Blackbeaks Blog….All things Analytics

In Omniture, by setting JS variable to a customer ID, or a proxy for that, you would be able to track a single user across sessions. Then, assuming you’ve seen that customer, and they’ve identified themselves (by logging in or whatever) before, by using Omniture’s SAINT module you could upload the individual’s details (demographics, emails address, phone number etc.) into Omniture and track an individual’s behaviour explicitly. I’ve seen it done. Webtrends make explicit provision to allow you to insert demographic data directly into variables on the webpage (you could acheive something similar in Omniture using custom variables). Of course that would be unethical, but having that demographic data anonymised and used to segment web traffic is gold dust for web optimisers.

Anyway, the EU law isn’t dumb by intent per se, but dumb by implementation. Collecting individually identifiable customer behaviour is easy but bad and consumers should be given the tools to prevent this should they wish to do so. However, breaking the internet by trying to achieve this is not a good idea. I suspect that a lot will change before anyone (ICO included) will try and enforce it.

@Alex
Both the cases you refer to would require you already had the customer information. I am referring to anonymity of a non customer browser session and the protection of this is what the EU directive is attempting to address.

I don’t see anything wrong with anonymous demographic data. If I know for instance my website is on average visited 70% of the time by 30-40 year old women I can tailor my site accordingly without compromising anyones PII.

I think the EU have good intentions and I agree with you that there should be tools to opt-out of any and all tracking if you wish. No argument here. I also agree that the ICO have been dumb in their clumsy interpretation of the law. In fact I’d go as far to say that they have been spectacularly dumb.

On the other hand the EU directive is badly written, ambiguous and interpreted completely differently from member state to member state so the fault can’t all be at the door of the ICO.

The fact that the UK have a year to implement probably means that this will go into the browser settings in the very near future.

That graph at the beginning is powerful- and a bit depressing. This has been on my mind a lot lately (probably on a lot of minds). As I said on a blog post just yesterday (http://www.keystonesolutions.com/community/2011/07/tracking-why-business-intelligence-leads-to-user-benefits/) we MUST educate users about why they would WANT to opt-in and how it benefits them and how un-scary it actually is.

You have a fundamental fact incorrect – it’s not the ICO driving this, it’s not even the UK government. This is EU law that needed to be implemented by the specific date from all state members. All the ICO did was to kind of try to showcase how NOT to do it actually

@Hero I know it’s an EU directive but the ICO are the ones who interpreted the law and demonstrated what should be done as they saw it. That’s why their website has this dumb opt-in button on every page and that is why their numbers have dropped by 90%.

You’re right in thinking that they demoed how it shouldn’t be done, but your completely wrong if you’re thinking they aren’t serious.

@Jenn. I agree. It’s why I wrote this post, hopefully people might start to realize that cookies aren’t the root of all evil.

“..but when people ask you to opt in to receive an identifier that looks like this;

ZLhHHTiegr9Ny%2FdlviNhjUoXSrVDRIOE7v61hsd%2F8NY%3D”

Are you suggesting that the request should be.

‘Would you like a,

ZLhHHTiegr9Ny%2FdlviNhjUoXSrVDRIOE7v61hsd%2F8NY%3D

COOKEEEEEEEI Ay? Ay?

Dribble dribble. Wink Wink Nudge Nudge Eh?’

What sort of reaction should you expect to such a request?

Shoot me down but seriously. Technical measures and a bit of thought.. and work.. might be better than re-enforcing the FUD concept and using the ICO as an example as to how things should not be done.

A combination of Ghostery and No-Script tells me…

Facebook Connect
Google Analytics
Outbrain
Snoobi
Statsit
Twitter Badge
Twimg
Tweetmeme

are living on this page. I have no idea what they do or even what you need them for. If I did not have Ghostery and No-Script installed I would be completely unaware of their existence. Things do not appear to be totally broken as a result of blocking them. I assume I will be able to post this once I have finished slapping the keyboard..

Given you are the person who placed them there or permitted their inclusion perhaps you would be able to put up a page on your blog explaining what they are, what they do and why they are ‘necessary’ to the operation of your site.

Just to re-assure me further rather than telling me..

“There isn’t even a place in the tool that says this is what 162046575.1061623444.1310637483.1310637483.1310637483.1 did today when they visited.”

