Google Analytics and the EU privacy law #3

This latest privacy post form me comes after a great deal of deliberation. It follows discussions with the UK’sΒ privacy protection agency (ICOΒ – principally David Evans), peers at events e.g. eMetrics Summit, and with reference to the latest and much improved ICO guidance documentΒ (PDF).

Background on the EU Privacy Law…

As you may be aware, in May 2011 a new EU privacy directive came into force – officially known as Privacy and Electronic Communications Regulations (PECR), though often referred to as the “EU cookie law” as it implies that setting website cookies without a visitors consent would be illegal in all 27 EU member countries.

As you can image, that caused quite a furore in the digital industry, where cookies have become almost as fundamental as HTML and JavaScript. At the time, I wrote about my understanding and views on the matter – specifically in relation to Google Analytics. All this happened last year and throughout 2011 there has been a lot of discussion on the matter. In fact, the ICO (the UK’s privacy protection agency) allowed a one year grace period of not enforcing the law to get things in order – that expired on May 26th 2012.

Distilling the discussions that have been going on, it comes down to two fundamental points:

  1. The PECR is now law (in fact since May 25th 2011) in all 27 EU member states – and is here to stay.
  2. Its aim is to protect the privacy of individuals on the web from people and organisations that collect personal information about them, or use Β “behavioural targeting” techniques to profile a visitor across the web.

In principal, this is a good and much needed law.Β The difficultly comes in wording the guidelines in a technology-agnostic way and one that deters privacy abuse while protecting the legitimate need of website owners to know what is going on with their website i.e. at a basic level, how many visitors.Β My previous post on this subject clarifies the main points of what this law represents.

To summarise my previous comments, this law is about:

Behavioural targeting and the abuse of private information is what this law is about. Benign, anonymous, aggregate reports – such as that provided by Google Analytics is not the target of this law.

Note, although my comments are from a UK perspective, they are applicable to all EU member countries (its the same law!). Even outside the EU, goverments are looking closely at what happens here to establish similar legitimate privacy laws. Therefore, understanding this is important for knowing the direction web privacy is inevitably going…

 

wa-users

What this means for Web Analytics users

Contrary to what has been reported (and even enacted on some sites), you do not need to seek explicit consent to set an anonymous, benign first party cookie.

I must emphasize my use of anonymous and benign first party cookie parts. Anonymous means just that. It does not include an anonymised uniqueID that can be tied back to an individual via your CMS system! The use of a first party cookie means that the website the visitor is actually viewing is the website that sets the cookie – not another website or advertiser. In others words, the setting of the cookie(s) is completely controlled by your organisation and that process is transparent to the visitor – and readily available i.e. not buried deep in a privacy policy that is difficult to find or comprehend.

My view on this is taken from the section entitled “Implied consent as a basis for compliance…” (page 6) of theΒ ICO guidance document (PDF – v3 May 2012). Specifically:

“While explicit consent might allow forΒ regulatoryΒ certainty and might be the most appropriate way to comply in someΒ circumstancesΒ this does not mean that implied consent cannot be compliant.”

As I discuss in the background section, this law is not about benign first party tracking techniques.

If cookies are not completely anonymous and are not first party (set by your own website domain), you need explicit consent from each visitor.

 

google-analytics-icon

What about Google Analytics users…?

The good news is, that by default Google Analytics does not collect personally identifiable information (PII) and uses only 1st-party cookies. In addition, all reported data is aggregate. That means it is grouped data and not that of individuals. Following the guidelines of the ICO, this means explicit consent is not required if you only use Google Analytics.

However, five common pitfalls to avoid:

1. Even if only Google Analytics is in place, it is possible to capture PII inadvertently with Google Analytics – all URL information is captured by GA. Therefore, ensure you have checked your data for any PII. For example check your Content > Pages reports and Content > Events reports for captured usernames or email addresses. Remove any such tracking. Collecting PII is also against the Google Analytics Terms of Service. The most common method is to use a re-write filter to remove the personal information.

2. Often there are other tools or scripts in place that set cookies that may not be anonymous or first party. These should be assessed separately to GA – see the next section, “What if I use 3rd-party networks…?”

