Changing the way the cookie crumbles - are you compliant?


Date: 21 May 2012

cookie legislation: pile of cookies{{}}Back on the 26 May 2011 the EU passed some amendments to the Privacy and Electronic Communications Regulations, further expanding its attempts to protect user privacy on the internet (in stark contrast to David Cameron's desire to wiretap every UK citizen). However, the requirements were given a grace period of 12 months before they came into effect. That means that website owners should be compliant by 26 May 2012 – are you?

Here's the definition of a cookie as used by the Information Commissioner's Office (ICO):

“The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).

A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.”

Changes to EU regulations

The key change in the wording of the EU regulations is that whereas previously it was quite acceptable to assume that a user is happy to have a cookie from your site downloaded to their machine as long as you gave them a way of opting out, now it is a legal requirement to get consent before you can store a cookie.

There are, however, a few examples of exemptions to this requirement. The biggest is that cookies used to track goods being added to a shopping basket are considered to be strictly necessary and therefore exempt from the new rules.

What you need to do

  • The ICO advises taking a “cookie audit” which should entail looking at where and why you use cookies on your site. Once you’ve done this and carefully assessed which ones you need and which are no longer serving a valid purpose, you can take action.
  • The first step would be to include more detailed information for your users about what data you’re monitoring.
  • You then need to get the person’s consent to store your cookies on their machine. This can be by getting them to click an icon or check a tick box.

Getting consent

At this point there seems to be a step missing which I certainly feel is going to harm our own users’ experience of our site, and thus harm the business.

To be certain that our visitors know they’re being tracked, we need to provide some kind of pop-up or other attention-grabbing dialogue which explains our use of cookies and then asks for consent.

Now hopefully, existing customers will decide that they trust us as a company. However a new visitor may well decide that he doesn’t wish us to use cookies.

This in itself isn’t an issue. But how can we tell if this is a user we’ve had before and whether they need to be pestered about cookies again? Simple, we’ll put a cookie... Oh! Any user not accepting our cookies will have a “Please let us monitor you” alert flash at them each time they hit the site.

An alternative to this is to show a display once and then assume consent. However the ICO says that, as knowledge about the extent of cookie tracking is so low, it’s not acceptable to do this.

Why does it matter?

There are several reasons why it’s a valid concern to UK businesses:

  1. It’s the law.
  2. Your competition will be complying. Customers shop around and if you’re behind the curve they’re going to see you as either outdated, or as a company that’s trying to ignore their rights.
  3. The ICO can impose a fine of up to £500,000 on an organisation it deems to have “seriously contravened the regulations”.

However, the ICO has put together a very detailed guide explaining the changes in the law and giving some examples and suggestions of both exemptions and possible ways of tackling the issue. It’s worth taking a look.

Michael Derges is a writer and researcher for

More advice and opinion on cookies...

• Read Rory MccGwire’s blog on the Law Society Gazette, and check out his comment below.

• Robert Peters looks at the marketing implications of the new cookie regulations on Marketing Donut.

• And IT Donut has a full guide to the new EU regulations on cookies.

What does the * mean?

If a link has a * this means it is an affiliate link. To find out more, see our FAQs.