Skip to main content

https://gds.blog.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/

It's not about cookies, it's about privacy

Posted by: , Posted on: - Categories: GOV.UK, Technology

The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 which came into effect last year has presented UK website owners with a few challenges in moving to compliance. Those of us who work on public sector websites are no exception. We wrote about some of the ways we were working towards compliance here at GOV.UK, in a previous post.

In spite of the challenges, the new regulations have pushed online privacy firmly into the spotlight and this is no bad thing. In fact this online privacy was the focus of a meeting last week of UK government website managers, developers, policy advisers and communications experts. The meeting was hosted by GDS so that people with responsibility for the operation of central government departments’ and agencies’ websites could discuss and learn from one another about some of the ways we could work towards compliance with the new regulations.

We talked about cookies (how could we not?) but we didn’t get hung up on them - other relevant technologies e.g. HTML5 Local Storage and web beacons came up too. We shared our experiences of comprehensively auditing our sites in order to be certain we knew which cookies were being set by us or via our sites (in the case of third-party cookies).

We also discussed how best to probe the use of such cookies in order to correctly classify them (i.e. “moderately intrusive”, “minimally intrusive” or “exempt from changes to privacy legislation”)  in terms of their “privacy intrusiveness”. While we were at it, we touched on how best to be transparent about third-party cookies and their impact on visitors’ privacy.

Inevitably, analytics and the vital role analytics-related cookies play in allowing public sector websites to be held to account on the cost-effectiveness of the way we deliver government information and services came up.  Even more importantly, analytics are essential to our “continual improvement” approach to developing digital public services, which is critical to delivering the government’s digital by default agenda.

The consensus was, especially in the case of first-party analytics cookies, these types of cookies are “minimally intrusive” (in line with the ICO guidance) and that the bulk of our efforts to rationalise our use of cookies should be focused on cookies classified as “moderately intrusive”.

We touched on data-sharing and benchmarking options offered by some analytics vendors’ packages and agreed that despite the fact that no personal data was collected, it was good practice not to share analytics information with third parties in order to reassure government websites’ users.

We also discussed the alternatives to cookie-based analytics and the benefits and risks associated with them.  This included device fingerprinting and javascript tagging which carry the risk of being potentially more privacy intrusive and are more difficult for users to block.

The conversations were technical but the protection of users’ online privacy remained at the forefront.  We’re still working towards compliance but our focus on transparency and education while helping users make informed choices about their privacy seems the right way to go. Finally, we agreed to put together a short implementer guide containing some pointers to a best practice approach, here it is.  All in all, it was a useful meeting and as we continue to work towards compliance there will probably be a few more.

Sharing and comments

Share this page

48 comments

  1. Comment by Cookie Monsters | recipepins.tk posted on

    [...] Dai being our Cookie expert in residence. [...]

  2. Comment by Best Practices to Comply with Cookie Law in the UK | Net Natives | Net Natives, Social wonders. posted on

    [...] advice that the UK government has given to its webmasters. http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ [...]

  3. Comment by Cookie Law – don’t panic but here’s what to do | Net Natives | Net Natives, Social wonders. posted on

    [...] Service (GDS) on Analytics cookies, it’s issued guidance to public sector websites as well as a blog post which both refer to analytics cookies as ‘minimally intrusive’ and [...]

  4. Comment by The EU introduces new privacy & cookie law for all websites | StudioWorks | StudioWorks posted on

    [...] It’s not about cookies, it’s about privacy on the Cabinet Office website [...]

  5. Comment by Digesting cookies | Government Digital Service posted on

    [...] an earlier blog post, GDS stated that education and transparency were the central components of its approach towards [...]

  6. Comment by Ed posted on

    Are websites outside the EU required to implement this as well ? If not we might as well place the application on a server outside the EU - how will this be monitored?

  7. Comment by EU Cookie law - almost here, no sensible solution in sight | Your Peoples Geek posted on

    [...] from the Government Digital Services and their implementation [...]

