Monthly Archives: June 2012

Cookie Law, the EU e-Privacy Directive

gingerbread man, by punkle at i-stockContents

In this post we provide ideas for UK website owners on how to deal with their obligations under the new EU e-Privacy Directive.

EU Cookie Law Obligations

If your website uses cookies, you now have to declare this clearly to users and, potentially, get their permission to do so.

Since the  situation is a little confused, we’ve been trying to work out the best advice we can give to clients on how to deal with this new legal requirement. Here is the extent of our thinking so far.


This is our current understanding. We’re not lawyers but this is how it seems to us. We offer the suggestions below as just that: suggestions. Use them at your own risk. If they are wrong, and you’d like to help us correct them, please join in the debate by clicking “Leave a comment” below.

Don’t Panic!

Whilst the rules came into force in the UK on 26 May, 2012, there’s no need to panic, the Information Commissioner’s Office (ICO) says so.  At the time of writing, they’re working with organisations the size of Amazon and the banks to get them to toe the line first. It’ll take a while. First Direct had complied when we checked a few days ago; Santander had not.

Cookie Law Requirements

To comply with EU e-Privacy directive, if your EU-owned website uses cookies, you must,

  1. declare to each new visitor that you use them;
  2. explain what they are;
  3. describe how you use them;
  4. obtain consent before storing cookies on a user’s computer or mobile device.

For UK-based companies it’s slightly less onerous, because our Information Commissioner has adopted the principle of implied consent.  In other words, you do not have to stop users browsing your website until they specifically consent. You can make it all clear and then assume consent if the user takes no further action.

The Big Problem With the e-Privacy Directive

Can you imaging what would happen when somebody arrives at your website? They’ll see a big panel saying, “Do you consent to us using cookies Yes or No.”

Given that a percentage of the population haven’t a clue what a cookie is, and even more don’t understand the implications, many people will bail out at that stage. This would lose potential customers and increase your bounce rate, which lowers your page rank.

Companies that have already tried the dead stop approach have experienced serious loss of traffic.

What You Need to Do

Now, according to the Information Commissioner, using your browser’s cookie settings is a recognised way to give legal consent. So, you can use cookies so long as you:

  • make it clear that your site uses cookies;
  • help the user understand what they are;
  • tell users what you do with them;
  • explain how to opt out, or stop them being used.

Having done all that, and having provided the opportunity to opt out by changing browser settings, you can assume consent and let the website work as normal. You can even deposit a cookie so you can make it less obvious next time.

Does My Site Use Cookies?

Your website designer will be able to tell you for sure if your site uses cookies.

Probably the most common use of cookies is in visitor tracking. Google Analytics uses cookies to identify repeat visitors. It’s not possible to identify a person this way, nor, in many cases, even their computer.

Cookies are also used in security scripts, to recognise a visitor, when he or she logs in, and display only that visitor’s private information. In this case, you may be able to identify an individual and you may be holding some personal data about them.

Cookie Law Solution Examples

Each company should, for each of its websites,

  1. Review the use of cookies and amend if necessary;
  2. Decide on a strategy for complying with  the law;
  3. Implement the strategy;
  4. Monitor compliance regularly.

Here are just a few examples. If you follow the links to the example sites, and you don’t see their cookie banners, you probably visited them before and they left you a cookie.

This is the BBC‘s solution – a banner across the top of your browser window. It offers hyper-links to:

  1. “Continue” – assume consent;
  2. “Find out more” – go and read a full explanation;
  3. “Change your cookie settings” – where you can opt out of the four different cookie types

If you ignore the banner and browse to another page, you won’t see it again, even when you start a new session. Because it dropped a cookie.

BBC Cookie Law Example

BBC Cookie Law Example

The Information Commissioner’s Office implements the EU version of the Directive. It insists that you check a box and click a button before you can use the site.

Information Commissioner's Office Cookie Example

Information Commissioner's Office Cookie Example

Floating Cookie Law Example

Floating Example

This one floats on top of your landing page. It’s a free control you can download and use, from Edinburgh digital marketing agency, Civic.

Please also click here for our own approach to cookies. It explains the different categories of cookie.

More Cookie Law to Follow

The UK is, we’re told, ahead of the game in implementing the EU e-Privacy Directive. Our “assumption rule” for first party cookies isn’t approved by the EU. It remains to be seen what stance the EU will take, what other countries do, and what you need to do for European visitors.

We are also aware that the ICO is talking to browser developers with a view to getting them to change the way they handle cookie settings.

And, as the population at large get to understand cookies better, the requirement for every website to explain so much about them will reduce, too.

It’s all a bit of a mess, really, and there’ll be more work to do in the future – bank on it!

Your Next Step

Further reading:

Want some help? Get in touch!