Website cookies
Back to all articles

Understand EU Regulations on Cookies: Making Sure you are Within the Law

You may have noticed a lot of news recently concerning how personal data is used by large internet publishers such as Google, Apple and Facebook, for either improving service or as a pervasive and targeted tool for advertising.

It seems that the desire by the internet giant to simplify and blend some current 60 privacy policies into one is (currently) falling fowl of EU regulators.

There has been a huge amount of publicity about this, but buried deep in this news is a far more potent change that is already law and comes into effect within the EU (yes, which includes the UK) on 25 May 2012 – the EU cookie law.

As there has been no clear directive by the government on how best to adhere to this new law, it is important to understand the fundamentals of the policy, what the effects are for your site and what you must do to comply. To make this easier, we have broken this down into a simple Q&A:

What is the new EU Cookie Law?

To give it its official title, the Privacy and Electronic Communications (EC Directive) Regulations 2003, will be taking effect on 25 May 2012. Most sites use cookies to track visitors and information on the visitor. The main part of the new legislation will require website owners to gain consent from users before a cookie can be stored on their computer. The type of cookie being used and what the cookie is for must be made clear before the user gives consent.

This European directive is being driven in the UK by the Information Commissioner’s Office or ICO. On the ICO website it clearly states:

Cookies or similar tracking methods must not be used unless the subscriber or user of the relevant terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

You can find out more from the ICO website.

What is a Cookie?

A cookie is a piece of information in the form of a very small text file that is placed on a website user’s hard drive. The information the cookie contains is set by the website and it can be used by that website whenever the user visits.

There are a variety of different cookies. Here are a few:

  • Session cookie – also known as transient cookies. These are stored on the user’s computer until they leave the website, at which point they are deleted.
  • Stored cookie – Where the cookie is downloaded onto the hard drive and used to identify a visitor whenever they return. The lifetime of this cookie varies from website to website but 30, 60 and 90-day cookies are common.
  • Flash cookie – If you are viewing a video or visit sites that use Adobe, there may be small files downloaded when you watch a video.

Why Does a Website Need Cookies?

The information stored in a cookie allows the website to identify you when you visit and present information accordingly. Below are some examples of cookie usage:

‘Remember me/ Keep me logged in’ – If a website has the functionality available only to signed-in users it can be frustrating for them to log in every time they visit. In this situation a cookie allows the user to return to the website and be taken to their account immediately. Example: Facebook – can you imagine filling in your details every time you visit?

Preferences – Some websites allow you to set preferences on the look and feel, content you want to see and functionality you don’t need. A cookie may be used to ensure your preferences are remembered when you return (please note this is less common these days, where preferences are stored in the database rather than on your computer)

Shopping baskets and recently viewed products – An e-commerce website such as Amazon tries to make the shopping experience as easy as possible for users by storing the contents of your shopping basket and products you’ve recently viewed without you needing to be signed in so that as you browse the site you don’t lose everything you’ve done. These cookies are usually short-lived and may exist only while you’re on the website or for a few hours after you leave.

Analytics/website usage tracking – Many websites rely on analytical software to record how people arrived at the site, what they did while they were there and how and when they left. While this might sound a little ominous, the website owners are not able to identify individuals; there’s no way to know what a particular user viewed, only that an unidentified person did view that particular page.

This information is used to improve a website and ensure the visitors are able to find what they need as quickly and easily as possible.

Third-party advertising services – Some advertising platforms that display their adverts on websites in their network make use of cookies to track whether you’ve seen a certain advert and whether you clicked; however like Analytics, you remain anonymous – the service does not have access to your individual information, only that someone on your computer saw or interacted with an advert.

In truth, it is this type of cookie usage that has driven the push for an EU cookie law as it’s unfortunately open to abuse.

What Type of Cookies Run on your Site?

Though this may seem to be an obvious question with an obvious answer, the truth is that many site owners and publishers do not know. If they do know, they know the basics or make assumptions of what cookies are used.

The best way to determine the cookies your website creates for users is to carry out a full audit. Record cookies that are created, identify what they’re for and decide whether they’re critical to the functionality of your website. Be sure to include third-party services that create cookies, such as Google AdSense, AdWords and Analytics – while you may not be responsible for creating these cookies, they are delivered via your website.