  8. Comment by EU Cookie Law Comes Into Force on May 26 2012 | Saleem Yaqub posted on

    [...] and the EU privacy directive The Register gets a direct and insightful response from the ICO Interesting discussion thread on the Governments’ digital service website Optanon offers a neat (paid for) solution to compliance, see it in action on their site The [...]

  9. Comment by Cookie Law – don’t panic but here’s what to do | Thoughts On Stuff - Net Natives posted on

    [...] from the EU on Analytics cookies. It’s issued guidance to public sector websites as well as a blog post which both refer to analytics cookies as ‘minimally intrusive’ and [...]

  10. Comment by EU Privacy Directive & How It Affects Your Web Site :: Google Adwords Northern Ireland, Belfast & Newtownards – Pay Per Click Consultants posted on

    [...] We can’t give you legal advice or endorse any particular compliance approach, but you might look at: - The advice that the UK government has given to its webmasters. http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ [...]

  11. Comment by Darren J posted on

    Any response to this chap's points...

    http://christianlouca.com/2012/03/27/eu-cookie-law-uk-government-crumbles/

    "The other sticking point is that elsewhere in the quoted Guidance document, the ICO advises that analytics cookies are “unlikely to fall within the exception” and defines “the exception” as applying only to cookies which are “for the sole purpose of carrying out the transmission of a communication” or which are “strictly necessary” (as distinguished from “reasonably necessary”)."

    "In other words it could go either way and, like many organisations considering their cookie options, the GDS seems set to take a gamble that the ICO won’t crack down on analytics."

  12. Comment by Darren J posted on

    I'm still none the wiser whether Google Analytics use without consent will get anyone into trouble after reading this. It sounds like you have decided it is important to you, so it's ok. Wouldn't most website owners say analytics play a vital role in assessing the effectiveness of their website?

  13. Comment by Philip Warner posted on

    Cookie law is set upon a yeasty collection of phrases and sentiments. Carefully read the literature and you will see phrases such as "Privacy", "Openness", "Best Practice", "Transparency" all being used, as if an understanding of them is set in concrete. When the regulators get a bit vague, up pops a phrase to justify a giant leap of faith onto the next subject, itself justified by another fine sentiment, and so on and so forth. It is merely the tune of the times

    Imagine that from 26th of May all Airline passengers are given the tools, activated by an electronic keyboard, to mess about with the internal workings of the jet engine, before and during each flight.

    It is possible to prevent the use of web sites and restrict their use to individuals, their governments, countries and continents.

    • Replies to Philip Warner>

      Comment by Andy Key posted on

      Maybe it's just me, but I don't have a clue what point you're trying to make here.

  14. Comment by Do you accept my cookie « Carl's Notepad posted on

    [...] is an interesting and pragmatic stance being taken by the GDS as outlined in this post by Dafydd Vaughan. You can read a variety of views on the comments of this post  which all contribute to a confused [...]

  15. Comment by Mark Steven posted on

    Since Google changed the terms of its privacy policy, it seems that personally identifiable information will be shared across Google business areas, via analytics.

    Before the change to Google's policy, I'd have said the GDS position on Google Analytics cookies was forgivable.

    Have the implications of this been considered at GDS?

  16. Comment by bicyclerevolution posted on

    Google Analytics gets away with what even Tesco requires opt-in for - loyalty card. Now Tesco operates just fine without loyalty cards and so does your website - you admit as much when you say people always have the option of deleting cookies. As a web professional I think it is laughable that identifying every single user's journey through a site is necessary. Web logs work for a substantial proportion of users and that is plenty to report back to government with.

    Sending one's data to Google, subject to a foreign law, must be an active choice of this population.

    Of course if you give people an informed choice people will not want to be tracked. Are genuinely saying they are wrong? Then start a public education campaign - don't just ignore citizens.

    Thankfully there is a very clear law that requires you to ask permission to track them. Now get off your high horses and respect the privacy of citizens you serve.

