Cookies Policy for Google Analytics

Should you care about the EU's cookies directive if your site uses Google Analytics?

Most websites have a tracking solution used to collect information about visitors to the site. These tracking solutions influence the decisions which increase web traffic.

Google Analytics is a popular tracking solution used by popular websites like Twitter, Washington Post, New York Times, and Mashable. This software is not only powerful, it's also free.

This service provides you with comprehensive statistics about how users interact with your application or website including the geographical location of visitors, average time on site, traffic, and other important metrics. Google Analytics also has marketing tools like remarketing advertising capabilities.

Cookies are used by Google Analytics to provide these services. It's the only way Google can gather information, identify unique users, identify special sessions, and store information.

Most Google analytics accounts have an opt-out setting active to which Google allows to track website metrics.

What is ga.js?

ga.js is a Google Analytics tracking code. This code is able to track events and its size allows for faster downloads. Cookies are browser detailed for ga.js. A user working on Safari on their work PC will have different cookies stored than when using Safari on their home computer.

Cookies Set by Google Analytics

Google Analytics uses different cookies to note down information. A built-in GA code determines when the cookies expire.

These cookies accumulate a domain hash that links them to one site.

Here's a look at examples of Google Analytics use of cookie.

-utmz

This cookie contains all the information on the source of traffic for the current visit, the cookie doesn't change if no traffic source information is found for the current visit. This cookie doesn't contain historical information for previous sources. It's the way Google Analytics attributes visit information, such as transactions and conversions to a traffic source. Being a persistent cookie means it expires in 6 months. The only way to refresh it is to change the traffic source.

-utmv

-utmv is a user-defined variable cookies. A developer can separate visitors by specific variables through a native JavaScript method.The new variable is stored in an insistent cookie which expires after two years.

-utma

Utma is the main way through which Google Analytics tracks unique visitors. The cookie stores the date, time of the first visit, and a visitor's ID. Also, this cookie stores information on the number of visits they've made. The -utma cookie can last for up to 2 years. However, you can customize the expiration time in the tracking code.

-utmb

-utmb is a type of cookie that tells Google Analytics whether a visit has timed out and also how far the visit went. It also stores information of the start time of the visitor's current visit as well as the number of page views in the current visit. This persistent cookie expires in less than an hour. But, each page visit refreshes it.

-utmc

This is the only session cookie used by Google Analytics. The -utmc cookie registers that the visit ended once the user closed the browser.

What is a Cookies Policy?

A Cookies Policy is a legal requirement under the EU Cookies Directive.

The policy lets users know that your website uses cookies, why you use them, how the users can change their preferences, and if there are any third-parties who have access to the user's data.

The directive is meant for any website or app directed towards European Union citizens or a website that is owned by a business in the European Union.

Under this directive, it's required to:

  • Provide an opt-out method
  • Obtain consent before cookies can be used
  • Inform your users of your use of cookies and how they are used

Google Analytics keep track of data used by storing cookies on a user's PC. This makes it necessary to have a Privacy Policy that abides by the EU Cookies Directive.

Note how the Google Analytics Terms of Service indicate that you must post a Privacy Policy and that the policy must state that your website uses cookies.

You also need to comply with all applicable laws and regulations relating to the collection of information from visitors.

One of these laws is the EU Cookies directive also known as the Cookie Law.

Google Analytics Terms of Service Privacy clause excerpt

How to Create a Cookies Policy for Google Analytics

There are two main ways of creating a Cookie Policy.

You can choose to have a separate Cookie Policy from your existing Privacy Policy or you can include a cookie clause in your Privacy Policy.

Separate Cookie Policy

Having a separate Cookie Policy allows you to provide detailed information without overwhelming your visitors with a long Privacy Policy.

Spotify has a separate Privacy and Cookie Policy. The links at the footer let the user easily notice them. This not only provides user satisfaction, it also helps with compliance with the cookie law.

