
Web Analytics Illegal in UK after 26 May? Crazy - richij
http://h30565.www3.hp.com/t5/UK-Edition-start-here/Richi-s-Rant-Web-Analytics-Illegal-after-26-May-Crazy/ba-p/2892
======
jgrahamc
If you read right to the end of the actual guidance from the ICO it says:

---

 _We only use analytical cookies – if nobody consents that will seriously
restrict the amount of information we can get to improve and develop our
website_

The Regulations do not distinguish between cookies used for analytical
activities and those used for other purposes. We do not consider analytical
cookies fall within the ‘strictly necessary’ exception criteria. This means in
theory websites need to tell people about analytical cookies and gain their
consent.

In practice we would expect you to provide clear information to users about
analytical cookies and take what steps you can to seek their agreement. This
is likely to involve making the argument to show users why these cookies are
useful. Although the Information Commissioner cannot completely exclude the
possibility of formal action in any area, it is highly unlikely that priority
for any formal action would be given to focusing on uses of cookies where
there is a low level of intrusiveness and risk of harm to individuals.
Provided clear information is given about their activities we are highly
unlikely to prioritise first party cookies used only for analytical purposes
in any consideration of regulatory action.

---

My interpretation of that is: tell your web site users clearly what you do
with analytics and why and we are very unlikely to bother coming after you.

~~~
icebraining
Frankly, their policy seems sensible and I'm having a hard time giving a fuck
about the webmasters (is this still used?).

If you want to track, do it properly with a package installed on your own
server. Stop subjecting your users to Google's All-Seeing Eye just because
using their Analytics is easier for you.

~~~
wardenclyffe
I am currently a webmaster (and I don't know if that's still used either,
doesn't feel like it), and this is going to be a huge pain in the arse. The
main reason it is a pain is the vagueness of the legislation, nobody has any
idea what they can and can't do.

Sure we can follow the ICO and put a pop-up on the site asking to accept
cookies or not (which if you select 'not' ironically creates a cookie), but as
other people have pointed out that's laughable (for a huge number of reasons)
and would push online trade away from UK sites. Easiest option for me would be
to shift hosting outside the EU, take the SEO location hit and get back to
work as usual (EDIT: it appears I am a little behind on the legislation as
last time I read it hosting overseas was a loophole, looks like I need to
refresh things).

Alternatively if I could dispense with cookies and shift tracking upstream to
a CDN that would also save me the problem and at that point I should be
getting even more data such as IP addresses.

Users need to take control of their browsing and privacy, they need to be
aware of what they are giving away when they join a site or go online in
general. Currently they are clueless and that is what needs to stop, force a
prompt for all cookies regardless of country, evens the playing field and make
people think for a change (if you're a chrome user "Edit this cookie" is an
invaluable plugin for monitoring and removing what each site is placing on
your machine).

It's also a bit rich saying that tracking cookies are bad whilst trying to
pass a law attempting to track almost all communication:

<https://www.eff.org/deeplinks/2012/04/uk-government-proposes-law-monitoring-every-email-phone-call-and-text-message>

~~~
dave1010uk
On the ICO's site (<http://www.ico.gov.uk>) there is no "don't accept cookies"
option. You can only select "accept" or not interact with the form at all. If
you don't accept cookies then the form is shown at the top of every page.

~~~
wardenclyffe
I stand corrected, sorry about that, originally it did, which was the cause of
much amusement for a while. Obviously they fixed it.

~~~
dave1010uk
It's amusing that the "fix" is making the user experience much worse.

------
dhx
NoScript, RequestPolicy, Adblock Plus, RefControl, UAControl, Do-not-track
cookie-disabled Mozilla Firefox user here.

Regulating Internet technologies to this level of pedantic granularity will
ensure that spammers, scammers, crackers and fraudsters have an effective
monopoly on privacy-busting technology. The incentive for software to
implement correct technological solutions will be taken away if an honesty box
Do-not-track approach is considered adequate. I want my browser to have a
maximal number of reasons (including a multi billion dollar advertising
industry) to address the technical concerns highlighted by Panopticlick[1] or
privacy experts that "get it"[2]. These technical problems _will_ be exploited
by unwanted parties on the Internet. Exploitation will occur legally in other
jurisdictions out of reach of EU laws.

The full text of the directive can be found at §66 on page 20 of Directive
2009/136/EC at [3].

[1] <https://panopticlick.eff.org/>

[2] <http://33bits.org/>

[3] <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF>

------
mapleoin
Disregarding the implementation details (which will probably evolve and adapt
if this ever gets mandatory) I think it's a totally sensible thing as far as
the user is concerned. I have the right to know how the information I send you
is being used. If you'd like to track me, I'd rather have to opt _in_ than opt
_out_.

~~~
mryan
I believe you are in the minority - most people, even on HN, are probably
comfortable (or apathetic :-) ) enough to accept the status quo.

If you are really serious about protecting your privacy online, I imagine you
already have your browser configured to deny all cookies except those which
you explicitly accept. The tools to solve this problem already exist - either
built in to the browser, or easily available as extensions.

~~~
ticks
I think you are seeing this from a limited viewpoint. There's lots of people
out there who don't even understand what the internet is, you'd be lucky if
they know what a browsers is. The EU is proactively protecting those people,
much like has been done for decades with offline data protection.

~~~
gyardley
Protecting them from what exactly?

I'm genuinely curious about this - what do you think gets done with a browser
cookie that actually causes real harm to the user? Perhaps that should be
regulated instead of the mechanism for it.

~~~
ticks
Protecting them from commercial use of their personal data - without explicit
consent. In the US it's more of a free-for-all and businesses can get away
with much more; in EU countries, their governments prefer to protect their
populations from businesses (before anything bad happens). Just a different
philosophy.

------
JohnnyFlash
My company is going to ignore the law until someone pulls us up on it. This
law will severely restrict our ability to analyse how users are interacting
with our product. This law will compromise our ability to further improve our
product and disadvantage us against foreign competitors.

Our company doesn't track users off the site, we anonymise data so it cannot
be tracked back to an individual... as far as we are concerned the law
shouldn't apply to how we make use of cookies.

The fine is up to £500k. Realistically, the fine for a small company is more
likely to be a few thousand. It would be better to pay a few k a month in fines
than lose 90% of our user data. If we implement this we might as well stop
developing our product.

~~~
toyg
I'm not disagreeing with you, but you might want to reword this post. The
internet doesn't forget, and you never know when some old post might be used
against you.

~~~
JohnnyFlash
I don't post any personal information with my JohnnyFlash alias. I like my
privacy :)

Thanks for the warning though.

~~~
tzs
There's still a risk. Assuming you have done a good job of keeping your
personal information away from "JohnnyFlash", no one will find your company
through your posts here.

However, what about the other direction? Suppose your company comes to their
attention through some other means, and they start investigating. At some
point, you could find yourself answering questions under oath. It's
conceivable the questioner might go on a fishing expedition, and ask "Have you
ever posted on HN under the alias Johnny Flash?" (he might ask that at every
company he investigates).

Then you've got the annoying choice between telling the truth and making your
company's case for accidental violation much worse, or lying under oath which,
if that is discovered, could bring serious penalties.

------
vasco
Who is forcing users to go to a website? I consider a website the same as
someone's house. While I'm interacting with their server it's obvious they'll
want to know what I'm doing.

It's tracking people outside of a website's scope that should be allowed only
with consent, such as Facebook tracking people when they go to sites with a
Like button and so on.

~~~
icebraining
A site is much more like a shop - private property, but a public place, and
therefore it has legal restrictions if you want it open to the public.

~~~
aqrashik
Even if that argument holds, and I want to analyze which sections of my shop
or store are frequently visited, how often users buy goods, and effects of
various changes that I make, I don't see why that should be illegal except in
cases where I actually ask permission from every customer who walks into my
shop.

~~~
icebraining
This doesn't prevent you from analyzing which sections of your shop or store
are frequently visited or how often users buy goods - that can be analyzed
using the server logs.

Now, should e.g. Wal-Mart be able to put an RFID tag on you so that they know
who you are the next time you come in? And more importantly, should they be
able to contract a third-party, which can then know when you enter _any_ store
with which they have a contract?

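The "analyse it from the server logs" route mentioned above can be made concrete. The following is an added example (not code from the thread or from any project it mentions): it parses Apache/nginx combined-format access-log lines, counts page views per path, and estimates distinct visitors per day from a salted, day-scoped hash of address and user agent, so nothing is ever stored on the visitor's machine and tokens cannot be linked across days or reversed without the secret. The log lines, the secret and all function names are constructed for the example.

```python
"""Cookie-free web analytics over Apache/nginx combined-format access logs (added example)."""
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2012:13:55:36 +0100] "GET /pricing HTTP/1.1" 200 2326 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"',
    '203.0.113.5 - - [10/May/2012:13:56:02 +0100] "GET /signup?ref=abc HTTP/1.1" 200 1024 "http://example.test/pricing" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"',
    '198.51.100.7 - - [10/May/2012:14:01:11 +0100] "GET /pricing HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/18.0"',
    '198.51.100.7 - - [10/May/2012:14:01:12 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/18.0"',
    '203.0.113.5 - - [11/May/2012:09:10:00 +0100] "GET /pricing HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["day"] = ts.date().isoformat()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string; it may carry identifiers
    return rec


def visitor_token(rec, secret):
    """Pseudonymous per-day token: the same browser and address collapse to one
    token within a day, but the day is part of the hashed material, so tokens
    cannot be joined across days, and the secret keeps them from being reversed."""
    material = f"{rec['day']}|{secret}|{rec['ip']}|{rec['ua']}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def summarize(lines, secret):
    """Aggregate successful GET page views per path and distinct visitor tokens per day."""
    hits = Counter()
    tokens_by_day = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        if rec["method"] != "GET" or rec["status"] >= 400:
            continue  # errors and non-page requests are not page views
        hits[rec["path"]] += 1
        tokens_by_day[rec["day"]].add(visitor_token(rec, secret))
    return {
        "hits_by_path": dict(hits),
        "visitors_by_day": {day: len(toks) for day, toks in tokens_by_day.items()},
        "skipped": skipped,
    }


if __name__ == "__main__":
    # The secret would normally be rotated and kept out of the log store.
    print(summarize(SAMPLE_LOG, "constructed-secret"))
```

Only aggregates leave this function; the raw address and user agent never appear in the output, and rotating or discarding the secret after each day's run makes the tokens useless for later re-identification.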
------
scanr
The most likely impact it will have is that it will drive more advertisers to
closed platforms like Facebook where gaining consent will be easier. That's
not to say Facebook won't be impacted, given that they won't be able to
passively collect analytics using the Facebook like button on sites.

In terms of workarounds, here are a couple that I have found:

* Don't be a UK based company

While non UK companies are encouraged to respect these guidelines, they are
not required to do so. From the guidelines:

"An organisation based in the UK is likely to be subject to the requirements
of the Regulations even if their website is technically hosted overseas.
Organisations based outside of Europe with websites designed for the European
market, or providing products or services to customers in Europe, should
consider that their users in the UK and Europe will clearly expect information
and choices about cookies to be provided."

Anyone care to guess what happens if a US company has a US based website but
also a based UK presence?

* Get the 3rd party to get the consent. The following wording says that if the
3rd party cookie provider has gained consent from the user, the website will
not also need to. As in:

"The key point is not who obtains the consent but that valid, well informed
consent is obtained."

i.e. Facebook may only have to gain consent for its Like button once for any
particular user, same for Google Analytics etc.

This is going to be bad for a whole bunch of folk:

* Display advertisers

* Sites that need analytics

* Sites that use 3rd party widgets that require state and those 3rd party providers (Disqus, Facebook Like buttons, etc.)

~~~
justincormack
Facebook probably will continue to collect data from Like buttons as it is the
site owner not them who has to get consent...

~~~
scanr
It's a good point but the wording in the guidelines suggests that both the 3rd
party and the site operator share responsibility to get consent (ignoring the
fact that Facebook may just sidestep this, being a US based company):

"The person setting the cookie is therefore primarily responsible for
compliance with the requirements of the law."

and

"Where third party cookies are set through a website both parties will have a
responsibility for ensuring users are clearly informed about cookies and for
obtaining consent."

It opens up an interesting liability issue. I suspect terms of service
agreements for companies that provide services based on 3rd party cookies may
be updated shortly.

~~~
justincormack
I guess as Facebook deliberately designs the Like button to track this makes
sense. Although maybe it will be ok as it will only track Facebook users, who
will presumably have consented.

Facebook is legally an Irish company in Europe so cannot ignore this.

------
rickmb
Stalking is illegal, for obvious reasons. Online stalking is equally illegal,
for equally obvious reasons.

Just because said stalking is automated, used for commercial purposes and has
been renamed with cool sounding euphemisms doesn't suddenly make it acceptable.
Neither is the fact that it currently happens on such a large scale that it
affects virtually every website.

These laws aren't crazy, they are a gradual return to sanity. The EU isn't
crazy either. The directive sets the baseline for what is and what isn't
allowed _in principle_ , allows for plenty of wiggle room and the way it is
actually implemented and enforced will be a gradual process.

All this over the top ranting without showing any self-reflection or attempt
at self-regulation is exactly why this is now forced upon us from above in the
first place. The EU and various government and consumer organisations have
repeatedly called for the industry to keep itself in check.

Instead, the industry has gone completely mental under the motto "we do it
because we can", and as a result we now have a commercial surveillance network
that surpasses anything any totalitarian government could have ever dreamed
of. And which on top of that blatantly violates already existing privacy laws.

Congrats. Well done. We've awoken the beast of government regulation, and we
only have ourselves to blame. You can't keep pissing all over consumers and
civil rights without it resulting in some kind of backlash.

------
Zirro
We went through all this in Sweden a while ago, based on the same EU
directive. What has happened since the law passed here?

Not much. A few government-related sites have started showing an explanation
about what a cookie is and does, and give the choice of accepting or
declining the cookie.

Other sites, despite the law, continue to function like normal. It's simply
unenforceable on a large scale.

------
Nikkau
Question: how do you remember that users say no without a cookie?

~~~
dalore
You remember the ones who say yes. As for the ones who say no, you ask them
every time until they say yes. So I guess the system works.

~~~
jamiecurle
What you're suggesting sounds like a dark pattern to me.

~~~
ars
He's joking.

But like all good jokes there's an element of truth since I suspect that's
exactly what some websites will do.

~~~
arctangent
He's not joking.

Take a look at what the ICO themselves do - they show a consent box at the top
of every page unless and until you opt in:

<http://www.ico.gov.uk/>

------
setrofim_
Wouldn't it be better to mandate that sites honor the Do Not Track* HTTP
header, rather than require each site to explicitly seek user consent?

* <http://dnt.mozilla.org/>

~~~
dhx
§66 on page 20 of Directive 2009/136/EC at [1] seems to explicitly allow the
use of Do-not-track header as an opt-in mechanism:

    Where it is technically possible and effective,
    in accordance with the relevant provisions of
    Directive 95/46/EC, the user’s consent to
    processing may be expressed by using the
    appropriate settings of a browser or other
    application.

[1] <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF>

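What honouring a browser-level signal alongside explicit consent looks like on the server side, as an added example that is not part of the thread or of any project it names: the request's DNT header is treated as a refusal expressed through browser settings, a stored consent cookie is required before any first-party analytics cookie is issued, and when neither is present nothing is set and the page is told to show the consent banner. The cookie names, the treatment of DNT as overriding stored consent, and the header shapes are assumptions of the example, not a reading of the regulations.

```python
"""Gate a first-party analytics cookie on explicit consent and the DNT signal (added example)."""
import secrets
from http.cookies import SimpleCookie

CONSENT_COOKIE = "analytics_consent"  # assumed name; set only when the user clicks "accept"
ANALYTICS_COOKIE = "site_visitor"     # assumed name of the first-party analytics cookie


def _jar(cookie_header):
    """Parse a raw Cookie request header into a SimpleCookie (empty header is fine)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar


def consent_decision(headers, cookie_header=""):
    """Return (allowed, reason) for setting an analytics cookie on this request.

    Policy of this example: "DNT: 1" is a refusal made through browser settings
    and wins over any stored consent; otherwise an explicit consent cookie is
    required; with neither, the answer is "ask", and nothing is stored.
    """
    if headers.get("DNT", "").strip() == "1":
        return False, "dnt"
    jar = _jar(cookie_header)
    if CONSENT_COOKIE in jar and jar[CONSENT_COOKIE].value == "yes":
        return True, "consent"
    return False, "no-consent"


def response_headers(headers, cookie_header=""):
    """Return ([(header, value), ...], show_banner) for the response.

    A Set-Cookie header is produced only when consent is present and the
    analytics cookie is not already there; the banner flag is raised only
    when the user has neither consented nor signalled DNT.
    """
    allowed, reason = consent_decision(headers, cookie_header)
    out = []
    show_banner = False
    if allowed:
        if ANALYTICS_COOKIE not in _jar(cookie_header):
            c = SimpleCookie()
            c[ANALYTICS_COOKIE] = secrets.token_urlsafe(16)  # random, carries no personal data
            morsel = c[ANALYTICS_COOKIE]
            morsel["path"] = "/"
            morsel["httponly"] = True        # not readable by page scripts
            morsel["secure"] = True          # only over HTTPS
            morsel["samesite"] = "Lax"       # not sent on cross-site requests
            morsel["max-age"] = 60 * 60 * 24 * 30
            out.append(("Set-Cookie", morsel.OutputString()))
    elif reason == "no-consent":
        show_banner = True  # ask the user; store nothing until they answer
    return out, show_banner


if __name__ == "__main__":
    print(response_headers({"DNT": "1"}, ""))                   # ([], False): refusal honoured
    print(response_headers({}, ""))                             # ([], True): ask first
    print(response_headers({}, "analytics_consent=yes"))        # one Set-Cookie, no banner
```

The "no" case is deliberately stateless here: a visitor who has refused is never issued an identifier, and the DNT branch suppresses the banner as well, since the browser has already answered on the user's behalf.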
~~~
Groxx
That seems to imply that if you have 'accept cookies' and 'accept 3rd party
cookies' checked, you can be tracked. Those boxes exist for _precisely_ this
reason, are they not consent?

------
gcp
The site focuses on the UK implementation of the law, but unfortunately the
directive is EU wide and individual member states are hence supposed to put it
into law, too. I say supposed because as in typical EU style, the member
states are lagging, or doing their own thing.

<http://www.dlapiper.com/files/Uploads/Documents/DLA_Piper%20_%20How_the_EU_has_implemented_the_new_law_on_cookies.pdf>

Who are screwed: Austria, Latvia, Lithuania, Sweden and the UK.

The actual law says that _any non-strictly-needed_ cookie (or whatever you use
to track users) MUST receive PRIOR opt-in from the user. It also clarifies
that non-strictly-needed must be read in the narrowest sense possible, so that
even _saving user preferences_ is considered non-essential. As far as I can
tell this means that even normal use of session cookies is outlawed.

There seem to be some posters here who think the law only matters for
analytics, and hence as users it's not their problem. You couldn't be more
wrong, there is no such restriction in the law! This will effectively make the
internet unusable unless websites start grouping login/cookie access. Like
with Google/Facebook/Twitter account login systems. If the intent of the law
was to hamper those companies, it will effectively achieve the opposite by
hurting the smaller players disproportionally.

And of course, you might not have to care because this will likely end up
mostly unenforced. But as a site operator, it's still a Damocles' Sword
hanging above your head if you ever get Kafka'ed. The fines are not small.

~~~
mjwalshe
As someone who works on major sites, having analytics is a strictly needed
cookie - otherwise how do we optimise the site, and if we can't do that in a
cost effective manner and the site loses traffic we have to make people
redundant - and my employer has done that in both the USA and the UK.

Are you going to ban in store CCTV and Footfall analysis next?

------
leejw00t354
This really is crazy, most analytic applications track users anonymously
anyway so there isn't really much privacy concern.

It's basically the same as keeping track of the number of customers a physical
store gets in a day, or maybe the time customers spend in the store. This
type of analytics is essential to offline and online businesses.

As a citizen of the UK I'm extremely disappointed.

------
_delirium
The title is a little overly broad; as far as I can tell the only part of
analytics that'll be impacted is setting cookies solely for tracking purposes.
Lots of other kinds of web analytics will be fine. For example, you can do
statistical analysis of your Apache logs, or of _other_ cookies that you set
in the regular course of operating the webapp.

~~~
gcp
No, you cannot. Just read the law. ANY kind of cookie requires PRIOR
permissions.

~~~
_delirium
Well, yes, but presumably you would ask your users to set those. For example,
if you use Gmail, presumably you will agree to let Gmail set your login
cookie. Then Google can do web analytics keyed off that; the law doesn't
actually ban doing analytics.

~~~
gcp
Right, so the majority of websites are now required to display the warning and
request opt-in.

You don't see how this is a major pain?

You can already get this behavior in your browser by changing user settings.
Just try to surf like that for a while. It's horrendous, and what's worse, it
doesn't make the user any wiser, really.

~~~
_delirium
Yeah, that's a pain, I'm not disputing that. I'm just disputing that this law
makes "web analytics illegal".

------
petercooper
It's about as unscary as the various disability and accessibility laws in the
UK and EU. They make lots of demands too and have scary consequences for
inaction, yet hardly anyone follows them to the letter and I've not heard of
anyone getting punished either (although I'm not suggesting no-one has, it's
just not common).

I suspect most companies, other than those with the budgets and public
visibility to run scared, will just ignore this law until it becomes a
problem. Indeed, they haven't done a good job of promoting it either - it's
been in a few news stories.. woopty woo, I bet the _majority_ of webmasters
haven't even heard of it.

------
sparknlaunch12
Wouldn't this be easier if browser companies blocked all cookies by default?
Users wanting cookies turn off the blocker? A lot fewer browsers than websites?

~~~
icebraining
Possibly, but how is the ICO supposed to regulate browser vendors?

~~~
mryan
The exact same way they are attempting to regulate website owners - by
passing a nonsense law that will do nothing to solve any real privacy
concerns.

The ICO has the power to force browser vendors with a UK presence to implement
this at the browser level. I wonder why they didn't? Short-sightedness? Or
perhaps they knew that Google/Mozilla/Microsoft are more capable of presenting
a unified front to fight this, compared to however many thousands of web
developers are affected.

~~~
wardenclyffe
More likely those companies already lobbied the hell out of the situation and
got people to make it someone else's problem.

------
TomGullen
We're a UK business with our web server in the USA. Do these new laws apply to
our website?

~~~
polshaw
yes

~~~
mryan
To provide a bit more detail:

"An organisation based in the UK is likely to be subject to the requirements
of the Regulations even if their website is technically hosted overseas.
Organisations based outside of Europe with websites designed for the European
market, or providing products or services to customers in Europe, should
consider that their users in the UK and Europe will clearly expect information
and choices about cookies to be provided."

So, as a UK-registered business, you will be subject to this law.

My startup is registered in the UK, but all servers are outside of the UK. I
am actually planning to just ignore this ruling and see what happens. If it
looks like they are seriously going to go after startups that don't follow
these rules, I will simply register the business in a location with less
idiotic rules.

------
read_wharf
Gov enacts a law, but says don't worry they won't enforce it in some cases?
Ludicrous.

------
jdietrich
Goodbye UK Ltd, hello Delaware C-Corp.

------
mrao26
There are cookie-free analytical tools out there which can be used for the same
purpose.

------
carbonesc
These four documents appear to be the main source material. I have extracted a
few bits I found interesting.

Information Commissioner's Office - Enforcing the revised Privacy and
Electronic Communications Regulations (PECR) of 25/5/2011:
<http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf>

Information Commissioner's Office - Guidance on the rules on the use of
cookies and similar technologies of 13th December 2001:
<http://www.ico.gov.uk/news/latest_news/2011/%7E/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx>

"Check what type of cookies you use and how you use them"

"If the information collected about website use is passed to a third party you
should make this absolutely clear to the user. You should review what this
third party does with the information about your website visitors. You should
tell people what you are collecting and how you are using this information."

"Even where the clear cookie rules do not apply you must consider the DPA
[Data Protection Act] whenever you are collecting information that builds up a
picture that could allow you to identify an individual."

"... the Commissioner is therefore unlikely to prioritize, for example, first
party cookies used for analytical purposes and cookies that support the
accessibility of sites and services, in any consideration of regulatory
action."

"... we would expect you to provide clear information to users about
analytical cookies and take what steps you can to seek their agreement."

Directive 2002/58/EC of the European Parliament of 12 July 2002:
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT>

"(25) However, such devices, for instance so-called "cookies", can be a
legitimate and useful tool, for example, in analysing the effectiveness of
website design and advertising, and in verifying the identity of users engaged
in on-line transactions. Where such devices, for instance cookies, are
intended for a legitimate purpose, such as to facilitate the provision of
information society services, their use should be allowed on condition that
users are provided with clear and precise information in accordance with
Directive 95/46/EC about the purposes of cookies or similar devices so as to
ensure that users are made aware of information being placed on the terminal
equipment they are using. Users should have the opportunity to refuse to have
a cookie or similar device stored on their terminal equipment. This is
particularly important where users other than the original user have access to
the terminal equipment and thereby to any data containing privacy-sensitive
information stored on such equipment. Information and the right to refuse may
be offered once for the use of various devices to be installed on the user's
terminal equipment during the same connection and also covering any further
use that may be made of those devices during subsequent connections. The
methods for giving information, offering a right to refuse or requesting
consent should be made as user-friendly as possible. Access to specific
website content may still be made conditional on the well-informed acceptance
of a cookie or similar device, if it is used for a legitimate purpose."

Directive 2009/136/EC of the European Parliament of 25 November 2009:
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:EN:HTML>

"(66) Third parties may wish to store information on the equipment of a user,
or gain access to information already stored, for a number of purposes,
ranging from the legitimate (such as certain types of cookies) to those
involving unwarranted intrusion into the private sphere (such as spyware or
viruses). It is therefore of paramount importance that users be provided with
clear and comprehensive information when engaging in any activity which could
result in such storage or gaining of access. The methods of providing
information and offering the right to refuse should be as user-friendly as
possible. Exceptions to the obligation to provide information and offer the
right to refuse should be limited to those situations where the technical
storage or access is strictly necessary for the legitimate purpose of enabling
the use of a specific service explicitly requested by the subscriber or user.
Where it is technically possible and effective, in accordance with the
relevant provisions of Directive 95/46/EC, the user’s consent to processing
may be expressed by using the appropriate settings of a browser or other
application. The enforcement of these requirements should be made more
effective by way of enhanced powers granted to the relevant national
authorities."