  17. Comment by Best Practices to Comply with Cookie Law in the UK | Thoughts On Stuff - Net Natives posted on

    [...] advice that the UK government has given to its webmasters. http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ [...]

  18. Comment by EU Cookie Law – ecommerce sites selling to UK need to do something now posted on

    [...] interesting discussion in the comments thread on this post from the Government Digital Service: http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ [Opens in new tab]Brian Clifton has published several thoughtful and authoritative items about the [...]

  19. Comment by craigthomler posted on

    How about websites hosted in other jurisdictions aimed at UK or EU citizens - say a tourism, migration or import website run by a government department in Australia?

    If it breaches the requirements and action is taken, how will the diplomatic issues be managed by the UK and EU?

    • Replies to craigthomler>

      Comment by Andy Key posted on

      Simple. Action won't be taken. EU directives only have force within the EU. The UK regulations in particular will only apply to organisations based in the UK. These are the only organisations that the ICO can take enforcement action against.

      It's the country in which the *organisation* is based that matters, not the country where its website is hosted. You can't avoid the legislation by offshoring your web hosting to India... but you could do so by offshoring your company registration to the Cayman Islands. I'm not sure it's relevant where the *user* resides.

      For example, the Australian government won't have to comply, even when dealing with EU citizens, because Australia is not a member of the EU (surely an oversight). On the other hand, an Australian citizen visiting a UK government website can reasonably expect it to comply with the regulations when dealing with him, just as it would for an EU citizen.

      Google won't have to comply with this legislation even on google.co.uk, because, in the words of its Terms of Use, "The Services are provided by Google Inc.... located at... Mountain View, CA 94043, United States."

      Amazon.co.uk is run by Amazon EU Sarl, based in Luxembourg, so they will no doubt be complying with the *Luxembourg* government's interpretation of the directive, even though the site is aimed at UK residents.

      No country gets to enforce its laws on people or organisations located outside its borders. Unless it's the USA, of course. 😉

      • Replies to Andy Key>

        Comment by Mark Steven posted on

        That's not my understanding of it. If a US firm provides local services to UK citizens, the services are governed by UK law.

        Google et al are clearly under an obligation to comply.

  20. Comment by Confused about privacy and cookies | Mark Grady - Inside Out posted on

    [...] issue isn’t cookies, it’s privacy, and the UK Government has given numerous items of guidance stating that cookies that don’t hold personal data are not at issue here. A recent [...]

  21. Comment by James Ellis-Jones posted on

    This is insanely bad legislation drafted by people incapable of assessing its technical consequences or likely outcome. I've read the legislation and it is suitable vague to keep lawyers in money for a long time trying to work out what it actually means. But it does seem to mean that 3rd party analytics and possibly even session cookies are not allowable without gaining 'informed consent'. Almost every site which is not a few static pages uses session cookies and will have to follow this law.

    While I think it is a good thing for users to be aware of cookies and what they are, this law says that every site on the internet accessible from Europe is responsible for educating them about this. If this information could be given in one place and users told how to use their browsers to block cookies they didn't want that would be great. Under the internet envisioned by this law, almost every new site visited by a user will be trying to tell them about cookies and get their consent. I think most users will find this very annoying and detrimental to their usage of the internet if it ever becomes the reality.

    However I don't think it will. There are thousands of sites on the net which are not currently maintained whose owners will be opened to legal action without their awareness. There are many others who don't have the spare cash to try and implement a solution and will cross their fingers. There are still more who will see that their businesses will be destroyed if they lose 90% of their customers who will click away from their site if they go first in trying to get consent.

    I think the publicity surrounding this law and the few sites who will rather suicidally be led by their companies' legal departments in trying to implement compliant solutions will put a lot of ordinary people off using the internet and set it back years. The ICO will unfairly pick on a few people to prosecute but lack the vast resources to make any attempt at fairly enforcing this legislation. In a few years it will be dropped but a lot of damage will have been done.

