EU Website Breaks Cookie Law?

EU Flouts Its Own Law on Use of Cookies

EU Council WebsiteThe European Council website, which is a sub domain of the main EU website, is running Google Analytics to capture the usage statistics of the website. There is no “opt-in” option on the website as required by EU legislation. This legislation refers to Directive 2009/136/EC which amended the European Directive – 2002/58/EC – which is concerned with the protection of privacy in the electronic communications sector. Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

The code below is directly from the source of the European Council website and clearly shows the Google Analytic’s javascript.

var _gaq = _gaq || [];
           _gaq.push(['_setAccount', 'UA-26543712-1']);

           (function () {
               var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
                   ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '';
               var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);

The “Legal Notice” page of the site has the following statement regarding the use of Google Analytics:

Google Analytics Statement from European Union Website

You are informed that this website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to help analyse the use of this website. For this purpose, Google Analytics uses “cookies”, which are text files placed on your computer.

The information generated by the cookies about your use of this website – standard internet log information (including your IP address) and visitor behaviour information in an anonymous form – will be transmitted to and stored by Google including on servers in the United States. Google will anonymize the information sent by removing the last octet of your IP address prior to its storage. According to Google Analytics terms of service, Google will use this information for the purpose of evaluating your use of the website and compiling reports on website activity for the European Council.

The European Council will not use, and will not allow any third party to use the statistical analytics tool to track or to collect any personally identifiable information of visitors to this site. Google may transfer the information collected by Google Analytics to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. According to Google Analytics terms of service, Google will not associate your IP address with any other data held by Google.

By using this website, you consent to the processing of data about you in the manner and for the purposes set out above. You may refuse the use of cookies by downloading and installing Google Analytics Opt-out Browser Add-on. The add-on communicates with the Google Analytics JavaScript (ga.js) to indicate that information about the website visit should not be sent to Google Analytics.

The last paragraph is interesting. It highlights the Google Analytics Opt-out Browser Add-on, which perhaps the EU is saying, despite the guidance given by the Information Commissioner’s Office (ICO) in the UK, an opt-out is enough to comply with the legislation or they’ve so far been lapse and not updated their website accordingly.

According to the ICO the law requires that all websites run by companies in the EU have to obtain permission from the visitor of the site before their usage can be monitored using cookies. Google Analytics and other statistics solutions use cookies to follow the visitor as they move from page to page, allowing the website owner to quickly analyse how their website is used. It’s an incredibly useful tool and the EU legislation has caused up-roar with businesses that use these tools to help improve their websites for the benefit of their customers.

Google and other web analytics vendors are in conversation with the EU regarding this law, but in the meantime, perhaps the EU should get it’s house in order before it starts pursuing companies who are trying to deliver the best service to the customers and rely on this information to do so. After all, this puts companies in the EU at a potential disadvantage when compared to those in countries not under this legislation.

For more information on becoming compliant to this law, which has potentially hefty fines of up to £500,000 for those who don’t comply, please see the Information Commissioner’s Office page, Cookies Regulations and the New EU Cookie Law. Maybe the EU should be taken to court for non-compliance with their own law unless, as mentioned above, using the Google Analytics opt-out is enough?