The Cookie Directive

(Also referred to as the Revised E-Privacy Directive or Directive 2009/136/EC – this is a Directive issued by the EU which is due to be adopted by all EU Member States by 25 May 2011.)

QUICK SUMMARY:

  • The Cookie Directive requires users to give “consent” for cookies to be placed in their browsers.
  • It’s possible to take a very literal interpretation from this Directive that would require users to give explicit consent before any cookie can be placed in their browsers HOWEVER it’s also possible to interpret the Directive in a more practical, common-sense way.
  • The UK has already signalled its intent to implement the provisions of this Directive in a practical manner by allowing “consent to the use of cookies to be given via browser settings”.
  • We are hopeful that other Member States will take a similar common-sense approach to the interpretation of this Directive.

NOTE: We’re not attorneys/solicitors/lawyers/legal experts. We are the Team behind StatCounter and we have prepared this post in reponse to a number of queries we have received recently. This post is for informational purposes only. This post is not, nor is it intended to be, legal advice and should not be considered as such.

EU Directives

  • Directives are binding on EU Member States NOT on EU citizens. (The related national legislation is binding on EU citizens.)
  • A Directive should be passed into law by each Member State (by a specified date) at which point it becomes binding on the citizens of the relevant Member State.
  • Each Member State must interpret each Directive so it’s possible for different Member States to have differing laws all based on the same Directive.

This means that it’s the legal interpretation of the Directive in each Member State that is relevant rather than the actual Directive itself. The Cookie Directive is supposed to be transposed into national law by all EU Member States by 25 May 2011. It’s not clear how many Member States will comply with this deadline.

The Cookie Directive – what does it mean?
The new Cookie Directive goes further than current legislative provisions, stating that “consent” must be given for cookies to be stored/accessed on users’ computers.

If the Cookie Directive is interpreted literally, it appears that an internet user could be required to give consent each time a cookie is placed on that user’s computer (e.g. via some sort of pop up consent form that asks visitors if they agree to the installation of specific cookies).

There are numerous potential problems with this Directive including:

  • The internet as we know it could not function without cookies. David Naylor has created an interesting (and worrying) example of the possible consequences of this Directive here. Not a pleasant prospect…
  • The scope and applicability of the new legislation is not clear but presents many potential problems. Will the new legislation apply to all EU citizens? If so, how will the EU force non-EU websites to comply? If non-EU websites are not subject to these draconian provisions, then will EU websites suffer a reduction in traffic as a result? Or will EU businesses considering relocating in order to avoid the penal legislation?
  • As Member States may all adopt different legislative provisions in relation to this Directive, a single entity operating in several EU countries may have to provide different website consent and privacy options in every jurisdiction. This could present administrative and technical difficulties and cause particular hardship for smaller businesses.
  • By placing severe restrictions on relatively harmless cookies, this law may encourage the use of more invasive technologies.
  • All cookies appear to be covered by this Directive regardless of how much (or how little) information they hold.
  • No account is taken of the value of advertising funded content and services nor the consumer support for interest-based advertising.

Enforceability?
Reading the Directive, it appears to us that as each Member State adopts the relevant legislation, that interpretation of the legislation will apply to all citizens of that Member State. (We’re open to correction on this, so please feel free to comment below.) If that is the case, then theoretically every website in the world may have to apply a different set of regulations to their website for every set of visitors to their site from every Member State. In practice, it’s difficult to see US, Australian or Chinese sites tripping over themselves to comply with differing sets of EU legislation plus it’s not at all clear how an EU State could impose a sanction on such a website for non-compliance in any event. Will this lead to non-EU sites (without burdensome consent requirements) being favoured by EU citizens?

Alternatively, if the transposed legislation applies to EU websites – then what is the definition of such a site? As mentioned earlier, will EU businesses be encouraged to move their hosting out of the EU to avoid the penal legislation? And while we’re on the subject of definitions the lack of same in the Directive has resulted in huge uncertainty…for example no definition of “consent” is offered – but equally, this leaves the door open for Member States to adopt a flexible and common-sense approach to this seemingly archaic Directive.

Some commentators have also discussed the possibility that cookies necessary to the operation of a site may be excluded from the consent provisions… but again, no definition of “necessary” is provided. Perhaps unsurprisingly, we view our own StatCounter cookies which we use to track visitor activity as vital to allow us to maintain and improve our sites. (Our tracking cookies contain minimal information and are used to determine unique and returning visitors only.) We know many of our members share this view. Reflecting on this Directive, we feel that the restrictions on cookies may have been initially aimed at behavioural advertising only… but somewhere during the drafting process this important distinction became lost resulting in headaches for website owners and operators throughout the EU.