How to Comply With the Law

Firstly, we would like to stress that at the moment there are no official guidelines on how best to adhere to the new law – this has been left open for interpretation by individuals and their websites so the guidance provided below is based on the information currently available, is subject to change and should not be considered definitive.

Furthermore, it’s worth noting that there has not yet been confirmed as to what the penalties will be for failing to comply with the new law. MTM will bring you updates and news as and when we have them.

Asking for permission – This is essentially what everything boils down to – getting permission from the user before placing the cookie on their computer without misrepresenting its purpose or your intentions with the information that results from the cookie. So how can we ask for permission and what’s the impact likely to be?

If we use this as our guidelines there are a number of ways we can approach the problem depending on the number of cookies that your website uses. In the case of our website, we would be required to ask permission for Analytics tracking as soon as someone arrives at the website.

This addresses a few problems

  1. We have asked permission to add Analytics tracking cookies, explained how long they will exist for and that they cannot be used to identify the individual. We’ve provided the option to accept this cookie or reject it depending on how comfortable the user is with us collecting this data.
  2. In the opening line we are linking ‘cookies’ to the corresponding Wikipedia page, should the visitor be unsure of what a cookie is.
  3. To remember what the user has selected we must add a cookie (catch 22!) – but if they are not happy with this we give a final option to close the box.

Of course the issue with this is the box will appear on every page that the user visits – hardly ideal.

Now that’s probably not the most aesthetically pleasing way of solving the problem, but it gives you an idea of what is possible and this method should be suitable for one or two different cookies, but what if you need to ask permission for more – very likely if you run an e-commerce or service-based website.

In this example, the site has managed to ask for permission, explain what each cookie/set of cookies is for and given the user the ability to choose between them or choose none of them – meeting all requirements the EU cookie law sets out.

Take note of the wording used in the example above – you’re asking the user for something so it’s important to be nice about it and make it clear they have a choice. A formal tone of voice with little explanation of what they are able to choose is likely to put people off.

Do I have to Explain Each Cookie?

While you must provide information on all cookies you wish to create it is not necessary to do so next to a request of permission – linking to a privacy notice that includes the information is also acceptable. However, we do not believe this to be as effective and by hiding the information on another page you are making the visitor work – remember you want something from them not the other way around. It’s much easier to click ‘No’ then go and search for an explanation on another page.

Possible exceptions – The ICO has suggested that cookies vital to the correct operation of your website may not need prior permission before being added to a user’s computer, however, this is not confirmed. Those that may fall under this category are shopping basket cookies, where the visitor must be able to store their items in a basket as they navigate through the website.

How Big an Impact Will This Have?

It’s fair to say that when given the choice many people would rather not allow you to collect data on their activities and so we must inevitably accept that there will be a reduction in the amount of data available through your analytics package and all other third-party tools. The ICO itself implemented a similar permission-based technique as explored in the above screenshots and the result was a 90% drop in visitors being tracked by Google Analytics – that’s nine in 10 who declined the cookie.

If you run a website that provides a service or sells products, the impact of this is potentially massive. As marketers as well as business owners, we rely on this data to make educated decisions on how to improve the website and to refine the conversion funnel to grow sales. With a 90% reduction in available data, these decisions will be far from informed.

We must, therefore, make the permission process as effective as possible to drive the 10% of opt-ins up as high as we can.

What Can I do in the Short Term?

Carry out an audit to identify all of the cookies that may be added to the computer of a visitor to your website, whether they are created by you or a third party such as an ad network. Where possible, you should stop these being created or limit their creation to only when they’re strictly necessary.

Where a cookie is required to allow you to achieve your business goals you must ask permission to add them, even cookies vital to the operation of your website – at least until the ICO can bring some clarification on the matter.

We would also recommend keeping up to date with the ICO and any announcements it makes which may offer more official guidance on the subject. You can find them at

To summarise, at the moment there’s no clear directive on the best way to comply with the new law so everyone’s in the dark, to a degree. It’s worth keeping an eye on the big online retailers and website publishers to see what they are doing. Meanwhile, stay tuned to for updates and announcements as and when they happen.

Further information:

  • Google Groups