    It is impossible to identify a particular individual via the cookies on their computer without the help of their ISP which no commercial organisation has. Anyone can wipe the cookies they have at any time which will lose all the targetting any advertising organisation has on their internet usage. State use of CCTV is 100 times worse as a privacy issue than cookies, and the EU is certainly not trying to badly damage any industry in order to defend individuals rights on that.

  22. Comment by Cookies and EC law – what next for culture websites? | jon pratty/machine culture posted on

    [...] Great plain language article by Dafydd Vaughan on the GDS website – http://digital.cabinetoffice.gov.uk/2012/03/19/its-not-about-cookies-its-about-privacy/ [...]

  23. Comment by It’s not about cookies, it’s about privacy | The Data Partnership News posted on

    [...] regulation and use – ‘It’s not about cookies, it’s about privacy’ a recent post on their site issues some, err clarity on cookie [...]

  24. Comment by Mike O'Neill (@incloud) posted on

    Dafydd,

    I agree some browser fingerprinting techniques are very "intrusive" in the ICO sense, but all known techniques, other than indentification using IPv4 addresses and request headers, are illegal. Anything that relies on executing JavaScript to, for example, detect keystroke patterns or assemble device identifying data like font lists, relies on storing something on the browser (the cache). If this is not "strictly necessarry" or there to enable communication then I think it would be covered by the PECR.

    IPv4 + request headers is not anything like specific enough to identify individuals so is not a problem. IPv6 has standardised privacy extensions so would be fine as long as ISPs enable them, which I should imagine they will have to.

    • Replies to Mike O'Neill (@incloud)>

      Comment by Andy Key posted on

      For
      "all known techniques... are illegal",
      substitute
      "all known techniques... will require the user's informed consent".

      They're not inherently illegal.

  25. Comment by Dafydd Vaughan posted on

    Hi everyone,

    Thanks for your comments - I'm glad this post has sparked some debate. I want to answer some of the points that have been raised both here and on twitter/other blogs.

    Firstly, I think it is worth making clear that although the beta of GOV.UK is using Google Analytics, we haven't made any decision as to whether it will be the analytics solution we use on the live version of GOV.UK.

    As we've said in the past, we think that the collection of analytics is fundamental to the running of any website. Analytics are an important part of how we can tell whether we are providing value for money for taxpayers. Also, without analytics, we can't easily identify where improvements can be made to the service we provide.

    In the post above, I made a brief reference to alternatives to cookie-based analytics. Log-based analytics don't necessarily provide the accuracy or level of information that is useful e.g. they don't always account for offices/ISPs behind proxy-servers and also don't allow us to look at how people interact with our services. On the other side Javascript tagging and device fingerprinting, while not covered by this law, are potentially more intrusive, less transparent to the user (there is no tell-tail sign that a site is collecting information unlike cookies) and much harder to opt-out of (turning off javascript is the only way to completely opt-out).

    As the title suggests - we think this is more about privacy than cookies. The first step to increasing the privacy of users is to look at exactly what "things" you have - hence the recommended cookie audit. The next step is to work to reduce/eliminate those cookies that are the most privacy intrusive for the people who visit websites.

    Dafydd

  26. Comment by EU cookie law: UK government crumbles? « Christian Louca posted on

    [...] title of the GDS’s blog post, It’s not about cookies, it’s about privacy, echoes sentiments expressed in my own recent article on privacy and the cookie law for the LBi [...]

  27. Comment by Mark Chapman posted on

    @MarkRidgewell - Cookies do not collect email addresses; websites will ask for them and you can choose to not receive communications by not providing your email address. Deciding to clamp down on cookies isn't the right way to go.

    Cookie debate among digital industry professionals can be read here - http://econsultancy.com/uk/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey#blog_comment_88536

  28. Comment by Richard posted on

    It's not about privacy or cookies. It's about people in positions of power making misinformed decisions that have negative effects on the broader community at an international level. What a stupid idea.

