About the EU Cookie Law
The EU Cookie Law is a new EU Directive by which website owners are obliged to obtain informed consent from their website visitors before placing cookies or similar technologies on their terminal equipment (e.g. computers, mobile phones and tablets).
According to the EU Cookie Law, a website owner must not store cookies on, or otherwise gain access to, a visitor's terminal equipment without first obtaining informed consent from the visitor. Informed consent means that the visitor must give his or her consent on the basis of an understanding of what the purpose of the cookie on (or access to) the terminal equipment is, who places the cookie (gains access) and how consent can be withdrawn.
In the context of web analytics, this means that the website must present an information box or similar to visitors the first time they visit the website. The information box should clearly indicate that the website owner wishes to place a cookie to measure the use of the website. If the website owner uses a web analytics vendor to place the cookie, this vendor must be identified to the visitor. In addition, the visitor must be made aware of how consent can be withdrawn, e.g. by deleting cookies on his or her terminal equipment. Only after the visitor has explicitly accepted this by clicking "OK" or similar in the information box can the website proceed to place the cookie.
The EU Cookie Law contains a few exceptions to the requirement of informed consent, but none of these are relevant to web analytics.
Requirement for written agreement
Although the EU Cookie Law focuses on data protection in connection with electronic communications, it should be read in the context of the EU’s Personal Data Directive, which aims to protect personal data in general. The Personal Data Directive is relevant here because web analytics presupposes access to the visitors' IP addresses, which are considered personal data by the EU.
The EU Cookie Law is based on many of the provisions already present in the Personal Data Directive, but specifies them in relation to electronic communication. However, the other provisions of the Personal Data Directive should still be observed. One of these provisions says that if a data controller (e.g. a website owner) sends data to a data processor (e.g. a web analytics vendor), then there must be a written agreement between the two parties ensuring that the data processor will act only on instructions from the data controller.
Is Google Analytics illegal?
The requirement for written agreement means that website owners should think twice before installing free web analytics tools, which use data ownership as an alternative “payment”. Google Analytics, for example, is offered for free, but on the condition that Google can use the collected data as they see fit. This is clearly stated in their terms of service, which website owners must agree to before installing the system. The terms do not specify how Google will use the data, and Google does not offer a signed data processor agreement with the website owner.
The EU Personal Data Directive does not prohibit Google from demanding such conditions, but it prohibits Danish website owners from accepting them. The problem is that website owners are, on the one hand, obliged to provide website visitors with comprehensive information about how the data are used; on the other hand, they cannot guarantee that Google refrains from using them in a different way. As long as Google Analytics is not offered with a signed data processing agreement, it is in violation of EU law to use the system.
Do you have a solution that observes the new EU Cookie Law?
See how we can help!