For every website we produce nowadays, we need to think about the cookie message that appears. I know, I know – you see them everywhere and you’ve probably gotten blind to them and just click “OK”. But really, a lot of thought needs to go into how they’re put together.
A bit of background: the cookie law
In 2012 the Cookie Law was going to come into force, which meant that any cookies needed to be opted into before you could place them on a visitor’s computer. This was a problem for cookies that were placed as soon as someone arrived in order for the website to work – as many frameworks had in place.
The BBC rolled out their cookie changes and clearly showed that they were going to go with “implied consent”. Rather than have people actually tick a box to agree to cookies, they said they were going to assume you complied unless you stated otherwise, and gave you lots of options for turning off specific cookies (except for “necessary” ones, which they stated included statistical / visitor counting ones).
So at the 11th hour, our Government of the time said that implied consent would be OK. In theory this meant that if anyone didn’t comply, they just had to leave your website. But it also meant you could get more technical and let people opt out of individual cookies.
GDPR
But 2018 saw the GDPR come into force – the General Data Protection Regulation – and that stated that you couldn’t collect or store or process any information about anyone, including their IP address, without their explicit consent.
And Google Analytics, by default, uses IP addresses when it’s doing its magic.
So here we have a bit of a blur between the cookie law and GDPR, where we still need that message popping up on websites. People refer to it as a “cookie message” but it’s actually also now about telling people how their data is being used, and asking them if that’s OK.
IP anonymisation
Therefore, in 2018, as we were getting clients ready for GDPR, we started implementing Google Analytics IP anonymisation on websites for our clients. This means that Google doesn’t use / store / process the IP address of your visitors – they say that they anonymise the IP “as soon as technically feasible at the earliest possible stage of the collection network”.
To be precise, they set “the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case.”
Please note: the following paragraphs were updated on 19th October 2020:
The upshot is, if you have IP Anonymisation turned on, your site collects less data about your visitors. The ICO states that Analytics cookies are NOT necessary and do require consent still, but at least you can tell people you’re collecting less about them.
You can’t use IP anon though if you need to monitor where in the world your visitors come from, or if you use Google Analytics for remarketing (you’ll need to rely on Google Ads for remarketing or work around it in another way). The reason you can’t use these hand in hand is because the IP anonymisation means just that – your visitors are anonymous so you don’t know where they are or what they’re doing.
Analytics strategies
I have a new task to do on all websites we build lately, and that’s to figure out an analytics strategy. IP anon isn’t for everyone, so there are always a few questions to ask:
1) Do you class analytics as necessary cookies? Can you – honestly – function without them?
There’s always debate around this – a website can absolutely function without Google Analytics, it isn’t needed for a website to load or a shopping basket to work. But some argue, on a higher level, that the business couldn’t survive without that insight. So that needs to be decided.
As I’ve mentioned above, the official line from the ICO is that they are NOT essential – they put it really well: what’s essential for you is not the same as what’s essential for your visitors. However, some organisations still want to overrule this – which goes completely against the GDPR and the ICO.
2) Would Google Analytics IP Anonymization work for you?
If you don’t use remarketing and you don’t mind where in the world people visit from, then yes, it could well be fine for you.
3) Do you want to give your users the option of what they share?
This is a valid question – some organisations aren’t too concerned, others like to show they’re giving their users all the options possible.
If you do classify GA as essential, you can live without location and remarketing data, and you don’t want to give your users questions, then you might go down the route of assumed consent on the cookies and turn IP anonymization on, so that you just show a “we use cookies, your continued use implies your consent” sort of message. Strictly speaking, I don’t condone this as it’s not GDPR compliant.
A different set of answers might be more like you can function without Google Analytics, you don’t need remarketing data and you’re happy to give people options – so then you might ask people if they’ll allow cookies from Google and NOT load Google Analytics on the page until they do – but also implement IP anon so that you can tell people their use of cookies will be anonymous.
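One way to wire up that second strategy, as an added example that is not from the original article: nothing from Google is requested until the visitor opts in, and when it does load, `anonymize_ip` is set. The property ID is a placeholder, and the cookie name and function names are assumptions made for this sketch.

```javascript
// Added example: analytics stays off until the visitor opts in.
const GA_ID = 'UA-XXXXXXX-X';               // placeholder property ID
const CONSENT_COOKIE = 'analytics_consent'; // hypothetical cookie name

// Returns 'granted', 'denied', or null when the visitor has not chosen yet.
function readConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === CONSENT_COOKIE) {
      return value === 'granted' || value === 'denied' ? value : null;
    }
  }
  return null;
}

// Injects gtag.js only after an explicit opt-in. Returns true if it loaded.
function loadAnalyticsIfConsented(doc, win) {
  if (readConsent(doc.cookie) !== 'granted') return false; // default: load nothing
  if (win.gaLoaded) return false;                          // never inject twice
  win.gaLoaded = true;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_ID, { anonymize_ip: true });       // IP anonymisation on
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_ID;
  doc.head.appendChild(script);
  return true;
}

// Wire this to the banner's "Accept" and "Reject" buttons.
function recordChoice(doc, win, granted) {
  const maxAge = 60 * 60 * 24 * 180; // remember the choice for about six months
  doc.cookie = CONSENT_COOKIE + '=' + (granted ? 'granted' : 'denied') +
    '; Max-Age=' + maxAge + '; Path=/; SameSite=Lax; Secure';
  return granted ? loadAnalyticsIfConsented(doc, win) : false;
}

// In a browser, run once on page load so returning opted-in visitors are counted.
if (typeof document !== 'undefined') {
  loadAnalyticsIfConsented(document, window);
}
```

A quick check in the browser's network tab on a first visit should show no request to googletagmanager.com until "Accept" is clicked.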
It’s not just about the stats
Of course, lots of other services bring 3rd party pixels with them, such as Twitter or Facebook. And all sorts of other things collect data about people. So you need to carefully consider everything you’ve got going on, both with your web developer and your solicitor, and decide how your message needs to be worded, what you’re going to load on the page when a visitor first arrives and hasn’t had a chance to opt in or out of anything yet, and what options you’re going to give people for turning things off if you’ve had them on by default.
As I mentioned above, I’m not a solicitor so nothing here can constitute legal advice, but the purpose of this article is just to get you thinking about how you can manage both your cookie policy and your GDPR obligations around consent. Have fun!