How to comply with the new EU cookie law

How to comply with the ne...

How to comply with the new EU cookie law
22 May 2012

How to comply with the new EU cookie law

From the 26th May, technically, every website that is available in the UK/Europe should:

  • notify visitors of the cookies they use and what each cookie does
  • ask for explicit consent from the visitor on the first page load.

The EU Cookie Directive, which has come to be known as the Cookie Law, will present a massive step backwards for site operators who have grown accustomed to the masses of data available for analysis and more. But, there still aren’t any clear examples which do the job in a user-friendly way.

The Law

a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

What The Law Means

Firstly, visitors must be clearly notified of the cookies that will be stored and be given comprehensive information about what each cookie does. Secondly, they must give their explicit consent for the cookies to be stored.

Let’s remember, that this is for any cookie set on a website. For example, most sites will set a session cookie at the very least; more complex sites will set third-party advertising cookies, preference cookies, past-behaviour cookies and more.

The comprehensive information you need to provide can’t just be “We set cookies to improve your experience”. The information should explain:

  • what a cookie is
  • why they are used on your site
  • what cookies, or the categories of cookies, are set
  • an example of what they do

Is There Anything Else?

Yes. There are several use cases for exceptions.

Some cookies are “strictly necessary” for the “provision of… services… requested by the… user”. An example given by the ICO is that of an online retailer, where a cookie is “used to ensure that when a user… has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page.”

This also includes load-balancing cookies and cookies set for security (by an online banking service, for example). However, cookies set for analytics or advertising are not seen as strictly necessary, and so need to be given explicit consent in order to be dropped.

My website is a personal site, do I still need to comply?

Even if your website is non-commercial, you should still comply with the EU cookie law if you drop non-essential cookies.

What About Browser Settings?

Browser settings aren’t enough – yet.

…if the user visits a website, the website can identify that their browser is set up to allow cookies of types A, B and C but not of type D and as a result can be confident that in setting A, B and C they have the users consent to do so. They would not set cookie D.

At present, most browser settings are not sophisticated enough…

But it could become an option in the future.

Anything Else?


The ICO guidelines make allowances for instances where a visitor is given clear notification and the chance to explicitly consent, but then clicks on an internal link elsewhere on the page.

In this case, all cookies can be set on what is effectively the second page load – as long as the initial notice is clear, you can infer that they have “actively indicated they are comfortable with cookies”.

The ICO does say though that you may want to prominently display a notice to remind users that you have set cookies.

Will We Be Prosecuted For Dropping Analytics Cookies?

Probably not.

Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services…

How To Get Started

There are many different interpretations of the law, but below we’ve identified three steps to ensure you’re ready for the Cookie Law.

The First Step For Site Operators

Site operators need to firstly carry out a cookie audit. This means looking at:

All of the cookies your site sets and why

This is useful not just for this purpose, but because it can also help reduce things like page loads and get rid of redundant cookies which you may still be setting.

How intrusive each cookie is

The ICO document notes that “although the law makes no distinction between different types of cookie it is intended to add to the level of protection afforded to the privacy of internet users.”

Effectively, this means that the more intrusive your cookies, the more you should think about changing how it is used – although there is no need to notify users of how intrusive the cookies you set are.

Whether a cookie is “strictly necessary”

In some use cases, there will be cookies that are strictly necessary and that abide by the “spirit of the law” set out in the regulations – in which case these can be set automatically, without the need to gain consent. Remember that only cookies which are strictly necessary for the provision of a service requested by the user can be set.

Where can I find out more about the law and how websites are implementing it?

Econsultancy’s solution to EU e-privacy directive compliance

If you are unsure why not give us call or drop us a email on, we can help you to ensure you site is compliant