Cookie Law, another EU Classic

Just when you thought you had complied with all the EU legislation needed for your electronics business, they dump another one on us and what a beauty!

This regulation, 2009/136/EC requires all websites that use cookies to inform the user and to obtain their consent before placing any cookie on the user’s PC.

What does this mean in practice?

Cookies are small text snippets dumped on a user’s computer by web sites that are visited. Some are 100% necessary, for example, session IDs that allow shopping carts to run or hold language or currency preferences. This type of cookie that is “technically necessary” can still be used without telling the user, especially if it expires when the browser is closed.

Where it gets tricky is tracking cookies, such as Google Analytics. Nearly every website nowadays uses tracking of some sort to collect information about user behaviour and it is difficult to run an effective online business without this information and I am sure your web site designer has incorporated some analytics in your site. Should you disable them to comply with this new law or ask the user for consent, with a pop up for example?

Both of these solutions are unpalatable as they could affect your online business but are you taking a risk if you do not do either? The answer is both yes and no, like all EU legislation. EU regulations have to be incorporated into laws in each member state, so it depends how each country has interpreted them. The regulations are good at defining what a cookie is but awful when it comes to defining what is “user consent” and how you should obtain it. This is par for the course for EU legislation.

In the UK, the Information Commissioner who is charged with enforcing it, is saying different things from the government minister who actually passed the legislation. This is because it is actually a very stupid law and the best way to solve issues with cookies would be a technical solution i.e. do something with browsers to make cookies clearer to the user. This seems to be the government’s line – we won’t enforce this until the technical solution is available. The commissioner is talking about agreements and enforcement notices but that is his job. Even he says that fines are unlikely.

So, you may be breaking the law by using Google Analytics or similar without asking for the user’s consent, but nothing will happen if you just carry on doing it like almost every other site. The big boys, like Screwfix or Amazon, have done it because they store much more information on user PCs and are more visible.

What about the moral position? This is the balance of a right to privacy against a better service. When I go to a website, it doesn’t worry me that they use cookies to run a shopping cart or even that my anonymous data is used to produce traffic statistics.

Google states that they don’t have access to the information themselves, and only the web site that uses that Google Analytics code and cookie gets the data. This means that it is technically a first party cookie as no one except that site gets the data, not even Google. For more on this topic, see
Cookies and Google Analytics

As everyone can use their browser now to disable cookies if they want to either by blocking all cookies, selectively blocking them from some sites or deleting them after visiting a site, then morally I see no problem with Google Analytics.

There is a case for more education, about cookies and many other Internet or PC security and privacy issues, and web browsers should be clearer about cookies, but it is not going to affect anyone deeply if you can tell what percentage of your website visitors have visited before, or what proportion came from Bing, Google or elsewhere.

On balance, Kanda is going to continue to use Google Analytics without having lots of popups asking for permission. The law was mainly aimed at third-party cookies that advertisers can use to track individual users across the web, but was badly drafted. As Google Analytics doesn’t use any third party cookies, is anonymous and only gives traffic percentages and statistics to us, we cannot see how it is violating anyone’s privacy. If people disagree, then they can block or delete them.

The UK government seems more sensible than the EU at the moment as they are basically waiting for a better, browser based solution. This should have been the approach from the beginning.

Please see Kanda Privacy Policy for more information about our cookie usage.

Leave a Reply

Your email address will not be published. Required fields are marked *