And suggesting you are going to ‘frighten people away’ if you ask to drop Cookie 162046575.1061623444.1310637483.1310637483.1310637483.1 rather than taking a bit of time explaining what it is for and what it does.. Something I and others might be more appreciative of.

-
-

Your Google Analytics ‘Tool’ doesn’t say anything, and I find that statement to be suspect given the purpose of the tool, forgive me if I display some ignorance here, given its supposed purpose as stated by yourself is to apparently to deliver exactly that sort of information…

“I don’t see anything wrong with anonymous demographic data. If I know for instance my website is on average visited 70% of the time by 30-40 year old women I can tailor my site accordingly without compromising anyones PII.”

.. and end up with a site that is visited 70% of the time by 30-40 year old women? That’s is not exactly the ‘demographic’ of your site and I’d be inclined to suggest that if you are unaware as to how to attract such visitors by tailoring content to suit ‘analytics’ as delivered by a ‘third party’, which may well leak the information for use elsewhere, is not going to be of much help to you..

I have digressed

Would you care to explain, in detail because I am certain you understand it, what the following JavaScript called from this page does…

(EDIT: I had to remove a lot of javascript code as it took up vast amounts of space. Javascript was rendered by Google Analytics include file.)

“@Hero I know it’s an EU directive but the ICO are the ones who interpreted the law and demonstrated what should be done as they saw it. That’s why their website has this dumb opt-in button on every page and that is why their numbers have dropped by 90%.”

Dare I say ‘point of order’?

The graph is titled,

“Tracked Visits Prior and Post Explicit Cookie Opt-In”

It does not in any way shape or form indicate that the ‘Traffic’ on the ICO website has dropped by 90%. Without using ‘analytics’ I would be able to wave a wet finger in the air and tell you that Traffic on the ICO website probably suffered a huge spike as, interested, people went to check things out.

In the mean time perhaps you might care to disclose where Vicky Brocks got the information from to produce this graph. I do assume the ICO did not give it to her.

@Kevin. Thanks for your entertaining response.

>Dribble dribble. Wink Wink Nudge Nudge Eh?’ What sort of reaction should you expect to such a request?

This is exactly my point. I find it farcical that we should even be talking about cookies as the whole thing is a joke. I agree that educating the general public and removing fear uncertainty and doubt is the way forward, the entire point of this post. I also feel that the ICO deserve criticism for their methodology as it does nothing but reinforce FUD. As the graph Vicky supplied shows.

Regards the point about my Google Analytics statements. You seem to be an intelligent sort. Why not go and find out for yourself? It’s free to set-up an account and look at the results.

I will follow up this post with another regards what tools I use on this site and why. Your request is not unreasonable. My point is the ICO’s request is.

Regards Vicky, she works with Government agencies in the UK and requested the ICO hand over the information which they freely did. Therefore the information can be considered valid. It is a 90% drop off.

“If their own *website traffic* since this time is anything to go by online marketing in the UK is in trouble. (Picture supplied by Vicky Brock)”

“Regards Vicky, she works with Government agencies in the UK and requested the ICO hand over the information which they freely did. Therefore the information can be considered valid. It is a 90% drop off…”

Errr… Nope.

As mentioned before I doubt that the ICO *website traffic* dropped by 90%. They just gave/received 90% less analytics to/from Google.

I think you will find my interpretation is correct.

Regarding my intelligence and a check out of Google..

I assume you are suggesting that I might set up a website and put the appropriate call on all the pages, assuming it is not automagically done for me, to,

google-analytics.com/ga.js

So I can look at the pretty graphs and then not really bother what the underlying code might do and might be gifting elsewhere because I get some pretty graphs.

Of course if you understand it and can reassure your readers that there is nothing to be worried about then that would be ‘dude’.

I assume the reference to “online marketing in the UK is in trouble” in this case relates to the ability of Google to dish up a few Ads on your site and pay you a bit of coin…

Probably my fault for running AdBlock Plus but assuming you do not dish up Google Ads on your site then it would seem, and I do not know what the code does, you are delivering the information Google requires to pony up Adverts elsewhere… for the 30-40 year old women who are regular visitors to your site.

You get pretty graphs and Google gets to narrow the demographic to intelligent activist women in the age range of 30-40… profit.

Are you happy that you might be betraying your audience?

