Last year, in May 2011, the UK introduced its local version of the European Directive 2009/136/EC, catchily known as The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, but usually referred to as the cookie law. This roughly says that you need to ask permission before using cookies (or other local storage by implication) as these can be used to accumulate personally identifiable information.
In the UK, enforcement was delayed by a year, to give people time to rewrite their software and UX, something which as far as I can see most people have been busy not doing.
However, whether Google use Analytics information in a way that you, or the law in Europe, might consider as a privacy issue I really don’t know. To use a free service for analytics from the largest company tracking users on the internet is pretty dubious in many ways. The information from analytics is clearly enough to pay for the service, as they have not rationalized it or moved it to a paying service unlike many other services, although they have underinvested, and only just removed Flash. There is an interesting scope for purely statistical analytics in Europe, by which I mean without storing cookies or other data, just based on correlation of events and numbers, definitely an interesting idea for a startup to pursue here. A/B testing, conversion tracking and so on can all be done without collecting personal data or using cookies with equal statistical effectiveness; people are just wedded to the easy traditional way, and need to do some more work.
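One way such a cookieless A/B test could be built, as an added example that is not part of the original post: the variant is chosen per page view, carried in the link to the conversion step, and only per-variant totals are kept. The `/signup` endpoint, the variant labels and all function names are assumptions, and the counts are per page view rather than per visitor.

```python
import math
import random
from collections import Counter

VARIANTS = ("A", "B")  # hypothetical variant labels

def assign_variant(rng=random):
    """Pick a variant per page view; nothing is stored on the visitor's device,
    so a returning visitor may see the other variant."""
    return rng.choice(VARIANTS)

def conversion_link(variant):
    """Carry the variant in the link itself (hypothetical /signup endpoint)."""
    return f"/signup?v={variant}"

class AggregateCounter:
    """Keeps only per-variant totals: no IP address, user agent or identifier."""
    def __init__(self):
        self.views, self.conversions = Counter(), Counter()

    def record(self, event, variant):
        """Count one event; the label arrives in a URL, so treat it as untrusted."""
        if variant not in VARIANTS or event not in ("view", "conversion"):
            return False
        (self.views if event == "view" else self.conversions)[variant] += 1
        return True

def two_proportion_z(c, a="A", b="B"):
    """z statistic and two-sided p-value for the conversion rate of b versus a."""
    n1, n2 = c.views[a], c.views[b]
    x1, x2 = c.conversions[a], c.conversions[b]
    if n1 == 0 or n2 == 0:
        raise ValueError("need views for both variants")
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (x2 / n2 - x1 / n1) / se
    return z, math.erfc(abs(z) / math.sqrt(2))

def demo():
    # Constructed sample: 1000 views per variant, 100 versus 140 conversions.
    c = AggregateCounter()
    events = [("view", "A")] * 1000 + [("conversion", "A")] * 100
    events += [("view", "B")] * 1000 + [("conversion", "B")] * 140
    for event, variant in events:
        c.record(event, variant)
    return two_proportion_z(c)
```
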
The UK guidance on the legislation is worth a read, and makes it clear that setting cookies by default is not acceptable in almost all circumstances. The Information Commissioner’s Office has an optional cookie dialogue as their chosen solution; other examples of which are at Cookielaw.org, which has a third party cookie list which no one who actually drills down would agree to, I suspect:
We use a number of social media tools to enhance visitor interaction on our site. If you already use these platforms their cookies may be set through our website. Data may then be collected by these companies that enables them to serve up adverts on other sites that they think are relevant to your interests. If you do not use such platforms then our site will not place these cookies on your device.
Twitter Cookies: ab_sess_search_relevance_ranked_hits_189, dnt, t1, auth_token_session, secure_session, twll, twid, ab_sess_wtf_user_to_user_rec_155, ab_sess_search_relevance_social_167, ab_sess_t1_actions_156, __utmc, __utmv, __utmb, __utma, __utmz, _twitter_sess, _twitter_sess, ab_sess_activity_ddg_126, ab_sess_activity_up_top_98, ab_sess_promoted_arrows_and_pills_78, ab_sess_Relevance_V1-49, _sm_au_d, auth_token, external_referer, guest_id, k, lang, original_referer, pid
Facebook Cookies: lu, L, L, datr, e, c_user, c_user, presence, sct, sct, _sm_au_d, act, _e_bWDI_21, _e_bWDI_22, _e_bWDI_23, _e_bWDI_24, _e_CTMK_0, _e_CTMK_1, _e_CTMK_2, _e_e6Yv_0, _e_e6Yv_1, _e_e6Yv_2, _e_0ITr_10, wd, x-referer, xs, xs, reg_ext_ref, reg_fb_gate, reg_fb_ref, reg_ext_ref, reg_fb_gate, reg_fb_ref
Google Cookies: PP_TOS_ACK, IGTP, NID, ULS, OTZ, APISID, SAPISID, SSID, _sm_au_d, S, S_awfe, SID, SS, W6D, BEAT, HSID, PREF
Microsoft Cookies: MC1, WT_FPC
Hopefully this makes it clear to people that “social” platforms are now in the somewhat less social surveillance business (STASI media?).
Will people take any notice? The attitude so far has apparently been generally to ignore it, outside of government sites. But this is not going away, and there are enough privacy activists who will like using a new tool against people that it would be dangerous to continue to ignore it. Will it kill the internet? Personally I think that the giant spam internet that has arisen from the internet advertising boom is a huge negative that is more likely to kill the internet, and I have already had to install an adblocker on my work computer, disable Flash everywhere, delete my Facebook account, block third party cookies, start removing sites from Google search and so on. So some legislation that does not go along with these moves and puts the consumer first is welcome, even if you might argue that it is not the best designed legislation ever. And if your business model requires cookies, time to think about something else, you still have a few weeks.