3. Site owners must have a best practice privacy policy in place and be easily accessible – read my explanation and anatomy of a privacy policyΒ in detail.

4. If any PII is captured, explicit consent must be requested. This can be as simple as the visitor completing a purchase or a subscription. That is, visitors are completely aware they are handing over their PII and agree to do so by making their purchase (I agree that this is not strictly speaking ‘explicit’ consent. However, the action of completing a purchase is so obvious to the visitor that it goes way beyond implied consent). If the collection of PII is not so obvious, consent must be asked for.

5. If PII is captured by consent,Β it must not be used to backfill data i.e. to track the visitor prior to their point of consent. Although disallowing a retrospective backfill is not currently described in the ICO guidance documentΒ (PDF), I expect this to come into place soon.

 

What if I use 3rd-party Networks…?

This is probably the mostΒ trickiestΒ part of compliance because so many websites embed 3rd-party content…

Ad Networks, such as Google’sΒ DoubleClick and AdSense use 3rd-party cookies that track individuals. Plugins, such as Disqus, AddThis, ShareThis, LivePerson ChatΒ are also common site plugins that use 3rd-party cookies, as is embedding YouTube content and feedback surveys from vendors such as Kampyle and KISSmetrics. That means, if you are a visitor to a site that has embedded one or more of these, your individual browser behaviour is being tracked around the web – anonymously in the examples given.

Disqus - scary privacy implications

Example: The Disqus pop-up. Scary privacy implications…!

There are many more examples. In fact, the use of 3rd-party cookies is so prolific its hard not to come across them! For example, social plugin buttons such as tweet me, follow me, Like, Google plus, LinkedIn, often set 3rd-party cookies (who isn’t trying to exploit the power of social these days?) Also certification logos, such as those provided byΒ Security MetricsΒ to certify PCI compliance, set a 3rd-party cookie.

Based on ICO guidance, if you have embedded any of the above 3rd-party networks/plugins into your site, explicit consent must be sort. This is because they are not first-party techniques and so there are privacy implications for visitors. That is, having their behaviour profiled across different unrelated websites across the web requires explicit consent.

What is not very clear at this time, is who is responsible for the obtaining consent to set the 3rd-party cookies – the 3rd-party network, the website hosting the content that the visitor is viewing, or both. According to ICO guidelines, “The person setting the cookies is primarily responsible” (page 13). However that isΒ impracticalΒ for 3rd-parties who do not have any direct relationship with the visitor – for example, AddThis claim its plugin buttons are hosted on 14 million websites. And consider that the visitor may not even be aware there is a 3rd-party involved. Hence, myΒ view is that this is the responsibility of the website hosting the content.

To discover which advertisers use behaviour targeting i.e. set 3rd-party cookies on websites, the Network Advertising Initiative has an industry sponsoredΒ Opt Out of Behavioral AdvertisingΒ list. The list is provided and updated voluntary by advertisers and is not a complete list of all organisations that set 3rd-party cookies, or perform behavioural targeting.

What about mobile content?

The law applies equally to mobile websites. Mobile apps can be considered differently as explicit consent is already required by the user in order to install the app. Therefore additional consent is not applicable.

The bottom line…Audit your privacy!

Any web analytics tool or script can be used to breach a visitor’s privacy. Therefore audit your website(s) to demonstrably show what cookies (and any other storage mechanisms) are being set.

Follow these 6 steps:

  1. Know what tracking methods (tools and scripts) are in place in addition to Google Analytics (audit your website).
  2. For each tool/script in place that tracks a visitor, you must assess if the data collected is anonymous and first party. If “yes” to both criteria, no explicit consent is required.
  3. If “no” to the above criteria, you will need to provide a consent mechanism. The ICO guidance document has some good and non-obtrusive examples to illustrate this.
  4. During an audit, I often find numerous legacy andΒ redundantΒ scripts on pages that are no longer used by the website owners, but are still setting and collecting data. Unless you are using these, remove them to save the headache of managing the privacy implications.
  5. If Google Analytics is in use, confirm no PII is collected.Β If no PII is collected, no explicit consent is required for Google Analytics tracking.
  6. Ensure you have a best practice privacy policy in an easy to find place – written for the user, not for the legal team!

