OK so last week, I was attending the Adobe Omniture (website analytics package) conference in EMEA, London. As you can imagine, the ePrivacy law restrictions was a hot topic for discussion. Adobe kindly provided some information as to the conversations going on between them and the Dept. for Media, Culture & Sport, so a big thanks to Adobe!
Well first thing to note is that the ePrivacy law is primarily designed to prevent cookie use in behavioural advertising. Unfortunately analytics cookies have been caught in the cross-fire in this fight hence the discussion. Because of this, the informal view is that any users of analytics cookies are unlikely to have the law enforced against them, but this is by no means a guarantee. Detection will also be down to visitors reporting your site for using analytics cookies and I guess, if only a small number complain, it will not warrant enforcement of the law.
So what can you do to protect yourself properly? Well two key things were mentioned, being:
- Provide a clear definition as to what cookies are being used and their purposes. Apply the “McDonnalds” test to see if people will understand your definition.
- Provide a means for users to opt-out of analytics tracking somewhere in the site, just in case users do decide against the use of analytics.
The then controversial conversation of using a “no-track” cookie to track the fact the user does not want to be tracked … was mentioned. Well general consensus here was, because this is as a result of a user action, you could get away with this from a legal stand-point.
Now, by not tracking users will start skewing your revenue figures against actual takings. Fortunately, for you Omniture users out there, you can inject data into the analytics suite off-line using simple delimited spread-sheets uploaded via FTP. I am not sure if the other analytics systems (say Google) provide similar functionality, but without it, I do not see a simple way of solving the issue.
Finally, every country has their own interpretation of the EU ePrivacy law. This was at the start of the presentation so I missed most of this, but still worth considering. As an example, Germany’s view is that, if IP addresses are stored then consent must first be provided. Otherwise, if the IP address is obscured or not recorded, opt-out measures are sufficient. In short, check the law in your market country.
So there we are. The law does not appear to be as scary as before. There will be no requirement for annoying pop-ups appearing when first landing on the site, so user-flow can continue un-interupted; just a few small measures to implement.