Dishing out your cookies: All the little things you need to know about the new cookie law and cookie compliance

With the new ‘cookie law’ in force from the 26th of May, UK websites are now bound by law to obtain consent from their users before dishing out their web cookies. The new regulation aims at protecting the online privacy of web users and helps them block out unwanted marketing – ensuring that web users are informed about the little data files called cookies that are placed on their computers, mobiles, tablets etc. when they visit a website, giving them the choice to accept or refuse the cookies.

Cookies: What exactly are they?

To start right at the beginning, ‘cookies’ are small pieces of data placed by a website on a user’s computer or internet device. The cookies help the user navigate between pages efficiently, remember preferences and help analyse the user’s behaviour, helping in improving the user’s overall experience on the website. They are not harmful to the computers or internet devices in any way, and cannot be used to read any information on the user’s system or spread viruses or spyware. But, the downside is that they can be used to analyse the users surfing behaviour and help draw up their profiles without their knowledge or consent.

What is the new regulation?

The cookie law is a modification of the EU Privacy and Electronic Communications Directive, which was formed in November 2009, and was adopted by all EU countries on May 26, 2011. The regulation requires UK and EU websites to obtain permission from their users before placing cookies on their internet devices. With the UK updating its Privacy and Electronic Communications Regulation, and adopting the regulation into a law, the UK was given a further time period of one year for ensuring compliance (which ended on 26 May 2012).

Why the new regulation?

Before the implementation of the new directive, users were not given any direct information regarding the placement of cookies on their machines. What existed was an opt-out process, where users could disable cookies by changing their settings on the browser, if they wished. However, this was rare as the average web user is unaware of the technicalities and often fails to read or understand the jargon-packed terms of use (displayed in some obscure corner of the website). It is under these circumstances that the new cookie law was introduced by the Information Commissioners Office ICO, changing the ‘opt-out’ process to an ‘opt-in’ process, stipulating that all websites must obtain ‘informed consent’ from the users before placing cookies on their machines – providing them information that is understandable and easy to access.

What should a website owner do to conform to the new cookie regulation?

  1. Know your cookies: The first step is to know what kind of cookies is being used on your website. To do this, you can try out tools like Bitstorm View Cookies, Attacat cookie audit or even seek professional help and get a cookie audit done. This will help in identifying the cookies used on your website, and will help you compile the information that is to be presented to the users. Your website developer will be able to help you with this.
  2. Decide on whether you will seek ‘explicit consent’ or rely on ‘implied consent’: As per the latest amendment made to the ICO directive (on 24 May 2012, 2 days prior to its deadline for implementation in the UK), ‘implied consent’ can be considered sufficient for UK websites as long as the website operator ensures that ‘the user understands his actions will result in cookies being set’. However, to ensure this, you must provide clear and relevant information that is readily available to the user, explaining:
      • What information will be collected and how it will be used
      • Will the information be shared with a third party
      • Will the information specifically help in identifying user
      • How long will the cookies be retained on the users device
      • What are the methods for disabling the cookies

Though seeking ‘explicit consent’ would be ideal for ascertaining compliance, the obvious drawback is that it can affect the user experience on your website.

3. Choose the method for drawing the user’s attention to the provided information:  

As the very intent of the regulation is to ensure that the users are ‘informed’ about cookies and any consent derived from them is ‘informed consent’, the focus should be on ensuring that the user sees the information, reads it, understands it and becomes fully aware that his continuing on the website will result in cookies being set on his device.

There is no set form or process for obtaining consent. But, as per the ICO, the ideal method would be to explain briefly what the functions of each type of cookies are and display a message asking for consent for the placement of cookies.

What to say?

Given below are the different types of cookies generally used by websites, and examples of wording for consent as given by the ICO:

Strictly necessary cookies: These cookies are essential to help users navigate smoothly around the website, and use services like shopping baskets, e-billing etc. They help users to access secure areas of the website. As these are strictly essential for providing services, ICO does not insist on obtaining user consent for this category of cookies.

Performance Cookies: These cookies gather information about the users’ browsing habits, such as the pages that they visit most often and if they get error messages from web pages etc., and are used to improve the functioning of the website. They do not collect any information that specifically identifies the user.

Example of wording for consent: “By using our (website) (online service), you agree that we can place these type of cookies on your device”.

Functionality cookies: These cookies enable the website to remember the user, their user name, location, language etc, and provide them with features that are customised to their preferences. For instance, a website setting that provides a user with local weather reports does so by storing the user’s current location in one of these cookies. Along with that information, these cookies also retain the user’s preferences of language, font etc. and helps the user customise subsequent pages according to his preferences. These cookies can be anonymised and these cannot track the user’s activity on other websites.

Example of wording for consent: “By using our (website) (online service), you agree that we can place these types of cookies on your device.”


Obtain function/setting led consent by displaying the following message at the point where the user selects the function or setting: “When you choose this (option) (setting), you agree that we can place [customisation cookies][icon] on your device.

Targeting cookies/ Advertising cookies: These cookies help websites deliver advertisements that are relevant to the user and their interests, and are placed on the user’s device by advertisers with permission from the website operator. These cookies remember the user’s visit to a website, and passes on this information to other organisations for advertising purposes. Consent can be obtained for these cookies in the same way as that of functionality cookies.

How to say it?

This can be done in the following ways:

As part of privacy policy or as a separate cookie policy: It is possible to set the information as a separate section on ‘cookie policy’ or as ‘privacy and cookie policy’, as done on the John Lewis website. While using this option, it is best to make sure that the link to the information is placed in such a way as to attract the attention of the user, and not hidden away from view. eg)

As part of terms and conditions while signing up: As in ‘The Times’ website, the information about cookies can be given as part of the terms and conditions while a user signs up. Consent can be obtained with a further tick box which explains that the site will be placing cookies.

A pop-up box: Another option is a pop-up box which is displayed on the home page. This draws immediate attention of the user, and would ideally contain a link to the site’s ‘cookie policy’ which explains the cookies used, in detail. Eg)

However, the disadvantage is that it can affect the appearance of the website, and could act as a hindrance to users as they cannot proceed on the website until they have clicked the box off.

A banner displayed on the homepage, with a link to your detailed cookie policy: A banner at the top or bottom of the website is a good way of drawing the user’s attention without hindering then from navigating across your website. We have used on our IMRE website – displaying a banner at the bottom of the homepage, with a link to our ‘cookie audit’ information, listing the cookies we use on our website.

What happens if your website isn’t compliant?

Though a lot of uncertainty does still exist regarding the law, and the industry is still split regarding the adoption of compliance measures, it is best not to seek the course of inaction, as you would be running the risk of facing enforcement action and a fine up to £500,000.

Now, if you are still indecisive, please do review the ICO guidance, and don’t hesitate to give us a call for any assistance.


The information contained in this article is not legal advice or information drafted by lawyers. The article is solely intended to provide our clients with a simplified picture of the much debated ‘cookie law’, help them understand its implications and choose the necessary course of action, and has been compiled with references from various sources.