Frankly, their policy seems sensible and I'm having a hard time giving a fuck about the webmasters (is this still used?).
If you want to track, do it properly with a package installed on your own server. Stop subjecting your users to Google's All-Seeing Eye just because using their Analytics is easier for you.
I am currently a webmaster (and I don't know if that's still used either, doesn't feel like it), and this is going to be a huge pain in the arse. The main reason it is a pain is the vagueness of the legislation, nobody has any idea what they can and can't do.
Sure we can follow the ICO and put a pop-up on the site asking to accept cookies or not (which if you select 'not' ironically creates a cookie), but as other people have pointed out that's laughable (for a huge number of reasons) and would push online trade away from UK sites. Easiest option for me would be to shift hosting outside the EU, take the SEO location hit and get back to work as usual (EDIT: it appears I am a little behind on the legislation as last time I read it hosting overseas was a loophole, looks like I need to refresh things).
Alternatively if I could dispense with cookies and shift tracking upstream to a CDN that would also save me the problem and at that point I should be getting even more data such as IP addresses.
Users need to take control of their browsing and privacy, they need to be aware of what they are giving away when they join a site or go online in general. Currently they are clueless and that is what needs to stop, force a prompt for all cookies regardless of country, even the playing field and make people think for a change (if you're a Chrome user "Edit this cookie" is an invaluable plugin for monitoring and removing what each site is placing on your machine).
It's also a bit rich saying that tracking cookies are bad whilst trying to pass a law attempting to track almost all communication:
On the ICO's site (http://www.ico.gov.uk) there is no "don't accept cookies" option. You can only select "accept" or not interact with the form at all. If you don't accept cookies then the form is shown at the top of every page.
Google's 'All-Seeing Eye' uses first-party cookies, just like anything you'd install on your own server. Just because something uses first-party cookies doesn't mean the data's not being sent to a third-party.
If this goofy law is more than sporadically enforced, future analytics probably won't use cookies at all - they'll just combine browser fingerprinting with server-side logs that get automatically sent to a third-party for processing. Individual end-users won't have any way of knowing whether it's there or not.
This isn't about third party cookies, it's about cookies period - with the exceptions listed in the article. If you use your own analytics package, the chances are it will use cookies, so user permission will still be required. Log parsing isn't sufficient to get user-based statistics.
Yes, but they also say "we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."
So in theory all cookies are the same, in practice they're not - first party analytical cookies are mostly safe.
The law is the law as it's written and then as it's reflected in court decisions. We can't choose to do what is defined as illegal just because a FAQ says "we probably won't come after you". That's a risk that many businesses can't afford to take. It's a poorly written law, and as is often the case in laws as knee-jerk reactions to tech changes, throws the baby out with the bathwater. I do think this law shows that we need better tracking mechanisms to meet the needs and expectations of the site owners and the site users, but it shows us by trying to destroy instead of trying to help guide.
> The law is the law as it's written and then as it's reflected in court decisions.
That's true. While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.
If anything people want the ICO to be a bit tougher - there are plenty of actually dodgy privacy-invading practices going on that the ICO seems to be powerless to stop.
> knee-jerk reactions
This law has been a long time in the making. Self-regulation would be ideal. But there are too many operators who are willing to ignore sensible privacy standards for self-regulation to be possible. Unfortunately some of those bad actors are going to ignore any laws.
> While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.
Until some group puts pressure on them to enforce against analytics sites. Or the top brass at ICO are switched out. Or a politician makes it their mission for a little while. Or...
"We are making this illegal, but we won't enforce it, really!" is not a trustworthy statement.
> The law is the law as it's written and then as it's reflected in court decisions.
That may not be as true as you think.
I don't really know how the modern UK legal system works in this regard, but in the US, the courts would A) defer to the interpretation of the agency (in this case the ICO) as to what a statute means, and B) greatly frown on any attempt to prosecute without warning people who reasonably relied on the agency's declarations.
§66 on page 20 of Directive 2009/136/EC at [1] uses the word "information", not "cookies".
> Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access.
The purpose of the directive is to be as broad as possible to cover collection of any type of information without express permission or "strictly necessary and legitimate purpose".
Look, there are tons of data available in the browser, see http://panopticlick.eff.org/ for a good example. But they are non-stable for reasons outside of the user's control. So, if a user wants to kill her cookies every day, cool, they can. They can't randomly change their useragent+screen-resolution on a daily basis with the same ease. In addition, UA changes outside of user's control (a browser update pushed on them, for example) and that breaks tracking they may want.
So, no, these workarounds are not the right answer; we need mechanisms that let users control their data and let them choose to share it. It's up to us as product makers to give them a good reason.
Well, having made no special effort, the site claims my User-Agent is as unique as my set of 5,150 installed fonts. To be fair, I suppose WebKit nightly version numbers don't satisfy most definitions of "random".
As for mechanisms, to what end, if nobody bothers to use them? Especially things like "randomize User-Agent string" that'd break a great many "non-evil" sites?
There's a whole class of 'mom & pop' type websites out there that need analytics to function but:
* It's hosted in a way that precludes putting your own analytics in there (github pages, s3 etc.)
* The users lack the technical sophistication to install and manage their own analytics.
I've just finished moving my wife's site to github pages. It's awesome. The mac github client is pretty friendly, I set up the repo and jekyll and put a shortcut on her desktop to fire up a local server. She knows enough HTML to be able to update content on it. Analytics would be massively useful but it just won't be sensible for me to put them in.
I'm hoping what happens is that Google releases its UK-friendly analytics which does the following:
* Stops dropping cookies on UK-based browsers
* Attempts to get consent through a different channel and then enables cookies for those users across the board