The EU Cookie Law

In a little over a month, some major changes will be occurring in the European Union with regard to Internet privacy protection. On May 26, sites that fail to comply with the EU ePrivacy Directive disclosure requirements could be subject to fines of up to £500,000.

These changes were outlined in European Directive 2002/58/EC, primarily in article 5. The EU Cookie Law passed last year, requiring website proprietors to disclose up front what information they are recording and to obtain user consent. Sites across the EU, including SpeckyBoy (based in the UK), will have to adhere to these new privacy requirements.

The Cookie Law is a bit of a misnomer: the bill is not just about cookies. Instead, it targets the ways websites have been identifying or profiling users by storing something directly on their device. This means that any locally stored files (in Flash, HTML5, or even cached images) are equally restricted if they impact privacy.

The Information Commissioner’s Office (ICO) website is an example of this: it has a pop-up that links to the website’s privacy disclosure notice and requires the user to acknowledge that the site will set cookies. Some other sites, such as BT, will have a small unobtrusive pop-up that asks if it can continue collecting information in the future.

It’s important to note that when the ICO asked visitors for their consent, it saw a 90% fall in recorded site traffic.

The United Kingdom’s Government Digital Service recently highlighted an important point for EU-based web analytics in the Implementer Guide to Privacy & Electronic Communications Regulations. Quoting the ICO, as long as “clear information” is given about activities, the ICO is “unlikely to prioritize first-party cookies used only for analytical purposes in any consideration of regulatory action.”

Taking into consideration this guidance from the ICO and the fact that the vast majority of websites across the EU have yet to comply, the course of action many seem to be taking is wait-and-see.

Reception does not seem especially welcoming: an Econsultancy survey of 700 EU marketers found that the majority (82%) believed that the e-Privacy Directive is not a good or positive development. A new Econsultancy guide focused on best practices for the new rules had five excellent brief checks to work towards compliance with the new requirements:

  1. Carry out a cookie audit
  2. Evaluate the privacy impact of each cookie
  3. Carry out a business risk assessment
  4. Figure out how you can inform users about cookies
  5. Investigate methods for gaining consent

Does the EU Cookie Law Affect Your Site?

We would love to hear from you in the comments below about how this new cookie law will affect your site.
And please share any resources or solutions.


  • I work as a Designer/FE Developer for an insurance company and we run 60+ quote engines. These engines/journeys are all run on behalf of partners who have their own interests as well.
    We obviously track a lot of anonymous information to gather statistics on the journeys and pricing points etc, and as they are multi-step journeys we need to determine how the user interacts all the way through (and figure if they are purchasing or not). Losing even 2% of the ability to monitor these websites will be a massive blow for sales and marketing.

    Managing this change has been a major headache and the shifting goalposts don’t help one iota!
    I came up with a solution very similar to BT’s, but obviously it has to be scalable and transferable to 60+ websites… it’s not just a simple modal dialogue, we need to have logic to enable or disable all the tracking JS on 10+ pages for each journey too.

    Some math:
    60 * £500,000 = bankrupt.

    Good article, Speckyboy! I’m a big fan :)

  • Amaury

    The fun part is you have to use a cookie to remember if the user wants to use cookies or not :D

  • Simon

    I was reading about these changes on another site recently. There were lots of comments from paranoid people talking about how you can use AdBlock and delete cookies etc after sessions etc.

    Of course once this law is enforced and people continue to do this it means every time they go to any UK based site it is going to ask them if they want to use cookies. It is really going to make for a poor user experience.

    I guess I am hitting 50-100 sites per day and endless popup messages are going to drive me crazy. If you are a heavy web user and make any attempt to delete your tracks you are going to get an endless bombardment of annoying popups and tick boxes. You will pretty much be forced to accept them if you don’t want to be bothered by these messages all the time. 

    This could really be detrimental to sites, particularly smaller ones. Websites don’t run themselves for free and people need to wake up to this fact.

    Too many people want no ads and everything for free… they also don’t understand how tracking can help improve user experience.

    Not to mention the fact that I bet there are millions of sites/blogs out there where their owners are not even aware that they are using cookies!

  • James

    It’s a pain in the ass.

    For our authenticated apps, it is easy, we’re adding a note stating that by logging in they agree to blah blah blah first born child blah.

    For our non-authenticated apps, we’re having to remove Google Analytics and ensure that all of our cookie usage falls within the very narrow exemptions to the law. It’s not the end of the world, but I have more exciting tasks that are stuck on the back burner as a result.

    It’s worth noting that the ICO has said that it won’t just bitch slap you with a fine. They’ll look at everything on a case by case basis and determine what, if anything, you’ve done to make yourself compliant. If you’ve made a genuine effort, I think they’ll give you time to fix any lingering issues. If you’ve just ignored it, then I expect they’ll be less forgiving.

    Until the law takes a couple of trips through the courts, it is not entirely obvious what solutions are going to be acceptable or not. The issue of informed consent is important, which means sticking a bit of boilerplate into a T&C that nobody knows is there probably isn’t going to impress the ICO.

    I’m hoping that the browser manufacturers (or at least plugin authors) come up with a way to automate the acceptance process. It won’t ease the pain of refactoring existing applications, but it might make surfing the web less cumbersome.

  • dwuser

    By making every website illegal but saying, “Don’t worry — we won’t prosecute,” it seems to me that the purpose is purely political.  As pointed out in the video, these laws won’t help protect non-technical users; they will just make life more difficult.  

    Now, any website that garners the ire of a governmental bureaucrat can be selectively prosecuted. Or, if a large corporation has close governmental ties and doesn’t like a smaller rival, it can pull strings to get that smaller rival litigated out of existence. Welcome to the politicized web. -KB

  • Grant Tailor

    Cookies aren’t that bad

  • This is really going to impact sites that rely on revenue from advertising. Most advertisers request site stats to get some idea of the traffic they can expect to receive. Sites that utilise Google Analytics may have to switch to providing traffic stats from their web logs.

  • E

    This is going to sound silly, but as a Canadian owning a .EU domain, does this bill apply to websites (servers located in the EU) and/or .EU domain names?

  • E

    Well, this sucks. Thanks for your help.

  • Carlos Gomes

    Oh you, old suited farts, pretending you have a clue about the internet…

  • I know, hilarious! What’s wrong with cookies anyway? I know they can be misused for evil, but that’s only about 1%, cookies are a very useful technology!

  • Technically this law applies to absolutely anybody who has a website with a European audience, which includes companies outside of Europe, and it doesn’t matter where your website is hosted. 

    Luckily though the EU will have a hard time fining anyone based outside the EU though which means you’re probably safe for now, but technically still liable. 

    Stupid law!

  • I know. My favourite is oatmeal :-)

  • I agree. The ICO totally undermined themselves in the last guidance documentation they released in December which said:
    “Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.” 
    Sounds a bit wishy-washy to me!

  • Well a good example of that is the Disqus comments box I’m using to type this very message – it’s extremely popular and easy to plug into your blog, and I bet many non-technical blog owners don’t know they’re breaking the law just by using it. 

  • As someone new to the web design world, this doesn’t mean any retrospective editing of websites for me, however it does cause a bit of thought on how best to implement this on my current projects.

    Ah well!

  • jwdbiz

    Do you intend to comply come May 26th with this website then? I see you are using Google Analytics and also native Tweet and Facebook Like buttons – all of which will be outside of the legislation… What a pickle we all find ourselves in! I am all for privacy of people’s data – but this directive just feels too wide-sweeping for me currently – needs a revision to make it far more commercially sensible!

  • Pepa

    lol, it’s something like database, you know.