[...] reactionary when it comes to privacy, but why? Anonymous, aggregated monitoring of web traffic can only be a good thing for consumers. It’s because they aren’t educated on the basics of what tracking cookies [...]

[...] reactionary when it comes to privacy, but why? Anonymous, aggregated monitoring of web traffic can only be a good thing for consumers. It’s because they aren’t educated on the basics of what tracking cookies [...]

@Kevin;
You cannot be sure that the traffic hasn’t dropped by 90% can you? You can not make any decisions based on data because the data is in most cases likely to be close to useless information if the ICO law becomes enforced.

You may be right that the traffic still arrives but no business can rely on data with any level of confidence when they know 90% or more of the behavioral data is hidden from them.

Compare that with much of the rest of Europe (despite the EU directive – it’s a totally different interpretation in other EU states) indeed the world and you’ll see that the ICO are putting British business at a severe disadvantage.

Now to the little experiment I suggested. What would happen if you did set-up a website with GA.

All your visitors to that site would be issued a cookie as I described and then anonymously tracked across your site – and that is it.

If you populated GA variables via a survey form for instance asking people whether they were male or female you would also be able to know whether your visitor was a 30-40 year old woman as well but Google Analytics doesn’t allow you to know whom the survey respondents were as individuals, just the number of visitors as a segment of overall traffic.
Google analytics will never track your visitor from your site to another site. The GA cookie is a 1st part cookie which is different on every website. Google have to be very careful not to break their own terms of agreement here or they can be sued.

The data (anonymous and aggregated across all GA accounts) sits in a Google server somewhere and how they use that data is confidential to Google but we do know that they can never identify anyone as an individual as they have never gathered the data.

NOW if you were to issue a different 3rd party code that allowed a cookie to be set and track across a Google Ad-Network then that is different to google analytics. Personally I don’t advertise anything. My site doesn’t deploy those cookies but even if it did it would still be an anonymous behavioral cookie. It would be a string of text like I have shown as an identifier sitting on your browser. The idea is when your cookie is recognized on a website somewhere (your cookie, not you) an ad is fired from an advertiser that you have visited before.

In my view that is fine. It’s like showing adverts on the TV to an unknown audience except that someone is paying to show you ads that you might be interested in.

When I think it’s wrong is when PII (personally identifiable information) is passed without consent. PII however can’t be passed with a cookie. You as a user have to give information or become a customer and this is when I think the law should be made clear (for instance as Alex pointed out in the first response). The ICO failed here by making it blanket opt-in regardless of whether PII is passed or not and the EU directive is ambiguous so that countries can interpret the law as they see fit.

> Are you happy that you might be betraying your audience?

I hope the above explains why I am not betraying my audience. I track what they visit when they come here, where they come from, what they do on my site, how many tweets they make and that’s about it really. I don’t advertise or pass on any information to any other 3rd party, even the ad network variety. I am not as you presume writing this post because I will lose advertising revenue, I am writing because the ICO have set an extremely bad example for the rest of Europe which is short sighted and could if enforced hurt the British economy.

FYI – I live and trade in Finland so this ICO law doesn’t effect me at all. I have little to gain but when I see stupidity I point it out.

“@Kevin;
You cannot be sure that the traffic hasn’t dropped by 90% can you?”

Perhaps Vicky Brook can ask on your behalf or you might FOI them yourself..

http://www.whatdotheyknow.com/body/ico

Just to clarify you have, and still appear to be attempting to claim, that traffic on the ICO website has dropped by 90% as a result of giving people the opportunity to refuse tracking by Google Analytics.

“You can not make any decisions based on data because the data is in most cases likely to be close to useless information if the ICO law becomes enforced.”

It would seem that the data [pretty graphs, and I assume that is a dump of their GA graphs. Correct me if I am wrong] provided by the ICO to Vicky is quite implicit. It states that given the opportunity when made aware 90% of people would rather not be tracked by Google Analytics.

Perhaps you might wish to explain the revealed dataset and the relative frame of reference?

I do not accept that the data, in your terms, becomes useless. It will still be there and, where available, ‘presumably’ still valid. They just have to trawl The Long Tail Harder..

Obviously being ‘Elite’ myself I realise those ‘below me’ will not realise what is happening and I can sell ‘drop ship’ socks to 30-40 year old women and make profit.

