Frequently asked questions

We're outside the UK, are we affected?

Only if you have operations in the EU.

If your organisation falls under the jurisdiction of the EU then it is subject to this law. The regulators who enforce it are based in the member states of the EU. So if your organisation is - say - located solely in the US, but sells to EU customers, we don't foresee this causing problems for you.

If on the other hand you have offices in the EU, or other legal entities, they may be subject to the law:

"If you are a multinational company headquartered in the US, you should be doing something to comply with this directive"

Dennis Dayman, Chief Privacy Officer at Eloqua

This is a complex issue for multinational organisations and you should seek appropriate legal counsel.

Can we just host our website outside of the EU?

No.

If your organisation falls under the jurisdiction of the EU, it doesn't matter where your website is hosted. It will be your organisation that is prosecuted, not your hosting provider.

What does "strictly necessary" mean?

It's more restrictive than it sounds.

It is often said that cookies are allowed if they are "strictly necessary". This quote comes from the original EU Directive:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Let's break this down.

  1. A user must explicitly request a service.

  2. Cookies must be strictly necessary to provide that service.

So if cookies are set for a service the user did not specifically request, they're not allowed. And if the service they did request didn't need those cookies, they're not allowed.

Analytics, behavioural advertising and conversion tracking therefore seem clearly excluded.

Login, adding items to a basket and most user preferences appear to be allowed.

If in doubt, remember the spirit of the law is to protect the privacy of users; if necessary at the expense of website owners:

"While the Article 29 Working Party does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals' rights to privacy and data protection."

What is clear is that cookies are not permitted just because they are "strictly necessary" for the website owner. They must be explicitly requested by the user as well.

The UK regulator also clarified that "strictly necessary" is a narrow definition, and is unlikely to accept much wiggle room:

"The only exception to this rule is if what you are doing is 'strictly necessary' for a service requested by the user ... This exception needs to be interpreted quite narrowly because the use of the phrase "strictly necessary" means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user."

What about states in the EU other than the UK?

They haven't published laws yet, and they could be different.

At the moment only the UK has published any guidance at all, and it is possible that the other EU member states will set different laws. If that's the case, website owners may need different solutions for different parts of the EU.

Isn't this just going to be all ignored?

By small companies, possibly. But services you depend on will likely be affected, and you might be compelled to act.

In effect the law criminalises the vast majority of existing EU websites. Currently there are - by the government's own admission - inadequate technologies to make compliance with the law practical. So change will be slow.

The first people to be prosecuted will also probably be the largest. It'll take a test case or two for more people to take the law seriously.

You may find that services you depend upon - particularly those which use 3rd party cookies, like adverts, social media plugins and analytics - start to change or limit their capabilities for users in the EU.

What exactly is meant by "cookies"?

Web cookies and anything like them stored on your user's computers.

The law isn't actually about cookies, but because it affects them so much, people have started calling it the 'Cookie Law'. It's actually about all technologies which store information in the "terminal equipment" of a user. The EU directive says:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent".

You might be thinking that doesn't even mention cookies, and you would be right. The only reference to cookies occurs later in their clarifying statements:

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access."

So essentially this law lumps the storage of cookies together with spyware and viruses, for the same regulation.

The UK regulator also clarified that all similar technologies are covered by the law:

"The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as "Flash Cookies")."

What about cookies we can't remove?

You probably have wiggle room here, if you can prove it.

Many existing Content Management Systems, programming languages and other technologies set cookies automatically. Website owners and developers who didn't write those technologies need updated software with an option to turn off those cookies before they can become compliant.

This is likely to be an expensive and time consuming process. The software companies have to rewrite their technology - if they care to - and the website owners have to upgrade to it.

If you look at the website of the UK regulator itself (the Information Commissioner's Office, or ICO), they have two cookies which they freely admit they can't remove, for exactly this reason:

"We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can't be removed, to find another solution."

Assuming the ICO doesn't hold other organisations to a double standard, website owners can expect some leniency while they work to remove such cookies from their own websites.

Can't people turn off cookies in their browser?

Sadly this is not enough.

All modern browsers allow a user to change their settings concerning cookies, and to block websites from storing cookies on their machines. Previously, the law said that if your website stored cookies, you needed to let your users know why, and give them clear instructions on how to 'opt out' if they objected. Many websites did this by writing a privacy policy.

The new law however ignores the settings you currently have set in your browser, saying:

"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user's equipment that they have to gain consent some other way."

This means for now it's up to the owner of the website to ask for the user's consent when they visit their website.

Won't future browsers handle this for me?

We don't believe browsers can completely satisfy the law for years, if ever.

Officially we've heard a lot of talk about browsers changing in a way that means websites don't have to. We'd argue this is wilful bunk, and never going to happen.

We know why the theory is popular - because this change appears to involve the least disruption possible. It's easier to update a web browser than rewrite all the affected websites in the EU.

But in reality we don't think it's possible; there's more about this here.

What about Flash cookies, HTML5 or similar technologies?

All "similar technologies" to cookies are covered by this law.

This includes Locally Stored Objects (so called 'Flash Cookies'), HTML5 Local Storage, Silverlight, Java and anything else which stores information about a user on their computer. For brevity, these are all usually referred to as 'cookies'.

What has been made clear is that websites can't comply with this law by using another technology that does the same thing as cookies:

"The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as "Flash Cookies")."

Information Commissioner's Office

It also appears that if anything, these alternatives to cookies are more frowned upon by the law than traditional cookies:

"Therefore, since flash cookies cannot be as simply deleted as other third party cookies (whether by browser setting or manually) they circumvent the user's personal browser settings and therefore also circumvent the consent issue, i.e. article 5.3 of the e-Privacy Directive becomes applicable. The same goes for other devices, such as HTML5- techniques, Java API, Silverlight or similar technique."

Alexander Alvaro, European Parliament Deputy
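The two points above (the site, not the browser, has to obtain consent; and localStorage and similar technologies count just like cookies) lead to the same engineering pattern: put a consent gate in front of every client-side write. The following is an added example written for this page, not code from the original page or from any regulator. The cookie names and purpose categories are constructed for illustration, and two Map objects stand in for document.cookie and window.localStorage so the logic can run outside a browser; in a real site the adapters would wrap those APIs and the registry would list the site's actual keys.

```javascript
// Added example (not from the original page): a consent gate for client-side
// storage. Only keys registered as "necessary" (login session, basket, and the
// consent record itself) may be written before the user consents; everything
// else waits for consent to its category. The same gate covers cookies and
// "similar technologies" such as localStorage, and can defer third-party
// embeds. Names and categories below are constructed; Map objects stand in for
// document.cookie / window.localStorage so this runs outside a browser.

const NECESSARY = "necessary";
const PREFERENCES = "preferences";
const ANALYTICS = "analytics";
const ADVERTISING = "advertising";

// Every key the site writes, with its purpose. Unregistered keys are refused,
// so a cookie nobody reviewed cannot be set by accident.
const REGISTRY = {
  sessionid: NECESSARY,   // login session, explicitly requested by the user
  basket: NECESSARY,      // shopping basket, explicitly requested by the user
  consent: NECESSARY,     // the record of the consent choice itself
  lang: PREFERENCES,      // constructed preference cookie
  _ga: ANALYTICS,         // constructed analytics cookie name
  ad_id: ADVERTISING,     // constructed advertising identifier
};

class ConsentGate {
  // cookieJar and localStore: any object with get/set/has/delete/keys (Map works).
  constructor(cookieJar, localStore) {
    this.cookieJar = cookieJar;
    this.localStore = localStore;
    this.consented = new Set([NECESSARY]);
    // Restore a choice recorded on an earlier visit, if one exists.
    const saved = cookieJar.get("consent");
    if (saved) saved.split(",").forEach((c) => this.consented.add(c));
  }

  // Record the categories the user agreed to; "necessary" is always included.
  recordConsent(categories) {
    this.consented = new Set([NECESSARY, ...categories]);
    this.cookieJar.set("consent", [...this.consented].join(","));
  }

  // Withdraw consent: delete every non-necessary key from both stores.
  withdrawConsent() {
    this.consented = new Set([NECESSARY]);
    for (const store of [this.cookieJar, this.localStore]) {
      for (const key of [...store.keys()]) {
        if (REGISTRY[key] !== NECESSARY) store.delete(key);
      }
    }
    this.cookieJar.set("consent", NECESSARY);
  }

  // A key may be written only if it is registered and its purpose is consented.
  allowed(key) {
    const purpose = REGISTRY[key];
    return purpose !== undefined && this.consented.has(purpose);
  }

  // Returns true if the value was stored, false if the gate refused it.
  setCookie(key, value) {
    if (!this.allowed(key)) return false;
    this.cookieJar.set(key, value);
    return true;
  }

  setLocal(key, value) {
    if (!this.allowed(key)) return false;
    this.localStore.set(key, value);
    return true;
  }

  // Run a loader (for example one that injects a third-party analytics or
  // advertising script) only once its category is consented; returns whether it ran.
  loadIfConsented(purpose, loader) {
    if (!this.consented.has(purpose)) return false;
    loader();
    return true;
  }
}
```

The registry is the important design choice: the gate fails closed, so a key that was never categorised is refused rather than silently written, which is how unreviewed cookies from a new plugin get caught. Third-party embeds are deferred the same way, by routing the script injection through loadIfConsented instead of loading it unconditionally in the page.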

Who is responsible for 3rd party cookies?

The website the user is visiting, at least for now.

Websites frequently embed plugins or scripts from third parties which themselves set cookies. Often these cookies are not even visible to the website which embeds them - for example, if you add a Facebook Like button to your site, your website can't access any of Facebook's cookies, and they can't see any of yours.

Your website therefore can't read or write any of the cookies which those third parties set, but your users will still have those cookies set on their devices.

This gets into an awkward situation where you're responsible for cookies which are outside of your control.

The EU said:

"... the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie."

Note that they specifically state the permission belongs to the "website partner" of the "ad network provider". So you couldn't just have - say - Google ask one question for all of their adverts on all sites. They'd have to ask for each and every site that shows Google's ads.

The UK regulator concluded they don't know how this will work yet:

"This may be the most challenging area in which to achieve compliance with the new rules and we are working with industry and other European data protection authorities to assist in addressing complexities and finding the right answers."

What about saving a session in a query parameter?

That's probably OK, which is a bit of a loophole.

The law refers to information stored on the user's own "terminal equipment" (e.g. their computer).

Query parameters, like this:

www.example.com/?session=1234

are part of the communication mechanism between the user and the server which provides the website. Of course they're also stored on the user's computer, but only in the sense that URLs are needed to visit any webpage.

So if websites started to put sessions in their URLs instead of cookies, it is hard to see how they would be covered by this law. They aren't being stored, just passed from page to page.

Of course this approach has numerous problems: it's less secure, less user friendly, and it can't remember a user between visits. But it probably isn't illegal, so expect to see it used as a get-out-of-jail pass.

The only thing more ridiculous than this exception would be if the EU decided to try and prohibit it, so let us be grateful that query parameters don't also require consent.
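To make the "less secure" point concrete, here is an added example written for this page (not code from the original page). It models where a session identifier carried in the URL ends up that a cookie-based session would not: in any URL the user bookmarks or shares, in server access logs, and in the Referer header a browser sends when the user follows a link to another site, depending on the referrer policy in force. It then shows one mitigation for the logging case, redacting the parameter before the URL is written out. The site names, the session value and the parameter name are constructed.

```javascript
// Added example (not from the original page): where a session carried in the
// query string leaks, and how to redact it before logging. Hostnames, the
// session value and the parameter name are constructed for illustration.

const SESSION_PARAM = "session";

// Build the kind of URL the page describes: the session travels in the query.
function sessionUrl(base, sessionId) {
  const u = new URL(base);
  u.searchParams.set(SESSION_PARAM, sessionId);
  return u.toString();
}

// The Referer a browser would send when navigating from fromUrl to toUrl.
// Two policies are modelled:
//   "no-referrer-when-downgrade": the legacy browser default; the full URL
//       (minus fragment) is sent unless going from HTTPS to plain HTTP.
//   "strict-origin-when-cross-origin": the current browser default; the full
//       URL for same-origin navigations, origin only for cross-origin ones.
// Returns null when no Referer would be sent.
function refererFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  if (downgrade) return null;
  const full = new URL(fromUrl);
  full.hash = "";
  if (policy === "no-referrer-when-downgrade") return full.toString();
  if (policy === "strict-origin-when-cross-origin") {
    return from.origin === to.origin ? full.toString() : from.origin + "/";
  }
  throw new Error("unsupported referrer policy: " + policy);
}

// Does a value that would be sent or stored contain the session identifier?
function leaksSession(text, sessionId) {
  return text !== null && text.includes(sessionId);
}

// Mitigation for the logging case: replace the session parameter before an
// access-log line is written, so the identifier never lands on disk.
function redactForLog(url) {
  const u = new URL(url);
  if (u.searchParams.has(SESSION_PARAM)) u.searchParams.set(SESSION_PARAM, "REDACTED");
  return u.toString();
}

// Walk through the scenarios and return the findings (constructed inputs).
function demo() {
  const sid = "s3cr3t-session-id";
  const page = sessionUrl("https://shop.example/cart", sid);
  const partner = "https://partner.example/offer";
  return {
    page,
    legacyLeaksToPartner: leaksSession(refererFor(page, partner, "no-referrer-when-downgrade"), sid),
    modernLeaksToPartner: leaksSession(refererFor(page, partner, "strict-origin-when-cross-origin"), sid),
    modernLeaksSameOrigin: leaksSession(refererFor(page, "https://shop.example/checkout", "strict-origin-when-cross-origin"), sid),
    logged: redactForLog(page),
  };
}
```

The cross-origin case is the one that matters for the third-party content discussed earlier: with the legacy policy, every outbound link and embedded resource on the page receives the session in the Referer. A Referrer-Policy header or meta tag limits that, but the bookmark, shared-link and log exposures remain, which is why the page calls this approach a loophole rather than a recommendation.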

What about IPv6? Won't that implicitly track everyone?

More or less, yes.

IPv6 is the next generation technology for addressing devices on the Internet, and is being slowly adopted around the world. It provides a frankly insane number of addresses - so many that in theory, every device on the internet would have its own fixed IP address. (At the moment, your IP address is not a reliable indicator of who you are).

If and when this happens, tracking a user would be almost unavoidable, and cookies wouldn't be needed for many tracking purposes. IPv6 is many years away from being widespread.