Analytics and User Friendly Opt-Outs

The recent opinion from the Article 29 Working Party on cookies exempted from the need for consent, which I previously blogged about, contained an interesting section about analytics.

I didn’t cover it at the time because I felt it was worth a post of its own.  So here it is.

The EU privacy group is clearly aware that the use of cookies for analytics is one of the most important aspects of many websites – as it is the prime means by which businesses measure a return on their online investment, as well as look to improve their services.

As such, although analytics cookies cannot be said to bring any immediate benefit to an individual site visitor, they clearly can benefit visitors in the long term through better alignment between their needs and the website’s content.

So, whilst the Working Party states that analytics cookies do need consent, they recognise that in many circumstances, their privacy implications are limited:

“..the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.”

Note that they clearly distinguish between first and third party analytics cookies.  They even go on to say that third party analytics cookies, which are able to collect data across different websites, present a ‘substantially greater risk to privacy‘.

Those safeguards they mention even for first party analytics include ‘user friendly opt-out mechanisms‘.

Now, many analytics services do provide opt-out mechanisms, but these can hardly be described as user friendly.  They usually involve you visiting another site to change your preferences, or even downloading a browser plug-in – an option that is of course not open many using locked down systems at work.  Plus they are also rather blunt instruments – often opting you out of all sites using their tracking, rather than just the one you might have wanted.

So this opinion really seems to reinforce the idea that the website itself should be responsible for providing an opt-out mechanism for analytics.  The trouble is that many of them aren’t doing that.

Information Only Notices

A lot of websites have come up with information notices about cookies that simply tell users that cookies are being used – but do not offer the ability to change this.  They often just provide information, or even just links to other sites, telling people how to block cookies in their browser.

I can see why site owners would want to do this as it is a very simple response to the regulations, and we ourselves offer it as an approach.  However I do question whether it is either valid in terms of compliance, or in the long term interests of the website.

The validity question arises from the type of comments above from the Article 29 Working Party – an expectation that a website should be offering choice even over something they see as harmless as first party analytics.  Also one should take into account the statements from the UK’s ICO – that current browser controls are not good enough for people to rely on visitor consent through their settings.  To me this says quite clearly that even if you advise visitors how to change their browser settings, and they actually do it, you actually still can’t rely on this as giving consent for continued setting of cookies.

This suggests that the only way for consent to be valid is if users are given control over cookies by the site itself.  At least then the site can have some degree of confidence that ignoring those controls and carrying on – is some kind of informed consent.

Secondly, if you don’t offer such control to visitors, their option is to like it or leave.  This may be fine where a site has truly valued content, where it is a destination that visitors seek out.  Then they are more likely to put up with a situation they don’t like as the cost of getting the content they need.

However, in the more competitive space that most businesses operate in, if people don’t like what a site is doing, and if they know they have a better privacy choice elsewhere – they may just leave the site that gives them no choice.  And having left, it is a much harder task to get them back again.

At the moment there may be little evidence that people are taking this action, but maybe that is a short term phenomenon, a result of that fact that few people realise they may have a choice to exercise.  When consumers have become more aware of what is happening – which will surely happen now that they are seeing cookie messages all over the place, they are much more likely to begin exercising choice

When that starts to happen, sites that don’t provide choice except to navigate away never to return, are likely to suffer significant traffic losses.