Skip to content.

Top tips: Is Your Web Analytics Breaking The Law?

The new EC Directive on Privacy & Electronic Communications came into force last month and has caused major concerns with website managers who use web analytics systems. The new rules requires positve consent on the use of cookies for web analytics. John Harrison CEO of web analytics company Maxsi, looks at the changes, how it effects websites and the solution.


The Privacy and Electronic Communications (EC Directive) Regulations 2003 which came in to force in the UK on 26 May 2011 has caused major concerns with website managers who use web analytics systems. Although the regulations do allow the use of cookies that are essential to the operation of the website without user consent, the Information Commissioner Office's (ICO) guidelines[1] on the regulations make it quite clear that the use of cookies for web analytics require positive consent by the user.

As if to reinforce the point the ICO, which uses the website analytics system Google Analytics, has placed a banner on the top of pages on its website ( requesting consent from users to permit non essential cookies including those used by Google Analytics.

This issue is not restricted to Google Analytics but to any website analytics system which uses cookies.

There is a lot of debate about the whys and wherefores of this legislation which is covered elsewhere. This analysis is about the implications of this legislation on cookie based website analytics systems.

Attempts, such as the ICO's, in trying to make cookie based website analytics systems compliant with the regulations end up going nowhere.

In order to use a cookie based web analytics system one needs to gain the positive consent of the user. The regulations are quite explicit in that one cannot assume consent until a positive opt in is made. Unless this opt in is obtained it is against UK law for a website to use a cookie in the furtherance of website analytics.

So what is the problem in adding an opt in mechanism for user when using cookie based website analytics systems? The problem is that website analytics systems measure activity and user interaction on the website. For the information to be of use it needs to be reasonably accurate. If, however, it is only activated when a user consents to its use then it is not measuring website activity, it is in fact measuring website activity only of those who consent to opt in. This is not the same.

At this point in time it is unclear what the exact impact of user opt in on the accuracy of website analytics systems that use cookies will be. Recent research[3] found that that "Just fewer than one in five respondents (18%) stated that they accept all internet cookies whilst 36% accept only selected internet cookies and 9% do not accept any internet cookies". From this it can be concluded that the accuracy of website analytics will be impacted by user opt in.

Asking the user to opt in to the use of cookies to support cookie based website analytics will ensure compliance with the law but it is futile as information from the website analytics system will be compromised.

Website managers will be missing activity from their cookie based website analytics reports from those users who do not give their consent to cookie usage. They will be better off moving to a non cookie based website analytics system.

Although in recent years they have been overshadowed by the cookie based systems, website analytics systems that use IP address and user agent are still around and still going strong. The advantage they have is that because they don't use cookies they do not require user consent and thereby will report all activity on the website.

IP address and user agent is a different technique for website analytics and there is a difference between what it and cookie base methods report. We will leave that for another discussion but nevertheless IP address and user agent is still accurate enough for the Audit Bureau of Circulations to permit its use in website analytics systems it allows to be used for auditing website activity[4].

Implementation is no different to most cookie based systems as both usually require a tag needs to be placed on each website page.

To summarise, the solution to the dilemma posed to website managers by the new regulations and their cookie base analytics systems is clear. In order to comply and still have reasonably accurate website analytics they should refrain from using an opt in banner in combination with their cookie based website analytics system. Instead they should use an IP and user agent based website analytics system. Do this and you will have a solution to your problem.

By John Harrison
Maxsi Ltd

About the author

John Harrison is CEO of Maxsi Limited ( John founded Maxsi over ten years ago. Since then it has developed the eVisit Analyst
( range of website analytics systems including IP Address and user agent variants. Its products are accredited by the Audit Bureau of Circulation.


[1] 'Changes to the rules on using cookies and similar technologies for
storing information', Information Commissioner's Office, 9 May 2011
[2] 'Research into consumer understanding and management of internet
cookies and the potential impact of the EU Electronic Communications Framework Report', Department for Culture, Media & Sport April 2011
[3] 'JICWEBS Reporting Standards Website Traffic', ABC, Version 2 2011,
Issued May 2011

Marc commented:

"The advantage they have is that because they don't use cookies they do not require user consent"

It is not only about cookies according to the wording of the law. And collecting an IP address must be like "gaining access to information stored in the terminal equipment"

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Comment on this article

Verification (needed to reduce spam):

Subscribe to Netimperative Newsletters

Email address:

Search Marketing
Publishing & Media

Send as:

Alternatively, click here to unsubscribe

Digital Training Academy training tips
Digital Training Academy
Essential skills for today's marketers: boost your team's results with customised advanced digital marketing coaching from world class trainers at the Academy.
Mail our academy managers Ask our tutors for more
Full details here...

Digital marketing audits - improving your ROI
Digital Training Academy

Getting the best ROI from your websites, emails and online ads? Sure?

Our digital marketing audits review your current and planned campaigns to find ways of cutting budgets without cutting impacts.

Mail our academy managers Ask for more
Full details here...

About Netimperative | About Digital Strategy | Terms of use | Privacy | Cookies

© Copyright 2014 Digital Strategy Consulting Ltd | is part of the Digital Strategy Consulting group | UK company number 4342602 | The Digital Hub, 8 Macklin Street, Covent Garden, London, WC2B 5NF