Setting Google Analytics to not use cookies (stackoverflow.com)
60 points by robin_reala on May 28, 2012 | hide | past | web | favorite | 32 comments

Note that EU directives don't apply to website owners. They bind the member states to implement them in some form. The laws of individual member states contain guidelines that you should adhere to.

I was going to ask this. What exactly would happen if I (as a US citizen) ignored this? Would the EU block my website?

The EU doesn't make (much) real law per se. Unlike the USA, the EU doesn't really have a criminal system, or federal laws etc. The EU makes member states (which are countries and states) implement a law. This law would only apply to owners of websites. They don't block websites.

This gives member states a bit of extra freedom - some implement the laws in a stricter or looser manner than the European Parliament may have intended.

Some countries even refuse to implement them, as the Swedish government did with the Data Retention Directive (http://en.wikipedia.org/wiki/Data_Retention_Directive). See


(scroll down to implementation) for a while. Then they complied.

No, at worst an EU state might block your website.

But that won't happen either: it's a law that applies to EU companies with a website. Your company might have to worry a little if they chose to incorporate in Europe.

No, that's not true. Where a company is domiciled has nothing to do with these regulations - they apply to any company which has users in the EU. And yes, they will apply in a slightly different form as interpreted to each member state.

And yes, this is a somewhat ridiculous situation; but in practice it's not really likely to be a problem, unless you've got a major presence in an EU market.

In practice, the UK at least is extremely unlikely to pursue any non-UK companies for breaching the UK interpretation of these regulations (which is very light-touch anyway); if only because of the difficulty in taking effective action.

Other member states might take a more or less proactive approach in pursuing action; and other countries have a different take on the regulations anyway.

Basically, if I was a small-ish non-EU based website with EU customers I'd be keeping an eye on this to see where it goes, but I wouldn't take any action yet.

If I was a large non-EU-based site with tens of thousands or millions of EU customers, I'd be paying quite a lot of attention; what I did about it would depend on my risk profile.

> "So, my only option seems to be that I should not embed Google tag code at all if the user has not explicitly given consent."

The other option is to ignore the directive, which is what most websites will do.

As Ian Clarke (original designer of Freenet) put it:

"It is the responsibility of every citizen to ignore dumb laws."

And I would add that the whole world would crawl to a halt and descend into total chaos if everyone followed every law in the books. Too many laws are plain incoherent, inconsistent and impossible to follow.

Also, laws only 'matter' if they're actually enforced. There's no indication this will actually be enforced at all.

I put google-analytics (among thousands of other useless tracking websites) in my hosts file. Probably the most useful text file you'll ever download:


Author of the accepted answer here. You can block GA without breaking sites by using the GA Opt Out plugin in this specific case https://tools.google.com/dlpage/gaoptout

The reason is that blocking the domain in your hosts file will prevent the functions from ever loading, and so something like this (the standard code for doing cross-domain tracking):

    <a href="http://thirdpartycheckoutsite.com" onclick="_gaq.push(['_link']); return false"></a>

Will cause _gaq to simply add an array with a single element, a string that says "_link", and then return false, preventing the site from completing the default action. This is because ga.js never loads, so it never executes the queue of functions and never converts _gaq.push into a non-native function. So, you'll click the link, and nothing happens.

(I actually abhor the practice of doing this this way, because it's so easily breakable, but this is the "recommended" way of facilitating cross domain tracking)

If you use one of the "official" Google opt-out plugins, it'll load ga.js, but it'll block any information from being sent about you to Google, it'll block Google Analytics cookies from being sent, and it won't break any site functionality.

Will simply
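The queue behaviour described in the comment above, as an added example that is not part of the original thread: a simplified model of the `_gaq` array before and after ga.js loads, with a click handler that falls back to normal navigation when the tracker is blocked. `makePage`, `loadTracker`, `fragileClick` and `defensiveClick` are hypothetical names, and the `_link` handler here only records the target URL.

```javascript
// Simplified, constructed model of a page using the async ga.js queue.
function makePage() {
  return { _gaq: [], navigatedTo: null };
}

// What ga.js does when it loads: run the queued commands, then replace the
// plain array with an object whose push() executes commands immediately.
function loadTracker(page) {
  const handlers = {
    // Stand-in for the real _link, which also carries cookie data across domains.
    _link: (url) => { page.navigatedTo = url; },
  };
  const run = (cmd) => {
    const [name, ...args] = cmd;
    if (handlers[name]) handlers[name](...args);
  };
  page._gaq.forEach(run);
  page._gaq = { push: (...cmds) => { cmds.forEach(run); return 0; } };
}

// The onclick pattern from the comment: push the command, then `return false`.
// Navigation only happens if ga.js has replaced push(); otherwise the command
// sits in the array forever and the default action stays cancelled.
function fragileClick(page, href) {
  page._gaq.push(['_link', href]);
  return page.navigatedTo; // null when the tracker never loaded
}

// Defensive variant: if _gaq is still a native array, the tracker is absent
// (hosts file, blocker, network failure), so allow the default navigation.
function defensiveClick(page, href) {
  if (Array.isArray(page._gaq)) {
    page.navigatedTo = href; // equivalent to not cancelling the click
  } else {
    page._gaq.push(['_link', href]);
  }
  return page.navigatedTo;
}
```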

How about just using Ghostery plugin in your browser? http://www.ghostery.com/

It's more user friendly and easier to modify websites that shouldn't be blocked than big hosts file.

The line for google analytics in this hosts file is commented out, with the comment "breaks some sites".

If only getting rid of spy cookies/tracking was so easy...

The list is very conservative this way, but I add a bunch of sites myself and uncommenting google-analytics and other tracking sites is perfectly safe and doesn't break anything - even google. And for cookies there's cookie monster.

If left to owners/managers/developers to implement the opt-in we risk having a variety of ways for doing the same thing. Some good, some not so good and some just bad.

A less painful solution would be to try and solve this at the browser level where the experience for end users would at least be consistent. Like a blend of DNT & private browsing mode that had extremely restrictive criteria for cookie usage - if any.

Something like [Ghostery][0] would be a nice starting point.

Of course the better solution would be to erase Article 5(3) and start again. Good intentions, bad directive.

[0]: http://www.ghostery.com/

Nice one, that's the kind of `thing` I was referring to.

It's a bit of a pain for website owners, but I think the EU directive is a good thing.

Why? It will make people better aware of what cookies they have, and how they are used. Which is probably a good thing.

It's a terrible thing, good only for lawyers. Nobody understands what cookies are anyway, most people think they are tiny little programs that steal their privacy in some magical way.

And nobody cares about that level of technical detail either, and why would they?

If the gov't is so keen on regulating Web stuff, they should have a regulatory body that reviews and audits Facebook's and Google's internal handling of user data, to make sure they actually don't abuse them secretly.

This cookie thing doesn't make any difference for privacy protection at all.

I hope it will raise awareness, but my cynical expectation is that the "Accept" button will become one people press habitually to get rid of an annoying banner. Sites abusing the Facebook Like button as a gateway to content are a proof of concept that this might happen.

Considering web browsers already have cookie controls built in, it seems a bit silly to incur such an enormous cost in implementing a completely redundant feature.

I think the effort would be better spent on publishing transparent descriptions of what data is collected and what it is used for than for designers to each create their own non-standard dialog boxes. The cookie issue could be "fixed" (to the extent possible with pointless legislation) with a link to an EU-published HOWTO on configuring a web browser.

Most people don't understand the difference between "Google" and a "Browser" [1], cynically, I don't hold much hope people will care what browser cookies are.

I've already had to explain to my parents that cookies aren't evil, the sites they visit (BBC/Google etc) are mainstream and fine.

As an EU resident and webmaster of several sites for myself and clients, I see little benefit to my visitors other than causing me a lot of grief over trying to follow guidelines and hoping my implementation doesn't break them.

I was speaking to a client about it today, he hasn't seen anything about it and I doubt many small business owners have seen (or cared) much about it.

[1] http://www.youtube.com/watch?v=o4MwTvtyrUQ

Definitely, it is not. Users already "opt-in" by configuring their client to accept cookies. Users could be more aware of that and use their clients appropriately if they don't wish to be tracked, but instead there will be this new layer of complexity by which a user opts in. Users (much like they have with their browser security settings) will grow accustomed to blindly opting in like they always have because it makes the thing they're trying to use work. Only now, we have an extra bit of work to do.

> Users already "opt-in" by configuring their client to accept cookies.

I highly doubt that is the interpretation of "opt in" that the various Data Protection agencies will take.

My point is that cookies are, and always have been, an optional feature of the web. If you go back a decade or so, you might remember annoying IE dialogs warning you that "a website is trying to put a cookie on your computer, do you accept?" While cookies may be used for nefarious purposes, they are essential to many, many legitimate features of the web like maintaining a user session, and to an end user, their importance has trained them to automatically click "Accept."

They are so ubiquitous that browsers typically accept them by default now, but they are still an optional feature. This EU mandate could have been just as well fulfilled by requiring browser vendors to have the accept cookies warning turned on by default and let users turn it off at their peril. Instead, it has just added another chunk of compliance for web workers to adhere to. Users are still going to be the same ol' users who click "Accept" because they want to get into whatever they were trying to get into. Only now, there's a lot more room for lawsuits.

All of that is true. However I doubt you could claim "opt in" because the user's browser accepted the cookie. It's not that easy to get around the letter and spirit of the law.

There are better ways to achieve those goals without writing these laws

If you're that concerned about Tracking, using Adblock is the best option ..


Does anyone know of a decent and up to date guide on what is/is not allowed? The official guidance is typically not much help and my searches reveal a lot of stuff out of date and other sites that are more interested in selling me cookie analysis - so I'm taking their advice with a grain of salt.

The interpretation of the law is up to the individual countries. I've only been watching what's been happening in the UK. Until last week the guidance from the Information Commissioner's Office has been 'you need explicit opt-in' if you want to set cookies that aren't vital to your site's work (example, cookies set when a user is shopping and putting items into their cart are deemed vital, Google Analytics is not).

However last week the ICO issued new guidance saying that implied consent is OK.

News article here:


The UK formal advice here (PDF)


A rather handy site that has an easily integratable tool for implementing Directive-compliant opt-out on your site


and the Drupal module: http://drupal.org/project/cookiecontrol

I would argue that analytics is vital - if you can't work out what your site is doing then you can not work out how to improve the site which costs money and indirectly jobs.

I look forward to each individual shop/business making us sign a waiver when we enter a shop with CCTV, i.e. 95% of UK shops

> I would argue that analytics is vital

So would a lot of people, but the official guidance makes it clear that they are not considered vital as far as these legal rules are concerned.

The "essential cookies are OK" criteria relate to the functionality the user has explicitly asked for, not to functionality that the site operator needs to run the site in a commercially viable fashion. Thus things like session cookies to record that you have logged in or what's in a shopping cart are OK, but things like analytics aren't allowed to piggy-back on top.

There seems to be some doubt about how seriously anyone in the UK is going to take these rules, though. Even the ICO can't get its opinion straight, and it's the government body responsible for enforcement. As I understand it, we're already taking this whole mess far more seriously than most countries in the EU, in that some web sites run by large organisations have made some effort to comply with the rules, while even that might not be true in most places that are theoretically affected.

Well, as someone who has been working on www based systems since 1994 and on online systems for many years before, it's a pity they did not ask people actually working in the industry.

Ironically Neelie Kroes, the EU's Digital Agenda Commissioner, now wants us to have mandatory electronic id cards storing god only knows what information about us.

This is a far worse infringement of our rights than some aggressive retargeting as opposed to being asked "papers please" on the Eurostar.

I think I will change my last name to Pike :-)
