PECR is a UK law which sits alongside GDPR (the EU’s rules about how personal data is gathered/held). [Very basically] both say that you have to have consent or a VERY GOOD reason for gathering and holding data about a person, or data that can be used to track someone.
In their new cookie guidance, the ICO says “your users must take a clear and positive action to consent to non-essential cookies” and that now includes cookies used for things like analytics and stats (like the ones used by Google Analytics). [The new guidelines cover ALL kinds of cookies, but in this post I’m only talking about analytics cookies as they are the ones which are mostly affected for my clients…]
Many of my clients use Google Analytics – so things will need to change/be updated on their sites to make them PECR compliant!
So below is the info I’ve sent to my clients about this (although edited a bit to make it web friendly!).
After the email contents, I’ll explain some more about PECR/GDPR compliant ways of getting website Analytics and visitor numbers, etc.
What was in my Email…
Hi,
This email is long and might seem complicated but it’s really not too bad…
At the moment, you use Google Analytics to get stats (the number of visitors, etc.) on [your] site.
Moving forward, using Google Analytics for stats will become more tricky. The ICO (Information Commissioner’s Office – the bit of the UK govt that deals with online privacy, etc.) has recently changed their cookie guidance for analytics/stats related cookies.
It now says that ANY cookies that aren’t vital to the functioning of the site, including anonymised analytics/stats cookies, will need permission to be set. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/
(In the past as long as you had a good Privacy/Cookie Policy on your site, explaining what cookies you used; and where possible any analytics/stats cookies were ‘anonymised’ (so individual IP addresses weren’t tracked), then it was ok to use analytics cookies like that.)
This means that to continue using Google Analytics (or cookie based analytics/stats) your site will need to have a pop-up where people have to click to allow analytics/stats cookies BEFORE any stats will be taken! It would look like the one on the ICO’s site on the link above.
Now I hate all those types of banners and I’m sure you do too! So with my clients, I’m working on getting non-cookie-based and privacy/GDPR/PECR friendly analytics/stats on to sites.
For my Clients who use WordPress:
For your site, I think the best option will be to use an analytics/stats plugin on the site itself. This would give you most of the information which Google Analytics can; certainly information about the number of visits and more popular pages, etc. (And no cookie is used as it gets data directly from the hosting server and that counts as ‘vital’. And ad-blockers generally don’t affect the results either.)
If you’d like just ‘simple’ stats like the basic number of visits, top pages and where people came from, there are simple plugins like Statify or Koko Analytics that can do this (I now use Koko Analytics – you do have to turn a cookie off in its settings but it works very nicely).
If you’d like more detailed information, then a more complex plugin [WP Statistics] can be used on the site…
With plugin stats, it’s a good idea to keep a max of 6 months worth of stats (3 months is better) because they are stored in the database on the site and having too much information in there can slow things down…
For my Clients with ‘static’ sites (but could also apply to WordPress sites…):
For your site, I think the best option will be to use some analytics/stats produced by the hosting server. As part of your hosting package, the server generates stats using a service called AWStats. It’s not as ‘pretty’ as Google Analytics but for ‘simple’ stats like the basic number of visits, top pages and where people came from, it can do the job nicely.
However, all that cookie talk won’t affect the ‘Google Search Console’ (another Google service which helps Google know about your site) as that information comes direct from Google search information. And it might be that the information for that is really more useful than the site stats…
And to make sure that Google will index the site correctly, I also really need access to your ‘Google Search Console’ account. I think this is on a Google account you control.
You can add me as a ‘verified owner’ on your Google Search Console, so I can check things/make any changes without having you log into your account. How to do so is explained here: https://support.google.com/webmasters/answer/7687615?hl=en My Google account email to add is [retracted for privacy!!!!!].
I hope that all makes sense – any questions please ask. If you’d like me to go ahead and take off Google Analytics and add in the stats plugin/show you how to use AWStats, I can do that. I’ll also update your privacy policy to make sure it’s also correct with the new situation.
Phew…
I hope your brain doesn’t hurt after all that!
Best wishes,
James
PECR/GDPR Compliant Analytics…
Below are some different options for analytics/stats. I know I’m not covering everything, I’m giving you an idea of some of the options out there!
So, to confirm what I’m using for (most of) my clients:
For WordPress Sites…
These are the plugins I’m using/suggesting:
For ‘simple’ analytics there’s Statify – https://wordpress.org/plugins/statify/ and Koko Analytics – https://wordpress.org/plugins/koko-analytics/
For more detailed analytics there’s WP Statistics – https://wordpress.org/plugins/wp-statistics/
(There are other WordPress Analytics Plugins, but for my clients’ needs, these ones work the best!)
For ANY Sites…
Analytics/stats tools that come with hosting packages.
Pretty much any hosting company that uses cPanel (the most common control panel used on web hosting) comes with AWStats – https://awstats.sourceforge.io already installed (in fact it’s probably already getting analytics/stats for you and you don’t even know!).
Another common ‘included’ option on hosting is Webalizer – http://www.webalizer.org. I’m not a fan of Webalizer as it’s really not pretty to use and can be somewhat confusing to read as well!
Some hosting companies don’t use cPanel and they might well have some form of their own analytics/stats tools available – I suggest you ask your web host!
‘Replacements’ for Google Analytics.
Below are some ‘replacements’ for Google Analytics (i.e. scripts that you add to your site and then you get visitor stats) which I’m aware of (but haven’t used). And again, I’m sure there are more out there – if there’s a good one that I’m missing, please leave a comment!
Fathom is an analytics tool that comes in two versions. A free/open source version which you can host yourself on your hosting server or their ‘Pro’ version, where they host it all. The Pro version costs from $14 a month (or $140 a year). The Pro version is PECR compliant, but at the moment the free/open source version isn’t (but they hope it will be by the end of 2019!).
Matomo is a free/open source analytics program which you can install on your web host to collect site stats (it can often be installed via ‘one click’ services on many hosts). There are some steps you have to take to make Matomo GDPR compliant and, as out of the box Matomo uses cookies, it’s also a good idea to turn off cookies within Matomo to make it PECR compliant as well.
But what if I still want/need to use Google Analytics..?
That’s a good question – and it applies to a couple of my clients as well! As we saw above, the ICO says “your users must take a clear and positive action to consent to non-essential cookies”; so that’s what needs to be done!
The solution used on the ICO’s own site (as that site uses Google Analytics!) is called ‘Cookie Control’ – https://www.civicuk.com/cookie-control. It’s a script which helps to control(!) what other code (which sets the cookies) is loaded and when (i.e. when you’ve got consent from someone). If you’re a WordPress user, there’s also a plugin to help install it.
Another plugin which can do a similar thing is Complianz and I’ve used this for a couple of clients.
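To show what ‘controlling what code is loaded and when’ looks like in practice, here is a small added example (it is not Cookie Control’s or Complianz’s code, and the class, method and storage key names are made up for illustration). Code that sets non-essential cookies is registered with the gate and only runs after the visitor has opted in; no recorded choice, or an unreadable one, counts as no consent.

```javascript
// Hypothetical consent gate: names and the storage key are illustrative only.
class ConsentGate {
  constructor(storage, key = "cookie-consent") {
    this.storage = storage;      // e.g. window.localStorage in a browser
    this.key = key;
    this.pending = new Map();    // category -> loaders waiting for opt-in
    this.choices = this.readChoices();
  }
  readChoices() {
    try {
      const saved = JSON.parse(this.storage.getItem(this.key) || "{}");
      return saved && typeof saved === "object" ? saved : {};
    } catch (err) {
      return {};                 // unreadable record counts as no consent
    }
  }
  // True until the visitor has made an explicit yes/no choice.
  needsPrompt(category) {
    return typeof this.choices[category] !== "boolean";
  }

  // Register code that sets non-essential cookies. It runs at once only if
  // opt-in is already on record; otherwise it waits.
  register(category, loader) {
    if (this.choices[category] === true) return loader();
    const queue = this.pending.get(category) || [];
    queue.push(loader);
    this.pending.set(category, queue);
  }

  // Call from the banner's Accept/Reject buttons.
  setConsent(category, granted) {
    this.choices[category] = granted === true;
    this.storage.setItem(this.key, JSON.stringify(this.choices));
    if (!this.choices[category]) return;
    const queue = this.pending.get(category) || [];
    this.pending.delete(category);
    queue.forEach((loader) => loader());
  }
}

// Constructed in-memory storage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}
```

On a real page the registered loader would be the function that adds the analytics script tag, and the banner would be shown whenever `needsPrompt("analytics")` is true.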
Another option for Google Analytics is the Minimal Analytics plugin. This loads the ‘bare minimum’ of code for Google Analytics and there’s no cookie involved! But other ‘tracking’ things might still be in place…
So that’s a round up of the new UK cookie advice and what you might need to do about it! Please leave a comment if you’ve got questions or can suggest some other good analytics solutions which are GDPR/PECR/privacy friendly…