Many sites use Google Analytics for their web metrics / analytics, because it's useful and free. Even the UK data protection regulator, the ICO, uses Google Analytics.
What Google Analytics code does
To use Google Analytics, a site would paste some code into its webpage or website template, like this (with Xs for the site's unique ID number):
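var _gaq = _gaq || [];  // command queue, created if it doesn't exist yet
_gaq.push(['_setAccount', 'UA-XXXXX-X']);  // the site's unique ID number
_gaq.push(['_trackPageview']);
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);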
You can see that this code references a "ga.js" script from google-analytics.com, a Google website.
When someone visits your site, containing your Analytics code, their browser downloads and runs that code. That code in turn tells it to fetch and run the ga.js script from Google's google-analytics.com site.
That ga.js script will then read/set/update Analytics cookies via the visitor's browser.
Are Google Analytics cookies "first party" or "third party" cookies?
That depends on your definition.
EU privacy regulators the Article 29 Working Party (A29WP) say (my emphasis):
Why does it matter?
This matters because first party cookies are considered less invasive than third party cookies, for cookie law purposes, so that eg fewer hoops may need to be gone through in order to show that you've obtained user consent to those cookies. Generally, third party cookies are considered to pose greater privacy risks than first party.
But, from a technical viewpoint, actually "Google Analytics uses first-party cookies". This is because, strictly speaking, Google Analytics cookies are effectively set by your website's domain, not Google's. Technically, whether or not legally, Google Analytics cookies are first party.
For example, below is a screenshot showing the cookies set via Google Analytics once you've accepted cookies on the ICO website. The first four, beginning _utm, are all Google Analytics cookies, but you'll see that they're associated with ico.gov.uk rather than google.com or google-analytics.com. (Here are some explanations on how Google Analytics cookies are first party not third.)
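The distinction drawn above can be checked mechanically: a cookie's scope comes from its domain, while the script that wrote it may be served from another host. The following is an added example, not code from the original post or from Google; the function names, the /js/site.js script, the session_id cookie and the observed records are constructed for illustration.

```javascript
'use strict';
// Added example: helper names and sample records are constructed.

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie
// domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Classify each cookie on two independent axes:
//   scope  - is the cookie's domain the visited site's (first party)?
//   writer - was the script that wrote it served from another host?
function auditCookies(pageUrl, cookies) {
  const pageHost = new URL(pageUrl).hostname;
  return cookies.map((c) => {
    const writerHost = new URL(c.setBy, pageUrl).hostname;
    return {
      name: c.name,
      scope: domainMatch(pageHost, c.domain) ? 'first-party' : 'third-party',
      writerHost,
      writerIsExternal: writerHost !== pageHost,
    };
  });
}

// Constructed observation of one page view (setBy = script that wrote it).
const PAGE = 'http://www.ico.gov.uk/';
const GA_JS = 'http://www.google-analytics.com/ga.js';
const OBSERVED = [
  { name: 'session_id', domain: 'www.ico.gov.uk', setBy: '/js/site.js' },
  { name: '__utma', domain: '.ico.gov.uk', setBy: GA_JS },
  { name: '__utmb', domain: '.ico.gov.uk', setBy: GA_JS },
  { name: '__utmc', domain: '.ico.gov.uk', setBy: GA_JS },
  { name: '__utmz', domain: '.ico.gov.uk', setBy: GA_JS },
];

// First-party cookies whose contents are decided by another host's code.
function firstPartyButExternallyWritten(pageUrl, cookies) {
  return auditCookies(pageUrl, cookies)
    .filter((r) => r.scope === 'first-party' && r.writerIsExternal)
    .map((r) => r.name);
}

console.log(auditCookies(PAGE, OBSERVED));
console.log(firstPartyButExternallyWritten(PAGE, OBSERVED));
```

Browsers additionally refuse cookies scoped to a public suffix such as gov.uk; that check needs the Public Suffix List and is left out here.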
Now for some further statements from the A29WP:
So the big question is, for cookie law purposes, are Google Analytics cookies considered first party, or are they "first party cookies with the analysis performed by another party" or third party analytics, which regulators will come down harder on?
Let's check the ICO guidance:
That doesn't necessarily clarify the position, as arguably Google "sets a cookie through [a Google Analytics user's] website".
What's more, the ICO goes on to say:
The key point is not who obtains the consent but that valid, well informed consent is obtained.
Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.
Given the ubiquity of Analytics cookies, it would be helpful if regulators would confirm whether, for cookie law purposes, they're treated as first party or third party, and who's considered to be the person setting the cookie - the person who included the Analytics code on their website, or Google, who actually wrote, hosts and generally controls that code and what it does?
Social media "buttons"
It's not just Analytics scripts - lots of services offer scripts or other code for website owners to insert into their webpages. It's the service who controls that code, not the site owner. Lots of site owners are individuals, eg bloggers or SMEs, with little technical expertise. They wouldn't know how to dissect the service's script if they tried.
Their only choice is as to whether to use the script, which third party services may market heavily as helping to promote individual sites - or not. But individual sites may not have the technical or legal expertise to make that decision properly. I have in mind here AddThis, ShareThis, Twitter, Facebook and other services that offer social media "buttons" to sites and blogs - code that can be inserted to show the button, and do whatever else the third party service wants it to do.
I also, with respect, take issue with "In practice it is obviously considerably more difficult for a third party who has no direct interface with the user to achieve this." (In this case, I'm using "third party" to refer to the service that provided the script or other code.)
It's not. It's the third party who wrote the script it offers to sites. The script is its direct interface. It has the practical and technical ability to tweak its script to, eg, pop up a request to the website user to accept cookies set by its script, identifying itself so the user knows who is responsible for the script.
As for "Third parties setting cookies, or providing a product that requires the setting of cookies, may wish to consider putting a contractual obligation into agreements with web publishers to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent" - that's even worse. Given what I've pointed out, that sentence seems to me to be the wrong way round, and very unfair on SMEs and bloggers. I feel it should be for Google and similar services to change their scripts so that information is given and consent requested - it's easy for them to do, and they ought to take at least some of the responsibility. Why aren't they doing something?
Sharing Google Analytics data
This is the kicker, to me. Rather than "first party" or "third party" distinctions, surely what matters more is how someone other than the site owner could potentially use that data, ie what can the third party services, that provide scripts to sites, do with the data they gather via their scripts? To what extent can they use the data for their own purposes, and not just the site's?
The A29WP do touch upon third party analysis or use of first party cookies and "third party analytics", but it should be remembered that the cookie law extends to non-personal data as well as personal data, and that its terms don't confine its scope to "controllers" (joint or not), or even "processors". As I've pointed out above, it is the analytics provider who creates and controls the code used by sites, so it would make sense for it to bear more responsibility than sites or blogs who may not have much technical knowledge.
This blog shows that, in practice, Google Analytics data is shared with Google as standard - sharing is ticked by default, and site owners must take active action to disable sharing data with Google, ie not exactly privacy by design or privacy by default! And it seems quite a long-winded, difficult and involved process to stop Google Analytics data sharing (scroll down the page for instructions).
I've disabled sharing Google Analytics data with Google as far as I can for my main site (indeed I've not even added working Analytics code to that site yet). But for users of Blogger.com it's just not possible to prevent the sharing, as no settings are provided to do that. Also, Blogger Stats (which uses Analytics) is "fully integrated with Blogger; you don't need to do anything to enable it for your blog" - put another way, analytics collection can't be turned off on Blogger blogs.
Google Analytics terms vs practice
Google clearly states on the Analytics settings pages (quoted in the blog linked above) that it uses sites' Google Analytics data to "improve" its service.
This is what Google's contract terms for UK Analytics customers provide (my emphasis):
Some might feel this isn't quite the same as what's in its FAQs. The phrase "providing other services relating to website activity and internet usage" in the terms is very, very broad, and could cover "improve the service" and create "more powerful features" as well as much more ("other services relating to internet usage" is very wide indeed).
Yet the FAQs and settings pages seem to suggest to those using Google Analytics for their sites that Google won't use the data except for the limited purposes stated in the FAQs, and that if sites decide to disable sharing, this will prevent Google using it for its own purposes.
The terms do state the data will not be shared with third parties without consent (or required by law etc etc). But, strictly, they don't stop Google from using the data for its own purposes to help it provide "services relating to internet usage", even if the site using Google Analytics has disabled sharing in their settings - unless Google's provision of those settings can be taken as Google's representation or implied undertaking that it won't use a site's Analytics data for other purposes if the site has in fact turned off sharing in the settings.