“Now to the little experiment I suggested. What would happen if you did set-up a website with GA.

All your visitors to that site would be issued a cookie as I described and then anonymously tracked across your site – and that is it.”

Good to see you have analysed the JavaScript installed on you site, or asked for advice elsewhere.

Presumably when I leave your site, having been classified and cookied accordingly [as a 30-40 year old activist woman], I can move on to another site and be profiled further.

Sorry, naturally I mean the ‘demographics’ collected about me on your site will not follow me around.

It seems to be your claim.

No?

@Kevin;

Now you’re not paying attention to what I said. I don’t believe the traffic has dropped by 90% but I maintain it’s as good as useless knowing what 10% of your traffic does.

>It states that given the opportunity when made aware 90% of people would rather not be tracked by Google Analytics.

Of course it does. However it’s clear to me that you have very little experience analyzing data or you would know what I am talking about. It’s what it doesn’t say about the traffic you can no longer see which is the problem for UK businesses.

> I do not accept that the data, in your terms, becomes useless. It will still be there and, where available, ‘presumably’ still valid. They just have to trawl The Long Tail Harder..

We will differ on this till the end of time then. The data will not be there!! Only a minute amount of it will be there.

What if your site has too few visitors to have a long tail? Like a 1000 visits a month? That then becomes 100 visits you can analyze. Some weeks you will have data some weeks you wont. Completely unacceptable for a small business.

Or what is the reverse was true and you suddenly get shed loads of traffic you don’t know about? Sales go up? profits go up? Great! You hire more staff to handle demand and then realize it was a fluke due to a spike in demand from a tiny niche somewhere and now you have to fire those people.

There are literally dozens of reasons why forcing cookie opt-in is bad for a business and yet harmless to a consumer.

> Good to see you have analysed the JavaScript installed on you site, or asked for advice elsewhere.

I refuse to rise to this kind of bait.

> Sorry, naturally I mean the ‘demographics’ collected about me on your site will not follow me around.

Correct. Not from my website or from any other standard Google Analytics 1st party cookie.
Please check your facts before you start on a tirade about how re-marketing works as I’ve already explained that. You won’t see adverts for blackbeak.com appearing on other sites you visit, I 100% guarantee it. Nor do I know what you do after you leave this site.

Um, I doubt most visitors to http://www.ico.gov.uk/ even think about the “banner” at the top. I.e. I doubt most people have NOT made any choice whatsoever. You can surf the site fine without ever caring about the text at the top. Who are we to assume it’s being read? In fact, if I go to their site I have an intention. I am used to finding what I’m looking for in the middle, or I use the navigation or search. I don’t necessarily read “alerts”. And if you entered after searching on Google you’d be looking for the answer to your question, not at a banner area.

I suggest they put the question explicitly in a lightbox forcing visitors to say either yes or no. Before they do that we have NO idea of knowing.

Oh, and this is of course ridiculous:

“One of the cookies we use is essential for parts of the site to operate and has already been set.”

I thought users had to be asked about ALL cookies.

Lastly, spammers phishers, and other criminals will never follow any law whatsoever. This will just be another tool for diehard dogmatists who go after benign sites they have it in for, rather than a tool to rid the Internet of charlatans.

It is important to remember that you don’t need consent for any essential cookies. Admittedly, most website owners regard the analytics as essential, but it’s nevertheless worth stressing that you don’t need consent for all cookies. Anything essential for the service is exempt from the regulations.

Also, whatever you think about the ICO, they haven’t set anyone up to be anything. They’ve been handed a very clear set of regulations (i.e. everything non-essential is opt-in), subject to no subtlety or loopholes by the drafting. In order to avoid the accusation that they’re breaking the laws that they are obliged to enforce, they’ve thrown out a quick compromise. It’s changed once since they started it, and it will change again as they work out more intelligent approaches. Given duff law at the last minute, I don’t think you can blame them for an inelegant solution which they’re not recommending for anyone else.

And as a regular user of the ICO website, I clicked the opt-in fairly quickly as I found the banner annoying, and need to use the site for my work. Because I know the ICO won’t do anything nefarious with my data, I had no issues with it. I won’t consent for sites that are less important to me unless they explain what they’re doing. If they convince me, I’ll give them the same benefit of the doubt.

