Friday, September 2, 2011

Cookie Monster Commeth

All you need to know about the EU e-Privacy Directive
In the past it was sufficient to inform users that cookies were used, however this change requires explicit consent from users for each and every cookie used – permanent, session, and ‘super cookies’ must all be accounted for.
The change applies to all computers and terminal equipment that track via cookies. So computers, phones and any type of browser based application must comply.
While the UK offered a grace period, Ireland has given an interpretation of EU Directive where all tracking cookies are forbidden. Now it is for companies to find a seamless technical solution for meeting this requirement.

For brevity visit this EU Cookie Law website where the solution is in place. Not the accordion drop down which asks for your consent. In the past this website might have chosen to hide the cookie tracking information in their terms and conditions, with a claim that users had been “informed”.
All websites by May 26 2012 are directed to comply with the new EU Cookie Legislation.
The law has been on a backburner for a year since passing into UK Law on May 26 2011, with the Information Commissioners Office (ICO) laying down a one year grace period to comply, will be statute from 2012 – or face a fine of up to £500k.
While this all sounds heavy and legal-like the reality is a much more technical issue: How will you gain consent from your users for every cookie dropped on their machines?

What happens on 26th May 2012?
The date is significant as all websites hosted, or operated in the UK must comply with the Information Commissioners Office instructions by this date – after May 26 the ICO will begin enforcement of the cookie law.
Opt-Out to Opt-In – Why?
The change is seen as a move to get users explicitly consent, while commentators note the change is likely to thwart 3rd party tracking, building profiles based on cookie sharing and permanent “zombie cookies” such as flash based reigniting cookies which have become the cookie du jour for serious marketers due to how these cookies avoid detection of browser cookie deletion. More on Zombie Cookies here.

Who is exempt from the change?
Strictly speaking no one, however where the use of cookies is “Strictly necessary” to the user consent is not needed. Say for instance, when a cookie is session based and used for calculating an iCommerce shopping cart. In short, where the integrity of a user experience is lost while performing session based activities.
The exception is narrow and should be treated as such. As a rule of thumb, all cookies need consent from May 26th 2011, but with a delay to the cookie law enforcement of the rule is now from May 26 2012. This presents what has been described by the developers at Scottish company web design dundee as "a ballache for devs".

Cookie Law and Google Analytics
Surprisingly GA is a first party cookie, but is not “strictly necessary” and to that end must be consented before dropped on a user’s machine.
What has yet to be seen is if the suggestion that a Browser solution can be applied. This would mean granting consent to all cookies at browser level. A ‘once and for all’ type of consent, rather than site by site, application by application.
This would solve the issue of The EU Directive for Google Analytics cookies which are found on 85% of the top websites including NT Times, Financial Times, Mashable, Techcrunch....and even MSN!

If I use Google Analytics should I expect trouble?
The EU Legislation says: "The government's view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice. The key point is that you cannot ignore these rules.
Types of Google Analytics Cookies
Globally and in the European Union member states Google sets the following cookies

utma Cookie
This is a a persistent cookie – and does not automatically delete unless it expires. Typically the expiration is 2 years in the future.. Tracks visitors (first visit (unique), last visit (returning). Used for iCommerce www.icommerce.co.uk
will also register the “Days and Visits to conversion” information.

utmb Cookie & utmc Cookies
These are the ‘twins’ of Google Analytics and both need to be present to function correctly. This is because utmb and utmc calculate length of visit. These are the least “serious” of Google Analyrics cookies.

This is a session based cookie.

utmz Cookie
Cookie utmz tracks HTTP Referrer details such as the type of referrer (Google or PPC), direct, social, mobile or PC or sometimes unaccounted visits like ‘bots’. Using HTTP Referrer utmz will note the referring keyword and geo information of the visitor.

This cookie is permanent and last 6 months. It is a heavy weight and provides much of the information we use each day in Google Analytics, not least for conversion tracking information like source, medium, keyword to attribute the info to a Goal Conversion.

utmv Cookie
This cookie is not always included by GA, but is dropped on a machine when segmentation, retargeting or data experimentation is set up. Google utmv Cookie lasts ‘forever. It is a persistent cookie. Utmv and utmz in tandem do much of the legwork around ad retargeting capabilities.


The takeaway: Act If you have.....
1 Any Terminal equipment, application or websites hosted in the United Kingdom or EU targeting users in those territories
2. Any Terminal equipment, application or websites hosted in the United Kingdom or EU targeting users in outside territories
3. Any Terminal equipment, application or websites hosted in another country targeting the United Kingdom or EU users.
4. Any Terminal equipment, application or websites hosted in another country using a CDN or proxy in the United Kingdom or EU to serve content..

Read the full text of the The European Commission's Directive of Privacy and Electronic Communications 2002/58/EC (known also as the e-Privacy Directive or Cookie Law www.cookielaw.org)

No comments:

Post a Comment