Do you still fear the Cookie Monster? EU cookie law explained

Important this blog post was written pre-GDPR see update at the base of the page.

Why should you care?

EU legislation passed in May 2011  means websites in the EU cannot place cookies on a visitor’s computer without permission. (26 May 2011 the EU’s Privacy and Communications Directive)

Since then we have also dealt with GDPR or General Data Protection Regulation and while it does not specifically cover cookies it does seem to have made people re-look at their treatment of cookies and take a stricter approach.

The Facts (as we know them)

There is still a lot of speculation about what needs to be done but here is an overview.

  • Permission has to be explicit.
  • The ONLY exception is if a visitor requests a service and a cookie is ‘strictly necessary‘ to that service.
    • Shop-carts or log-in functionality in a membership system may be exceptions
    • Google analytics, social media, or adverts are NOT ‘strictly necessary’ to services on your website
  • Simply visiting a page on your website does NOT count as requesting a service
  • Information in your privacy policy alone is NOT consent

So what is a cookie?

At a basic level a cookie is a text file that stores information about your visit to a website. It can be as simple as a random number used to identify you when you log-in.  At the other end of the scale, it can hold personal information about you, from input in forms or the pages you visit while exploring a website.

What’s the fuss about?

The new legislation is meant to protect privacy and personal information.   Emphasis is being made when cookies are used to transmit information to third parties without permission.

Online businesses claim permission notices will effect the usability of websites and confuse website visitors.  Loss of tracking and analytics will also have a major effect on online market research and competition when other companies outside the EU do not have these restrictions.

Are all Cookies Bad?

  • Not all cookies are used to track personal information or behavior
  • Most online shopping sites use them to allow you make purchases using a shopping cart.
  • Membership sites use them to identify you so that you don’t have to log in on every page of their website.

How do I know if my website uses cookies?

You may not realise that your website places cookies. The most common sources:

  • Membership and log-in functionality
  • Newsletter subscriptions
  • Share and social media widgets for like and tweets
  • Google analytics used to track visitor behaviour
  • Associate advertising such as Google ads or Amazon associates
  • Comment forms on blogs
  • Remember me functionality.

What do I need to do to comply with the legislation?

The most important step is to see how drastically this will effect you.   Your site may have no cookies or you might find some you were not expecting.

  1. Audit your site for cookies
    • Identify which ones are essential to your site
    • Which can be removed
  2. Remove cookies you don’t need
  3. Ask permission for any that are not essential to a service your visitor has actually requested
  4. Update your privacy policy to list all the cookies your website might now place.


What happens if you do nothing?

Many website owners have not taken any action.   The guidance has been vague, and not everyone has easy access to the technical advice that they need. For many losing precious analytics data needed to run their business is a harsh blow.  It may even be a competitive disadvantage if your competitors ignore the new legislation or are outside the EU.

Complying means losing analytical data to run your site

The reality is few visitors will accept cookies if asked permission.  It may even deter some visitors from using your site.

For you to be fined a complaint about your website would need to be put to the Information Commission Office.  You will be given a written warning.   You will only be fined if you do not reply and do nothing to rectify the problem. Fines could be as much as £500,000

Any action or inaction should be taken with the full facts for your own website and business.  You should always know what your website is placing on potential customer computers.  At the very least do an audit now and start putting a plan into place.

Find more information

Information Commission Office – the official source for information about the legislation.

YouTube  video to explain the Cookie legislation – an easy way to explain what effect the ‘cookie law’ could have.

General Data Protection Regulation information on ICO Office website

Examples of Solutions

There are many companies offering you solutions.  One free examples that look promising is:

  • Civic – More designed pop-up.  They also have a plugin for WordPress.

If you need help auditing your site or complying with the legislation contact Leonie at Line and Form [email protected]

Update 23 June 2018

Since GDPR some major websites sites are updating so you can actually chose not to accept different types of cookies and still use the website.

Options to accept or decline

The BBC is an interesting approach.  You have the option to accept or change your settings.

Clicking on ‘Find out what’s changed’ brings you to a settings page.


While some sites still give you the choice to accept, or not use the site, the tide does seem to be turning.