Big news - Google has revealed plans to block third-party cookies across its Chrome browser by 2022.  Privacy is the fundamental reason behind it.

Justin Schuh, Director of Chrome Engineering, explains:

"Users are demanding greater privacy - including transparency, choice and control over how their data is used - and it's clear the web ecosystem needs to evolve to meet these increasing demands"

 

While modern web browsers have allowed the user to disable third-party cookies for some time, Google’s announcement suggests third-party cookies will be completely blocked by Chrome in 2022 and Firefox, Safari et al are all likely to follow suit given the technical changes involved. 

If you didn’t already know, it’s very common for a website to put at least one harmless file, or in fact as many as it wants, on your computer; these files are known as cookies.  Cookies might store information about your browsing session, what you looked at, what your viewing preferences are, what’s in your basket, etc.  Some websites use these solely to remember you when you make a return visit so that, for example, you don’t have to sign in again. Cookies that are set and read by the website you are visiting are classed as first-party cookies, and they’re a great way to make the UX more convenient.

On the other hand, third-party cookies are cookies that are set by a website other than the one you are currently on. For example, a website might have some JavaScript code on it to render a Facebook “Share” or “Like” button.  The code, written by Facebook, will do the rendering but also, and some might say sneakily, store a cookie on the visitor's computer and that cookie can later be accessed by Facebook to identify the visitor and, rightly or wrongly, see which websites they visited across the web - like a network of nanny cams.
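The mechanism described above, modelled as an added example that is not part of the original post: a simplified browser cookie jar, a hypothetical widget host (`widget.example`) embedded on three constructed sites, and the effect of switching third-party cookie blocking on. The class and function names are illustrative assumptions.

```python
import itertools
from urllib.parse import urlsplit

def site(url):
    """Simplified 'site': last two host labels (real browsers use the Public Suffix List)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

class WidgetServer:
    """Hypothetical host of an embedded 'share' button."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.seen = {}  # cookie value -> pages on which the widget was loaded

    def handle(self, cookie, referer):
        if cookie is None:                      # no cookie sent: looks like a new visitor
            cookie = f"uid={next(self._ids)}"
        self.seen.setdefault(cookie, []).append(referer)
        return cookie                           # value for the Set-Cookie response header

class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # cookies keyed by the site that set them, not the page shown

    def fetch(self, resource_url, top_level_url, server):
        """Load resource_url while the address bar shows top_level_url."""
        res_site = site(resource_url)
        third_party = res_site != site(top_level_url)
        allowed = not (third_party and self.block_third_party)
        sent = self.jar.get(res_site) if allowed else None
        set_cookie = server.handle(cookie=sent, referer=top_level_url)
        if allowed:
            self.jar[res_site] = set_cookie     # blocked contexts never store it

PAGES = ("https://shop.example/dog-food",       # constructed browsing session
         "https://news.example/story",
         "https://blog.example/post")

def browse(block_third_party):
    """Return what the widget host can link together after the session."""
    browser, widget = Browser(block_third_party), WidgetServer()
    for page in PAGES:
        browser.fetch("https://widget.example/share.js", page, widget)
    return widget.seen
```

With blocking off, `browse(False)` returns one identifier tied to all three pages; with blocking on, each page load looks like a different visitor, so the cookie no longer links them.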

Funnily enough, the most habitual third-party cookie setter is Google, specifically their Google Analytics service, which website owners use to track their visitors' activity, such as session duration, browser usage, user origin and bounce rate, along with information on the source of the traffic.

According to W3Techs at the time of writing, Google Analytics is being used by 55.2% of all websites on the internet - which is quite ironic given Google’s plans to block third-party cookies.  Google Analytics is a huge revenue generator for Google, so are they shooting themselves in the foot? 

Chrome's director of engineering, Justin Schuh, said Google intends to phase out support for third-party cookies "within two years". Does that timeframe give their Analytics division ample time to come up with a cookie-less tracking alternative, perhaps using a server-side approach or browser fingerprinting instead?  Time will tell, but Google is very much in control of how it will play out.

Let’s be clear, Google Analytics isn’t really what sparked the debate on cookie privacy.  The discussion about online advertising and privacy revolves around cookies because they’re what support many predatory advertising models today, i.e. websites that let “adtech companies” put their own third-party cookies on the site that they then use to track you across other websites.

Despite what you might have been told by your tinfoil hat-wearing Aunt, Facebook doesn’t listen in on your conversations - they just know that you’ve been on PetsAtHome.co.uk searching for dog food, which is why Pedigree Chum adverts show up on your Instagram timeline now - it’s all done using third-party cookies - and it’s these cookies that have raised privacy concerns for a number of years.

So we all get that the “Big Brother-esque cookie tracking me across the Internet” issue is a privacy concern, and we most likely all agree it’d be a good idea to let people opt out of that at the browser level. But Google Analytics, while also dropping those third-party cookies like they're hot, isn’t exactly doing any harm to users’ privacy, especially if it’s been implemented with IP address anonymisation.

The Information Commissioner's Office (ICO) in the United Kingdom, a public body which reports directly to Parliament, having previously said and demonstrated that it’s OK to have third-party cookies and track users as long as you “warn them”, have recently changed their own (minds, again, and) cookie policy so all third-party and/or unnecessary cookies are opt-out by default. Case in point, they now turn off Google Analytics by default and are saying you need to do the same.

From their blog post, the ICO state:

Myth 2: Analytics cookies are strictly necessary so we do not need consent

Fact: While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.

 

In my opinion, the ICO are somewhat undervaluing services such as Google Analytics, focusing on it from a single user's perspective, rather than thinking of how Analytics can improve the service of the website, or of how A/B testing and the like can find the best way to present information or products to users. As such, Analytics could be argued to be essential for the delivery of a service and therefore doesn’t require consent under the "Cookie law".

At the very least, anonymised analytics are vital to running a successful website. From a developer's point of view, we use them to deliver the best experience, including resolving dead links (404 errors) and seeing where users don't do what you expected them to (edge cases) - all very important for Search Engine Optimisation (SEO).  By anonymising and aggregating the data before using it, we take all the necessary safeguards for privacy.

This data can also be used for service improvement like sales funnels, but when properly anonymised and aggregated it is not "personal data" as defined under the GDPR. The data would therefore also fall out of scope of the Cookie law, with the caveat that you have to argue that the cookie is functional.

The legal boundaries exist, but the ICO offers just one opinionated interpretation. While the use of analytics doesn't benefit a single visitor directly, it does impact the group as a whole. Rather than advocating the use of non-personal data in analytics, they take a polarising position defending the narrow viewpoint of a single-time visitor.

We get asked all the time what we think of the “Cookie law” and what we recommend - it’s very difficult to give a straight answer when the ICO themselves can’t make up their mind and the Cookie law is complex and somewhat open to interpretation.  The main bone of contention for our clients is “should we be using Google Analytics without the users' consent?” - as explained above, it depends on your interpretation of “necessity” really.

Currently, what are the alternatives to using Google Analytics - or any cookie-based tracking analytics for that matter?  It would seem server-side analytics are the way to go if you want to follow the ICO’s guidance to the letter. In fairness, server-side analytics software has come a long way since the days of Webalizer and AWStats - and maybe this is the way Google Analytics will go to get around their own cookie block?
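A cookie-less, server-side tally of the kind discussed above, as an added example that is not code from the original post: it reads access-log lines, truncates IP addresses before anything is kept, drops query strings, and counts page views and dead links (404s) in aggregate. The log lines are constructed, and the truncation widths (/24 for IPv4, /48 for IPv6) and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the common "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.57 - - [10/Feb/2020:10:01:02 +0000] "GET /products HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0"
203.0.113.99 - - [10/Feb/2020:10:01:09 +0000] "GET /old-offer HTTP/1.1" 404 312 "https://www.example.org/products" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2020:10:02:41 +0000] "GET /old-offer HTTP/1.1" 404 312 "-" "Mozilla/5.0"
2001:db8:1234:5678::9 - - [10/Feb/2020:10:03:15 +0000] "GET /products?id=4 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
not a log line
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def anonymise_ip(raw):
    """Keep only the network part of the address (assumed policy: /24 or /48)."""
    addr = ipaddress.ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def summarise(log_text):
    """Aggregate counts only; no full IP, query string or user agent is retained."""
    pages, dead_links, networks = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                            # skip malformed lines rather than guess
        try:
            networks.add(anonymise_ip(m["ip"]))
        except ValueError:
            continue                            # first field was not an IP address
        path = m["path"].split("?", 1)[0]       # query strings may carry identifiers
        if m["status"] == "404":
            dead_links[path] += 1
        else:
            pages[path] += 1
    return {"pages": dict(pages), "dead_links": dict(dead_links),
            "networks": sorted(networks)}
```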