Monthly Archives: March 2011

Upcoming changes to cookie laws

As I’m sure most readers are aware, the European e-Privacy directive is due to be implemented in the UK in May and will result in a change in the law relating to cookies (small files stored on your computer’s hard drive). This change is getting increasing coverage on techie mailing lists and even on more mainstream news sites such as the BBC.

The law states that cookies or similar devices must not be used unless the subscriber or user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • is given the opportunity to refuse the storage of, or access to, that information.

The only exceptions are cookies that are “strictly necessary” for provision of a service. The oft-cited example is session cookies for e-commerce sites.

The law will mean that consent must be obtained for all other cookies, including cookies used for Web analytics (such as Google Analytics), personalisation or any other non-essential purpose (e.g. advertisement tracking).

The Information Commissioner’s Office (ICO) is yet to issue clear guidance to developers on how to obtain consent. For example, this could be interpreted as having to implement functionality ensuring that users confirm consent in a web page, pop-up, etc. when a non-essential cookie is to be set. Alternatively, it may be that consent could be implied by browser settings. Obviously, any intrusive mechanism of consent is likely to present a barrier to users, so developers are awaiting the guidelines from the ICO with interest.

The ICO has said that they will give organisations time to adapt and so won’t be in a position to start enforcing the law immediately. So, for now, it’s perhaps just a case of being aware of the impending change and waiting for guidance from the ICO.

Update: 25/05/2011

The law comes into effect tonight and, although the ICO has now issued guidance, the steps Web developers should be taking remain far from clear. At this time it’s hard to see how a site setting non-essential cookies (such as those used for Web analytics) could comply with the law without intrusive interstitials or pop-ups. These approaches could be seen to dramatically decrease usability and offer a competitive advantage to similar sites operating outside of the European Union.

In a press release today, the ICO says that organisations have up to 12 months to comply with the new law.