With the arrival of the new EU Cookie Law, Google Analytics will be targeted as an ‘undesirable’ use of cookies without user consent. This means that websites using Google Analytics will have to display a popup window to arriving visitors, letting them know that the website uses cookies and asking if they consent to their use.

If ever there was a law created for the internet by people who have no idea how the internet works, this is it. Even the ICO website (the lawmakers) took months to comply with its own regulation, and there is still a huge amount of ambiguity about the best implementation of these consent windows.

A few things do seem to be clear:

• Google Analytics is not exempt from the EU Cooke law
• Cookies that track items in a shopping cart through to check are exempt from the EU Cookie Law
• Implied consent is not acceptable in the form of a simple privacy page explaining what cookies are used
• Most people will probably ignore the law and wait to see what happens. This is because online businesses are not going to add any interruptive messaging to their sites until the last possible moment, and perhaps not before they've seen what their rivals are doing about it. 

There was a cookie law event this week hosted by the Department of Culture, Media and Sport.  The DCMS being the government department responsible for this particular law.

It was largely designed as a Q&A session for site owners, but there were also keynote addresses by the minister Ed Vaizey MP and the Information Commissioner himself, Christopher Graham.

The latter being the man responsible for enforcing the cookie law from May 26, there were lots of people there eager to hear him talk, and what he had to say is very much worth reporting on.

First off there was some good news.  Both the Commissioner and Ed Vaizey were keen to point out that they were not interested in bringing the UK's vibrant web economy to a grinding halt.  The ICO intends to take a balanced approach to enforcement, weighing up the interests of individual privacy with the needs of businesses to continue to profit from the web.

Considering that the UK has the largest proportion of GDP attributed to the digital economy of any G20 country - this was great to hear.

Chris also re-iterated a point made in the guidelines published back in November about web analytics.  Although analytics are not exempt from the need to gain consent, they are low down on the priority list when it comes to enforcement.

Which we take to mean that if you are gaining consent for your more intrusive activity, and telling people about your analytics activity, then it will probably be OK to keep collecting information about what pages your visitors are looking at - at least for the short term.

There was also a lot of discussion about the meaning and compliance status of 'implied consent', especially in light of the recent high profile change to the bt.com website which relies very much on this approach.

On this issue we mostly heard a reinforcement of the message from November - that it might be OK if done well.  However we also got a promise of further clarification on its 'acceptability' as a compliance strategy in May.

I think most people would have liked that clarification to come earlier but we shall just have to wait and see on that front.  What was very interesting was that there was no comment forthcoming about what BT had done, yet.

Alongside all of this however, there were also some clear words of warning.  The Commissioner talked about being in the '11th hour' of the grace period, and made it very clear that those site owners that continue to adopt a 'wait and see what happens' policy, are running a much higher risk of enforcement than anyone else.

There was also an indication of a hardening of the approach the ICO will take on one aspect of enforcement.  We had much stronger indications of a 'proactive' enforcement of the law, rather than the more purely 'reactive' message that had been given out before.

The ICO is not going to sit around merely responding to complaints from the public, but will take action on their own initiative when they see sites doing nothing to comply.  Of course they won't be chasing everybody but they will certainly be looking at high profile, high traffic sites that appear to be doing nothing.

It is thought that this change in emphasis has come from a certain frustration that there has not been enough visible activity from websites in the last year to become compliant.  It was again made clear however that actions taken will be proportionate, and the important thing is not to worry about perfect compliance on day one - but to start moving towards compliance now.

The main message is clear.  Come May 26th, if you are the lowest hanging fruit on the tree, you will be an easy target.  The time for doing nothing about this law is at an end.

The cookies named __utma through __utmz come from websites that use Google Analytics, which primarily uses it to track visits.

The cookie names likely come from the earlier versions called the Urchin Tracking Module, and are also also by the newer ga.js.

Some details:

• __utmz stores where a visitor came from (search engine, search keyword, link)

• __utma stores each user's amount of visits, and the time of the first visit, the previous visit, and the current visit (presumably partly for double checking of this information).

• __utmb and __utmc are used to check approximately how long you stay on a site: when a visit starts, and approximately ends (c expires quickly).

Also:

• __utmv is used for user-custom variables in Analytics

• __utmk - digest hashes of utm values (verify)

• __utmx is used by Website Optimizer, when it is being used(verify)