What is affected?

We've broken down the most common uses of cookies and explained how the law affects them.

Analytics

Status: Prohibited in current form
Inconvenience: High

Analytics software is used to measure the behaviour of visitors on a website, for example the number of people visiting a site, or making it from one part (say your homepage) to another (your checkout). The most famous analytics software includes Google Analytics, Omniture and WebTrends.

To do any kind of analysis of individual viewers - i.e. measure a series of pages, not just a single page - cookies are essential. Nearly all of the valuable analysis that analytics does is at this level: for example, determining how long people spent on a website, or working out what search terms resulted in the most valuable customers.

All of this requires using cookies for one purpose only: to track the behaviour of your visitors. The UK's regulator (the Information Commissioner's Office) says:

"... some uses of cookies can involve creating detailed profiles of an individual's browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive - the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent."

It would be difficult to argue that tracking your visitors is "strictly necessary for a service requested by the user", and indeed the same UK government body now requires visitors to its own website to opt in before being tracked with Google Analytics.

(We dive into the meaning of "strictly necessary" in more detail in our FAQ, but suffice it to say it is meant to be very restrictive.)

So it appears the only way to use cookie-based analytics in the UK is to ask your visitors for permission.

For the rest of the EU, the jury is still out, but early signs suggest that other countries will adopt conflicting approaches. This would create a muddled situation where analytics is enabled or disabled based on the country of the user.

There are some forms of cookie-less analytics as well, such as web log analysis. These appear excluded from this law but offer far less information than their cookie-based alternatives. They're also impractical for many website owners to install.

Advertising

Status: Behavioural ads prohibited
Inconvenience: Potentially devastating

Advertising by itself isn't affected by the law, but nearly all web adverts are measured and targeted automatically via cookies, based on the behaviour of that user over time. The reason for this is simple: behavioural ads are vastly more effective - some studies have shown them to be twice as effective.

Unfortunately, behavioural ads are explicitly prohibited by the EU without prior consent from the user, which is not going to be easy to obtain (how do you ask "can we track you to make our advertising more effective?"). This could mean a real financial hit to anyone dependent on online ads.

In the EU's own guidance they acknowledge this problem, but say privacy is more important:

"Behavioural advertising entails the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests. While the Article 29 Working Party does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals' rights to privacy and data protection.
... advertising network providers are bound by Article 5(3) of the ePrivacy Directive pursuant to which placing cookies or similar devices on users' terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users."

EU Data Protection Working Party

Websites that use behavioural ads will have to consider either untargeted ads, or asking their users an intrusive question. Either option will hit their revenues. Any technical solutions will have to come from the advertising network (e.g. Google AdSense), so most sites can't do much themselves yet other than drop adverts entirely.

A minor note: most online advertising is now based on Google's model of Pay Per Click, where an advertiser only pays when their advert is clicked on. To avoid this model being abused by endless repeated clicks from a handful of users, cookies are used to track the user. We suspect that this use of cookies could conceivably be defended as "strictly necessary" if it doesn't impair the user's privacy, but even this is questionable.

Conversion tracking

Status: Debatable, but we're not hopeful
Inconvenience: Potentially devastating

A common use of cookies is to track conversions from a specific source. Amazon, for example, pay people who bring them customers a small slice of their profit. Many websites track whether a specific ad results in a conversion on their website.

These are popular for clear reasons and it remains unclear whether their use is permitted by the law; sadly we suspect not. In contrast to behavioural advertising, the EU hasn't specifically stated this isn't allowed, so we're forced to guess.

Tracking a user without their consent is clearly frowned upon, but you could argue that clicking on an advert made it "strictly necessary" that this would happen. Unfortunately while it may be necessary for the poor website owner, the law is aiming to protect the user. It could be interpreted either way - we suspect that the user wouldn't see being tracked as necessary though.

If that's the case, we can't see any sane way users could be asked for permission for this. Imagine if every time you clicked on an ad you then had to agree to be tracked in case you bought something. You may as well force all advertisers to write their copy in Japanese.

This is one of the finest examples of why this law is so confusing.

Anti-spam filtering

Status: God only knows
Inconvenience: Minor

Most websites with a form on them attract an unholy amount of spam. A common technique for reducing this is to set a cookie in the browser using JavaScript, which spam bots won't send when they submit a form. The result is less spam for website owners.

We don't see any way in which this compromises the privacy of web users, so we believe it would be protected as a necessary technology, or at least not frowned upon heavily as an invasive one.

Load balancing

Status: OK
Inconvenience: None

Some websites use cookies to spread the load to their website over multiple servers. The cookie remembers which server they're talking to so their experience is consistent.

These cookies are almost unquestionably permitted as technically essential for the provision of the service that the user would expect. They also tend to be unique, so it's extremely unlikely that a cookie would do double-duty and, say, track the user as well - you should of course check to be sure.

Social media plugins

Status: Prohibited, but with contentious liability
Inconvenience: Frustrating

Social media plugins - such as the Facebook Like button - almost all use cookies to track their visitors in a way that goes beyond what a user might expect. If you visit a website with a Facebook Like button on it, then Facebook know about it - even if you're not logged in to Facebook, and don't click their button.

Of course these plugins have to use some cookies to work. Without cookies these buttons would need to ask you to log in every time you clicked on them. But to justify the cost of providing these buttons, they generally go further and mine for information, which specifically violates the new privacy law.

Future versions of these social plugins could arise which wouldn't do this, but we wouldn't hold our breath.

User preferences

Status: A mess
Inconvenience: Minor

Many websites use cookies to set and recall a user preference - for example, to allow larger text for visually impaired users. Without cookies this would be impossible.

Shockingly, the UK regulator appears to specifically question whether even this is allowed:

"The only exception to this rule is if what you are doing is 'strictly necessary' for a service requested by the user ... The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users' preferences ..."

Try not to spit your own teeth out when reading that.

Qualifying their own guidance, they later say:

"It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.

The more privacy intrusive your activity, the more you will need to do to get meaningful consent."

The vast majority of user preferences are privacy neutral - the user's preferred font size, or what order they would like their news articles to be displayed in. We therefore understand that websites would need to do less to comply with user preferences cookies; presumably with a small disclaimer underneath the affected feature.

But wait. The above quotes are from the UK regulator of this law, and seem to contravene what the EU directive allows:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

We would argue that if a user sets a preference for a website - say by clicking on a button - they have "explicitly requested" a service, and that to provide that service cookies are "strictly necessary".

In essence, we think the ICO's mention of user preferences is false or at the very least confusing. But remember, we're not lawyers.

The one thing we know for sure is that no-one seems to know anything for sure.

Add to basket

Status: OK, with caution
Inconvenience: None

Adding something to a basket is almost impossible without cookies. The user clearly expects this action to store something about them for a short while - accordingly cookies are "strictly necessary" and allowed. The ICO even cited this as a specifically permitted use of cookies.

"This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the 'add to basket' or 'proceed to checkout' button, your site 'remembers' what they chose on a previous page. You would not need to get consent for this type of activity."

There is a caveat: the cookies which allow adding to a basket sometimes are shared for other purposes. Because many sites implement this through general purpose 'session' cookies, this can be quite common, and you should check to be sure.

Login

Status: OK, with caution
Inconvenience: None

Logging in to a website is almost impossible without cookies, and the "remember me" checkbox that appears below most login forms is entirely impossible. The user clearly expects a login facility to remember who they are for a time - accordingly cookies are "strictly necessary" and allowed in most cases.

There is a caveat: the cookies which allow login sometimes are shared for other purposes. This is particularly true if they don't expire when the user has logged out; the user may still be tracked and didn't implicitly consent to this. Because many sites implement login through general purpose 'session' cookies, this can be quite common.

Remembering whether cookies are allowed

Status: Hilarious
Inconvenience: Moderate

[Image: a popup reading "This website wants to use cookies"]

So this is at least funny.

Assume you ask a visitor whether they consent to using cookies. How do you remember their response - with a cookie?

If you want to avoid asking the user the same question on every page, you'll have to. Of course if they accept the use of cookies, you can set a cookie and never ask them again. But if they don't, you can't remember, so you have to ask them the same annoying question on every page.

What this means is you can't really show a popup window like the one above. There's no point giving them a "No way" button because you'll have to ask them again, and the popup would appear on top of your page and drive any visitor to insanity.

So you'll probably need an accordion strip like this instead, with a single button:

[Image: a strip with a single button reading "I want to set some cookies"]

The strip would appear at the top or bottom of every page. It would be mildly intrusive of course, but at least the user could dismiss it with a single click.

Never mind that storing a single on/off cookie that holds no private information whatsoever and specifically recalls that you don't want to be tracked is actually in violation of the law that it would be upholding.

Still, at least it's funny.
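
The consent flow described above, as an added example that is not part of the original page: only an acceptance is stored, so a visitor who has not accepted sees the strip again on every page, and the purposes this page marks as needing consent stay switched off until then. The cookie name, element ids and purpose labels are assumptions made for the illustration, and the Secure attribute assumes the site is served over HTTPS.

```javascript
// Added example; cookie name, element ids and purpose labels are hypothetical.
const CONSENT_COOKIE = "cookie_consent";
// Purposes this page lists as needing consent before any cookie is set.
const NEEDS_CONSENT = new Set(["analytics", "behavioural-ads", "social-plugins"]);

// Parse a document.cookie-style string ("a=1; b=2") into exact name/value pairs.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Only an explicit acceptance is ever stored; a refusal leaves no cookie behind.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "yes";
}

// Without a stored acceptance the strip must be shown again on every page.
function shouldShowStrip(cookieString) {
  return !hasConsent(cookieString);
}

// Filter the purposes a page wants to use down to those allowed right now.
function allowedPurposes(cookieString, purposes) {
  const consented = hasConsent(cookieString);
  return purposes.filter((p) => consented || !NEEDS_CONSENT.has(p));
}

// Cookie string written when the visitor clicks the strip's single button.
function consentCookie(maxAgeDays = 365) {
  return `${CONSENT_COOKIE}=yes; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring; skipped when run outside a browser (e.g. under Node).
if (typeof document !== "undefined") {
  const strip = document.getElementById("cookie-strip");
  const button = document.getElementById("cookie-accept");
  if (strip && button) {
    strip.hidden = !shouldShowStrip(document.cookie);
    button.addEventListener("click", () => {
      document.cookie = consentCookie();
      strip.hidden = true;
    });
  }
}
```

Analytics, advertising and social plugin scripts would be loaded only when `allowedPurposes` returns their label, while login, basket and load-balancing cookies pass through unchanged.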