Richard Dallaway

It's mostly technical stuff here. Mostly.

June 10, 2012

Updated Google Analytics Lift module for EU cookie law

Since I last wrote about this, the UK guidance for compliance (PDF) has been updated to note that "implied consent is a valid form of consent" for setting cookies. You may have noticed, as a consequence, web sites changing how they inform users about cookie policy.

Dave Evans from the Information Commissioner's Office, put it nicely when he says to review user cookie information to "make it more prominent, make it more user-friendly, make it mean something to [end users]" and that it's about "being clear and honest up-front about cookies":

That's part of compliance, and it's the responsibility of sites to ensure they understand the requirements and comply. All the details are over at http://www.ico.gov.uk/cookies.

What I've done is update the Google Analytics module for the Lift web framework to help with the control and communication part. It's not that the law is just about analytics, or even just restricted to cookies, but for us Google Analytics are the most problematic cookies that we use, so it seems sensible to place the code on that module.

What's changed

There are two changes. The first is the obvious one: you can now provide a function to control if the Google Analytics module will include tracking code on your site or not:

The only when part is because some of you may need to be showing code to compliance teams and would like something legible for civilians. You can just supply a ()=>Boolean to init if you prefer.

You have access to S so you can pretty much test for anything you like (cookies, requests, database values). The default is to always include analytics.

That small change should allow you to turn analytics on or off on a per-user or per-request basis, so you can go implement nice controls and notices, maybe using snippet and specific locations on your pages to show information.

However, the second change lets you fling some JavasScript around to notify users of your cookie policy without having to change your site. You may prefer not to use this and implement your notices some other way.

That's a horrible example. Let's try something better...

Example implementation

The BBC have done a lot of work, as explained on their Privacy and Cookies Internet blogpost, one part of which is to put a big banner on their site when you visit it:

Screen grab of BBC web site showing cookie info banner

They show this banner and set a couple of ckns_policy cookies. Once you click to another page on the site, the banner is gone. The Guardian does something that produces a similar effect, only involving a scary number of cookies.

Here's one way to achieve that approach with the module:

Effectively, it's giving you the ability to trigger a ()=>JsCmd function on some condition. In this case, we're adding a div a the top of the page using a bit of JQuery. That's maybe not for you, but it provides a single point to add this policy concern across your whole site.

Full details about the module can be found on the module's Github page. It's available now as a 1.0-SNAPSHOT version for Lift 2.5-SNAPSHOT. Your feedback is welcome.