UK 'cookie law' takes effect: What you need to know

UK 'cookie law' takes effect: What you need to know

Summary: Let's be honest: The U.K. has made a right hash-up of implementing the cookie law from start to finish. It came into force on May 26. Here's everything you need to know.


If you've seen a "cookie settings" warning like this recently, you're not the only one.

A few high-profile U.K. websites have in the past few days started to warn its visitors that it uses cookies on their sites.

If this is the first you've heard about it and you own a U.K. website that uses cookies --- such as those with shopping carts, adverts, a login function, or text-size preferences --- or develop for a mobile application platform... whoops.

You had until today to comply with the new European cookie law.

You won't be the only one, though. It is thought the majority of U.K. websites are breaking the law that dictates how users' are tracked and logged, despite having more than a year to prepare for the changes.

Here's what you need to know.

What's the lowdown: E.U. cookie law or U.K. cookie law?

The E.U.'s "e-Privacy" Directive, which first came into force in 2002, was amended in 2009. Each of the E.U.'s 27 member states were told to bring the Directive into their own member state's law by this time last year, including the United Kingdom.

The U.K.'s amended Privacy and Electronic Communication Regulations (PECR) Act 2011 was brought into force on May 26, 2011. The law stated, amongst other things, that companies operating in the E.U. and the U.K. must obtain the consent from its website users.

Cookies allow websites to offer a more personalised experience, such as remembering a user's preferences. Cookies can also be used for tracking user behaviour, and also by website owners to track how often their pages are being visited and other interesting non-personal user information.

Some major websites, such as the BBC, have implemented new systems to inform users and allow them to opt-out. However, most U.K. government websites aren't ready and already fall foul of the law.

The Directive dictates that users should be aware of which kind of cookie is being set, varying from "essential" cookies, such as those used to remember which goods are in your e-shopping cart, to "non-essential" cookies that can be used to track user behaviour.

But cookies are only a small part of online tracking, right?

Correct. The E.U. Directive contains only a portion relating to cookies, but also targets "non-essential tracking", regardless of whether a cookie is involved or not.

Arguably it has distracted many from the wider implications of the Directive. Website and Web application operators need to determine whether third-party trackers --- such as advertisers and analytics --- are used on their sites.

As much as 40 percent of tracking activity is often not related to cookies, so a "cookie audit" should look outside other tracking technologies.

Why is the U.K. 12 months behind everyone else?

Only three countries actually met the deadline. Denmark and Estonia met the deadline, and the U.K. came close but probably got no more than a D+ for effort.

The U.K.'s data protection agency, the Information Commissioner's Office (ICO), gave U.K. companies a 12-month reprieve because many were not ready by the half way point in the ICO's grace period.

The 12-month reprieve was given because many had to rip open the innards of their corporate websites and Web applications to work out where cookies were implemented and when they were set.

Define "consent", exactly.

In the vast majority of cases, a pop-up or some kind of obvious box will appear on a website asking a user to tick a box and hit a button. This means a user will give explicit consent to the use of cookies and other tracking tools. Users will also be able to determine the level of cookie and tracking use on the site.

But there's a problem. Only a few days before the May 26 deadline, the ICO updated its guidance to state that "implied consent" will suffice, seemingly going against the original European Directive. The ICO said that the continued use of a website or Web application would imply the user is consenting to the changes --- shifting the responsibility of consent to the user rather than the website owner.

On a practical level, as an ordinary Web user, what are my likely options in accepting or declining cookies?

BT, which has more than 8 million U.K. broadband customers, may have one of the best cookie settings examples available.

In this example, it allows the user to pick between strictly necessary cookies that allow the site to simply work, functional cookies that restrict social sharing and behavioural tracking code, and targeting which allows full user tracking and the fullest possible experience.

Unfortunately, because all websites and Web applications are set out differently and vary in size and structure, there is no one-size-fits-all solution to every site.

Some websites will offer "implied consent" that gives no option except the choice to leave the site, while others will simply allow users to check a box and allow all non-essential cookies in.

I'm a U.S.-based company with a U.K. and E.U. presence. Am I affected?

U.S.-based companies with a presence in the European Union, no matter how small, are still liable to E.U. laws, regardless of whether your website or Web application is hosted in the E.U. or elsewhere. Mobile application developers are also subject to the E.U. laws (see below).

