New cookie law: what you need to know

The E-Privacy Directive, the law that applies to how website owners can use cookies to store user information, comes into effect today (26 May).

Website owners will need to gain “explicit” consent from their users if they are to store their usage information and will need to provide “clear and comprehensive” information about why they are storing cookies.

Essential cookies provided by the website at the request of the user (such as on some subscription and e-commerce services) will not require consent.

This is how it affects you.

What is a cookie?

Cookies are text files on web browsers that store user information. They can be used to store passwords and information about users’ shopping habits, to personalise the browsing experience by showing more relevant content, and to track browsing habits.

Users can delete their cookies to protect their privacy or free up storage space on their computers, although the files are tiny.

What will website owners need to do?

Website owners are advised by the ICO (Information Commissioner’s Office) to conduct a full audit of their sites to analyse what types of cookies are strictly necessary. “Strictly necessary” cookies include those that allow users to add items to shopping baskets and proceed to checkouts.

Cookies that could be deemed “intrusive” by users should be removed or altered, or the company should decide which solution it will use to gain consent. The UK government, the ICO and the online industry are working together to decide on a scale of intrusiveness and will provide further information soon.

What consent options are there?

Browsers have not yet adapted to the law to assume that users have given their consent for cookies, so the onus is on the website owner. The government is currently working with major browser manufacturers to establish future solutions.

  • Pop-ups - Although pop-ups can potentially detract from the user experience, they are one of the simplest options to draw in user attention and ask for consent.
  • Sign-up terms and conditions - When a user registers with a site they will give their consent for the website owner to operate in a certain way, which could include cookies. However, website owners would need to ensure current users are alerted to the change in the terms and conditions and must gain their consent to the alterations.
  • Settings-led consent - Some website features, such as a choice on languages, text sizes or colour schemes, use cookies. When a user chooses their preferences, they can be alerted to the fact that a cookie will be used.
  • Feature-led consent - Cookies are also stored when a site remembers feature-led preferences, such as the personalisation of content or where a user has got to in the video they were watching. When the user clicks for one of these features to be activated, the website can inform them a cookie will be set.
  • Functional uses - Often cookies are taken in the background, without the consent of the user, for tracking purposes. One way to provide information on these types of cookies could be to place text in the header or footer of the web pages, or to provide a specific page with further details.
  • Third party cookies - If a website displays advertising, this third party may take cookies from users. The ICO admits the process to get consent in this instance is complex and it is currently working with the industry and European data authorities to assist in addressing concerns.
  • Tracking icons - Some big advertisers, including AOL and Google, have committed to placing recognisable icons on any ads using tracking technology.

What could happen if companies do not comply?

Given the confusion surrounding the new Directive and the complex technology required to make websites compliant, the law will not be enforced for one year.

The UK government says there will be “no overnight changes” and the ICO says it will give businesses and organisations up to one year to “get their house in order”.

Failure to take any action before 26 May 2012 will result in a fine of up to £500,000 in the UK.

How has the industry reacted?

Caroline Roberts, director of public affairs at the Direct Marketing Association, says: “The DMA welcomes the long-awaited regulations and is reassured by the government’s decision to allow businesses more time to come up with workable technical solutions before enforcement of the new law begins in the UK.”

Law firm Thomas Egger says: “Is it, once again, the law struggling to keep up with the rapid changes in social and business use of the web?”

Peter Gooch, privacy expert at Deloitte, says: “Since there is no ‘one-size-fits-all’ approach here, businesses will need to implement a solution that best reflects how their website operates so that users are fully aware of what they are agreeing to.”

Ed Vaizey, Minister for Culture, Communications and Creative Industries, says: “We remain firmly convinced that UK implementation is correct that it is good for business, good for consumers and addresses in a proportionate and pragmatic way the concerns of citizens with regards their personal data online.”

Readers' comments (4)

  • I'm wondering who decided to implement this initiative in the first place?
    Did the users complain?
    Or just the higher authority decided that the users are not safe and their personal data is being violated?
    Eventually, this will have a negative impact on the general users' experience online!

  • The ability to track a customer, or potential customer’s journey through search engines and on websites has become one of the most important ways for marketers to understand the attributes, channels, media and preferences that customers have, so that they may be best informed of the most effective means of delivering digital marketing strategies and creating an enjoyable online experience. Even though it is looking unlikely that the UK will adopt as strict a regulation as Holland – where all web users now have to manually agree to opt-in to accept the use of cookies on any Dutch site before accessing it – there is still cause for concern.

    Although several EU member states have signed a declaration stating that using browser settings for the purpose of permission should suffice, U.K. Information Commissioner Christopher Graham warned that browser settings alone may not be enough for compliance with the directive. The Information Commissioner’s Office and other central government departments have acknowledged that current default browser settings do not meet the requirements of the directive as they stand, and this has led to the formation of working groups alongside browser manufacturers to see if these can be enhanced to meet the requirements of the directive. So it appears that for the time being UK marketing teams are playing a waiting game until the ICO announces the required approach.

    Whatever the outcome, the real challenge going forward will be to maintain trust amongst user and customer bases; assuring website visitors that not only will their data be safeguarded, but that tracking their online journey will help to create a better web experience and establish channels of communication which satisfy user preferences. The danger of choosing a more manual, explicit approach, such as the case in Holland, is that a user’s web experience will be completely ruined if they are required to respond to an ‘opt-in’ form every time they want to visit a new website. The purpose of accessing information to a user’s online journey has always been primarily to serve as a means of developing and improving website innovation and experience, and harsh interpretations of this directive threaten to destroy that.

  • All cookies that are not strictly necessary for a service requested by a user are affected.

  • You may be interested to know that a compliance solution is now freely available from

    The free widget, known as "Cookie Control", will be adopted by Public Sector websites in Scotland in the run up to the May 2012 compliance deadline.

    In itself, the solution doesn't guarantee compliance for your website (you still need to do a cookie audit and publish the results in your Privacy Policy), but it gets you a long way there by making it explicit to users that cookies are at work on your site.

    You can configure your own Cookie Control widget here:
