EU cookie law compliance

This article was originally published in May 2012.

We hope this answers most people’s questions about the cookie law and how to comply.

We don’t want to duplicate what you can find easily elsewhere but rather consider the various interpretations of compliance and help business website owners make a considered decision. If you have any questions which you think should be included here, please email us at rob@reactor15.com.

New legislation came into operation on 26th May 2012: the so-called EU cookie law, which is part of the Electronic Commerce Directive.

In essence, the cookie law states that you must ask visitors to your website for permission to place cookies on their computer.

What are cookies?

Cookies are little bits of information placed on users’ computers when they visit your website. They do things like help track traffic and visits, personalise content and remember you next time you visit.

Essentially the law says that you have to ask permission to place code of this sort onto a user’s computer – you need permission and the user must be aware of what is happening.

Does the law apply to me?

The law applies to every website used for business purposes.

Does my website use cookies?

Many businesses use cookies to track visits from their customers with tools like Google Analytics. Though Google sets the cookie, you’re responsible for telling users about what cookies are used when they visit your site.

What third parties use cookies?

If you use Google Analytics, or you’ve installed social media widgets on your site, the chances are that you will be using cookies.

Why isn’t everybody complying?

Compliance has been slow. The Information Commissioner’s Office has had to write to the 75 largest websites in the UK to prompt compliance. Part of the issue is that the ICO wanted to leave the industry to “discover” what best practice was. So companies have been left largely to find their own solutions. Over the last few weeks, though, we’ve seen practices gradually emerge.

What is explicit consent and implied consent?

At the last minute, the ICO changed its guidance. The guidance previously said that consent had to be explicit, e.g. ticking a box before cookies are allowed to be set. The guidance changed to make “implied consent” an acceptable form of compliance.

We understand that a Freedom of Information request to the ICO meant that they revealed their recorded traffic dropped by 90% when they implemented their solution.

We don’t know if this is true, but it’s a rule of thumb that wherever users are required to take action, something has to be in it for them. We can see why recorded traffic would plummet, because many users just won’t bother to tick the box during their website visit.

What does implied consent mean?

Here is what the ICO have said:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

ICO cookie guidance

Our interpretation of these words is:

  • Users don’t necessarily have to tick an agreement box for you to be compliant
  • If you’re not seeking explicit consent, you need to make sure that your customers know that if they continue to use your website, cookies will be set
  • A privacy policy alone is not enough – both because the language they use is often complex and because people rarely read these policies as a result.
  • Our interpretation (and this is only our interpretation) is that even a prominent link on your website (such as Privacy Policy or Cookie Policy) may not be enough
  • If you are collecting sensitive personal data (as opposed to anonymous traffic data) then it’s down to your judgement about whether you need to seek more explicit consent

BUT many people across the industry have done different things.

What is everybody else doing?

FT.com

The FT uses explicit consent by placing a window in the middle of the screen that you have to close. By closing the window, the user accepts that cookies will be used and has been informed about how they can change the settings on their browser. See it in action.

The Guardian

The Guardian, on the other hand, places a bar near the top of the page informing the user that continuing to use the website means that the user is agreeing to cookies being set on their computer. See it in action.

The ICO

The ICO uses a tick box and asks for specific agreement. If the stories are true, requiring action of users in this way means that you lose 90% of traffic data. For massive sites this is bad, but for small to medium business websites we think it’s an absolute disaster because you are losing 90% of a much smaller volume of traffic information. See it in action.

John Lewis

John Lewis again takes a different route. They have made their privacy and cookies information highly visible in the top right hand corner of the site – but there are no explicit warnings about cookies being set. See it in action.

Figleaves.com

Figleaves is a prominent opponent of the law. Their site has a link to the cookie policy at the bottom of the page, but nothing else. Visit the site.

No wonder there is so much confusion! These 4 large brand names show how differently people are interpreting the whole issue. And it is this wide variation in interpretation which is causing confusion for smaller business owners.

Which version of the law should I follow?

We can only provide information to the best of our ability, based on what we’re seeing in the industry.

Explicit Consent

If you collect really sensitive information and/or don’t mind losing 90% of your analytics data and hampering other potential functionality run by cookies, then this is by far the safest, most compliant option. We think the kind of business data that analytics can give is essential and to live without it is commercial suicide. But apart from commercial suicide you’re totally compliant with the law…

Implied Consent

This means visibly informing customers that if they continue their visit on your site (from whichever page they land on first) then cookies will be set.

Prominent Cookie Link

Whilst some sites have gone for this, we’re not convinced it’s sufficiently compliant. Having said that, it’s the cheapest thing to do if you already have a privacy and a cookie policy. If the ICO were unhappy with this kind of approach, you might reliably bet that the big players would get their knuckles rapped first in court.

Ultimately, how you approach the cookie law is your decision, but it is now in UK law. The ICO want to see, at the very least, visible movement towards compliance. They are unlikely to batter small business owners with the £500,000 they are empowered with.

It’s also possible that we’ll see browsers (like Firefox, Internet Explorer & Chrome) emerge with clearer options for accepting or refusing cookies.

The market has yet to truly crystallise in terms of its wholesale response and we think that the chips are still falling. What’s certain for us is that people are gradually complying and the ICO is definitely going to pursue compliance.

Information Sources:

ICO Cookies Guidance

ICO Updated Guidance

