EU Cookie Law – a UK perspective.

This is a working guide to the EU Cookie Law and what it means to Website Owners within the UK.  It is meant to document my research and understanding of the Law and hence my responsibilities as a website owner.  It is not meant as legally binding advice for any other website owners although I hope it does help you draw your own conclusions.  I would welcome any feedback and thoughts from other webmeisters or legal minds   I am not a legal expert and cannot / will not provide such advice and you should discuss your requirements with a EU Specialist Lawyer.   

The Cookie Law

On 26 May 2012 the UK’s Information Commissioner’s Office (ICO) imposes an EU directive designed to protect internet users’ privacy.

The law says that sites must provide “clear and comprehensive” information about the use of cookies – small files which allow a site to recognise a visitor’s device.  It says website managers must:

  • Tell people that the cookies are there
  • Explain what the cookies are doing
  • Obtain visitors’ consent to store a cookie on their device

What is a Cookie?

If you do not know what a cookie is then I really recommend this youtube video:

Silktide, the company behind the video, also have a page explaining more about cookies and the law.

What should you do?

For starters, don’t panic!

As reported by BBC News [BBC#1] – 95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month.

You will also appreciate from your own browsing experience and a probable complete lack of knowledge about this law that many website owners have either no knowledge themselves or have just elected to ignore the law.

Ignoring the law, although a common approach it is probably not a legally sound one.

Read up on the topic

There is a lot of guides to the Cookie Law online and even more blog posts claiming to explain it.

In Summary

There appear to be three types of Cookie that should be addressed to ensure a website is compliant with the law:

Essential Cookies

Online shops and websites that require a login e.g. Amazon, Ebay and Facebook will all use Cookies to track your preferences and interactions such as items placed into a shopping basket.  Without them the site will not work – it will not remember that you are logged in let alone the items you have placed into your shopping basket.

Operational but Non-Essential Cookies

Most modern websites e.g. WordPress use cookies for internal purposes such as remembering site preferences.  These internal cookies are used to enhance a visit and allow a user to fully appreciate the website functionality and appearance.  You should be able to use the site without them yet your experience maybe compromised.  They do not track your behaviour or store it elsewhere for other purposes.

Non-Essential (Tracking) Cookies

Non-Essential Cookies particular of the tracking kind (Google Analytics/Statcounter)  are where the problems really start and at the time of writing the guidance is varied and contradictory.

How to make your website compliant?

Find out what Cookies your Website uses.

There are a few tools on the web which will tell you what Cookies your website is storing such as this Chrome extension by AttaCat.  If you are going to use Attacat take care as it will scan all tabs and all cookies available.   So my report was not contaminated I installed this onto Chrome running inside a Virtual Machine but here are screenshots from the report for this site:

There are already commercial companies setting themselves up to provide this service at a cost e.g. CookieLaw.

Essential Cookies and Operational Cookies

These Cookies should be considered essential.  Users agree to the Cookies by visiting and using the website.  However, it is the website owners responsibility to ensure that a Privacy Policy describes the purpose and usage of Cookies within the site.

You should advise visitors that they can turn off cookies within their browser settings and ideally provide links to the appropriate help pages for common browsers.  The About Cookies Organisation maintain a page providing such information for most major browsers.

Non-Essential Tracking Cookies

Until very recently the default response to the law and the issue of tracking cookies is that some form of Opt In/Out system must be implemented. However, looking at the current wave of reporting online it would seem that this is not the case.

EConsultancy have undertaken a lot of work looking into the problem created by the Cookie Law including a survey of leading professionals and possible optinout solutions.

StatCounter who provide an alternative but similar service to Google Analytics have posted their response to dealing with Tracking Cookies which acknowledges the UKs practical approach to this law.

As reported on E-Consultancy the Government doesn’t seem particular worried about this type of Cookie when used in relation to Web Analytics (e.g. Google Analytics)

The government’s argument: The Government Digital Service (GDS) takes the view that web analytics are “essential to the effective operation of government websites” and that “at present the setting of cookies is the most effective way of doing this”. Further, they feel that web analytics cookies are “minimally intrusive” and that “their usage tends to be controlled by the first-party”.

Finally they point to a statement in the Information Commissioner’s Guidance on the rules on the use of cookies and similar technologies which would appear to seal the deal: Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.

So this would seem to suggest that our Google Analytic Cookie is OK providing we are clear in our privacy policy of its existence and usage.

A Personal Conclusion

Good luck to anyone trying to decide on a policy for their company and/or website at this time.   The information seems varied and I get a feeling there is a good chance it will go the way of browser control and rely upon public awareness.  Obviously companies exploiting Cookies and using them to gain information that is not considered ‘normal’ for the operation of a modern website will get nailed in the legal sense.

I am working on a privacy statement for my websites that explains how I use Cookies and for what purpose.  I will not be implementing an Opt-In/Out policy until I have seen more the directions taken by more major players e.g. our own Government.

References (may or may not be included within page text)

9 Comments on “EU Cookie Law – a UK perspective.”

  1. Hi Chris

    Thanks for featuring our tool in your review. We are about to start upgrading the tool to cover more cookies and provide further assistance in achieving complaince.

    A think your approach is one that many will adopt even though, as you suggest yourself, it falls well short of complying with the law. Of course whether the law can be enforced remains to be seen so you are doing the bit that I consider most essential: monitoring the situation.

    Affiliate and advertising models are probably the areas that have most to lose from the directive.



    • Thanks for the comment. I have used the tool on a couple of websites and it seems to work quite well.

      I think your comment suggesting my approach falls well short might be a slight exaggeration given the comments made by the UK government but you are right to say its a monitoring job for the time being.

      It seem ironic that whilst we are busy trying to implement this law supposed to protect privacy they are talking about greater monitoring of our online activities!

  2. So in response to a client request I have added a Cookie Opt-Out feature to this website as a means of testing the Cookie Control from Civic UK before implementing it into their website. I always prefer writing my own but the costs are significantly lower when using ready available plugins.

    The plugin looks very good and has a full range of features. Annoyingly it didn’t appear to work out the box but by changing the advertised ccADDAnalytics( ) to ccAddAnalytics( ) seemed to fix this.

    It’s also a shame that the CSS for the triangle icon appears to leave a line across the top in Firefox and for now its source escapes me!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.