  29. Comment by Mark Ridgwell posted on

    In a world of unsolicited communications, this is an encouraging commitment. In addition to tight
    barriers to sharing user information, I'd like to see complete transparency in this space - before I commit my details to an online service, I'd like to know exactly how and with whom my information will be shared, rather than the 'smoke and mirrors' approach currently adopted by many.

  30. Comment by Miles Golding posted on

    "In fact this online privacy was the focus of a meeting last week of UK government website managers, developers, policy advisers and communications experts." Did they all therefore proactively discuss the highly pertinent issues raised by Mike O'Neill and John Harrison in Comments above?
    "....there will probably be a few more." (such meetings)
    There had better be, so please put your money where your giving-citizens-control-over-their-privacy mouths are and give us some answers to these questions.
    Citizens around the world are at last waking up to the gross intrusions into our privacy that have been permitted by sleepy, ignorant and corporate-cuddling governments.

    • Replies to Miles Golding>

      Comment by Jonathan Locke posted on

      Since both the issues raised above are written by authors with commercial motivations for writing, perhaps you should have a think about who's really looking out for you.

  31. Comment by Mark Steven posted on

    The guidance for the public sector is really welcome - and government agencies will be delighted to see it.

    I really am interested in how you interpreted some very plainly worded legislation about consent to read "analytics cookies are OK".

    Not that I'm unhappy about it! It just seems more like a combination of wishful thinking and a pragmatic awareness that ICO has bigger fish to fry, than a measured interpretation of the regulations.

  32. Comment by Marcus Stafford posted on

    Good article. I don't think most people understand the wider implications of the privacy directives and are too focused on the cookies element. Let's hope this marks the start of a privacy awakening.

  33. Comment by Mike O'Neill (@incloud) posted on

    It should be about respecting citizen’s privacy, not implementation convenience.

    The law requires web publishers not place any information that could identify a visitor on their browser unless they have been given informed consent.

    It was drafted in such a general way to protect citizens from having their personal information being harvested without their permission, by whatever technology that became available.

    Informed consent means that citizens should be given an explanation of why the information is being stored. This should be clear, short and written in simple language. It should not consist of long lists of unintelligible cookie name (which are often random strings regenerated on every visit) which would only bore citizens with their irrelevance.

    The law applies as you say to html5, http and “flash” cookies. It also applies to anything stored in the cache such as ETag values, and JavaScript files containing unique values. It probably also applies to script functions that identify citizens by recognising their keystroke patterns, or by sending fingerprinting information (such as a list of the installed fonts in a device).

    Any browser fingerprinting using stored files is probably illegal. If it is based on only IP4 address (IPv6 is covered by its standard privacy extensions) combined with the other http request headers it has been shown to be not being able to identify citizens accurately enough to track them for commercial purposes.

    The EFF panopticlick test was only able to accurately fingerprint devices because it used a (probably) illegal JavaScript technique that sent device identifying data back to the site. It also happened to use an http session cookie to thread the returned data with the initial request.
    The major threat to the legislation, which was extensively discussed in Europe for many years before it was debated in the EU parliament (with overwhelming support across the political spectrum) is the confusion generated by those that profit from the traffic in personal information.

    It is also put in danger by inaccurate information put out by influential public sector organisations.

    Any cookie that contains a value that uniquely identifies a visitor can be used to track them. It is disingenuous to say that because a value does not of itself contain personally information it is not “intrusive”. Citizen’s personal data is already held in the cloud, in social networking sites, financial services websites and many more. This data can very easily be indexed and addressed by a key encoding the unique value. For example, your name is not encoded in your telephone number but databases exist that can ascertain one from the other.
    It is also wrong to claim, based on an (admittedly badly worded) sentence in the ICO’s guidance, that analytics cookies are “minimally intrusive”.

    As you point out the ICO guidance says “Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action”.

