
European cookie chaos - 3 countries approach to the new law 

Friday, March 04, 2011 4:43:00 PM

The European Union has passed a law about cookies, which each member country now has to implement in its own law.

But it seems like nobody really understands what the new European law actually says or means, and the result is that both Denmark and the United Kingdom have copied the law text precisely, because they are afraid that any clarification of the law text would result in harm to their own countries' Internet business...

Germany, on the other hand, seems to go totally crazy and wants to give you fines if you use any kind of tracking like Google Analytics - no matter if you inform users about it and even no matter if the users accept it.

Here are 3 chosen articles about it:

Denmark: comon.dk/nyheder/her-er-cookie-kravene-til-danske-hjemmesider-1.397832.html (in Danish)

United Kingdom: smartinsights.com/analytics-conversion-optimisation-alerts/cookie-privacy-law/

And a related one from Germany: thenextweb.com/eu/2011/01/13/german-google-analytics-users-could-face-fines-in-privacy-row/

Here is a link to the actual Danish law suggestion: borger.dk/Lovgivning/Hoeringsportalen/dl.aspx (PDF, in Danish)

Besides that the law manages to not mention the Internet, computers or cookies specifically by word one single time (!?), this short 2 page PDF is actually understandable to some degree...

So after reading website after website and comment after comment, here is:

My understanding of how to interpret the law

(Note: I am not a lawyer - I am just a website programmer who tries to figure out what to do about the websites I manage worldwide.) - Article updated 5/3-2011.

No matter what, a privacy statement must exist that describes what kinds of cookies you have and how they are used, and if any kind of tracking or gray zone exists for a cookie, you must write how users can opt out of having such cookies.

Technical cookies are okay: Such as session-state cookies that ASP.NET websites need to process server-postbacks correctly. Of course described in privacy statement.

Cookies that are a natural result of doing what the user just asked the website to do are okay: Such as login cookies after you log in on a website, shopping basket cookies for when you add something to the shopping basket, language cookie for choosing to see the website in another language. Of course described in privacy statement.

Tracking cookies like Google Analytics - unknown gray zone: Google Analytics' privacy statement for visitors actually says that websites are required to have a privacy policy that discloses your use of it. I was not even aware of that rule despite using Google Analytics for years! Maybe the law means that we need to make a pop-up asking the user's permission before we can activate Google Analytics? Or maybe it will be enough to describe it in the website privacy statement and there refer to Google's Opt-Out plug-in so that those who do not want to be tracked can avoid it? And maybe we need to check if the user IP address comes from Germany and automatically exclude Google Analytics for those???

Note: The reason Google Analytics is in the gray area for me is because I use it to understand the users that come to the website, but I am not totally sure if Google are also using the data for targeting advertisements to the visitor - and if they do, then Google Analytics will fall in the category that needs active user permission before we are allowed to use it. But if it is not used for tracking the users across the Internet - that is: only on my own site from click of my advertisement for my website to a goal on my website, and we don't misuse it for special rebates or similar unethical stuff, then there is really no difference between using Google Analytics or writing your own server-side tracking based on IP address or session cookies. Tracking does not have to be done on the client side - but having it on the client side actually gives the visitor the ability to knowingly opt out using the browser plugin.

Facebook like button - not okay without user permission: While browsing the subject of tracking, I found an article basically saying that Facebook can collect data about how every person in the world visits those pages that contain a "Like" button (like this page), and the article claimed that Facebook sets a cookie even if you don't have a Facebook account, so that if you ever sign up on Facebook, they will be able to use your last 3 months of browsing history to customize their service to you... I have not seen this ID cookie myself yet, but if it is true, then it is definitely against the law to have "Like" buttons on your website without first giving a warning to the visitor! But if it is anonymous (that is: no personal ID) unless you are signed in to Facebook, then you can argue that it is no different than all the other third party tools like Google Analytics.

Other services like Twitter etc. - unknown, gray zone: It depends on if they store cookies on your computer or if they just count "X anonymous users visited page Y" or if they maybe do not count that information at all. But on konsulenter.dk I made my own Tweet button under each job, with a locally stored image and my own script to open the Twitter window, which means that there is no communication between the user's browser and Twitter unless they have actively pressed the Tweet button, and since the user wants to send a message via Twitter it should be implicitly okay that Twitter does whatever they do according to their own privacy statement. Maybe something similar could be made for Facebook and other social sites, so that there is no communication for them to track users on my website unless those users actually click on the button to open communication? That should satisfy the law, as I understand it, but it will require adjustment of all websites to no longer use the ready made scripts and images from those service providers, and they will not be able to show how many users liked or tweeted something before you press the button.
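The click-to-share approach described above, sketched as an added example (not the code used on konsulenter.dk): a plain link with a locally hosted image instead of a script-opened window, plus a small audit that lists which hosts a page fragment contacts on load. The share endpoints are the services' public share URLs; the image path, function names and sample URLs are assumptions.

```javascript
// Added example. The endpoints are the services' public share URLs; the
// image path, function names and sample values are hypothetical.
const SHARE_ENDPOINTS = {
  twitter: { base: 'https://twitter.com/intent/tweet', urlParam: 'url', textParam: 'text' },
  facebook: { base: 'https://www.facebook.com/sharer/sharer.php', urlParam: 'u', textParam: null },
};

// Build the share link in first-party code; nothing is fetched here.
function buildShareUrl(service, pageUrl, text) {
  const ep = SHARE_ENDPOINTS[service];
  if (!ep) throw new Error('Unknown service: ' + service);
  const page = new URL(pageUrl); // throws on malformed input
  if (page.protocol !== 'http:' && page.protocol !== 'https:') {
    throw new Error('Refusing non-http(s) URL');
  }
  const target = new URL(ep.base);
  target.searchParams.set(ep.urlParam, page.href);
  if (ep.textParam && text) target.searchParams.set(ep.textParam, text);
  return target.href;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Plain link plus a locally hosted image: the third party is contacted only on click.
function renderShareButton(service, pageUrl, text) {
  const href = escapeHtml(buildShareUrl(service, pageUrl, text));
  return '<a href="' + href + '" target="_blank" rel="noopener noreferrer">' +
    '<img src="/img/share-' + service + '.png" alt="Share on ' + service + '"></a>';
}

// Audit: hosts that a page fragment contacts on load (script/img/iframe src).
function autoLoadedThirdParties(html, firstPartyHost) {
  const hosts = new Set();
  const re = /<(?:script|img|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = new URL(m[1], 'https://' + firstPartyHost + '/').hostname;
    if (host !== firstPartyHost) hosts.add(host);
  }
  return [...hosts].sort();
}
```

Running `autoLoadedThirdParties` over a template before and after replacing a vendor widget shows whether any third-party request still happens before the visitor clicks.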

Visitor counters and similar that use third party cookies - probably need permission: It is unclear whether or not the user's ability to block third party cookies in the browser is enough (earlier articles about the law said so, while later articles seem to require the user's prior permission). For sure the privacy statement needs to offer users the hint that they can block these with a browser setting. But you should probably expect that anything that uses third party cookies will be blocked more and more, until they are rewritten to use first party cookies (like Google Analytics is) which then will make it harder for users to block "only the tracking stuff"... Personally I think you might as well just clean up this garbage from the website.

Advertisement tracking cookies - not okay without user permission: But really - I am just pasting a bit of code from Google to show Google ads, and I have no control over how Google Ads work technically! Most of the websites I manage have no advertisement at all, so those are easy enough. But what about this website and all those websites that are based on income from advertisements? Unless Google (and other providers of ads) come up with a solution for us website owners, I guess we have 3 choices:

  1. Remove ads
  2. Pop-up to new users asking permission for ads-cookies before entering the website - and anyone who says no or who does not have an "I agreed" cookie is redirected to a page saying that "we are sorry you don't want to support the funding of our website, but since it is funded by ads you will not have access to it." How would that feel?
  3. Ignore the law until either Google or the big newspapers and other big ads-based websites figure out what to do, and then follow their solution...

If understanding of the law text fails, fall back to what I think they said was the purpose of the law: Protecting people's privacy by limiting the amount of information that companies can have about individual users (where the "user" might either be the uniquely identified browser, or the actual physical person with name and address).

That is: If the technology you use can be used by someone to collect information connected to individual users, then it is definitely bad and needs the user's permission before you use it. But if there is no data collected which can be referred back to individuals (browser or user), then it falls in a gray area where users should at least be able to opt out - just because the politicians made a law about the symptom (cookies/data on client machines) instead of the cause (companies wanting to target individuals with targeted ads, and building databases of collected information to do so).

 

Well, that was my understanding of the problem so far.

I will get busy writing suggestions for privacy statements for all those websites of mine that are missing one, while following the news to see what happens with Google Analytics and advertisements.

If you have comments or disagree with my analysis of the law, please let me know!

 

Best wishes

Allan K. Nielsen

Allan K. Nielsen, Kindbergs Program Udvikling