Solution to a Non-Existant Problem? Cookies
We’re just not sure why the EU has decided to target cookies in this Directive… Cookies are harmless text files which are placed in your browser to document your preferences, keep you logged into a site, store your shopping cart contents… Cookies are not viruses, cookies cannot scan your system or search your computer for private information.

Furthermore, control of the cookies in your browser is already in your hands – you can clear cookies at any time and you can opt to reject some/all cookies via your browser settings… which is why we are confused about the point of this new Directive. If you want to reject cookies – you can do so! (Learn how to adjust cookie settings for IE, Chrome, Firefox and Safari.)

It would appear that this Directive has been badly drafted and takes little or no account of how the internet actually works. To obtain prior consent for every cookie, would result in a severe diminution of the quality of the online user experience. Imagine… Every website in the EU would have to use a pop up form to obtain consent for evey cookie… Users would be obliged to deal with these pop ups multiple times every day… Web browsing would become frustrating and cumbersome… And, somewhat ironically, the very people who reject cookies would suffer the worst experience; websites wouldn’t function correctly; shopping carts wouldn’t work and, as they don’t allow any cookies to remember their preferences, they would be prompted to opt in/out on potentially every page of every site they visit! In the end, most people would probably opt in to all cookies simply to eliminate all the pop ups… thereby defeating the purpose of this Directive in the first place!

The new Directive seems to be making a misguided attempt to “protect” some web users (who may not be aware of their browser settings) at the expense of everyone else… in our view, the money spent on developing this Directive would have been better spent educating people about the options that already exist, rather than implementing a whole new set of regulations and placing unnecessary burdens on websites and online businesses.

Solution to a Non-Existant Problem? Behavioural Ads
Behavioural advertising has a bad reputation – but in short it simply means that if you view or purchase furniture, for example, on a website, that same website may advertise their furniture to you on another site. Cookies are used to remember your previous browsing history and show you related ads. After all, if you have viewed or purchased a product on a site, you may be inclined to purchase from them (again) in the future.

We feel that this Directive may have been originally intended to target behavioural advertising cookies (but was widened somehow to cover all cookies)… but even restricting behavioural ads in this nonsensical manner seems OTT. “Traditional” advertising involves analysing trends and behaviour to allow advertising space to be sold based on demographics and preferences… this Directive appears to be punishing online advertisers who are effectively doing the same thing!

Behavioural advertising online is very similar to store loyalty cards – loyalty cards are used to track your purchases, spending habits and shopping behaviour in a particular store, that information is then used to offer you discounts and offers relevant to your interests. Online behavioural advertising works in a parallel fashion.

PLUS – if you don’t like targeted ads online – then you can just opt out! Using your browser settings you can disable all cookies, reject certain cookies or you can use the NAI opt-out tool to opt out of over 70 behavioural advertising programs (but remember that to opt out, you must accept a cookie to remember your opt-out preference!).

Practical Approach
Despite the possibility of taking a very strict (& restrictive) view of the Directive, we understand that the UK has decided to take a practical approach.

For example, the consultation & implementation documents drawn up by the Department for Business Innovation and Skills state:

The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision [regarding cookies] is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web.

Further the DBIS goes on to explain its preferred option for obtaining consent:

“Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime.”

So – that appears to mean that if a user *allows* cookies via their browser, then that constitutes consent. The above would appear to be a reasonable approach and, in short… nothing will change!

So what will happen on May 25?
This is debatable. Until the Directive is passed into law it’s very difficult to anticipate the exact implications. In the future, guidelines on obtaining consent and information on enforcing the legislation will have to be released however, for now, it looks like the 25 May deadline will have no impact whatsoever. Further, if all Member States follow the example of the UK (as outlined above), then nothing will change at all!

We are hopeful that practical, common-sense and commercial realities will take precedence over an overly-zealous and misguided piece of legislation, particularly given the fact that the power to reject cookies is already in the hands of the people this Directive seems to be trying to “protect”.

We welcome your comments below.

Related links:
Europe’s ad industry issues response to cookies opt-in
E-Privacy Directive on Cookies
Why the EU Privacy Directive is not a real threat

Access to European Union Law

NEW: URL Filter

Have you ever spent time combing through the Popular Pages stats looking for one particular web page? Not any more….

With the new URL filter on Popular Pages you can search for any page or subset of pages on your site quickly and easily.

  • Simply enter your URL (or partial URL) in the filter box.

  • Click “Update” and that’s it!