    The relevant word here is “only”. If you use an analytics service from a 3rd party how can you know whether they use the cookies only for analytics purposes?

    It is perfectly possible to write some server-side or client-side code that can use a 1st party cookie to identify unique visitors and use that indication only to gather analytics information. But if the value of that cookie is sent to a third party, especially one that makes the bulk of its revenue from advertising, on every visit to your site by a citizen, then the ICO guidance does not apply as it probably is not being used for “only” analytics purposes.

    In the case of Google Analytics the unique value encoded in the 2 year persistent “__utma” cookie is sent in an AJAX call to Google every time a citizen visits a site using the service.
    This is perfectly capable of tracking a citizen’s web behaviour whatever metaphysical term you arbitrarily apply to it.

    As I have already pointed out, the GA cookies are also available to any script, perhaps located in an external site, with access to the publisher’s domain. If co-opted 1st party cookies like this are endorsed by the Government and remain ubiquitous then others would be encouraged to develop tracking techniques that could use them. They may even be able to avoid legal action.

    Have you received an undertaking from Google that they will not use the unique value to behaviourally track people, perhaps using personal information held within their other properties? If so perhaps it would be a good idea to make it public. Are you sure you are not placing 3rd party script that accesses the GA cookies or may be capable of doing so in the future?

    You can still get useful information from analytics services like GA even when cookies are not placed. You can record and count the number of page visits and record the browser type. You can even, in many cases, get a general idea of the source location of the visitor. Moreover with the right kind of compliance technology you can still get an indication of unique visitors. And of course you can the complete analytics information about visitors who have agreed to your 1st party cookies.

    If you allow cookies to be placed without informed consent on the GovUK site you are not only giving the wrong signal to UK web publishers you are showing no respect for the privacy rights of UK citizens.

    Some may not agree that citizens’ privacy rights should be protected. But these rights are a fundamental principal in the EU and all of its most economically important member states. If Government wants UK businesses to keep their unfettered access to the EU single market and its 500M consumers they need to ensure they operate under the same regulatory framework as all the other member states. Sooner or later the same will apply to US businesses.

    It is perfectly possible to comply in a way that does not bore or confuse with pointless "cookie descriptions", but still gives citizens clear information and control over their privacy.

    It may be inconvenient to comply with the law but you especially have a duty to do so.

    • Replies to Mike O'Neill (@incloud)>

      Comment by David Bennett posted on

    • Replies to Mike O'Neill (@incloud)>

      Comment by searchforphil posted on

      Interesting discussion.

      In reply to Mike O'Neill comment RE: "co-opted 1st party scripts" ... If you are unable to screen external scripts for GA script references, then it is technically possible to host http://www.google-analytics.com/ga.js locally, and then manually disable these functions _setLocalGifPath, _setLocalRemoteServerMode, _getCustomVar, _visitCode, _link, _linkByPost.

      However, using this method would add extra maintenance cost as the locally hosted script would eventually become out-of date, or it could cause version control issues on large websites or microsites (although _getVersion can be used to mitigate this). Also the IE serverside header "X-Content-Type-Options: nosniff" would also need to be enabled on the hosted ga.js to make these comparable.

      It is possible that GA introduce /ga-enhased-privacy.js or /ga-minimum.js if demand for this functionality increases.

      Links - How to host ga.js locally
      http://www.askapache.com/google/ga-urchin-speed.html#Updating_ga-js_Crontab

      ga.js change log
      http://code.google.com/apis/analytics/docs/gaJS/changelog.xml

      Thanks

      Phil.

      P.S. I have converted your implementation guidelines from PDF to Word format here: http://db.tt/C6zURSvH

    • Replies to Mike O'Neill (@incloud)>

      Comment by Dave G posted on

      (Shameless plug) I am currently developing a low cost "Cookie Free Analytics" solution for Windows IIS based websites. It is a server side module that allows your basic tracking back into Google Analytics, without any client side javascript or cookies. It could be considered the equivalent of having your IIS logs being fed into GA in real-time, after passing thru a few basic filters to reduce spiders / bots.

