Return Of The EU Cookie Directive
Towards the end of yesterday, I noticed a new article on the Information Commissioner’s Office’s website entitled ‘Must try harder’ on cookies compliance, says ICO. And I realised yesterday that this change is inevitable: eventually, with time, we’re all going to have to implement this. The consequences have the potential to seriously damage our industry, destroying jobs, and I think, possibly, have a significant slow-down effect on the UK economy. Let me explain a bit more about that.
Why Analytics & Tracking Is So Important
The majority of digital marketers out there know how important it is to track stuff; it enables you to calculate ROI and determine where marketing budget is being wasted and where it is being well spent. With less tracking capability and highly inaccurate data, we’re going to see businesses (particularly small ones) start to cut back on their advertising online. If you’ve ever lost an SEO client when you know you were bringing in plenty of extra £’s but you haven’t been able to prove it, then you will understand what I mean. Also if you’ve had to reduce cost per clicks on AdWords because you weren’t getting high enough conversion rates despite you knowing that a % of visits will be phoning. So I think this is going to hit the industry quite badly.
Say Goodbye To 90%+ Of EU Analytics Data
People have complained about Google’s recent change that affected around 1-5% of organic searches, which as a proportion of overall traffic on most retail sites is even smaller than 1%. Well just imagine what this cookie directive could do, let’s say on average maybe 10% opt-in to let you use Google Analytics (and that’s optimistic I might add), that means we are all going to lose 90% of analytics data. I don’t know about you, but that scares me a lot – in a lot of cases, there won’t be enough data to do statistically significant analysis – bad decisions will be made on unreliable data.
More Guidance – Still Not Easy To Implement
They’ve released some better guidance, although it’s still not very clear on how to go about it – some technical guidance would have been useful. At the moment I’ve seen one person contact the David Naylor blog with a service that does this all for you, sadly I tried it out and it didn’t work, which was a bit of a shame. So even people creating a dedicated service are having difficulty implementing it.
Adoption – How Is It Going 6 Months In?
So you’d expect the big companies to be on this right now, I started off by checking Amazon in Google Chrome (I’ve cleared my cookies before visiting each website separately)…
Amazon – 4 First Party Cookies, 1 Third Party Cookie

Three of these cookies appear to be session related, however there is one cookie named “ubid-acbuk” – I’m not sure what this does, but if anyone recognises it please let us know in a comment. There was no cookie opt-in displayed to me.
A DoubleClick cookie is a bit of a no-no really, I don’t see why they need to set a cookie for this, plus it is an advert, so it is definitely unnecessary.
BBC – 2 First Party Cookies
Again, not sure what these cookies do, I imagine “BBC-UID” is a session id of some sort and “s1” I’m not sure, but could be related to a server? Still not too bad, it looks as though these are necessary for the operation of the website – I didn’t have a cookie opt-in option.
Directgov – 7 First Party Cookies
As you can see Directgov is blatantly ignoring the rules, they have 4 cookies that are for Google Analytics, analytics packages have been mentioned as something you need explicit permission to use if you want to store cookies on their device. There are 3 other cookies, one is probably a session cookie, I’m not sure about the other two. Again I can’t see any cookie opt-in option anywhere.
Ebay – 2 Third Party Cookies, 7 First Party Cookies
I had a look at all of these, I can’t determine what they do, but they most certainly aren’t just session cookies, also a third party DoubleClick cookie was included like Amazon. Again I had not been provided a cookie opt-in.
The Sun – 102 Third Party Cookies, 11 First Party Cookies
Wow, when I first decided to have a look at the Sun homepage, thinking it might be a little bit worse than the others, I had absolutely no idea I would find something as shocking as this – 102 third party cookies!!! 113 cookies in total! The Sun are seriously taking the piss when it comes to this cookie law – not only was there no cookie opt-in, but there wasn’t even a mention of cookies on the site.
The Dave Naylor Website – 3 3rd Party Cookies, 4 1st Party Cookies
Ok so we’re not perfect, but not bad – at the moment I think we’re waiting to see what happens with the big boys such as Amazon, Ebay and even Directgov. If the ICO can’t get these large organisations to play ball, then why should the smaller organisations bother? But the shocking thing I noticed? The Sun’s cookie is still there! I’m not quite sure why… It seemed to get removed when I deleted it specifically.
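The per-site counts above can be reproduced from a cookie list exported after loading a page with an empty cookie jar. The following is an added example, not code from the original post: it splits cookies into first and third party using the RFC 6265 domain-match rule and flags long-lived ones. The hosts, the cookie records and the audit date are constructed sample data.

```javascript
// Added example: audit a cookie list collected after one page load.
// SAMPLE and SAMPLE_NOW are constructed; they are not captures from any site in the post.

// RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.
// Without a public-suffix list, a cookie scoped to a sibling subdomain
// (cdn.shop.example seen from www.shop.example) is counted as third party.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

const DAY_MS = 24 * 60 * 60 * 1000;

// pageHost: host shown in the address bar.
// cookies: [{ name, domain, expires }], expires is an ISO date or null (session cookie).
function auditCookies(pageHost, cookies, now, maxDays = 365) {
  const report = { firstParty: [], thirdParty: [], session: [], longLived: [] };
  for (const c of cookies) {
    const party = domainMatches(pageHost, c.domain) ? "firstParty" : "thirdParty";
    report[party].push(c.name);
    if (c.expires === null) {
      report.session.push(c.name);
      continue;
    }
    const days = Math.round((Date.parse(c.expires) - now.getTime()) / DAY_MS);
    if (days > maxDays) report.longLived.push({ name: c.name, days });
  }
  return report;
}

function summarize(report) {
  return `${report.firstParty.length} first party, ` +
    `${report.thirdParty.length} third party, ` +
    `${report.longLived.length} persisting more than a year`;
}

// Constructed sample: one session cookie, a 25-year identifier,
// a two-year analytics cookie, a short-lived preference and an ad-network cookie.
const SAMPLE_NOW = new Date("2011-12-14T00:00:00Z");
const SAMPLE = [
  { name: "session-id", domain: ".shop.example", expires: null },
  { name: "visitor-id", domain: ".shop.example", expires: "2036-12-08T00:00:00Z" },
  { name: "__utma", domain: ".shop.example", expires: "2013-12-13T00:00:00Z" },
  { name: "id", domain: ".adnetwork.example", expires: "2013-12-13T00:00:00Z" },
  { name: "prefs", domain: "www.shop.example", expires: "2012-01-13T00:00:00Z" },
];

const sampleReport = auditCookies("www.shop.example", SAMPLE, SAMPLE_NOW);
console.log(summarize(sampleReport));
for (const c of sampleReport.longLived) {
  console.log(`${c.name}: expires in ${c.days} days`);
}
```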
Anyways, at the moment this is one of two reasons I want to leave Europe, it IS going to have an impact on our economy, until the browsers get themselves sorted that is.
Also, I asked Avinash Kaushik on Twitter what the Google Analytics team are doing about this to help us out in the EU, sadly I’ve not had a reply yet, but to be fair I only asked him about 12 hours ago! Turns out I’m a bit of a doofus and I actually tweeted his old account, apologies Avinash.
36 Comments
welshstew - http://welshstew.co.uk
The ICO published version 2 of its guidelines yesterday and within it the last FAQ was: We only use analytical cookies – if nobody consents that will seriously restrict the amount of information we can get to improve and develop our website.
To which they answer: In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement…. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.
Therefore, carry on.
David W
Hmm good point. I like what you’re saying there – so basically we have to be clear about what our cookies are doing. So “The cookies on our website are tracking you anonymously, no personal data is being stored” with an opt out button at the bottom of the website might be reasonable.
Ciaran - http://ciarannorris.co.uk
I had much the same response from the Irish DPC – analytics aren’t going to be top of the list.
Tim Barlow - http://Www.attacat.co.uk
My interpretation of the new guidelines is that the ICO believe that prior opt-in is required for Google Analytics. However they will do their best to turn a blind eye and hope that if we all increase prominence of info and opt-out then they will do their best to turn a blind eye.
The ICO’s guidelines look very cleverly written. They come across as an organisation that has the EU breathing down their neck but realise that the legislation (in part) does not make practical sense. They seem to be giving us as much wriggle-room as they dare in the way they are writing the guidelines.
I believe they want to be able to ultimately make a case to the EU that in some instances prior consent will not be necessary.
Becky - http://www.beckynaylor.co.uk
One thing I noticed .. is that Amazon cookie really for 25 years .. expires 2036!!
David W
I didn’t notice that, that is *crazy*!
Hadi
If nobody implements this (especially online behemoths like Amazon, BBC, etc) and everyone simply ignores the new regs, won’t the problem just “go away”?
David W
Hmm I think the larger companies are going to have to implement it or face huge fines, at that point I think everyone will follow suit.
John Hughes
I notice that the ICO website is asking for consent; it took me a while to notice the consent question (ironically, considering I was reading the “Must Try Harder” article you link to)!
I gave consent purely to see what cookies they set – Analytics and a cookie to remember I gave consent, as it happens. There was a session one, but they set that before I gave consent – it falls into the “essential” bracket, I imagine they’d argue.
It strikes me that the biggest hurdle we face is educating the public not only about what cookies are, but how common they are, and how they’ve been common for as long as most people have been using the Internet.
Google has some nice info about the cookies they use here: http://www.google.com/privacy/ads/. I wonder if all the major Ad networks should not consider creating similar content to this so that webmasters can give information with authority, linking to trusted (at least by consumers) branded content to help educate them of what information is gathered and used?
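The behaviour described in the comment above (an essential session cookie set straight away, analytics and a consent-memory cookie only after opt-in) can be sketched as follows. This is an added example, not part of the original comments and not the ICO's or any vendor's code; the cookie names, the `MemoryJar` stand-in for `document.cookie` and the `ConsentGate` class are hypothetical.

```javascript
// Added example: hold back non-essential cookies until the visitor opts in.
// All names here (cookie_consent, analytics_id, session) are hypothetical.

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value, maxAgeDays) { this.store.set(name, { value, maxAgeDays }); }
  get(name) { const c = this.store.get(name); return c ? c.value : null; }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  constructor(jar, consentCookie = "cookie_consent") {
    this.jar = jar;
    this.consentCookie = consentCookie;
    this.pending = [];      // work queued until the visitor opts in
    this.gated = new Set(); // non-essential cookies written under consent
  }

  hasConsent() { return this.jar.get(this.consentCookie) === "yes"; }

  // Essential cookies (session, basket) are written without asking.
  setEssential(name, value) { this.jar.set(name, value, null); }

  // Non-essential cookies are refused until consent exists.
  setGated(name, value, maxAgeDays) {
    if (!this.hasConsent()) return false;
    this.jar.set(name, value, maxAgeDays);
    this.gated.add(name);
    return true;
  }

  // Run fn now if consent is already recorded, otherwise keep it for grant().
  whenConsented(fn) {
    if (this.hasConsent()) fn(); else this.pending.push(fn);
  }

  // Record the opt-in, then release everything that was waiting for it.
  grant() {
    this.jar.set(this.consentCookie, "yes", 365);
    const queued = this.pending;
    this.pending = [];
    queued.forEach((fn) => fn());
  }

  // Opt-out: remove what was set under consent, and the consent record itself.
  withdraw() {
    for (const name of this.gated) this.jar.delete(name);
    this.gated.clear();
    this.jar.delete(this.consentCookie);
  }
}

// Cookie names present before opt-in, after opt-in and after withdrawal.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const timeline = [];
  gate.setEssential("session", "abc123");
  gate.whenConsented(() => gate.setGated("analytics_id", "v1", 730));
  timeline.push(jar.names().join(","));
  gate.grant();
  timeline.push(jar.names().join(","));
  gate.withdraw();
  timeline.push(jar.names().join(","));
  return timeline;
}

console.log(demo());
```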
Phil - http://www.gadgetoid.com
Saying something like:
“it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals”
…is absolutely, positively absurd. It undermines the whole directive in the first place. As technically minded folk, we all pretty much understand that instances of cookies, or any other form of offline storage, being genuinely “harmful” are few and far between.
Who gets to define what “harm” is? Or what “intrusiveness” is? How are these terms, and these ridiculous guidelines actually being implemented in any clearly understandable and enforceable way?
Could I consider looking at a particular product, and suddenly finding similar products appearing in advertising across the web as “harm”? Logically such a definition is absurd because no personally identifying information has been stored, and such targeted advertising is often more beneficial than a spate of space-filling, default, punch-the-monkey ads.
If a “Related Items” or “Last Viewed” cookie persists over two visits to a web store, and I return and purchase one of those items… have I been financially harmed by those evil, nasty, deceptive cookies? Or is that, again, a benefit?
My point is; how can we make any informed decisions and act upon guidelines as fuzzy as these? We could interpret “harm” and “intrusiveness” in an entirely different way, and implement methods that ultimately leave our clients in trouble. The only course of action one can safely and conscionably take, therefore, is to remove all but the most benign of cookies until the user has opted in; analytics, advertisements, preferences, everything.
This whole directive is utterly farcical, and it’s clear that it’s founded on a profound misunderstanding of what cookies, and other offline storage mechanisms are and do, coupled with an irrational fear of a generally quite benign technology. In a world bristling with cameras, recording our actual selves walking from street to street, why the hell are we suddenly so concerned about a bit of data gathering for targeted adverts?
Mark Steven - http://www.civicuk.com
The ICO’s updated guidance on cookies is reasonably clear: we must inform users what cookies are being used on the site and give them an opportunity to explicitly agree to this.
Where possible, we should not drop cookies until this permission has been given, but the guidance acknowledges that this could place an unreasonable burden on website owners and seems to excuse us from major reengineering works.
Non-compliance by the likes of Amazon and Direct.gov.uk is an acknowledged state of affairs, which is why the compliance deadline was set for May 2012.
At Civic we’ve developed a compliance solution which will be rolled out across government sites in Scotland over the coming months, in time to meet the deadline. I’d encourage your readers to grab it – it’s free!
http://www.civicuk.com/cookie-law
BTW – very interesting to see those sites audited for cookies in this way. The Sun is being outrageous!
David W
Mark I tried that but I couldn’t get it to work – any reason why it wouldn’t?
David W
Just noticed, I was having this problem in Google Chrome, but my colleague running Firefox found it was working.
In Chrome it messes up the styling and the buttons don’t work.
David W
In Internet Explorer it doesn’t appear to work and in Firefox it didn’t actually turn off any cookies – I take it it is encouraging people to turn off their settings in the browser? Has this been looked at and approved by the ICO?
Mark Steven - http://www.civicuk.com
Hi David,
Thanks for giving it a whirl! I’ve literally just unleashed this on the world so there may be one or two issues still.
There was a conflict with your stylesheet which we’ve resolved, and I’ve sent you the new code.
The configurator has been updated as well.
Any more problems – please let me know – we’ll give you as much support as you need.
All the best,
Mark
Mark Steven - http://www.civicuk.com
Regarding the ICO… the answer is “not yet”. We’ve had approval from the CIO of the Scottish Government, and will be talking to the ICO, but I suspect that they will not approve specific solutions as they are on the enforcement side and will need to be legally neutral.
Andy Dutson
I tried to raise this issue on a post Avinash wrote on Smarter Data Analysis of Google’s https (not provided). Ever the optimist he did reply but with no immediate technical answer but more of a way of thinking (see comment 67)
http://www.kaushik.net/avinash/google-secure-search-keyword-data-analysis/
Andy
Andy - http://laligablog.com
Call me pessimistic but is this cookie effectively going to kill off (at least part of) the emarketing and digital advertising industry? I rely on paid advertising for my site on a CPM basis but how am I meant to be able to sell this to advertisers once the cookie has been implemented to track visitor numbers to my site? I hope as previous comments suggest, analytics won’t be top priority and I also have concerns for affiliate marketing as this was something I wanted to go into in the near future. I really hope the likes of Amazon and BBC stand up for us little businesses because they will not go down without a fight on this ridiculous legislation. Thoughts David?
David W
Yeah I agree Andy, it’s really quite worrying.
Mark Steven - http://www.civicuk.com
The legislation will only really affect “personalised” advertising – the kind that seems to follow you around depending on your browsing history. Ad networks that do this rely on cookies to return information on what products / brands a user has seen, and serve closely matching ads accordingly.
Old-school online advertising of the less clever sort won’t be affected, and you should still get data on the number of impressions and click throughs your ads get through server-side statistics, assuming of course that your ad networks and sites provide them.
But it could be a royal pain in the bum for the ad networks who will need to reengineer their reporting in order to continue providing their service.
Tim Barlow - http://Www.attacat.co.uk
IMHO it doesn’t spell the end of personalised advertising but the legislation will put power into the hands of the big boys – think Google, Facebook etc. They are the people who can gain the opt-in.
2nd and third tier ad networks that offer no other services that benefit a user however will struggle to persuade users to opt-in.
I wonder how affiliate marketing will fare. So much affiliate marketing is arguably underhand (i.e. consumers are not told that commissions will be paid). My feeling is this is exactly the sort of behaviour the EU legislators would like to kill off.
Anonymised analytics is just getting caught up in the cross fire.
Dan Truman
Unfortunately I agree with you. As a digital analyst working across multiple sites I feel we’re going to struggle to maintain accuracy in terms of tracking (currently use Google Analytics). The main issues I think will be:
– Unlikely levels of acceptance by users (mostly due to lack of education of the public that these cookies are creating their user experience)
– Decrease in quality of website production and flexibility
Mark, thanks for your solution, I will take a look at this now.
Mark Steven - http://www.civicuk.com
We’re looking at rolling out Piwik as an analytics solution – they are at least adding a ‘no cookies’ feature to the software to enable tracking to take place even when users opt out.
And being Open Source, we can hack around with it to make it compliant.
I’m guessing Google will do something too, but wish they’d hurry up and tell everyone what it is.
Chris Peckham
Thanks for the pointer to Piwik – an interesting analytics solution. I read about their response to the Cookie Directive here:
http://forum.piwik.org/read.php?2,82741,82741
Tracking by IP + heuristics sounds a bit like what we all had to do back in the 90s – still, I guess that since it doesn’t depend on data “written to the user’s device” then it bypasses the Directive.
Mark Steven - http://www.civicuk.com
Yeah it’s a bit Back to the Future isn’t it!
I can’t see a way around it unless they revisit the legislation, or simply don’t enforce it.
Tim Barlow - http://Www.attacat.co.uk
This just highlights the problem. I can understand the argument that users have the right to know that what they are doing is creating data that could be used in various ways.
However coming up with an analytics solution that does the same thing from a privacy perspective but doesn’t use cookies adds no value to anybody.
Mark - http://theWebalyst.com
Surely the logical response to the decimation of cookie based analytics is to not use cookies. Every website routinely collects data that used to be the main source of analytics (and still includes the IP address of every visitor).
So there will be a stampede to server side analytics, based on both the standard server logs, and various ways of extending that to include all the other useful stuff we love, but without ever storing a client side cookie.
The aims of the legislation will be undermined because, in fact users will be more at risk rather than less, because IPs are definitely identifiable.
Also, hackers will have a new target (helpfully concentrated server side analytics) and more scandals will erupt. I don’t see a way they can legislate against server logs. Or rather if they did, the consequences would be boggling!
Mark (in London)
How will the EU cookie directive impact the digital media industry? | Nathan Levi - pingback
[…] *http://www.davidnaylor.co.uk/return-of-the-eu-cookie-directive.html […]
Chris Peckham
Similar to Civic UK’s Cookie Law compliance solution (above) is the Cookie Collective’s Cookie Law Toolkit – you can demo it on their site:
http://www.cookielaw.org/
It was mentioned in Nathan Levi’s blog comment, mentioned above/below/nearby (depending upon where this is going to post)
http://nathanlevi.com/display/how-will-the-eu-cookie-directive-impact-the-digital-media-industry/
Chris Peckham
Does anyone remember, and have experience of P3P:
http://en.wikipedia.org/wiki/P3P
It’s ticking a lot of boxes for me right now.
Mark Steven - http://www.civicuk.com
Not seen that for a long time!
I remember trying to implement it for someone years ago and it being a pain in the proverbial. And pointless, as no one uses it at the client end.
As a browser implementation it was never very smart – depending as it does on your implementation of PPP meeting whatever it is you promise in your privacy policy.
It would be far better for the browser simply to intercept, block and require consent when an application attempts to drop a cookie. (And remember your preferences of course.)
Probably we need to exclude things like the default session cookies, but this approach would iron out 90% of compliance issues…
Chris Peckham
Internet Explorer (since v6?) uses a part of PPP called Compact Privacy Policy for its slider based privacy settings. I *think* these are particularly important for how IE decides to deal with 3rd party cookies.
Chris Peckham
Back to the Future II 🙂
If it wasn’t pointless because it was a legal standard and went hand-in-hand with a smart implementation of a policy editor on the client, then do you think PPP could live again? It looks like a much better approach than what we’re scrambling to achieve at the moment, and far better for the end user in terms of achieving transparency and really protecting his/her privacy.
Anonymous
Here’s the thing.
You put cookies onto my machine. This costs me in bandwidth, electricity, storage and CPU cycles. I get exactly zero back. Forget your arguments about all the wonderful products I can enjoy because of the cookie. You are imposing a cost onto me without my permission. In an abstract way that is breach of contract.
Let’s not get hung up on a legal technicality.
You claim cookies are essential to commerce. Yet you – the cookie provider – deprive me – the cookie receiver – of the value of the data they collect. Cookies are not actually essential to website functionality. They are, primarily, an organisational requirement with no technical necessity. Websites can function without them. Forget the session, first party, third party – all night party even. There is no technical requirement for cookies. Cookies function purely as a convenience to the cookie provider.
So, here is the thing. You tell me what your cookie is for. You tell me what the information it gathers and stores means. Then I will consent to having them on my machine. When I get genuine value that increases my net worth then you get to put cookies on my machine.
So come on. Interpret this for me:
__cfduid
d1253ff542499562a15bf2f4d879518c61327909381
davidnaylor.co.uk/
1536
2954249216
30783979
3452534487
30203682
*
A short, concise data dictionary outlining each item would be fine. Just enough for me to analyse the sites I visit as effectively as they wish to analyse my visits.
You complain about ecommerce being crippled by lack of cookies. The truth is that the only thing compromised is the ability of cookie providers to get a free lunch. That free lunch is the cookie. The EU directives are predicated on the generator of the data being the owner of the data. You do see how recent changes in content providers rights under SOPA/ACTA could change that? Much more radically than the ICO changes.
The problem is that “analytics” is not very analytical. It really is a matter of getting a free lunch from visitors. Trouble is looming in that there is a generation now that has grown up with the internet. A technically more sophisticated generation who might just want to analyse their own data and behaviours. By failing to embrace open standards, the advertising industry is killing itself in the same way that corporate intellectual property holders are doing so with SOPA.
The approach of Cookie Providers has always been: what are the compliance issues. Here’s the interesting thing: you can spend your entire time wrangling about ‘compliance’ and looking for ways to defect from the deal of a social web or you can cooperate. Share what you know. Because the truth is that cookies as a free lunch are coming to an end.
David W
Interesting view point, some valid points. I would argue by visiting the website you are getting something – the ability to view the website in question.
Either way, the law is the law, let’s hope the big companies like Google help us out with a solution.
alan - http://badlywired.com
Regarding loss of analytics data. I am not an expert on the workings of Google Analytics or indeed alternatives, such as Piwik, but I have read Avinash Kaushik’s books.
From my understanding of the data collected by analytics programs, the only useful data (significant) that does not NEED a cookie is ‘New versus Returning Visitors’ and ‘Number of Visits before Purchase’.
Of course a law designed to (effectively) stop the collection of such obtrusive data is nuts.
Laws that are nuts and unenforceable need to get amended or repealed. See http://en.wikipedia.org/wiki/Red_flag_laws