Upcoming changes to cookie laws

As I’m sure most readers are aware, the European e-Privacy directive is due to be implemented in the UK in May and will result in a change in the law relating to cookies (small files stored on your computer’s hard drive). This change is getting increasing coverage on techie mailing lists and even on more mainstream news sites such as the BBC.

The law states that cookies or similar devices must not be used unless the subscriber or user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • is given the opportunity to refuse the storage of, or access to, that information.

The only exceptions are cookies that are “strictly necessary” for provision of a service. The oft-cited example being session cookies for e-commerce sites etc.

The law will mean that consent must be obtained for all other cookies, including cookies used for Web analytics (such as Google Analytics), personalisation or any other non-essential purpose (e.g. advertisement tracking).

The Information Commissioner’s Office (ICO) is yet to issue clear guidance to developers on how to obtain consent. For example, this could be interpreted as having to implement functionality ensuring that users confirm consent in a web page/pop-up etc when a non-essential cookie is to be set. Alternatively it may be that consent could be implied by browser settings. Obviously any intrusive mechanism of consent is likely to present a barrier to users so developers are awaiting the guidelines from ICO with interest.

The ICO has said that they will give organisations time to adapt and so won’t be in a position to start enforcing the law immediately. So, for now, it’s perhaps just a case of being aware of the impending change and waiting for guidance from the ICO.

Further reading:

Update: 25/05/2011

The law comes in to effect tonight and, although the ICO has now issued guidance, the steps Web developers should be taking remain far from clear. At this time it’s hard to see how a site setting non-essential cookies (such as those used for Web analytics) could comply with the law without intrusive interstitials or pop-ups. These approaches could be seen to dramatically decrease usability and offer a competitive advantage to similar sites operating outside of the European Union.

In an ICO press release today they say that organisations have up to 12 months to comply with the new law.


  1. One of the things I’m unsure on: How does this law apply with regards to Geographic location? Surely it requires the website to know that the user is from an EU country so that it can display the required permission pop-ups?

    Or is it enforced by the location of the server?

    Otherwise, not only will it be bothersome to EU companies, it’s gonna be a pain in the ass for the whole world!

  2. Hi James

    My understanding (and I should point out I’m a techie and definitely not a lawyer) is that the location of the server or user doesn’t matter. The laws govern the organisation itself not the servers etc.

    So, organisations that are registered in an EU country are bound by laws arising from this directive irrespective of whether their site is hosted on servers outside of the EU. Similarly, if the user is outside of the EU then, when accessing a site run by a company registered in an EU country, this directive would still apply.

    An analogy being perhaps that an organisation in the UK is bound by the Data Protection Act. The protection that the Act provides encompasses all personal data held by the company irrespective of whether the data being held is about people in other countries.

    As I said, that’s my understanding but I’m sure the ICO will address these queries in their guidance.

Comments are closed.