EU Cookie Law

On May 26th 2011 a new EU cookie law came into effect. The new law states that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store most cookies on users’ computers.

The Information Commissioner’s office has given organisations and businesses up to 12 months to ‘get their house in order’ before enforcement of this law begins.

What are cookies?

Cookies are little files that almost all websites use as a kind of memory. They are stored in your browser and enable a site to remember little bits of information between pages or visits. This is often used to store a user’s preferences.

Who is in charge of this?

The DCMS (Department for Culture, Media and Sport) are legislators they write and pass laws.
The ICO (Information Commissioner’s Office) are regulators they police and enforce the laws. ICO is obliged to investigate any complaints it gets about the use of non-compliant cookies.

Are all cookies affected?

According to the legislation the vast majority are - all cookies that are not "strictly necessary for a service requested by a user". The law allows an exception for "strictly necessary" cookies, such as those used to remember when something has been added to a shopping basket. These cookies would be expected by the user implicitly for the action they requested to be carried out. Another example would be login.

How do I comply with the new law?

The ICO has issued some guidance on how to comply ( This can be summed up as:

  • Find out what cookies you are using on your site.
  • Work out which cookies you need to obtain consent for (there are some exceptions)
  • Build a process of obtaining consent into your website.

The ICO have implemented a bar at the top of their website ( which allows people to consent to cookie use.

Can I still use Google Analytics?

Google Analytics uses cookies to track user behaviour and therefore before its use you need to obtain users consent. There are systems that have been developed to obtain consent before google analytics is used on a site (

However when ICO changed their website in order for it to conform to the requirements it resulted in a 90% drop in analytic data gathered!

Google have only made one comment so far on their Web Analytics tv
Basically they said they are working with European governments to come up with a solution.

Until May 2012…

Until May 2012 ICO will be satisfied if your business is preparing for a change in the law on website cookie usage. In order to comply you would need to:

  • Conduct an audit of Cookie usage on your website. Detail how each cookie is being used by the website and when it expires. Ensure you note any cookie usage connected with third party advertisements, as these will be the highest concern to the law makers.
  • Make sure you have a website privacy/cookie statement, which include details of cookie usage.
  • Make sure your privacy/cookie statement explains in plain English what a cookie actually is.
  • Provide instructions on how to switch on web browser cookie screening, including all the major web browsers.

After May 2012

After May 2012 ICO will start enforcing the law. Nobody really knows what this means yet.

Essentially the next step is to wait until there is a further announcement by the UK government. It will worth keeping an eye on government website such as or organisations such as the to see how they react.


April 2012 Update

The Register asked ICO for clarification concerning the use of cookies for analytical purposes. The responed saying;

"Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals."

More information is available here

So it looks like there is a repreive for google analytics!

| Date Submitted:


2012-05-12 11:19:37.0
Haydn Cooper
Useful blog entry. Thanks for the info, but I don't quite agree with your conclusion that there's a "reprieve".

Yeah, they say "highly unlikely" but that's like saying it's highly unlikely that you'll be stopped by the police for travelling 33mph in a 30 limit zone. They haven't actually said it's ok to do it. They're just acknowledging that they won't make that a priority (which we all knew anyway).

I know that I am priority number 6-billion-and-three to the internet cops, but it's more about what message I'm giving to my visitors. Maybe over time, cookie legislation compliance will look like the professional thing to do, whereas to have a site that doesn't do it will be bad form. So by complying now, you're saying to visitors "call me a stickler, but here we like to do things right."
Your email address will not be displayed on the site
* indicates a required field