Should you ignore the ICO over new cookie privacy regulations?

30th Jun 2011

John Harrison believes firms should not follow the lead of the Information Commissioner's Office in how to make their websites compliant with new regulations. Here he explains why...

Website managers should not follow the lead of the Information Commissioner's Office (ICO) in how to make their websites compliant with the new privacy and communications regulations.
If you use a cookie-based website analytics solution without obtaining visitor consent, you will most likely be breaking the law. The regulations ban the use of cookies unless visitors positively opt in to their use or the cookies are deemed essential to the operation of the website.
Are website analytics essential to the operation of the website? No, according to the ICO. Their guidance makes it quite clear that your visitors must positively consent to any cookie use associated with website analytics.
Are website analytics essential to the operation of a website? Yes, according to us. We feel that website analytics are essential for any good website management and development regime. We firmly believe that accurate and timely website analytics reports allow website managers to establish the success of marketing campaigns whether email, banner or SEM. They also determine what is popular or not on the website and provide insight into user behaviour and identify problem areas. Most importantly they help establish the return on investment of the cost of operating and marketing a website.
The scale of the problem
The scale of the problem now affecting the UK's websites is becoming clear.
A recent audit we commissioned showed just how much of a problem this is. We surveyed 100 randomly chosen local and central government websites and found that 88% of them breached the Privacy and Electronic Communications (EC Directive) Regulations which came into force last month.
So where did the ICO go wrong in trying to make their website compliant with their own guidance?
In order to comply with their own guidance, the ICO added opt-in banners to obtain the consent of visitors to permit the use of cookies, including those used for their website analytics system. FOI requests have established that the ICO paid £3,942.50 to their web developers to install them. Although this made their website compliant with their own guidance, it made the information reported by their website analytics systems not worth the paper it is printed on, and certainly not the £4k spent on adding the visitor opt-in.
The problem is that, instead of reporting all activity on their website, their cookie-based website analytics system will now only report website traffic from those users who have chosen to opt in, which is something different altogether. This is a problem with any cookie-based website analytics system, not just Google Analytics.
Further FOI requests to the ICO established just how much adding visitor consent affects the accuracy of a cookie-based website analytics system. In the two weeks before the addition of the opt-in, their website analytics system was registering an average of just over 8,000 absolute unique visitors per day. In the fortnight after adding the opt-in, their systems reported an average of under 750 absolute unique visitors per day. In other words, a drop of over 90%.
What next?
So, what can you do about it? Doing nothing isn't an option. The ICO can levy whopping penalties - up to £500,000 for infringements. We are sure that as soon as their current amnesty is up there will be a few high-profile cases. Don't be one of them.
We recommend website managers move to IP address and User Agent based website analytics systems. They don't use cookies so they do not need opt ins to obtain consent from visitors. The process of adding these systems to a website is the same as cookie-based systems.
One of the key functions of any website analytics system is to assign website activity to individual unique visitors. The easiest way for a website analytics system to do this is to place a cookie on the visitor’s browser. Each cookie is unique so by interrogating this cookie the website analytics system can resolve website activity to unique visitors.
A cookie-free alternative to this is to separate website activity by IP address and User Agent. All access to the Internet, including all websites, by a browser is made using an IP address, but IP addresses are not wholly exclusive to individual visitors as they may be shared. User agents identify the browser, operating system etc. used to generate the website activity. Again, they are not wholly exclusive to an individual visitor as others may have the same configuration. However, used together they can differentiate, to an acceptable level, website activity from different visitors.
Although they operate in slightly different ways to cookie-based systems, IP address and User Agent website analysis systems are accepted by Audit Bureau of Circulation for website audit.
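The sketch below is an added example, not part of the original article or of any analytics product: it counts unique visitors from access-log lines by IP address and User Agent and scores the result against known visitors. The log lines and the trailing `v1`..`v6` ground-truth labels are constructed for illustration; they show both error modes, visitors on a shared IP with the same browser being merged, and one visitor whose IP changes being counted twice.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format. The trailing v1..v6 label is
# not a real log field: it is ground truth added here to score the estimate.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jun/2011:09:00:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Firefox/5.0" v1
203.0.113.10 - - [30/Jun/2011:09:00:09 +0100] "GET /about HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Firefox/5.0" v1
203.0.113.10 - - [30/Jun/2011:09:02:30 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/12.0" v2
203.0.113.10 - - [30/Jun/2011:09:05:11 +0100] "GET /news HTTP/1.1" 200 901 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Firefox/5.0" v3
198.51.100.7 - - [30/Jun/2011:10:15:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone) Safari/533" v4
198.51.100.99 - - [30/Jun/2011:10:40:42 +0100] "GET /news HTTP/1.1" 200 901 "-" "Mozilla/5.0 (iPhone) Safari/533" v4
192.0.2.44 - - [30/Jun/2011:11:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)" v5
203.0.113.10 - - [30/Jun/2011:11:30:00 +0100] "GET /faq HTTP/1.1" 200 333 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/12.0" v6
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<truth>\S+)$'
)

def parse(log_text):
    """Yield (day, ip, user_agent, truth_label) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than guessed at
            yield m["day"], m["ip"], m["ua"], m["truth"]

def score(log_text):
    """Compare (IP, User-Agent) visitor keys against the ground-truth labels."""
    people_per_key = defaultdict(set)   # key -> real visitors sharing it
    keys_per_person = defaultdict(set)  # real visitor -> keys they produced
    for day, ip, ua, truth in parse(log_text):
        key = (day, ip, ua)             # uniqueness is counted per day
        people_per_key[key].add(truth)
        keys_per_person[truth].add(key)
    return {
        "estimated_uniques": len(people_per_key),
        "true_uniques": len(keys_per_person),
        "merged_keys": sum(len(p) > 1 for p in people_per_key.values()),
        "split_visitors": sorted(v for v, k in keys_per_person.items() if len(k) > 1),
    }

if __name__ == "__main__":
    print(score(SAMPLE_LOG))
```

On this sample the two errors partly cancel, so the headline count can look closer to the truth than the per-visitor attribution really is.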
Our advice is quite clear: ignore the ICO; don't waste money adding an opt-in banner, which will probably frighten visitors off; don't use a cookie-based website analytics system; use an IP Address and User Agent-based one instead.

John Harrison is CEO of Maxsi.