NOTE: This feature is available in the “New StatCounter“. Try it now and send us your feedback!

StatCounter Beta Design – what’s new?

Folks,

We recently announced the public launch of the new StatCounter site which is currently undergoing beta testing.

Sincere thanks to everyone who has submitted feedback so far!

To assist with beta testing, we’d like to point out some of the new features which you may find useful…

(1) Visits/Pageloads Option

Easily switch between viewing pageloads and visits on the Projects page.

(2) Switch Projects

Quickly flip between projects when viewing your stats – just click the drop-down arrow beside your project name.

(3) Hourly Stats

Watch the hour-by-hour evolution of your stats.

(4) Date Range Selector

Available for all stats – just click “narrow range”. Choose your preferred date range and check the stats only for that period. Hourly, daily, weekly, monthly, quarterly and annual options.

You can also compare different periods if you wish – just click “Add Comparison Period

(5) Keyword Analysis – Options

As for all stats, switch between projects when viewing Keyword Analysis.

Or change the time period being examined by clicking “narrow range”.

Or download a file of all your keywords.

(6) Wrap URLS

Check/uncheck the box to truncate and expand very long URLs.

(7) Search Engines

View the families of Search Engines sending traffic to your site.

Click on a Search Engine family to see a breakdown of the regional search engines sending traffic your way. E.g. Google breaks down to google.com, google.co.uk, google.ca etc

(8) Browsers

View the families of Browsers being used by the visitors to your site.

Click on a Browser family to see a breakdown of the different browser versions. E.g. Firefox breaks down to versions 4.0, 3.6, 3.5 etc

(9) Simplified Reinstall Process

Need to reinstall your StatCounter code? No problem! Simply go to “Config” then “Reinstall Code” – we’ve even created a nifty tool which will confirm if the installation has been successful – just click the button “Check Installation“.

FEEDBACK!
Please keep all your feedback coming! The single best way to comment on the new site design is via the feedback button at http://beta.statcounter.com.

If you DON’T like something in the new design, then please DO tell us!

We can only improve with the help of your constructive criticism – so don’t give up on us! Please stick with us and let us know your thoughts as the design evolves in response to your comments and suggestions.


PS: As usual at this time of year, StatCounter has made charitable donations instead of sending cards.

Merry Christmas, Happy Holidays and all the very best to you all for 2011.

To Paypal or NOT to Paypal…

Quite unbelievably, despite reporting a problem to Paypal on 26 August, we have STILL not received confirmation that this problem has been resolved. Here’s the background…

    On 26 August we identified a serious problem with Paypal.

    StatCounter members who had upgraded in the previous few days had NOT been appropriately upgraded as the Paypal system stopped sending out subscription payment notifications. In fact new subscriptions were no longer created at all and payments received were not linked to StatCounter accounts.

    In short, we were receiving hundreds of Paypal payments which we couldn’t link to any StatCounter account. As you can imagine, this caused serious difficulties for us.

    We reported the problem to Paypal with as much supporting evidence as possible to assist them in quickly identifying the problem… but, as we have come to expect, the first response from Paypal completely ignored the information we supplied and denied the problem.

    It’s now 5 WEEKS since we reported this issue to Paypal and we have STILL not received confirmation that this problem has been resolved. We feel we have been more than patient at this stage and remain astounded that any company can treat its customers with such disregard.

While we understand that ALL services can have problems from time to time we find Paypal’s habit of ignoring its customers to be abhorrent. We are particularly upset that Paypal’s poor behaviour can and does impact on you, our members, and also unfairly reflects on us.


Our Position
As a result of this Paypal problem, we had to manually examine hundreds of payments, attempt to link these to StatCounter accounts and where this wasn’t possible we had to contact the payees individually to request their StatCounter usernames. As you can imagine, this had a high cost for us in terms of time and resources. Further, although these problems were caused by Paypal, StatCounter has absorbed all the costs of this problem. We also felt it was only right for us to offer all affected members a free upgrade for one month to make amends for the problems. Paypal, of course, offered us (their customer) absolutely nothing by way of assistance for the trouble they caused us.

Unfortunately, we have been here before… At that time, we decided NOT to remove Paypal as a payment option for new subscribers. This was because we highly value each of our members and, despite OUR poor opinion of Paypal, we have to cater to what YOU, our members want. However, we are now again considering our position in relation to Paypal…

Your Feedback Please
Due to the problems outlined above, Paypal has been suspended as a payment option (for NEW subscriptions) on StatCounter since 26 August and remains so. We can’t possibly reactivate it until such time as Paypal confirms that the problems introduced in August have been fixed… but we have no idea when that will be. In the meantime, we’d like to ask you, our members, for your thoughts on this.

