How to use website analytics without breaking the law

By: Robert Peters

Date: 14 May 2012

Cookies{{}}Are you interested in how many people visit your website, how they get there and what they view?

I bet you are, we all are.

The intelligence provided to us by solutions such as Google Analytics is incredibly important in building a relevant, focused resource that turns website visitors into buyers.

However, from 26 May 2012, UK businesses using the cookies that enable us to track this valuable marketing information will be breaking the law. Full details of the changes and implications are detailed in the IT Donut Cookie Law Guide.

If you’ve not already prepared your website for the changes what options do you have to keep on the right side of the law?

Total compliance

Achieving total compliance means gaining “opt in” consent from UK website visitors prior to using cookies.  This can be achieved by adding a message and opt-in button in various places on your website.

Problem solved?

Well yes from a compliance point of view, but not from a marketing point of view. When the UK Information Commissioner’s Office changed their own website 90% chose not to opt in. That’s a sobering figure for anyone interested in how visitors find and use their website. A 10% data sample is useless for most purposes.

An option to have total compliance without opt-in consent would be to use an analytics provider whose software does not use cookies, such as eVisit Analyst

Non-compliance

The other extreme is to ignore the issue entirely.

You could continue to track users using cookies in the hope that the ICO isn’t going to chase every small business and fine them all the maximum £500,000 allowed under this legislation.

Bit of a gamble though, don’t you think?

Plus, are your prospects and customers going to trust you if they can see that you are blatantly breaking the law?

This brings us to a third option.

Partial compliance

There is a glimmer of hope for businesses that want to keep their analytics data without offering opt-in consent.

In their “Guidance on the rules on use of cookies and similar technologies” Version 2 13th December 2011 the Information Commissioner's Office writes:

“In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

However, this shouldn’t be seen as a reprieve. UK businesses have already been given twelve months’ notice to get their sites ready which ends when the law becomes enforceable on the 26th May 2012.

Partial compliance could be achieved with three steps:

Step #1

Complete a cookie audit of your website as outlined in the IT Donut Cookie Law Guide.

Step #2

Add a prominent link to your detailed privacy policy with a full account of the names and nature of the cookies used. The policy used on the UK Information Commissioner's Office website is a good example and contains a link to a website explaining the nature of cookies and how to remove them. A further example is available at aboutcookies.org.

Step #3

Create a written action plan for total compliance to follow if necessary once the enforcement decisions and process become clearer after the 26th May 2012.

To sum up

The interpretation of these changes and their enforcement will become clearer in the coming weeks but the implications are certain. Taking no action will not only mean you’re breaking the law but risking valuable trust.

To keep your website analytics you’re going to need to make some changes to achieve either partial or full compliance.

What stance will you take?  Please join me in a discussion in the comments.

Robert Peters is a Small Business Advisor and Director of Fresh Eyes Consultancy.