect.


>DNT is not implemented in most browsers

That's true, but only (or at least, partly) because the sites can just ignore the header. If this became a standard HTTP header and there was a requirement for it to be respected, browsers would quickly start supporting it.

>and it's not the default policy in any, AFAIK. It'd hardly have the same effect.

That's the whole point. It would still allow for analytics to be collected and made use of to improve web experience, while giving concerned users an easy way to opt out without being constantly hassled with "Will you allow us to track you?" question from each and every site they visit.


The site focuses on the UK implementation of the law, but unfortunately the directive is EU wide and individual member states are hence supposed to put it into law, too. I say supposed because as in typical EU style, the member states are lagging, or doing their own thing.

http://www.dlapiper.com/files/Uploads/Documents/DLA_Piper%20...

Who are screwed: Austria, Latvia, Lithuania, Sweden and the UK.

The actual law says that any non-strictly-needed cookie (or whatever you use to track users) MUST receive PRIOR opt-in from the user. It also clarifies that non-strictly-needed must be read in the narrowest sense possible, so that even saving user preferences is considered non-essential. As far as I can tell this means that even normal use of session cookies is outlawed.

There seem to be some posters here who think the law only matters for analytics, and hence as users it's not their problem. You couldn't be more wrong, there is no such restriction in the law! This will effectively make the internet unusable unless websites start grouping login/cookie access. Like with Google/Facebook/Twitter account login systems. If the intent of the law was to hamper those companies, it will effectively achieve the opposite by hurting the smaller players disproportionally.

And of course, you might not have to care because this will likely end up mostly unenforced. But as a site operator, it's still a Damocles' Sword hanging above your head if you ever get Kafka'ed. The fines are not small.


As someone who works on major sites, having analytics is a strictly needed cookie - otherwise how do we optimise the site? And if we can't do that in a cost-effective manner and the site loses traffic, we have to make people redundant - and my employer has done that in both the USA and the UK.

Are you going to ban in store CCTV and Footfall analysis next?


This really is crazy, most analytic applications track users anonymously anyway so there isn't really much privacy concern.

It's basically the same as keeping track of the number of customers a physical store gets in a day, or maybe the time customers spends in the store. This type of analytics is essential to offline and online businesses.

As a citizen of the UK I'm extremely disappointed.


The title is a little overly broad; as far as I can tell the only part of analytics that'll be impacted is setting cookies solely for tracking purposes. Lots of other kinds of web analytics will be fine. For example, you can do statistical analysis of your Apache logs, or of other cookies that you set in the regular course of operating the webapp.


> For example, you can do statistical analysis of ... other cookies that you set in the regular course of operating the webapp.

That is a grey area at best.

For one thing, a cookie that has a dual purpose, controlling both logging in and analytics, appears to give up any exemption on the grounds of strict necessity that a cookie used only for logging in would be granted. You would probably be required to provide all kinds of explicit information about your use of the cookie to anyone before allowing them to log in and setting that cookie, adding at least one extra step to your sign-up process (or making use of a single sign-in service much less convenient for your visitors).

For another thing, that still restricts your analytics to cases where someone is already logged in or otherwise actively using your site. Often the more interesting things to know relate to visitors to your site who are not (yet) so active: what are your best traffic sources/keywords, where do new people come into your site and where do they go next, and where do they give up if they don't convert?


No, you cannot. Just read the law. ANY kind of cookie requires PRIOR permission.


Well, yes, but presumably you would ask your users to set those. For example, if you use Gmail, presumably you will agree to let Gmail set your login cookie. Then Google can do web analytics keyed off that; the law doesn't actually ban doing analytics.


Right, so the majority of websites are now required to display the warning and request opt-in.

You don't see how this is a major pain?

You can already get this behavior in your browser by changing user settings. Just try to surf like that for a while. It's horrendous, and what's worse, it doesn't make the user any wiser, really.


Yeah, that's a pain, I'm not disputing that. I'm just disputing that this law makes "web analytics illegal".


It's about as unscary as the various disability and accessibility laws in the UK and EU. They make lots of demands too and have scary consequences for inaction, yet hardly anyone follows them to the letter and I've not heard of anyone getting punished either (although I'm not suggesting no-one has, it's just not common).

I suspect most companies, other than those with the budgets and public visibility to run scared, will just ignore this law until it becomes a problem. Indeed, they haven't done a good job of promoting it either - it's been in a few news stories.. woopty woo, I bet the majority of webmasters haven't even heard of it.


Wouldn't this be easier if browser companies blocked all cookies by default? Users wanting cookies turn off the blocker? A lot fewer browsers than websites?


This was an option, and it seems the UK wanted Do Not Track or browser settings to change in time for this, but it didn't happen. If it does, the guidelines will change.


You can set your browser to do that; but making it the default will make too many sites unusable (e.g. sites with shopping carts, banking sites, etc.)


Possibly, but how is the ICO supposed to regulate browser vendors?


The exact same way they are attempting to regulate website owners - by passing a nonsense law that will do nothing to solve any real privacy concerns.

The ICO has the power to force browser vendors with a UK presence to implement this at the browser level. I wonder why they didn't? Short-sightedness? Or perhaps they knew that Google/Mozilla/Microsoft are more capable of presenting a unified front to fight this, compared to however many thousands of web developers are affected.


More likely those companies already lobbied the hell out of the situation and got people to make it someone else's problem.


We're a UK business with our web server in the USA. Do these new laws apply to our website?


Yes.


To provide a bit more detail:

"An organisation based in the UK is likely to be subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided."

So, as a UK-registered business, you will be subject to this law.

My startup is registered in the UK, but all servers are outside of the UK. I am actually planning to just ignore this ruling and see what happens. If it looks like they are seriously going to go after startups that don't follow these rules, I will simply register the business in a location with less idiotic rules.


Gov enacts a law, but says don't worry they won't enforce it in some cases? Ludicrous.


Goodbye UK Ltd, hello Delaware C-Corp.


There are cookie-free analytical tools out there which can be used for the same purpose.
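As an added example, not code from the thread or from the ICO material, here is the cookie-free approach two comments above mention (statistical analysis of Apache logs, and cookie-free analytical tools): visitors are counted from the server's combined log with a per-day salted hash of IP and User-Agent, so no cookie is ever set and the keys cannot be linked across days. The log lines, IP addresses and the `own_host` value are constructed for the example.

```python
import hashlib
import re
import secrets
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log format: the two quoted trailing fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2012:10:01:02 +0100] "GET / HTTP/1.1" 200 512 "http://news.ycombinator.com/" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2012:10:01:09 +0100] "GET /pricing HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
198.51.100.4 - - [20/Apr/2012:11:30:00 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.22"
203.0.113.7 - - [21/Apr/2012:09:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def visitor_key(ip, ua, salt):
    # Pseudonymous visitor key: salted hash of IP + User-Agent. With a fresh
    # salt per day that is thrown away afterwards, keys cannot be joined across days.
    return hashlib.sha256(f"{salt}|{ip}|{ua}".encode()).hexdigest()[:16]

def analyse(log_text, own_host, salt_for_day=None):
    """Per-day unique visitors, page views and external referrer counts, no cookies needed."""
    make_salt = salt_for_day or (lambda day: secrets.token_hex(16))  # hypothetical hook for tests
    salts, out = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip the line rather than guess at its fields
        day = m["day"]
        salt = salts.setdefault(day, make_salt(day))
        rec = out.setdefault(day, {"visitors": set(), "views": 0, "referrers": defaultdict(int)})
        rec["views"] += 1
        rec["visitors"].add(visitor_key(m["ip"], m["ua"], salt))
        host = urlparse(m["ref"]).hostname if m["ref"] != "-" else None
        if host and host != own_host:  # count only traffic sources outside our own site
            rec["referrers"][host] += 1
    # Only aggregates leave this function; the per-visitor hashes are dropped here.
    return {day: {"visitors": len(r["visitors"]), "views": r["views"],
                  "referrers": dict(r["referrers"])} for day, r in out.items()}

if __name__ == "__main__":
    for day, r in analyse(SAMPLE_LOG, "example.com").items():
        print(day, r)
```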


These four documents appear to be the main source material. I have extracted a few bits I found interesting.

Information Commissioner's Office - Enforcing the revised Privacy and Electronic Communications Regulations (PECR) of 25/5/2011 http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...

Information Commissioner's Office - Guidance on the rules on the use of cookies and similar technologies of 13th December 2001: http://www.ico.gov.uk/news/latest_news/2011/%7E/media/docume...

"Check what type of cookies you use and how you use them"

"If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors. You should tell people what you are collecting and how you are using this information."

"Even where the clear cookie rules do not apply you must consider the DPA [Data Protection Act] whenever you are collecting information that builds up a picture that could allow you to identify an individual."

"... the Commissioner is therefore unlikely to prioritize, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action."

"... we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement."

Directive 2002/58/EC of the European Parliament of 12 July 2002: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...

"(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose."

Directive 2009/136/EC of the European Parliament of 25 November 2009: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...

"(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."
