Cookie law makes most UK websites illegal: what you need to know

Cookie law makes most UK websites illegal: what you need to know

Cookie law makes most UK websites illegal: what you need to know

Most UK websites became technically illegal on May 26th 2011, due to a new law on cookies. Websites now need to ask for permission before they can set most cookies.

Girl looking at real cookies in a jar

We’re going to look at what the law means for you, and what you can do about it.

1. Does this affect me?

If you’re based in the EU, almost certainly, yes.

The law which comes into effect this week is for the UK, but stems from the EU’s Privacy and Electronic Communications Directive, which will ultimately apply to all websites in the EU. The UK, Denmark and Estonia have published official guidelines, with 21 other member states to follow (they missed their deadline).

The law affects any website which uses ‘non essential’ cookies, such as visitor tracking code or advertising, and does business in the UK. For example, if your website uses Google Analytics, this law affects you.

2. Is this a joke?

Unfortunately not – despite many complaints this law is very real.

So far I’ve not found a single person with anything good to say about this new law, with most web developers confused about what they actually need to do to, and jokes about how to implement the recommendations. There’s a huge backlash against the regulations, and quite a lot of scaremongering about the implications.

The EU’s arrogance in presuming to legislate for a global world wide web is matched only by its hilarious technological incompetence: cookies have dozens of uses besides the advertising and tracking purposes that this directive is aimed at “protecting” against, most of which enable key features of web pages that users will be severely inconvenienced without. Cookies are a core component of how today’s internet works.

Milo Yiannopoulos, technology columnist for the Telegraph.

If you need convincing, you can find the official ICO guidelines here.

3. But can’t people turn off cookies in their browser?

Sadly this is not enough.

All modern browsers have the ability for a user to change their settings concerning cookies, and block websites from storing cookies on their machines. Previously, the law said if your website does store cookies, you need to let your users know why you store cookies, and give them clear instructions on how to ‘opt out’ if they objected. Many websites did this by writing a privacy policy.

The new law however ignores the settings you currently have set in your browser, saying:

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.”

This means for now it’s up to the owner of the website to ask for the user’s consent when they visit their website. It’s possible that we’ll be able to rely on browser settings sometime in the future. But who knows how long that will take?

4. Are all cookies affected?

All cookies that are not “strictly necessary for a service requested by a user” are affected.

For example, if a user adds an item to their shopping basket, that would be considered necessary – a cookie is technically required to remember that user and retain their basket contents. Similarly, to log in to a website a cookie may be necessary.

However a cookie which was set to welcome a user back to a website, or to record what pages they view would not be strictly necessary. In particular, this means you can’t use traditional analytics without permission.

Many cookies serve multiple purposes, and if any of these are not strictly necessary they must be explicitly opted into. This is an obvious problem with technologies that set a single session identifier, including virtually all server side programming languages (PHP, .NET, JSP etc).

5. What are the penalties?

Penalties are financial and potentially severe.

The ICO (the body responsible) has the power to serve penalties of up to £500,000 (about $800,000) to organisations that seriously breach the law. Details are still being defined and are likely to be tested in court.

6. What happens if I don’t comply in time?

The ICO announced at the last minute that companies have until May 2012 to comply.

The ICO says:

“The government’s view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.”

ICO Guidelines

Which means we at least have some time to change our websites, as long as we tell them that we’re planning to make the change. According to the ICO, although our time runs out around May 2012 they expect to see us working towards that deadline in advance.

7. What are the official recommendations?

They are vague, but there are some suggestions you can act on now.

Now that we’re all suitably panicked about this new law and know we might go to court if we ignore it, we expect some detailed and clear instructions for what we should do next. Unfortunately this is where the guidelines fall short. The recommendations are vague and it’s not exactly clear how we could ask users without ruining their user experience.

The official recommendations are:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

Whilst the first two are straightforward, the third is not.

The ICO make broad suggestions involving pop ups, and getting users to accept your terms and conditions. Which website developers and owners won’t be happy about these as they are a major distraction from the website’s content. They haven’t specified any firm examples however, and seem reluctant to do so:

“However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do.

You can look at what the ICO have done on their own website. We will be posting our own detailed recommendations on this in the near future, and we’re adding more cookie testing to our own SiteBeam website testing tool in the coming weeks.

What about similar technologies to cookies?

All “similar technologies” to cookies are covered by this law.

This includes Locally Stored Objects (so called ‘Flash Cookies’), HTML5 Local Storage and anything else which stores information about a user. For brevity, these are all usually referred to as ‘cookies’.

What the ICO has made clear is that websites can’t comply with this law by using another technology that does that same thing as cookies.

8. Does it only affect websites hosted in the UK?

It’s not clear at the moment if websites outside the UK will be forced to adhere to this same law when users from within the UK use their websites. This could lead to a different user experience for people inside and outside the UK.

“It’s not beyond the realms of possibility that the Wall Street Journal or New York Times will decide it’s simply not worth serving pages to the UK when it’s impossible to monetise them and the user experience is so poor.”

Milo Yiannopoulos, technology columnist for the Telegraph.

The implications of this could be catastrophic. Users within the UK could be blocked from viewing international websites, or it’s possible that our favourite UK companies will move elsewhere.

“We should also expect British advertising technology firms — one of the hottest sectors in British tech — to decamp to the US, where the law is less restrictive.”

Milo Yiannopoulos, technology columnist for the Telegraph.

9. What does the EU have against cookies anyway?

The concern is that current mechanisms are considered inadequate to protect user’s privacy.

Like any technology, cookies can be used for good as well as bad. For example, almost any time you log in to a website, you’re using cookies. This ‘essential use’ would be protected by the new law, however.

A more intrusive example might be that your favourite shopping website could set a cookie to track which websites you’re visiting to find out your hobbies and interests. They can then use this to customise what products they recommend to you in future. You can look at this two ways; as an advantage because you receive better and more customised service, or as a disadvantage because it invades your privacy. With this law at least users will have a clearer idea about what information is being collected about them.

10. What should we do?

Almost nobody likes it, but this law will be hard to ignore. It’s possible that a long term solution will be found in browser technology, but until then it’s us as web developers who need to start taking action.

There are only three real options for website owners:

We go into these in more detail in this video.

Everyone is still figuring out how best to make the law work. We’ll be following up this article with our own detailed recommendations as we work on our own websites. Stay tuned.

More news & opinions on the cookie law

Official resources

Share on Facebook Share on Twitter


Once enabled, you'll be able to comment on our blog articles. By doing so, Facebook will know you have visited this webpage and may use this information to deliver personalised advertising.