In this scenario, while your U.S. website and all other non-E.U. websites are not liable to this law, your dedicated pages for the U.K., Italy, France, Germany, and so on, are all affected. It's just the U.K. has taken a little longer to get the wheels in motion.

What are the penalties for failing to comply?

At the moment: there aren't any.

The ICO can normally issue massive fines if a company, organisation, or governmental body is in breach of the U.K.'s data protection or privacy laws. For the cookie law, the ICO said it has the power to fine up to £500,000 ($780,000), but said it wasn't going to suddenly "launch a torrent of enforcement action."

The regulator will instead keep its eyes peeled and continue to push for sites to become compliant --- despite having a year to stand on the right side of the law. As long as companies are willing to make the changes and can prove they are making steps to become compliant, it's likely the ICO will carry on with its softly-softly approach.

But I heard most U.K. government websites will miss the deadline?

How very ironic. Indeed, ZDNet UK reported that most U.K. government websites will not be compliant by May 26.

The Cabinet Office said it was "working to achieve compliance at the earliest possible date," which is government speak for, "by the time the next election comes." Again, the ICO is fully aware that compliance is not an overnight job, and some can work all year with no avail.

A ICO official said earlier this month that the U.K. data protection and privacy regulator may give organisations "years" to comply with the law.

"Some of the timescales don’t match the May 2011 to May 2012 deadline. We recognise that some of the people we speak to don’t have web development cycles that start just because the ICO has set a deadline," said David Evans, an ICO senior policy manager.

I develop Android, iOS, Windows Mobile apps. Am I affected?

Indeed, you are. All downloadable apps from applications stores --- such as Apple's App Store, Google Play or the Windows Phone Marketplace --- are subject to the new laws. The ICO said it would be examining the stores closely to ensure compliance.

This of course does not mean just cookies --- it includes any in-built tracking code that would enable access to a user's smartphone data.

"Apps are one of the items on our list," warned David Smith, deputy commissioner for the ICO. "It's quite clear that if someone is storing something on a device, or accessing information that is already stored on a device, one of the issues might be the form of consent when an app is downloaded."

I heard the E.U. just 'outlawed' website analytics?

Not quite, and far from.

It's true that if you use Google Analytics, or any other service that gives you basic numbers through to pretty graphs to show you how many people visit, when, and what they look at, you will be affected.

But the new law has to accommodate the fact that website tracking is extremely common and is all but impossible to outlaw. It's therefore down to the website owner or Web application developer to inform its users that it wants to track you.

The ICO said it wants to "focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals" which may or may not include cookies that count you as a visitor to its statistics. The ICO remains frustratingly vague in this area.

Two-thirds of cookies are for adverts, but ads keep the Web free?

It seems somewhat counter-intuitive for the European authorities to impose stricter rules on how online advertisements work because its those advertisements that keeps the Web vastly free.

Interestingly, the Financial Times report that more than two thirds of cookies are for ads. As you'll imagine, this means that unless sites become complaint, the ads displayed on sites will be in breach of the law.

This very site is free. This site doesn't charge you to view its articles or leave feedback. But it does install a whole bunch of cookies on this very device that you're reading this article on. It also installs a whole boatload from third-party advertisers.

But one of the major concerns is if users fail to accept the cookies, many sites will not see you as a statistic nor will the website be allowed to display ads, leading to the website owner losing money.

What is the ICO doing to chase big companies over the cookie law?

The ICO is in the process of chasing around 50 large companies with a U.K. presence in a bid to set a good example, reports ZDNet UK.

The ICO said [PDF] it had contacted Facebook, Google, Amazon, AOL, and Apple UK --- including dozens more to 'remind' about compliance with the new law. It also includes major media websites, such as the BBC --- which is now compliant, a BBC spokesperson said --- along with other media organisations, such as Associated Newspapers Ltd., which owns the Metro and Daily Mail websites.

Image credit: BT/ZDNet.


Topic: Legal

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Let me see if I understand this

    US companies forced to adhere to silly European cookie laws = good.

    European companies forced to adhere to US anti-terrorism and tax avoidance laws = bad?

    Is that the gist of it?
    Your Non Advocate
  • US anti-terrorism and tax avoidance laws = bad?

    Is that the gist of it?