@Tim;
>Given duff law at the last minute, I don’t think you can blame them for an inelegant solution which they’re not recommending for anyone else.

I do blame them though. They have reacted too quickly and without sound judgement to an admittedly badly written EU law.

What they could’ve done was simply do what Kevin was suggesting I do as an example of how UK businesses should go forward. They could’ve said in a separate page on their site (linked to in every header and footer for instance) how each cookie works, what it’s used for, the reason why the cookies are essential for the operating of their business and giving the user the option of opting out to the cookies where possible.

But they didn’t they reacted with a “quick compromise” which is simply not feasible if businesses in the UK have to do the same thing.

My issue here is they are sending out a poor message – despite the fact they haven’t said “do as we do” people can (and will) read it that way as they are the regulations body in the UK.

My advice to UK companies would be to create good visibility to a page like I’ve described and argue in court if necessary about the essential nature of business information in relation to anonymous data as you seem to be suggesting.

But for the ICO to confuse British businesses further is irresponsible in my opinion. It’s possibly the worst thing they could’ve done to help educate a confused public about cookies and it’s why I’ve been highly critical of them in this post and in my comments.

They have an opportunity to put it right though and I hope they do see sense.

Essential for the operating of the business isn’t the issue – no matter how essential a cookie might be to the business, the only thing that matters is whether it’s essential to the service. If it isn’t, then the website owner has to prove consent. That’s not the ICO message, it’s on the face of the regulations and the Commissioner can do nothing about that. The Commissioner is always criticised if caught not following his own legislation, so I don’t see how his office could do anything else.

I don’t agree the approach is confusing – the law says opt-in for cookies that aren’t vital to provide a service, so the ICO has said that most of his cookies are not essential. It’s not the ICO job to convince the public that cookies are good or bad, but to enforce these clunky regulations. They’ve already given everyone a year’s grace (which they probably had no official power to do), and so what has to happen now is business finds a way to convince the public to opt-in. They may have to provide incentives.

@Tim;
I personally believe we’re disagreeing on this because the law is so open to interpretation.

> I don’t agree the approach is confusing – the law says opt-in for cookies

The EU law doesn’t say this anywhere. The ICO has decided that cookies (all cookies) are what the EU are discussing. This is what it says and this is why it’s open to interpretation and where I feel the ICO had more flexibility than they demonstrated;

“3. Member States shall ensure that the storing of infor­mation, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user con­cerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications net­work, or as strictly necessary in order for the provider of an information society service explicitly requested by the sub­scriber or user to provide the service.”

To me the first part says you have to ask to have information stored on a device but the second part says it doesn’t need to prevent storage or access for transmitting a communication or as is strictly necessary for a service provider to provide a service to someone who wants it.

Ok? Then allow me to continue.

The only place it ever mentions cookies is in part 66 of the document where it says;

“Third parties may wish to store information on the equip­ment of a user, or gain access to information already stored, for a number of purposes, ranging from the legiti­mate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spy­ware or  viruses).

Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these require­ments should be made more effective by way of enhanced powers granted to the relevant national authorities.”

(bold emphasis mine – the rest is word for word from the legal documents)

So even after the amendment on 25th of May it still says that cookies are potentially a legitimate purpose. It also suggests browser settings as a way of asking for consent.

Finland in my view have taken a sensible approach (at least as far as I understand about what is going to happen here). They have said you have to explain what you’re doing in a comprehensive privacy policy and for all 3rd party cookies (IE for re-marketing purposes) you should give a clear opt-out at any time – done in a user friendly graphic attached to all re-marketing banners. There is no requirement to opt-in anywhere.

To be fair I could be reading the document completely wrong, I am not a lawyer and that EU document is as clear as mud, but the situation is that Finland (and probably other states in the EU) will be implementing the law in a totally different way to the UK and it puts the UK at a big disadvantage if they force this kind of legislation through. The ICO are doing a tough job and I sympathise with them having just trawled through that EU document again but I still feel that if the UKs position is to force people to opt-in to receive cookies people simply won’t as was well demonstrated by the ICO. That is putting UK business at a huge disadvantage.

Christopher Graham should know far better.

[...] like the traction they wanted from Google+ and so has resorted to something very similar to the ICO on the cookie regulations – Rather than take direct responsibility for consumer education/acquisition, just force [...]