How many sites have Google Analytics or something similar? I would argue that analytics are as essential to the operation of an online business as shopping carts. Allowing a large portion of your website users to opt out of analytics effectively cripples you compared to competitors based out of countries without these restrictions.

Fair enough! But let's separate between session-specific analytics, and lifetime analytics. As a person concerned about privacy, I don't care much about "your" analytics about click-through and how long I stay on your site and what I click and what not, this is session specific, and helps you with your business. However, this should be possible with "one-day" cookies. You don't need to know that I was on your site a week ago, and that I happen to leave your site with a full cart for some reason, or that the last banner with food did not work on me, so this time you'll try the car-banners.

So you think that MixPanel, KissMetrics, Google Analytics and all the other advanced analytic services provide no essential value to both the site owner and the public?

A/B tests last more than a session (if you return to the site 30 minutes later after doing some research, you want to see the same site, right?). Cohort analysis requires tracking how people use your website for months or years to see the effect of changes on long-term activity and customer retention. Simply tracking the effectiveness of your own advertising efforts (how many and which campaigns contributed to this sale? what's the lifetime value of a customer from this source?) requires multi-session tracking. Many purchases happen days or weeks after someone initially clicked an ad leading to your site.

Now it's possible to do some of that kind of analysis without cookies, but it requires you building and running all the tracking and reporting on your own server. To expect even a tiny fraction of the site owners that can currently plug into KissMetrics/MixPanel/Google Analytics/Optimizely/etc. to build out the same capabilities in house is absurd.

None of this has to do with serving customized ads to you, yet you are arguing that companies in the UK should not be able to do any of that, and they won't be at a disadvantage compared to the rest of the world?

Sure, this would be a huge disadvantage. But that is no reason not to have a discussion about it. The HN community relys heavily on analytical services, and there is a bias against privacy advocates or anything that would bring change to how the web functions right now. The www does evolve, and some decisions from the past may have to be reverted.

Would such a change be difficult? Would it shift the burdon of analytics? Sure!

But be open minded: The real world is full of analytics, but for most of them you have to opt-in. When I go into a bank, I don't want the bank to know that I was rejected 10 times that same day somewhere else. I want a fair chance on my loan. I don't want my girlfriend to know that I browsed a webstore for some medication a week ago. Analytics provider could know all that. And they can reassure that they will not use that information, but the point here is to prevent the accumulation of it in the first place.

What would happen if someone would hack an analytics provider, and put all this stuff online? Type in an IP address, and I give you all I know about that IP adress. Nobody is doing it, because the data is anonymous, so it's hard to cash it in. But it certainly would destroy some lifes or marriages.

I believe the problem the legislator is trying to solve here it to prevent the crossreference that analytics- and ad-provider facilitate across different web-pages. And I believe this is a honorable goal.

> When I go into a bank, I don't want the bank to know that I was rejected 10 times that same day somewhere else.

the bank does know this, it'd be in your credit report

also, ad networks are worse than the analytics companies.

Off topic: It used to be that your credit report was only updated every 24 hours so if you were denied credit at a bank your best bet would be to go to other banks that same day. I guess it's faster now though.

> How many sites have Google Analytics or something similar? I would argue that analytics are as essential to the operation of an online business as shopping carts.

I think you are overstating the case for Google Analytics in particular, as well as blurring the value of other non-intrusive methods.

Remember, this only affects UK companies dealing with UK visitors (or perhaps EU companies dealing with EU visitors). You still have complete control to stomp over all privacy concerns of US and other non UK (or non-EU) visitors. So you are not completely losing the value of Google Analytics, you just need an informed consent of a subset of your audience.

There is no completely accurate way to identify that subset other than asking every visitor for what country they reside in. To avoid ever violating this law, you would have to implement the changes for all visitors.

Perfect is the enemy of the good.

FTA: "a cookie which was set to welcome a user back to a website, or to record what pages they view would not be strictly necessary"

I can imagine a good case for saying this kind of thing is essential from a usability perspective. Who's to say if it is "strictly necessary" or not?

The spirit of the law is protecting the privacy of site visitors from being leaked to third parties, intentionally or otherwise, and gaining their informed consent before doing things with cookies that violate that privacy.

So the particular focus on third party cookies (be it 3rd party analytics tools and/or third party advert networks and/or 3rd party AB testing frameworks). These 3rd parties amass browsing habits and habits of visitors across multiple sites and topics. They use that information to build personalised profiles of an individual. This is done without the individual's consent. So the individual believes they've visited a set of independent websites, and they don't realise that some third party is watching over their shoulder. If they realise that is happening, and the implications of that, they would probably decline to participate, if they knew how.

So consider the use of cookies with that as a guide (but I am not a lawyer, if you are not absolutely certain, consult a lawyer).

I, for one, would be very surprised if a business got successfully sued for having a first-party cookie that clearly wasn't shared with any other site that was used to present a "Welcome back" message. Unless there was a third party script on the page watching for the appearance or non-appearance of that message.

I don't get what's so hard about the concept of "strictly necessary". If you take the cookie away and the site ceases to function such that the user cannot complete tasks they are there to do, then the cookie is strictly necessary. If the site continues to function, even if your business analytics are somewhat impaired, it's not strictly necessary and you need to gain the user's consent to set it.

There's a disconnect here. How does the absence of analytics mean the site continues to function with reduced usability? You could argue that over time the site's usability would not increase as much as it might be due to missing analytics data, but it won't be reduced just because the Google Analytics beacon isn't present on the page.

If you think that having analytics data is such a benefit to the user, explain to them why you want to track how they use your site and let them decide whether they're happy with that. That's all this law requires.

Again, the new law does not specifically mention "analytics" - the analytics issue is something that you yourself have come up with. If you read the guidelines, you'll notice that it states that consent does not need to be sought "where such storage or access is strictly necessary for the provision of [a service]". As I mentioned above, the provision of a service may have a usability component, for which cookies are necessary; however the service may work with degraded usability without such cookies. Would a degradation in usability make the cookies "strictly necessary", and if so, to what extent? This is something the new law does not address, and causes worry for web developers like me.