Both problems we have had with PayPal have been with their subscription payments. During this problem and the last one, regular Paypal manual payments appeared to be functioning normally. On this basis, we are wondering if we should STOP accepting PayPal subscriptions and accept only manual payments instead? Manual payments *would* require our upgraded customers to log in to Paypal every time a payment falls due… so perhaps we will have to restrict Paypal upgrades to quarterly or yearly – logging in every month to pay could be a bit too time consuming! We’re not sure about this idea, so do let us know your thoughts!

We’d also love to know what alternative payment options we can introduce to cater for your payment preferences.

Here are our initial thoughts…

  • We need to accept Discover cards – if you can recommend an acquirer for a European company, please let us know
  • We need to accept AMEX for USD payments – currently we can only accept AMEX directly for EUR payments
  • We need to accept echecks – please let us know if you can recommend any echeck processors

Note that we already accept VISA, Mastercard, AMEX (for EUR payments), wire/bank transfer, EUR/USD checks/cheques.

Please post below with any other card or payment method you think we should accept and feel free to share any comments or suggestions you may have. Thanks folks.

UPDATE: Please note that existing, active Paypal subscriptions are not affected by the suspension of Paypal on StatCounter – this affects NEW subscriptions only.

StatCounter: Blocking Your Own Visits

If you spend a lot of time browsing/checking/editing your own site, it’s a good idea to block your visits from being counted by StatCounter… Otherwise, your personal visits can skew your stats. At StatCounter we offer two different blocking methods.

  1. IP Blocking
    This method is suitable if you have a static (unchanging) IP address (e.g. 12.345.67.89) OR if your IP always falls within a particular range (e.g. 12.345.*.*). Hits from any blocked IP address or IP range will not be included in your StatCounter stats.

  2. Blocking Cookie
    If you have a dynamic (constantly and completely changing) IP then use the Blocking Cookie method. Note that for this method you *must* enable cookies in your browser and ensure that cookies are not regularly destroyed by either your browser or your antivirus software. A blocking cookie must be set up for each separate browser you use. Hits from any browser which contains a blocking cookie will not be included in your StatCounter stats.

More about IP Blocking
Please note that this method will *only* be effective if you have a static (unchanging) IP or if your IP remains within a set range. If your IP is dynamic and changes completely and constantly then IP blocking is not suitable. Instead you should consider using the blocking cookie method.

You can confirm your IP address via many different websites like this one, that one or another one and then block your IP using these steps:

    1. Login to StatCounter.

    2. Click the small “wrench” or “spanner” icon to the right of any project name. (You will later have an option to apply the IP block to all projects)

    3. Click the “Edit Settings” link.

    4. Go to the section named “IP Blocking”. Enter your IP address/IP range##.

    5. Check the box in the section called “Update IP Blocking in All Projects?” if you want to block the visits in all of your projects.

    6. Click the “Edit Project” button.

The IP should now be added to the blocking list.

##If your IP address is in a range, for example, 12.345.00.00 to 12.345.99.99 please use the following format, 12.345.*.* – using the asterisk wildcard characters like this allows you to block the full range of IP addresses which could be allocated to you.

IP Blocking – Your Questions Answered

  • How do I find out my IP address?
  • You can confirm your IP address via many different websites like this one, that one or another one.

  • How do I know if I have a static (unchanging) IP?
  • Generally, you will *only* have a static IP if you have requested one from your ISP (internet service provider) and in many cases an additional fee will be charged. If you have *not* requested a static IP then it’s unlikely that you have one. You can confirm this by communication with your ISP directly. OR you can try to check yourself via a “trial and error” method. Check your IP using one of the websites mentioned above. Reset your internet connection and check your IP again. Repeat this a few times and note your IP on each occasion. It should quickly become clear if you have a static IP or if your IP is in a static range or indeed if you have a dynamic IP.

  • I’ve blocked my IP but my hits are still counted by StatCounter – what’s wrong?
  • The most likely problem is that your IP address has changed from the IP that you blocked. Check the IP address/range that you have blocked in StatCounter. Next check your current IP using one of the sites listed above. You will probably find that your current IP is not blocked by StatCounter. To solve the problem, add your new IP address/range for blocking purposes. If you’re still having trouble – then talk to us.

More about the Blocking Cookie
The Blocking Cookie will *only* be effective so long as the cookie (small text file) remains in your browser. If your browser/antivirus software is set to remove/destroy cookies, then this method will not work for you. In order to effectively use the Blocking Cookie, you must set your browser/antivirus to allow/retain cookies.