Screenshot of Spotify website footer

Vimeo places separate links to its Cookies and Privacy Policy. Clicking on their Privacy Policy takes you to their Cookies Policy link for further information on the way they use cookies and the type of cookies used.

Screenshot of Vimeo website footer

LinkedIn also has a separate Privacy and Cookie Policy. Both sections have ample information and provide a user with enough information on the collected data and what it's used for.

LinkedIn policy menu with Privacy Policy highlighted

Privacy Policy with a Cookie Policy Clause

You can choose to have your Cookie Policy clause in your Privacy Policy instead of listing it separately. The users can get all the information in one place instead of clicking on separate links.

Here are some examples of sites with a Privacy Policy which includes a Cookies Policy clause.

GoFundMe has an extensive Privacy Policy that also includes a paragraph on their use of cookies and other electronic technologies.

GoFundMe Privacy Policy: Cookies and Other Electronic Technologies clause excerpt

How Do You Obtain Consent For Using Cookies?

You need to alert a user about your use of cookies when he/she first visits your website.

The best way to get consent is to include a banner or a pop-up message on your webpage.

Your cookie notification needs to inform users that you use cookies, what constitutes consent for cookies, and also provide a link to your Cookie Policy.

You need to write in language that is easy to understand and place it somewhere that one can notice on the website. You can use two methods to get consent:

  • Explicit or Affirmative Action Consent
  • Implied or Further Browsing Consent

With an affirmative action consent, you can place a clickable button or a checkbox in the notice.

The user needs to click on it to consent. You can get implied consent by placing a banner ad that makes it known to the user that continuing to browse grants you the consent.

Capital One provides a banner notification that lets the users know that they use cookies. They also have a link to their Cookie Policy.

Capital One cookie banner notification

Zoopla's notification is similar.

Zoopla cookie notification

NVidia has a footer notification that alerts the users of their use of cookies.

NVidia cookie notification

Note how they place a link to their Cookies Policy in case a user wants to learn more about why they use cookies and the use of the information collected.

Examples of Websites that are Using Google Analytics

You need to include information about Google Analytics cookies in your Cookie or Privacy Policy. This lets users know that you're using analytics to gain insights and provide them with a better browsing experience.

Here are a couple of websites that are using Google Analytics:

The AutoTrader website lists Google Analytics as one of the cookies they use on their website. Also, they provide information on how a user can opt-out of being tracked with Google Analytics

Auto Trader UK Cookie Policy: Google Analytics clause

Acer's Cookie Policy provides a detailed brief on why they use Google Analytics and what type of information they collect. They also have a link that a user can click on to read more on the Privacy Policy of the service.

Note at the end, they admit to configuring Google Analytics to avoid a user's identification when browsing their website.

Acer Cookie Policy: Performance cookies clause

Shell provides a chart under their Cookie Policy to highlight the different types of cookies used. Google Analytics is one of the cookies listed.

Their sole reason of using these analytics cookies is to improve the user experience. They also have a link in which a user can opt-out.

Shell Cookie Policy: Google Analytics section

COTY lets the users know that they use Google Analytics to find out what products and web pages their users prefer.

They also have an opt-out link with instructions on how they can change their settings to avoid being tracked by Google Analytics cookies.

COTY Cookie Policy: Targeting Advertising clause

The Telegraph's Cookie Policy explains that they use GA cookies to serve advertisements that might be of importance to the user on their website as well as others.

Telegraph Privacy and Cookie Policy: Third party advertising sections

The Plexiart site has a conspicuous Google Analytics paragraph that states its main intention of using these cookies.

Plexiart also do not use cookies from Google to collect or track a user's personal identifiable information.

Plexiart Cookies EU Law Policy: Google Analytics clause

If you use Google Analytics, you'll need to at minimum include a Cookies clause in your Privacy Policy that lets users know you use Google Analytics cookies. Be as detailed as possible, and consider creating a fully separate Cookie Policy.

This website uses cookies, and also collects some information using Google Analytics. By continuing to use this website, you agree to our Privacy Policy, Terms of Use, and Disclaimer.