Cookie law makes most UK websites illegal: what you need to know

Update: We’ve started a protest against the cookie law.

Most UK websites became technically illegal on May 26th 2011, due to a new law on cookies. Websites now need to ask for permission before they can set most cookies.

We’re going to look at what the law means for you, and what you can do about it.

Does this affect me?

If you’re based in the EU, almost certainly, yes.

The law which comes into effect this week is for the UK, but stems from the EU’s Privacy and Electronic Communications Directive, which will ultimately apply to all websites in the EU. The UK, Denmark and Estonia have published official guidelines, with 21 other member states to follow (they missed their deadline).

The law affects any website which uses ‘non essential’ cookies, such as visitor tracking code or advertising, and does business in the UK. For example, if your website uses Google Analytics, this law affects you.

Is this a joke?

Unfortunately not – despite many complaints this law is very real.

So far I’ve not found a single person with anything good to say about this new law, with most web developers confused about what they actually need to do, and jokes about how to implement the recommendations. There’s a huge backlash against the regulations, and quite a lot of scaremongering about the implications.

The EU’s arrogance in presuming to legislate for a global world wide web is matched only by its hilarious technological incompetence: cookies have dozens of uses besides the advertising and tracking purposes that this directive is aimed at “protecting” against, most of which enable key features of web pages that users will be severely inconvenienced without. Cookies are a core component of how today’s internet works.

Milo Yiannopoulos, technology columnist for the Telegraph.

If you need convincing, you can find the official ICO guidelines here.

But can’t people turn off cookies in their browser?

Sadly this is not enough.

All modern browsers have the ability for a user to change their settings concerning cookies, and block websites from storing cookies on their machines. Previously, the law said if your website does store cookies, you need to let your users know why you store cookies, and give them clear instructions on how to ‘opt out’ if they objected. Many websites did this by writing a privacy policy.

The new law however ignores the settings you currently have set in your browser, saying:

“At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way.”

ICO guidelines

This means for now it’s up to the owner of the website to ask for the user’s consent when they visit their website. It’s possible that we’ll be able to rely on browser settings sometime in the future. But who knows how long that will take?

Are all cookies affected?

All cookies that are not “strictly necessary for a service requested by a user” are affected.

For example, if a user adds an item to their shopping basket, that would be considered necessary – a cookie is technically required to remember that user and retain their basket contents. Similarly, to log in to a website a cookie may be necessary.

However, a cookie which was set to welcome a user back to a website, or to record what pages they view, would not be strictly necessary. In particular, this means you can’t use traditional analytics without permission.

Many cookies serve multiple purposes, and if any of these are not strictly necessary they must be explicitly opted into. This is an obvious problem with technologies that set a single session identifier, including virtually all server side programming languages (PHP, .NET, JSP etc).

What are the penalties?

Penalties are financial and potentially severe.

The ICO (the body responsible) has the power to serve penalties of up to £500,000 (about $800,000) to organisations that seriously breach the law. Details are still being defined and are likely to be tested in court.

What happens if I don’t comply in time?

The ICO announced at the last minute that companies have until May 2012 to comply.

The ICO says:

“The government’s view is that there should be a phased approach to the implementation of these changes. In light of this if the ICO were to receive a complaint about a website, we would expect an organisation’s response to set out how they have considered the points above and that they have a realistic plan to achieve compliance. We would handle this sort of response very differently to one from an organisation which decides to avoid making any change to current practice.”

ICO Guidelines

This means we at least have some time to change our websites, as long as we tell the ICO that we’re planning to make the change. According to the ICO, although our time runs out around May 2012, they expect to see us working towards that deadline in advance.

What are the official recommendations?

They are vague, but there are some suggestions you can act on now.

Now that we’re all suitably panicked about this new law and know we might go to court if we ignore it, we expect some detailed and clear instructions for what we should do next. Unfortunately this is where the guidelines fall short. The recommendations are vague and it’s not exactly clear how we could ask users without ruining their user experience.

The official recommendations are:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.
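Steps 1 and 2 in code, as an added example that is not the article’s or Silktide’s own tooling: it parses Set-Cookie headers captured from your own site’s responses, classifies each cookie against the inventory you keep (step 1) and rates how intrusive it is (step 2), so the cookies that need consent are listed explicitly rather than guessed at. The header lines, the inventory entries and the intrusiveness thresholds are constructed for this example; PHPSESSID and the Google Analytics `__utm*`/`_ga` names are real cookie names, the rest are assumptions.

```javascript
// Cookie inventory audit (added example; not the article's or Silktide's code).
// Parses Set-Cookie headers captured from your own site's responses, classifies
// each cookie against your inventory (ICO step 1) and rates intrusiveness (step 2).

// Constructed sample: the Set-Cookie headers one page view might emit.
const SAMPLE_HEADERS = [
  'Set-Cookie: PHPSESSID=7f3a9c; Path=/; HttpOnly',
  'Set-Cookie: __utma=1.2.3.4; Expires=Fri, 25 May 2012 10:00:00 GMT; Path=/; Domain=.example.com',
  'Set-Cookie: basket=item42; Max-Age=1209600; Path=/checkout',
  'Set-Cookie: welcome_back=1; Max-Age=31536000; Path=/',
  'Set-Cookie: ab_test=B; Path=/',
];
// Reference time for lifetime calculations (constructed: the day the law took effect).
const AUDIT_NOW = Date.parse('Thu, 26 May 2011 10:00:00 GMT');

// The site's own declared inventory (constructed). PHPSESSID is PHP's real
// session cookie name; the other names are assumptions for this example.
const SITE_INVENTORY = {
  PHPSESSID:    { purpose: 'login and basket session', essential: true },
  basket:       { purpose: 'remember basket contents', essential: true },
  welcome_back: { purpose: 'greet returning visitors', essential: false },
};

// Well-known analytics cookie names (real). Checked before the inventory, so a
// tracker cannot be waved through by an inventory entry that calls it essential.
const KNOWN_TRACKERS = [
  { pattern: /^__utm[a-z]$/, vendor: 'Google Analytics (classic __utm* cookies)' },
  { pattern: /^_ga/, vendor: 'Google Analytics' },
];

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header into name, value and the attributes the audit
// needs. Max-Age takes precedence over Expires, as in RFC 6265.
function parseSetCookie(header, now) {
  const body = header.replace(/^set-cookie:\s*/i, '');
  const [pair, ...attrs] = body.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    domain: null, path: '/', secure: false, httpOnly: false,
    session: true, lifetimeDays: 0,
  };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age') maxAge = Number(val);
    else if (key === 'expires') expires = Date.parse(val);
    else if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  if (maxAge !== null && !Number.isNaN(maxAge)) {
    cookie.session = false;
    cookie.lifetimeDays = Math.round(maxAge / 86400);
  } else if (expires !== null && !Number.isNaN(expires)) {
    cookie.session = false;
    cookie.lifetimeDays = Math.round((expires - now) / DAY_MS);
  }
  return cookie;
}

// Step 1: is the cookie strictly necessary for something the user asked for?
function classifyCookie(cookie, inventory) {
  const tracker = KNOWN_TRACKERS.find((t) => t.pattern.test(cookie.name));
  if (tracker) return { category: 'non-essential', purpose: tracker.vendor };
  const entry = inventory[cookie.name];
  if (!entry) return { category: 'unknown', purpose: 'not in inventory: investigate' };
  return { category: entry.essential ? 'essential' : 'non-essential', purpose: entry.purpose };
}

// Step 2: a rule of thumb for this example, not the ICO's scale. Persistent
// cookies that last a year or more, or are shared across subdomains through
// Domain=, are the ones most likely to surprise a visitor.
function rateIntrusiveness(cookie) {
  if (cookie.category === 'essential') return 'none';
  if (cookie.session) return 'low';
  return cookie.lifetimeDays >= 365 || cookie.domain ? 'high' : 'medium';
}

function auditSetCookieHeaders(headers, inventory, now = Date.now()) {
  const cookies = headers.map((h) => {
    const c = parseSetCookie(h, now);
    Object.assign(c, classifyCookie(c, inventory));
    c.intrusiveness = rateIntrusiveness(c);
    return c;
  });
  const count = (pred) => cookies.filter(pred).length;
  return {
    cookies,
    summary: {
      total: cookies.length,
      essential: count((c) => c.category === 'essential'),
      consentRequired: count((c) => c.category !== 'essential'), // unknown counts too
      unknown: count((c) => c.category === 'unknown'),
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditSetCookieHeaders(SAMPLE_HEADERS, SITE_INVENTORY, AUDIT_NOW);
  for (const c of report.cookies) {
    console.log(`${c.name.padEnd(13)} ${c.category.padEnd(14)} ${c.intrusiveness.padEnd(7)}` +
      ` ${c.session ? 'session' : c.lifetimeDays + ' days'}  ${c.purpose}`);
  }
  console.log(report.summary);
}
```

Run it against the real headers of your own pages (a browser’s network panel or `curl -i` will show them) rather than the constructed sample; anything reported as `unknown` is a cookie nobody has yet written a purpose for, and it is counted as needing consent until someone does.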

Whilst the first two are straightforward, the third is not.

The ICO make broad suggestions involving pop-ups, and getting users to accept your terms and conditions. Website developers and owners won’t be happy about these, as they are a major distraction from the website’s content. They haven’t specified any firm examples however, and seem reluctant to do so:

“However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do.”

You can look at what the ICO have done on their own website. We will be posting our own detailed recommendations on this in the near future, and we’re adding more cookie testing to our own SiteBeam website testing tool in the coming weeks.

What about similar technologies to cookies?

All “similar technologies” to cookies are covered by this law.

This includes Locally Stored Objects (so called ‘Flash Cookies’), HTML5 Local Storage and anything else which stores information about a user. For brevity, these are all usually referred to as ‘cookies’.

What the ICO has made clear is that websites can’t comply with this law by using another technology that does the same thing as cookies.

Does it only affect websites hosted in the UK?

It’s not clear at the moment if websites outside the UK will be forced to adhere to this same law when users from within the UK use their websites. This could lead to a different user experience for people inside and outside the UK.

“It’s not beyond the realms of possibility that the Wall Street Journal or New York Times will decide it’s simply not worth serving pages to the UK when it’s impossible to monetise them and the user experience is so poor.”

Milo Yiannopoulos, technology columnist for the Telegraph.

The implications of this could be catastrophic. Users within the UK could be blocked from viewing international websites, or it’s possible that our favourite UK companies will move elsewhere.

“We should also expect British advertising technology firms — one of the hottest sectors in British tech — to decamp to the US, where the law is less restrictive.”

Milo Yiannopoulos, technology columnist for the Telegraph.

What does the EU have against cookies anyway?

The concern is that current mechanisms are considered inadequate to protect users’ privacy.

Like any technology, cookies can be used for good as well as bad. For example, almost any time you log in to a website, you’re using cookies. This ‘essential use’ would be protected by the new law, however.

A more intrusive example might be that your favourite shopping website could set a cookie to track which websites you’re visiting to find out your hobbies and interests. They can then use this to customise what products they recommend to you in future. You can look at this two ways: as an advantage, because you receive better and more customised service, or as a disadvantage, because it invades your privacy. With this law at least users will have a clearer idea about what information is being collected about them.

What should we do?

Almost nobody likes it, but this law will be hard to ignore. It’s possible that a long term solution will be found in browser technology, but until then it’s us as web developers who need to start taking action.

There are only three real options for website owners:

  • Ignore the law
  • Stop using cookies
  • Start asking for permission

We go into these in more detail in this video.
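The third option, start asking for permission, in code, as an added example that is neither the article’s nor Silktide’s: a consent gate that writes strictly necessary cookies immediately and holds back everything else until the visitor opts in. It covers the earlier points too: the single session cookie keeps only its essential role, HTML5 localStorage is treated as a “similar technology” and gated the same way, and the analytics loader is one of the things deferred. The storage adapters, the cookie names and the `cookie_consent` cookie are assumptions for this example; treating the record of the visitor’s choice as essential is this example’s reading, not the ICO’s words.

```javascript
// Consent gate for non-essential storage (added example; not the article's or
// Silktide's code). Essential cookies are written at once; tracking cookies,
// localStorage keys and the analytics loader wait for consent and are removed
// again if consent is withdrawn.

// Storage adapters: the gate never touches document.cookie itself, so the same
// logic runs in a browser (browserStorage) and in Node (memoryStorage).
function browserStorage() {
  const parse = () => Object.fromEntries(
    document.cookie.split('; ').filter(Boolean).map((kv) => {
      const i = kv.indexOf('=');
      return [decodeURIComponent(kv.slice(0, i)), decodeURIComponent(kv.slice(i + 1))];
    }));
  return {
    readCookie: (name) => parse()[name],
    writeCookie(name, value, days) {
      let c = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; SameSite=Lax`;
      if (days != null) c += `; Max-Age=${days * 86400}`;   // omitted: session cookie
      document.cookie = c;
    },
    deleteCookie: (name) => { document.cookie = `${encodeURIComponent(name)}=; Path=/; Max-Age=0`; },
    localSet: (k, v) => window.localStorage.setItem(k, v),
    localRemove: (k) => window.localStorage.removeItem(k),
  };
}

function memoryStorage() {            // in-memory stand-in; ignores lifetimes
  const cookies = new Map(), local = new Map();
  return {
    readCookie: (name) => cookies.get(name),
    writeCookie: (name, value) => { cookies.set(name, value); },
    deleteCookie: (name) => { cookies.delete(name); },
    localSet: (k, v) => { local.set(k, v); },
    localRemove: (k) => { local.delete(k); },
    localGet: (k) => local.get(k),
  };
}

function createConsentGate(storage, { consentCookie = 'cookie_consent', consentDays = 365 } = {}) {
  // The cookie recording the visitor's choice is treated as essential here
  // (assumption): without it the question would be asked on every page.
  let consented = storage.readCookie(consentCookie) === 'yes';
  const pending = [];                                   // writes and loaders awaiting consent
  const written = { cookies: new Set(), local: new Set() }; // what revoke() must undo
  const run = (fn) => { if (consented) fn(); else pending.push(fn); };

  return {
    hasConsent: () => consented,
    setCookie(name, value, { essential = false, days = null } = {}) {
      if (essential) { storage.writeCookie(name, value, days); return 'set'; }
      const status = consented ? 'set' : 'deferred';
      run(() => { storage.writeCookie(name, value, days); written.cookies.add(name); });
      return status;
    },
    setLocal(key, value, { essential = false } = {}) {   // HTML5 localStorage, same rule
      if (essential) { storage.localSet(key, value); return 'set'; }
      const status = consented ? 'set' : 'deferred';
      run(() => { storage.localSet(key, value); written.local.add(key); });
      return status;
    },
    whenConsented: (fn) => run(fn),   // e.g. inject the analytics <script> tag
    grant() {                         // called from the consent banner's "accept"
      consented = true;
      storage.writeCookie(consentCookie, 'yes', consentDays);
      const flushed = pending.length;
      while (pending.length) pending.shift()();
      return flushed;
    },
    revoke() {   // drop queued work and everything written under consent; a
      consented = false;              // script already loaded cannot be unloaded,
      pending.length = 0;             // so a reload after revoke is usual
      storage.deleteCookie(consentCookie);
      for (const n of written.cookies) storage.deleteCookie(n);
      for (const k of written.local) storage.localRemove(k);
      written.cookies.clear(); written.local.clear();
    },
  };
}

// Page-load wiring as a site might do it (cookie names constructed).
function pageLoad(gate, loadAnalytics) {
  const log = {
    session: gate.setCookie('PHPSESSID', 'abc123', { essential: true }),
    basket: gate.setCookie('basket', 'item42', { essential: true, days: 14 }),
    welcome: gate.setCookie('welcome_back', '1', { days: 365 }),
    recent: gate.setLocal('recently_viewed', '["item42"]'),
  };
  gate.whenConsented(loadAnalytics);
  log.analytics = gate.hasConsent() ? 'loaded' : 'deferred';
  return log;
}

if (typeof require !== 'undefined' && require.main === module) {
  const gate = createConsentGate(memoryStorage());
  console.log('before consent', pageLoad(gate, () => console.log('analytics loaded')));
  console.log('flushed on grant:', gate.grant());
}
```

In a browser you would create the gate with `browserStorage()` and wire `grant()` to the banner’s accept control; because every non-essential write goes through the gate, the site never has to know whether consent was given before or during this visit. The one thing the gate cannot do is unload a third-party script that has already run, which is why `revoke()` clears storage but a page reload usually follows.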

Everyone is still figuring out how best to make the law work. We’ll be following up this article with our own detailed recommendations as we work on our own websites. Stay tuned.

  • James

    On the contrary, I think this law will be very easy to ignore for web developers. No-one’s going to enforce it, unless there’s a specific complaint.  If there is a specific complaint, well shit, you need to come up with a plan to behave better.

    Most of the worst offenders will be non-EU based companies, who can ignore this legislation.  Those who do, and get nailed down on it can pull features for EU customers, which will probably kick in some counter non-discriminatory legislation, which will then negate this cookies ruling.

    As far as I can see, the worst hit will be EU-based tracking, analytics and marketing companies, who’ll have to give up and leave the internet to the rest of the world.

    • http://www.facebook.com/oliver.emberton Oliver Emberton

      One thing that will have to be tested in court: who is liable for using analytics – the analytics companies or the website owner? I would assume the latter (and almost guarantee that the analytics companies have watertight T&Cs that put all liability on us).

      So they might just carry on and see how long it takes for their customers to get sued, if at all.

      • James

        It’d be interesting to know if anyone ever got sued over the disability discrimination rules that came around a few years back. Certainly nothing that I’m aware of.

        Although the plus side is that the spectre of legislation worked to change people’s opinions on accessibility, maybe this will work in the same way for privacy!

        • http://www.facebook.com/oliver.emberton Oliver Emberton

          Regarding the DDA:

          “The RNIB has approached two large companies with regard to their websites. When they raised the accessibility issues of the websites under the DDA, both companies made the necessary changes, rather than facing the prospect of legal action (in exchange for anonymity).

          The DRC launched a formal investigation into 1000 websites, of which over 80% were next to impossible for disabled people to use. They issued a stern warning that organisations will face legal action under the DDA and the threat of unlimited compensation payments if they fail to make websites accessible for people with disabilities.”

          They raised a “stern warning”. Scary, huh?

      • http://www.facebook.com/AlanCarlBrown Alan Carl Brown

        The liability for using a thing should be with the one using it.  Toyota can’t accept responsibility for what I do with my car and lemon meringue pie makers aren’t responsible for Bill Gates’ cleaning bill.

        • Dave Bell

          But you can’t use that car on a public highway without a driving licence, and it has to meet a whole set of government design standards. We’re made very aware that we’re responsible. It stretches the comparison, but who is responsible for what the cookie does if the site user isn’t told about it?

    • Mark

      An EU law not being enforced in the UK? Wishful thinking there I reckon.

      There is no doubt that the worst offenders will be (and I am certain ARE) outside the EU, which just makes the law all the more unfortunate.

      That most people agree that it’s totally daft and not going to achieve a thing (and I’m speaking as someone who does prefer for people to be informed and in control of their information), the fact that we’re getting the law regardless tells you how likely it is to be enforced.

      “We must comply”.

  • http://twitter.com/Sanfire_IA Andy Cowin

    I agree with you, James. However, I can see this being a great money spinner for unscrupulous developers. Will this be another moment for web users to rise up, declare ‘I’m Spartacus!’ as 70,000 tweeters did over the super injunction gag and openly flout the law?

    One thing’s for sure, I’m going to be watching government and EU websites to see if they bother to implement yet another ill-conceived piece of internet legislation.

    • David Ball

      I think there will be many companies who are going to try and profit from this, and charge their clients for implementing a ‘solution’ that will reduce the user experience of their website.

  • http://www.facebook.com/oliver.emberton Oliver Emberton

    I noticed the ICO’s own website uses 5 cookies, all of which appear to exist to track users! Google Analytics accounts for 4 of them.

    Still, they’ve got another 2 days to fix that, I’m sure they will…

  • Pingback: Can we use analytics with the new UK Cookie law? | Silktide blog

  • Pingback: Cookie law delayed for one year + first example of new laws in effect | Silktide blog

  • http://beneaththewig.com/ Milly Bancroft

    Oh my goodness, this is a world of factual wrong! I wrote about it here: http://beneaththewig.com/cookies-not-oats-and-raisin
    There is nothing to panic about!

    • http://www.facebook.com/oliver.emberton Oliver Emberton

      Thanks for the link. The way we read it, the DCMS and ICO don’t quite agree on the issue, which isn’t helping anyone understand it any better.

      We’ve added a link to your article at the bottom of our own.

  • anon

    Why don’t you just move out of that corporate martial-law like state?

    • Anonymous

      because only puny elf men run away from their problems

      • Guest

        On the internet you can run away from your problems without running away from your customers.

        Add to that, the fact that the internet is a major part of a significant number of businesses, and you may hear a giant sucking sound as businesses leave the EU.

        Assuming this law becomes a real problem…

        The EU needs to attract business not scare it off.  Well, just one less continent the rest of the world has to compete against.

  • http://twitter.com/Lirodon Lirodon

    God, I’m glad I’m not the only person who thinks that this is yet another unenforceable technology law.

  • Remi Grumeau

    Is using HTML5 localStorage banned too?

    • http://www.facebook.com/oliver.emberton Oliver Emberton

      Yes. All equivalent technologies.

      Of course in practice it’ll be far harder for people to notice that, but don’t say I mentioned it…

  • Pingback: Cookies | Aaron Jackson

  • Pingback: Stephen's Blog » Blog Archive » More on UK / European law on website cookies and tracking

  • http://twitter.com/Dave_Child Dave Child

    You said: “A more intrusive example might be that your favourite shopping website could set a cookie to track which websites you’re visiting to find out your hobbies and interests.”.

    How? Cookies are restricted to a single domain and have no inherent ability to track anything. Even Google Analytics uses first-party cookies and so cannot use its cookies to track you across multiple sites. Banning third-party cookies (or subjecting only third-party cookies to this law) would have the desired effect of preventing tracking.

    • http://www.facebook.com/oliver.emberton Oliver Emberton

      Whilst I entirely agree with you, I believe the ‘spirit’ of the law is that people don’t *know* they’re having information about them stored, and they’re concerned that this information could violate their privacy somehow (e.g. we know you looked at our naughty DVDs, or what referring sites you come from). It’s pretty hard to think of a first-party example worth worrying about though. 

      Clueless politicians – who would have thought it?

  • http://www.facebook.com/profile.php?id=1059333409 Mark Entingh

    This law is a joke (even though I’m in the USA). First of all, a cookie could simply track one variable, a session ID, then store all the tracking data ON THE SERVER. What a bunch of retards, these politics are.

    • Dave Bell

      In which case the Data Protection Act, and other countries’ laws implementing that Directive, would likely apply. Still not a problem for you in the USA, but I rather think this “cookie” business is partly to plug a hole in the Data Protection area.

      • Simoncox

        It’s a problem for a US company operating in the EU or possibly even targeting EU users – so when you switch to the Apple Store for the UK for example…

  • http://rambleon.usebox.net/ Juanjo

    It’s a directive, not a law directly applicable:

    https://secure.wikimedia.org/wikipedia/en/wiki/Directive_%28European_Union%29

    • http://www.facebook.com/oliver.emberton Oliver Emberton

      The Directive was issued in 2009, the member states had until May 25th 2011 to implement their own laws.  

  • Anonymous

    I guess its time to start banning all UK users from websites.

    • David Ball

      That’s one of my serious concerns. I just hope big websites don’t share this same view and start blocking content from people in the EU – That would be horrible!

  • Facebook User

    People have cheered on the EU as it legislated on browser choice or MP3 playback choice, when most people have no clue what these things are, let alone a cookie. Did anyone expect the EU to become *less* intrusive in the technical minutiae of what people do on their computer? They may as well legislate on the varieties of microflora allowed in the human gut.

  • Bob

    My question is how quickly can we fire the people at ICO?

  • http://twitter.com/Tom Tom

    Doesn’t this screw over people who use ads? I mean, pretty much any ad provider’s gonna set cookies.

    • http://denny.me Denny

      That’s basically the whole point of the law, yes.

  • Κωνσταντίνος Σέρβης

    I am always impressed how any law that protects the individual from group entities never fails to ignite hysterical spasms of fearmongering from the usual crowd (mostly the usual English EU-hater crowd, also known in the UK as “eurosceptics”, who have a very simple algorithm really. They will take any input from the UK slightly and “innocently” pervert it to sound absurd or extremely restrictive and then will publish their theories somewhere with a grandiose heading. They are so predictable that we would say their lot’s variance is 0 and can be substituted by a single symbol; zero is suitable given the quality of information they emit :-) ). “Most websites will be illegal” is just utter nonsense, as the link “accidentally” linked to another document, when the actual document (here: http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf) clearly states that you are not allowed to track people on the net (very reasonable), but if you want to use cookies to preserve state across requests, because this is an essential part of providing the service to the user that they have requested, that is fine. For all other uses, you need to advise the user. In my opinion this law is long overdue, and whoever by default makes sensible use of cookies (including sensible expiry settings) has nothing to worry about. In particular I am glad the Flash cookies are going to be better regulated, given the fact that Adobe has a virtual monopoly on this and that you are not allowed, on your own browser, to set “clear all cookies on exit” by default, a fact that I find outrageous.

  • Pingback: Nearly all UK business websites now technically illegal (EU sites to follow) « Successful Software

  • Pingback: The stupid EU cookie law in 2.5 minutes

  • Pingback: The stupid EU cookie law in 2.48 min.

  • Pingback: The Internet Crisis | IAmDann

  • Pingback: Confusion of the EU Cookie Law | Toasted Digital

  • Pingback: World News Roundup « A Gaming Girl's Take on Life

  • Pingback: Why the cookie law is total clownshoes

  • Scott Herbert

    Don’t know if it’s any use to people but I’ve written a small JS script to enforce the user to accept cookies.

    See http://code.google.com/p/cookie-warning/

    If there are any CSS wizards out there it could do with some work, but it’s a start at least.

  • Pingback: EU Cookie law.. the most stupid thing ever!!! « nooblikeaboss

  • Pingback: Cookie Law | Musings of a MBA student, small business owner, and coffee enthusist

  • Pingback: EU Cookie Law - 90% drop in use

  • Pingback: EU Cookie Directive, what it means to you | Foolproof

  • Pingback: » The EU cookie directive saga » Found | Found

  • Pingback: Cookie law: Analytics are illegal, but we won’t prosecute you. Probably | Silktide blog

  • Wolf Software

    Wolf Software have a number of solutions with regards to cookie consent, including GA specific solutions etc.

    We have put together a single page of links and demos; hope this helps.

    • http://twitter.com/nocookielaw nocookielaw

      Can we have a link to your solutions?

  • tangoReee

    She is so cute, give her a cookie!
    Anon-How.tk 

  • Pingback: Anonymous

  • Pingback: Cookie Law May 2012 - Usefull information links |

  • Pingback: New Cookie Law 26th May 2012 | White Fire Web Design Salisbury Wiltshire

  • Trokara

    all these months later – another comment – brilliant law! let’s have more like them. Maybe businesses will note they can do REAL work instead of vacuuming people’s details to milk them for money they haven’t worked for.

  • Pingback: Can we use analytics with the new UK cookie law? | Silktide blog

  • Pingback: If you have a website (personal or company) you could be fined if you don't comply

  • Pingback: Mostly Harmless… » Andrew Ball Consulting Ltd

  • GrzegorzDufajn

    You can download a script from here: http://sbx.sk/A6IE


  • Don Sha

    What a waste of a law, time and money…