Most modern websites have web tracking for collecting
information about visitors to the site. The most popular free analytics package is
undoubtedly Google Analytics, which is found in use at around 57%
of the 10,000 most popular websites - including the likes of New
York Times, Washington Post, Mashable and Twitter.
The Google Analytics Tracking Code is set by JavaScript and
augmented by the proprietary GA tool. It sets four cookies
automatically, and a fifth via opt-in (this relates to sharing
information about your traffic with Google).
Google Analytics sets a first party cookie.
The EU Cookie Directive stipulates that all cookies must be given
"consent". Because Google Analytics is first party cookie consent
is needed only once. In other instances where a third party cookie
is deployed a new consent for each deployment would be needed. For
example each time a user visited a site.
Google has previously agreed with the EU that Google Analytics
cookies would be limited to a 24 month lifespan. Prior to this
Google set anything up to and beyond a 30 year expiry on cookie
files.
In early May 2011 the ICO issued guidelines on how to interpret
the new EU Cookie Law. In the PDF document entitled "Changes to the rules on using cookies and similar
technologies for storing information" they say: "An analytic
cookie might not appear to be as intrusive as others that might
track a user across multiple sites but you still need consent.
"One possible solution might be to place some text in the footer
or header of the web page which is highlighted or which turns into
a scrolling piece of text when you want to set a cookie on the
user's device."
Google Analytics sets first party cookie, however many accounts
have the opt-out setting active to "true" which Google allows to
anonymously track website metrics for the purposes of
"benchmarking". Google says this information is used to
categorize a website and show a relative performance line in visit
graphs. This shows how well a website benchmarks for that
category.
The ICO guidance says: "If the information collected about
website use is passed to a third party you should make this
absolutely clear to the user. You should review what this
third party does with the information about your website visitors."
Therefore in the instance of "benchmarking" it is clear consent
must be achieved for a website to pass information to Google.
For more on Google Analytics please also see:
The Analytics Crunch
Google Analytics and the EU Cookie Law compliance could vary
from country to country within the 27 state member areas. The more
likely cookie law analytics solution will come via modification of
the current Google analytics code, and/or an add-on, special
dispensation from the requisite ICO office in that country or a
browser solution through Google Chrome for instance. The UKICO office has already published
information on using cookies.In time, Google might ask site owners
to update their privacy policy, browsers may be engineered to
include a universal consent or opt out button, similar to
Do-Not-Track (DNT). Admittedly anything is possible.
In the past the EU's Privacy and Electronic Communications
Directive applied to user data, and this was largely interpreted to
relate to e-mail data storage. The 'EU cookie directive
builds on this - no surprise you might say in light of the huge
increase of seller side platforms (SSP), demand side platforms
(DSPs), retargeting, tracking, ad-optimization and real-time
bidding and personalization.
Google Analytics May 26th
As of May 26th only Adobe Omniture, WebTrends and StatCounter had given official statements
on handling EU E-Privacy Directive.
Globally and in the European Union member states Google
sets the following cookies
__utma Cookie
A persistent cookie - remains on a computer, unless it expires or
the cookie cache is cleared. It tracks visitors. Metrics associated
with the Google __utma cookie include: first visit (unique visit),
last visit (returning visit). This also includes Days and Visits to
purchase calculations which afford ecommerce websites with data
intelligence around purchasing sales funnels.
__utmb Cookie & __utmc Cookies
These cookies work in tandem to calculate visit length. Google
__utmb cookie demarks the exact arrival time, then Google __utmc
registers the precise exit time of the user.
Because __utmb counts entrance visits, it is a session cookie,
and expires at the end of the session, e.g. when the user leaves
the page. A timestamp of 30 minutes must pass before Google cookie
__utmc expires. Given__utmc cannot tell if a browser or website
session ends. Therefore, if no new page view is recorded in 30
minutes the cookie is expired.
This is a standard 'grace period' in web analytics. Ominture and
WebTrends among many others follow the same procedure.
__utmz Cookie
Cookie __utmz monitors the HTTP Referrer and notes where a visitor
arrived from, with the referrer siloed into type (Search engine
(organic or cpc), direct, social and unaccounted). From the HTTP
Referrer the __utmz Cookie also registers, what keyword
generated the visit plus geolocation data.
This cookie lasts six months. In tracking terms this Cookie is
perhaps the most important as it will tell you about your traffic
and help with conversion information such as what source / medium /
keyword to attribute for a Goal Conversion.
__utmv Cookie
Google __utmv Cookie lasts "forever". It is a persistant cookie.
It is used for segmentation, data experimentation and the
__utmv works hand in hand with the __utmz cookie to
improve cookie targeting capabilities.