      Its currently version 1 and I am waiting to hear back from the ICO on their view of its compliance. However as the tracking data is sent from your web server there is no client IP to pass back to GA, and (by default) there is no use of 1st party "utm" cookies that other scripts could intercept and feed back.

      The only browser finger printing CFA does is based on IP and user agent, so as per previous comments you can't pin point a single user. The finger print is only used to stop every page view as showing up as a new visitor, with the added bonus that asset downloads like PDF / ZIP files that you would normally have to gaq.push() tag will also show up. But if someone came back the next day or after their application pool recycled then my solution would consider them a new visitor.

      More info about my solution can be found at http://www.cookiefreeanalytics.co.uk, and I will be following any updates from the ICO, and others whom have been in discussion with the ICO for other solutions, to ensure my "Plan B" can be configured to be compliant (if it isn't already).

      Cheers,
      Dave

      • Replies to Dave G>

        Comment by Andy Key posted on

        Dave,

        Before you go much further with your product you might want to confirm that it doesn't breach the Google Analytics Terms of Service - section 4 in particular. (http://www.google.com/analytics/tos.html)
        Google's lawyers are much more scary than ICO's...

        • Replies to Andy Key>

          Comment by Dave posted on

          Hi Andy,
          I can understand your concern. A couple of weeks into starting my little project I contacted the Google Analytics Development programme via the online form letting them know what I was planning do to, and asking if they had any objections with it (not had a reply as yet, so just sent a follow up just now).

          My system doesn't do anything that hasn't already been publicly documented regarding the format of gif requests in the "Google Analytics for Mobile Websites" section of their website (http://code.google.com/apis/analytics/docs/mobile/mobileWebsites.html) since 2009.

          I'm not attempting to use their tracking code to develop a rival system so (I'm not a lawyer), but I feel happy with what I am doing. However if I hear back from Google either way then I'll let folks know. I'm not the first do try something like this, there is an active PHP-GA project on the go, and a legacy SSGA project since 2009. I expect if the big B had issues with projects like this I'd hear back quite quickly (touch wood!)

          Cheers,
          Dave

  34. Comment by John Harrison posted on

    I really don’t understand this.
    Why don’t you use a non cookie based website analytics system instead?
    Our eVisit Analyst Select website analytics system is one. (www.evisitanalyst.com/eva8)
    It is developed and operated in the UK, within UK legal jurisdiction.
    It doesn’t use cookies so it is non intrusive, much better than ‘minimally intrusive’ whatever that means.
    Data is stored in the UK not in the US.
    It can be used with ABC audits so it is accurate.
    Currently over 80% of UK government websites use US website tracking systems so UK citizens' interactions with their own government’s websites are recorded in the US.
    Not so bad if you are checking bin collection days from your local council but a different matter if you are looking at certain health conditions on NHS Choices. What protection is there to stop this information being shared with insurance companies?
    The first duty of government is to protect its citizens.

    • Replies to John Harrison>

      Comment by Andy Key posted on

      As the headline says, it's not about cookies, it's about privacy. In all the fuss about cookies this fact has been overlooked. Other methods of collecting visit data can be just as intrusive, and not necessarily controllable by the user in the way that cookies are. To say "package X doesn't use cookies so it's OK" is to miss the point somewhat. Our old stats package was based on web server logs and enabled us to examine the IP address of any visitor we chose - some would call that pretty intrusive...

    • Replies to John Harrison>

      Comment by Richard Fergie posted on

      Hi John,

      How does you solution track visitors across their session without using a cookie (or similar technology that would also be covered by the directive).

      Without the ability to tie traffic source to revenue weba analytics loses a lot of its usefulness

      Richard

  35. Comment by Thomas Punt posted on

    Nice to know this is being taken seriously in such detail; as indeed it should be since government sites should act as an examplar. Maybe some space could be given to a layman's explanation of cookies.