Here’s how to set up a Blocking Cookie:

    1. Login to StatCounter.

    2. On the “My Projects” page click the “Blocking Cookie” link.

    3. Click the “Creating Blocking Cookie For All Projects” button.

    4. The page will reload and the button will change to “Destroy Blocking Cookie For All Projects”. This indicates that the blocking cookie has been successfully installed.

Blocking Cookie – Your Questions Answered

  • I’ve set up a Blocking Cookie but my visits are still counted by StatCounter – what’s wrong?
  • The Blocking Cookie can *only* block your visits while it is stored in your browser. If your browser is set to disallow or remove cookies, then this means that the Blocking Cookie will not be retained in your browser and therefore cannot block your hits. To effectively use the Blocking Cookie you *must* ensure that your browser is set to allow (and retain) cookies. You should also confirm that your antivirus software is not destroying your cookies.

  • How do I enable cookies in my browser?
  • The method to enable cookies will vary from browser to browser – here are instructions for a selection of common browsers:

      Internet Explorer 7 or 8:
      1. Click Start > Control Panel. (Note: with Windows XP Classic View, click the Windows Start button > Settings > Control Panel).
      2. Double-click the Internet Options icon.
      3. Click the Privacy tab.
      4. Click the Advanced button.
      5. Select the option ‘Override automatic cookie handling’ under the Cookies section in the Advanced Privacy Settings window.
      6. Select the ‘Accept’ or ‘Prompt’ option under ‘First-party Cookies.’
      7. Select the ‘Accept’ or ‘Prompt’ option under ‘Third-party Cookies.’ (Note: if you select the ‘Prompt’ option, you’ll be prompted to click OK every time a website attempts to send you a cookie.)
      8. In the Internet Options window, click OK to exit.

      Internet Explorer 6:
      1. Click Start > Control Panel. (Note: with Windows XP Classic View, click the Windows Start button > Settings > Control Panel).
      2. Click the Advanced button.
      3. Select the option ‘Override Automatic Cookie Handling.’
      4. Select the ‘Accept’ or ‘Prompt’ option under ‘First-party Cookies.’
      5. Select the ‘Accept’ or ‘Prompt’ option under ‘Third-party Cookies.’ (Note: if you select the ‘Prompt’ option, you’ll be prompted to click OK every time a website attempts to send you a cookie.)
      6. In the Internet Options window, click OK to exit.

      Mozilla Firefox 3.x (PC):
      1. Click Tools > Options.
      2. Click Privacy in the top panel.
      3. Set ‘Firefox will’: to Use custom settings for history.
      4. Check the box next to Accept cookies from sites to enable cookies.
      5. Click OK.

      Mozilla Firefox 2.x (PC):
      1. Click Tools > Options.
      2. Click Privacy in the top panel.
      3. Select the checkbox labeled ‘Accept cookies from sites.’
      4. Click OK.

      Mozilla Firefox (Mac):
      1. Go to the Firefox drop-down menu.
      2. Select Preferences.
      3. Click Privacy.
      4. Set ‘Firefox will’: to Use custom settings for history.
      5. Check the box next to Accept cookies from sites to enable cookies.
      6. Click OK.

      Chrome (PC):
      1. Click the Tools menu.
      2. Select Options.
      3. Click the Under the Hood tab.
      4. Click Content settings in the ‘Privacy’ section.
      5. Make sure Allow local data to be set is selected to allow both first-party and third-party cookies.

      Chrome (Mac):
      1. Select Chrome > Preferences on the menu bar.
      2. Click the Under the Hood tab.
      3. Click Content settings in the ‘Privacy’ section.
      4. Make sure Allow local data to be set is selected to allow both first-party and third-party cookies.

      Safari:
      1. Go to the Safari drop-down menu.
      2. Select Preferences.
      3. Click Security in the top panel.
      4. Under ‘Accept Cookies’ select the option ‘Always’.

If you have any questions about IP Blocking or the Blocking Cookie, please post them below. We’d also welcome any feedback, comments or suggestions… and if you spot any errors in our post (bar the footnote below!) then please do let us know.

FOOTNOTE: Before anyone decides to comment on our example IP address 12.345.67.89 – please note that it’s an ILLUSTRATIVE EXAMPLE ONLY! It’s not *supposed* to be a real IP address, ok? It’s just a “made up” IP for which we used the digits 1,2,3,4,5,6,7,8,9 in that order regardless of whether that sequence of numbers is technically possible or not.