Our comment to Gov.UK blog post "Cookies on the Beta"
The Google Analytics (__utma) cookie is no more or less “intrusive” than any other piece of inert data. It is simply a number that is unique to a visitor’s browser.
The reason this is a data protection issue is that the value encoded in cookies can be used to key into other personally identifying information about citizens.
The __utma cookie is unique to each visitor/target website combination. It is persistent, with an expiry time of 2 years. It is 1st party, so it is visible to the target website and to any script that runs in the browser in the domain of the target website. It is also ubiquitous: almost 95% of public-facing websites use it.
Every time anyone visits one of these websites, an Ajax call sends the value of the cookie to Google. They can therefore see every website that everybody in the world visits, every day. You may think this ability is fine because Google is not evil in any way, and you may be right, I cannot tell. But then nor can you.
Because it is a 1st party cookie, script in other, 3rd party elements can read its value.
Let's pretend, and call one of these a “snoop” button.
The “snoop” button does not have to ever place or receive a cookie. It complies completely with the law. It simply reads the value of the __utma cookie, which you know is very easy to do.
Google may have clauses in its contract with the web publisher that attempt to stop this, but the “snoop” company was never party to them.
It can then make its own Ajax call to send the value, or one derived from it, to the “snoop” website. They also get to see all the websites that people visit. They are not legally responsible.
This is such a simple technique that soon every social networking button, embedded video or analytics widget will use it. They can all track people without hindrance and have no fear of being taken to court by the DPA.
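The exposure described above can be checked from the publisher's side. The following is an added example, not code from the original comment or from Google Analytics: it lists every cookie that any script in the page can read and flags the persistent __utma visitor id among them. The six-field __utma layout (domain hash, visitor id, first/previous/current visit timestamps, session count) and the sample cookie string are assumptions constructed for the example.

```javascript
// Added example, not from the original comment: audit which 1st party
// cookies every script in the page can read, and flag the persistent
// Google Analytics visitor id. Assumed __utma layout:
// <domain hash>.<visitor id>.<first visit>.<previous visit>.<current visit>.<sessions>

// Parse a document.cookie string ("a=1; b=2") into name/value pairs.
// document.cookie has no per-script scope, so a 3rd party widget loaded
// into the page sees exactly this list.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Return the per-browser visitor id from a __utma value, or null when the
// value does not have the expected six numeric fields.
function utmaVisitorId(utmaValue) {
  const fields = utmaValue.split(".");
  if (fields.length !== 6 || !fields.every((f) => /^\d+$/.test(f))) {
    return null;
  }
  return fields[1];
}

// Report every script-readable cookie name, plus any persistent identifier
// found in __utma, so a site owner can see what embedded widgets inherit.
function auditScriptReadableCookies(cookieString) {
  const cookies = parseCookieString(cookieString);
  const identifiers = cookies
    .filter((c) => c.name === "__utma")
    .map((c) => ({ name: c.name, visitorId: utmaVisitorId(c.value) }))
    .filter((f) => f.visitorId !== null);
  return { readable: cookies.map((c) => c.name), identifiers };
}

// Constructed sample, in the form a browser exposes via document.cookie.
const SAMPLE_COOKIES =
  "__utma=123456789.987654321.1300000000.1300100000.1300200000.3; " +
  "sessionid=abc123; __utmz=123456789.1300000000.1.1.utmcsr=(direct)";
```

In a browser, pass `document.cookie` as the argument. Because __utma is set by script it cannot be marked HttpOnly, so the practical mitigation is limiting which 3rd party scripts run in the page (a Content-Security-Policy script-src allowlist) or isolating widgets in cross-origin iframes, which do not share the site's cookie jar.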
If your website, which aims to ultimately be the main Government website, signals to the rest of Europe that analytics cookies are fine because they are not “intrusive” then the cookie directive, and all the time and effort invested in drafting and debating it, is pointless. Is this the idea?