In Summary

This update from me is to confirm that using Google Analytics on your website (being anonymous, aggregate reports) is absolutely OK – both in the spirit of the EU privacy law and in practice. However, it is the prevalence of 3rd-party tools and 3rd-party embedded content that require careful consideration. That is exactly what this law is intended for.

Some reference material for further reading

  • ICOΒ – the latest guidance information form the ICO. Also PDF download
  • GDSΒ – excellent blog post form the Cabinet Office (UK government)
  • EconsultancyΒ – good discussion document that hopefully led in part to the ICO substantially improving it recommendations (specifically about implied consent)

Looking for a keynote speaker, or wish to hire Brian…?

If you are an organisation wishing to hire me and my team, please view the Contact page. I am based in Sweden and advise organisations in Europe as well as North America.

You May Also Like…

20 Comments

  1. Tiffany Taylor

    Thanks for the advice, my site uses a session cookie to track the sales process and a persistant cookie if a user wishes to remember their login to the shopping cart, both of which are expected and necessary to its operation. The Analytics cookie however I wasn’t sure about however and your article has clarified it for me.

    Reply
  2. Brian Clifton

    @Julia: I don’t see a problem of sharing of data with other services – it is all anonymous and aggregate. The idea of sharing is that other G products such as AdWords, AdSense, Website Optimiser, Ad Planner etc. can all be improved and better integrated within GA if you share your data. In fact Website Optimiser has now been integrated. If data was never shared they may not have happened, or it could have taken a lot longer.

    I recommend _anonymizeIp is used by default. Whether it falls under the EU Privacy law depends on which country laws are applicable to you. For example, Germany requires it, but UK doesn’t. I haven’t see any major downside with having it set by default.

    Reply
  3. julia

    Hi,
    I guess it is better to set the sharing of data to other google services at OFF, but do you also need to use the anonymize function of Google Analytics to prevent tracking at individual level to comply with the EU law?

    Example:

    var _gaq = _gaq || [];
    _gaq.push ([‘_setAccount’, ‘UA-XXXXXXX-YY’]);
    _gaq.push ([‘_gat._anonymizeIp’]);
    _gaq.push ([‘_trackPageview’]);

    Reply
  4. Gary

    Just want to make sure here. So if a website explicitly asked user to give consent to use a particular form of PII for tracking. There won’t be any issues using that piece of PII for tracking?

    For example, many sites that offer incentive for sharing socially (eg. Dropbox will give you free space if you share with friends). Then your email is used for tracking if your friend signed up for Dropbox and if you are rewarded free space.

    Often times, data collected and used are in their lengthy T&C, and users usually skips the part and just check the box “I agree with your privacy policy”.

    Reply
    • Brian Clifton

      @Gary: There are two key points you reference:

      1. Yes, collecting PII is acceptable in EU law if you have the explicit permission of the visitor.
      2. It must be transparent to the visitor what you are doing and how you use the data.

      You are very right about obscure legal documents masquerading as Terms of Conditions. Truste recently showed that the average UK privacy policy is 2299 words long.

      As a guide, have a read of my 10-Point Best Practice Privacy Guide for Working With Google Analytics. My privacy policy is under 600 words.

      Reply
  5. Jacob

    I see what you’re saying; thanks very much for clarifying πŸ™‚

    Reply
  6. Jacob

    I think I understand what you’re saying – where you’ve got your transaction ID you can already match that to a person.

    But what about where it’s just a form submission? The business I work for has a contact form where people just request information about our services or our training etc.

    If I import a bunch of things about their site usage from the GA cookie without them knowing along with that form, surely that’s turning non-PII into PII? I mean, ordinarily I’d just get that information in the GA cookie in aggregate form, so tying it to a person surely changes it to PII and thus breaches the new law?

    I have a feeling that I’m misunderstanding something here and that I could infer the answer from your original post/response … so again apologies if I’m missing something.

    Reply
    • Brian Clifton

      @Jacob: If the form submission is transparent to the user i.e. they know they are submitting their PII to you, I see no difference to the example of transaction tracking. You are only making the connection with their GA cookies once they have explicitly submitted the form knowing full well what they are doing.

