This is interesting. Is it clear in the law that no cookies shall be set until the user has accepted the warning, or is that an open interpretation in this particular case?
My initial reaction is that this seems fair. The fine is substantial, but not deadly to an enterprise, so it would serve as a warning without being catastrophic for them.
I'm not an EU citizen - but presumably the EU's rather strict laws re: cookies derive from privacy and a desire not to be tracked at all. A user who has accepted Google cookies from other sites need not submit to the same tracking cookie on your site - but even if you delete the cookie afterwards, presumably Google Analytics has already captured the visit.
And there is, as far as I know, no way to remove that event from Google Analytics.
> Is it clear in the law that no cookies shall be set until the user has accepted the warning, or is that an open interpretation in this particular case?
This is a very liberal translation of the relevant part of the law[0]:
"Those who provide services will be allowed to use storage devices in remote computers, provided that the owners have given their consent AFTER [my emphasis] they have been informed clearly and completely about the utilization of the private data".
But they may only use the storage once consent has been given, which can only happen after a warning has been issued.
The two clauses seem to indicate that consent must be before storage, and warning before consent, hence there must be a warning /before/ the storage on the remote machine.
In either case, storing the cookie before consent, in the Google context, seems to run directly counter to the intent and spirit of the law.
I'm not big on technicalities. Normally I would put this in the "not a big deal" bucket, but in this case the specific cookies do not belong to the website itself. This means that you cannot retroactively "untrack" a user once they refuse your warning.
If this was just the website's own cookie, and if the cookie could be deleted and all tracking data would vanish from the site's own backend, then I'd be inclined to give it a pass.