How to use website analytics without breaking the law

May 14, 2012 by Robert Peters

Are you interested in how many people visit your website, how they get there and what they view?

I bet you are, we all are.

The intelligence provided to us by solutions such as Google Analytics is incredibly important in building a relevant, focused resource that turns website visitors into buyers.

However, from 26 May 2012, UK businesses using the cookies that enable us to track this valuable marketing information will be breaking the law. Full details of the changes and their implications are in the IT Donut Cookie Law Guide.

If you’ve not already prepared your website for the changes, what options do you have to keep on the right side of the law?

Total compliance

Achieving total compliance means gaining “opt in” consent from UK website visitors prior to using cookies.  This can be achieved by adding a message and opt-in button in various places on your website.

Problem solved?

Well, yes from a compliance point of view, but not from a marketing point of view. When the UK Information Commissioner’s Office changed their own website, 90% chose not to opt in. That’s a sobering figure for anyone interested in how visitors find and use their website. A 10% data sample is useless for most purposes.

One way to achieve total compliance without opt-in consent would be to use an analytics provider whose software does not use cookies, such as eVisit Analyst.


The other extreme is to ignore the issue entirely.

You could continue to track users using cookies in the hope that the ICO isn’t going to chase every small business and fine them all the maximum £500,000 allowed under this legislation.

Bit of a gamble though, don’t you think?

Plus, are your prospects and customers going to trust you if they can see that you are blatantly breaking the law?

This brings us to a third option.

Partial compliance

There is a glimmer of hope for businesses that want to keep their analytics data without offering opt-in consent.

In their “Guidance on the rules on use of cookies and similar technologies” (Version 2, 13th December 2011), the Information Commissioner's Office writes:

“In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

However, this shouldn’t be seen as a reprieve. UK businesses have already been given twelve months’ notice to get their sites ready, which ends when the law becomes enforceable on the 26th May 2012.

Partial compliance could be achieved with three steps:

Step #1

Complete a cookie audit of your website as outlined in the IT Donut Cookie Law Guide.

Step #2

Add a prominent link to your detailed privacy policy with a full account of the names and nature of the cookies used. The policy used on the UK Information Commissioner's Office website is a good example and contains a link to a website explaining the nature of cookies and how to remove them. A further example is available at

Step #3

Create a written action plan for total compliance to follow if necessary once the enforcement decisions and process become clearer after the 26th May 2012.

To sum up

The interpretation of these changes and their enforcement will become clearer in the coming weeks, but the implications are certain. Taking no action will mean you’re not only breaking the law but also risking valuable trust.

To keep your website analytics you’re going to need to make some changes to achieve either partial or full compliance.

What stance will you take?  Please join me in a discussion in the comments.

Robert Peters is a Small Business Advisor and Director of Fresh Eyes Consultancy.


Rory MccGwire's picture


On Wednesday, Marketing Week carried an article(*) reviewing how the cookie law is being implemented, based on an early analysis by QuBit.

Sites which inform users that cookies are running and then offer the option to disable them – implicit/implied consent - are seeing acceptance rates of up to 99.7%.

By comparison, sites that seek explicit consent from users before receiving cookies are seeing consent rates of just 57.2%.

All as you would expect.

On this basis, now that the initial confusion is over and the ICO has confirmed that implied consent can achieve compliance, I imagine that hereafter virtually all private-sector websites will end up taking the implied consent option. There will still always be a few who like the belt-and-braces approach of having to opt in, even if this acts as a barrier to users using the website.

(* ‘Implicit consent’ best practice on cookies. 13 June)

lizgraveling's picture

Thank you, this is really helpful.

I don't know a great deal about cookies, but I wonder whether it's possible to encourage people to consent to cookies by adding content to websites that will benefit the user and is only accessible or usable if cookies are allowed. I have seen notices on websites warning that some parts of the site will not work properly if cookies are not allowed, so presumably this is possible, although I'm not quite sure what such content might be.

Given that first party cookies seem to be viewed more leniently than third party cookies, I also wonder how far it's possible to separate the two in terms of blocking them. For example, is it possible to disable third party cookies from my website without removing associated widgets, while retaining the use of first party analytics cookies?

Any suggestions welcome!

Robert Peters's picture

That's a great point about content Liz and a good viewpoint on the discussion.

If the content of your website is so compelling and relevant to the reader that they really want to get access to it there is a much higher chance that they will accept the cookies, and you could use some condition code to leave the door of your website closed until they accept.  My only concern with that method would be it would make the acceptance of cookies almost a "conversion" point and if the goal of your website was to gain a second conversion from that point, for instance an email signup, whitepaper download etc, you might find that the goodwill was starting to run out by the time of the second request - again it would totally depend on the perceived benefit of your content.

Regarding the separation of cookies, you can only operate within the bounds of your plugins, widgets, etc.  I'd do a cookie audit (details in the IT Donut Cookie Law Guide) and then change any widgets that are using third party cookies (for instance sharing buttons) to leave you just with analytics.  Alternatively you could state the third party cookies in your privacy policy and take the view of many that the ICO will only take action against complaints.

Thanks for the feedback and comment.

1ManBandAccts's picture

This is causing a lot of worry for micro businesses. I am pleased the ICO has clarified their position somewhat in the past day or so.

Robert Peters's picture

Yes, Rory MccGwire the CEO of BHP, who own and run Marketing Donut and its family of websites, posted a great comment on his Law Society Gazette blog which quotes a member of ICO staff confirming that they will act on complaints rather than have a team of people searching out non-compliant websites.  This is a very useful clarification for worried small business owners.

Thanks for your comment 1ManBandAccts

gazzer b's picture

Would some genius at the ICO explain how all this extra work is going to stop crazy hackers and other baddies from adding stuff to people's computers in the EU when most of it comes from outside the EU anyway? What about Flash cookies? Most people have never heard of those and most browsers give you no chance to find or erase them, and in my opinion they are far worse!

Robert Peters's picture

Hi Gary

It's a good point.  One of the solutions suggested for dealing with cookies and the law is changes in browser settings so that cookies are restricted or allowed within the browser, taking away the requirement for the website owner to have to implement changes.  The BBC reported last year that the UK government had formed a working group with browser manufacturers to see if a browser based solution could be found.  

Until such a solution is in place users will have to protect their computers in the normal ways and use virus software or browser plugins to suggest genuine, non-threatening sites.

My understanding is that Flash cookies (Local Shared Objects) can also now be controlled via browser privacy settings, but it highlights the issue of ensuring your versions of Flash and browser are kept up to date to benefit from the latest security enhancements.

Thanks for your comment!

R_Arblaster's picture

Hi Robert,

Your link to the IT Donut Cookie Law Guide isn't working; it's just taking me to a Tools page with a long list of articles.

LizD's picture

Thanks for flagging that up.  The link in the blog is now fixed and should take you to the right article.

The Donut Team


Robert Peters's picture

Hi Richard

Thanks for your comment and feedback, here is the correct link:

Let me know if you get any issues with that one.