      Reply
  7. Jacob

    Hi Brian – I’ve got one thing that I’m unsure of. I’m very new to all this – your book is my first proper guide – so I’d appreciate your thoughts.

    In Chapter 12 of the latest edition of Advanced Web Metrics, you write about when (p504):

    “… a visitor subscribes or makes a purchase on your website, and you wish to pass the original referrer information, such as the search engine name and keywords used, into your customr relationship management system.”

    Doesn’t this change what was originally personally non-identifiable information into personally identifiable information? And isn’t the user going to be unaware of their giving this information when they submit the form or make the purchase?

    Reply
    • Brian Clifton

      @Jacob: I have been waiting for someone to point this out πŸ˜‰

      GA is already making this association if you are performing e-commerce as it captures a unique transaction ID for each transaction. When the site owner/manager is notified of a purchase, your CRM system (or a simple email) is sent notifying you of the transaction details – including the transaction ID. So you already have this information – and more to the point you have to have it. That is, your business has to tie a specific order with an individual!

      This process is entirely transparent to the purchaser (they confirmed the purchase) so I see no difficulty is passing the anonymous GA cookies along with the transaction details into your CRM system (or via an acknowledgement email). If a goal completion is similarly transparent then the same applies.

      The reverse logic does not hold true. That is, it is not OK to capture PII within Google Analytics as described in the GA Terms of Service.

      Hope that makes sense.

      Reply
  8. Wolf Software

    @Brian – It might go against the advice you give, however some people might still want to do it, hence throwing it out there for people who do πŸ™‚

    Reply
    • Brian Clifton

      @Wolf Potential for a slightly new version… πŸ˜‰

      Reply
  9. Mike

    You *DO* need consent for first party cookies, even if they’re “anonymous”, unless they’re absolutely necessary to operate the website (the functioning of). The ICO is very clear about this:

    “Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems”

    and:

    “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out.

    and in regards to implied consent:

    “For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred … The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

    How can someone agree to something, if it has already occurred?

    Reply
    • Brian Clifton

      @Mike – I have to disagree with you on that one. It is in fact the main difference in v3 of the ICO’s guidance doc and in all the presentations I have seen and discussions I have had with the ICO i.e. a softening on implied consent being compliant. This has to be kept in context though. In this instance, I am referring to benign, anonymous, aggregate, 1st party cookies (i.e. GA).

      The thing to keep in mind is that the law is there to stop PII without consent, and behavioural targeting of individuals without consent.

      Reply
  10. Wolf Software

    We have created a complete suite of consent solutions to assist website owners in gaining compliance, including a turnkey solution for GA built in collaboration with the engineers at Google.

    http://demos.dev.wolf-software.com

    Reply
    • Brian Clifton

      @Wolf – while I like your tools and the thinking that has gone into them, they go against my advice in the article…

      Reply
  11. Brian Clifton

    @Richard Johnson – my feeling is that once these privacy laws have settled in, other countries outside of the EU will follow suite. Essentially this new law is simply an extension of existing privacy laws, updated and applied for the digital world. So it makes sense other countries will follow.

    @Jonathan ODonnell – the ICO guidance doc has some useful examples. I have also seen numerous non-intrusive methods. HSBC.co.uk was one example I came across last week that I thought was good.

    For your second question, bear in mind that enforcement orgs, such as the ICO, respond to complaints – they do not police the internet in general. So if you get lots of complaints about your approach to privacy, have done little to understand what settings effect user privacy, and (worse of all) collect PII without user consent, expect a hefty fine.

    Reply
  12. Jonathan ODonnell

    Brian,

    As always, I appreciate your thoughts and the knowledge you provide, thank you.

    A few questions:

    1: What have you found to be the most effective way of alerting a user to 3rd party cookies and their options?

    2: What if any fines or actions have or will be taken on offending sites?

    Thanks again,
    OD

    Reply
  13. Richard Johnson

    Hi Brian. I’m from Chile, and I’ve been reading about this issue in Europe, but have you been a kind of intent in US for doing something similar, any cookies or privacy law?

    Regards

    Reply

Leave a Reply to Jacob Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share This