Implementing The EU Cookie Law

You may have noticed a lot of fuss being made, of late, about the EU Cookie Law. That’s just what it’s been termed, and in the UK everyone has referred only to the ICO guidance on the matter.

You may also have noticed that here at interconnect/it we’ve been, shall we say, quiet about it.  That has a lot to do with me.  I’m not really one to fuss over new laws because mostly they pan out quite differently to how everyone expects.  So I waited, and I waited.  Only recently has it become really prominent.  We certainly didn’t advise our clients – partly, because they didn’t ask.  But I knew that eventually the day would come that one client piped up in a panic.

Today was that day.

So, for the benefit of worried clients, and everyone else, here’s the relevant article from Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance):

(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

There are a couple of things to mention in here.  First is that you don’t necessarily need any sophisticated technology, browser-spoiling pop-ups or anything.  Just read the following bit:

Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

In essence, have an easy-to-find page marked ‘cookies and privacy’ on your site (we’ll be adding one soon, I’m in no rush) and on that page explain what cookies are, what you do with them, and tell the user how to block cookies.  That’s it.  That’ll do just fine.  They can opt out like that.

The ICO’s guidance, bless them, was well meaning, but over the top.  It was also, you should be aware, just guidance.  Not law.  There’s an important difference.  It just put the heebie-jeebies up a lot of people and did no real good… and they changed it at the last minute anyway.

So – no need to have a horrid pop-up, no need to do anything complicated with your site’s CMS. Just tell the user a simple way to block your site’s cookies using browser settings and/or a suitable piece of software they can use.

Barnsley Hospital has provided an excellent example of how to do it well on their Privacy page.  And they explained their pragmatic way of dealing with this on their development blog.

Another more detailed approach can be seen on the John Lewis site.

So, if you’d like to spend money with us on clever opt-in cookie options, by all means give us a call.  But you don’t need to.  And to be honest, we’d rather be doing cool things that improve your business than adding unnecessary solutions to your website.


It’s been suggested that the amendment to Article 5(3), quoted below, implies that consent must be given, and that that’s what’s really caused the problem:

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

I’m guessing this is what was interpreted by the ICO as meaning consent has to be given.  Yet they’ve just changed their guidance to suggest that this consent can be implied.  Confusing, huh?

I believe implied consent is the only way this can work.  And even then, it’s unlikely to make much difference – the makers of sites with dodgy tracking cookies didn’t care about your private data anyway.  Better, then, if browsers start to implement some technology that chooses how you work with cookies.

You also have to consider what impact this would have on any other software – e.g., I use various services that store data locally using client software.  Do they also need an opt-in provision in order to store data on my computer? I don’t think so, but they do need to provide, in the license agreement, an explanation of what they do, why, and how you can undo that should you uninstall.  That’s the same for websites.  On your cookies and privacy page you can explain how to delete the cookies your website will leave on the user’s computer.

It gets more complex than that, of course.  Websites can include bits of other websites in iframes.  I can imagine a website with some social linking tools could need twelve pop-ups before you can actually use the site properly.  That’s… awkward, to say the least.  The consequence is that if you wish to interpret the directive in the strictest possible way you’re going to have a lot of trouble on all but the most basic, static websites.  The reality is that the implied consent approach is likely to be the one that becomes the standard.  So my advice stands, but there’s a little more working out now shown above!

  • Carl Potts 4 / Jul / 2012 at 9:55 pm

    As a web developer based in the UK, this EU Cookie law worries me a bit.

  • Chris Ransom 4 / Jul / 2012 at 12:24 pm

    So basically the only people who are likely to take any notice of it and amend their sites are the ones who aren’t doing anything wrong or underhand in the first place – the crooks will just ignore it!

  • Roy Tucker 16 / Jun / 2012 at 5:52 pm

    What a relief, and brilliantly explained and written. Thank you.

  • Good Hotel Guide 11 / Jun / 2012 at 10:54 pm

    Splendidly practical and down-to-earth advice about the EU cookie regs. Scary pop-up messages definitely not required. Keep up the good work. …and thanks for posting.