    Oakley frogskins
  • film indir

    Merhaba. 1 Ay boyunca sadece 15 TL'ye yerli-yabanc dizileri, HD-Bluray filmleri internetinin destekledii en son hzda indirmek istemezmisin? Hem de dizi yayndan ktktan 5 dakika sonra indirmeye sunulmaktadr.

    Google a vipmerkezi yaz ilk kana gir.
  • thoughts on enforcement

    "U.S.-based companies with a presence in the European Union, no matter how small, are still liable to E.U. laws, regardless of whether your website or Web application is hosted in the E.U. or elsewhere."

    I'd love to see the EU try to enforce this, though, if a website has no hosting or other physical presence in the EU. They can declare they have reach outside their boundaries all they like, but if a nation isn't a member state of the EU, then they really have no control over the actions of the other nation. The other nation can simply ignore any requests for extradition or demands for compliance.

    And no, I don't believe that U.S. based companies are still liable to EU laws - the U.S. may be tied to European states in many ways (Geneva convention, NATO, the UN, etc), but we're not a member of the EU.
    • Or they can say

      Here's a fine -- either pay up, or we're going to ban your company from operating in the E.U. --- which, don't forget, has a greater population than the U.S. by nearly double. Yeah, they can do that.
      • Assuming they have a way to enforce the ban.

        First of all, I'm assuming a business that is [i]not[/i] operating in Europe. It just happens to have a website that's open to the public internet, and as a result people in Europe can access it.

        And of course, assuming the EU has a way to enforce the ban.

        Which would essentially mean that they'd have to build a "great firewall of Europe" similar to what China does.

        I've never heard of such a thing, though, so enforcement may still be problematic.
  • Browser/User Responsibility

    Not to state the obvious, but shouldn't it be the browsers/users responsibility to control what gets downloaded/uploaded from/to their computer to/from a web site. Browsers give users the ability to accept or block cookies on an individual basis or turn cookies off entirely already. Further many browsers have an option to block third party cookies as well, that being cookies that do not belong to the website you are visiting (i.e. advertiser/stat tracking cookies). What use is it to force a website to give the user a third option because people are not smart enough to protect themselves. The browser has good control over what gets sent to a website, and as I understand it, it can change any of the information it wants, except the ip, which can be changed other ways.

    I would think a simple solution would be to create a law requiring browsers to give further user control over cookies and other tracking information. Then the government would only need to regulate the thousands of browser companies rather than the millions of websites.

    If this was implemented then the advertisers would have to accommodate the browser/user as they already do and change according to what information is available/transmitted.

    Am I missing something or does the user not have full control of their computer?

    Doesn't HTML5 have a better storage system that is more secure than cookies? If so, shouldn't this new technology be required by browsers/websites and simply phase out cookies?

    I realize these laws are not just about cookies, but it still seems that it would be up to the browser to control information rather than the website receiving it.

    Also like most internet laws the law truly targets good websites rather than bad, good websites will comply and bad websites wont. Isn't it the bad ones we are worried about. On top of that the law will lull users into a false sense of security and users will be less likely to be cautious and assume any prompt is legitimate.

    I can see spam sites now. You go to a spam site, it prompts you to accept their cookies so you click yes or any of the other options and instead of just installing cookies with your required click, they take you to 50 spam sites too, or start a download, or any other thing that a prompt can do.

    This whole idea is idiotic. You can tell it was developed by a group of old out of touch people that don't understand even the basics of the internet.
    • thoughts

      "Not to state the obvious, but shouldn't it be the browsers/users responsibility to control what gets downloaded/uploaded from/to their computer to/from a web site"

      Except that most users are clueless about cookies. Not to mention browsers can use other methods, such as Flash cookies and HTML 5 storage. As long as there's way to store information in the browser, any web site can use it similarly to cookies.

      "I would think a simple solution would be to create a law requiring browsers to give further user control over cookies and other tracking information."

      I think we need less laws, not more. Our government is broken enough as it is. The last thing we need is more laws right now. I'd rather use methods that don't involve more laws to fix this stuff.

      "Doesn't HTML5 have a better storage system that is more secure than cookies?"


      "If so, shouldn't this new technology be required by browsers/websites and simply phase out cookies?"

      Well, cookies are more lightweight and easier to use. And if you block third party cookies, it ends up being basically the same as HTML 5, but smaller/faster.
      • Less Laws

        I completely agree, we need less laws, but law makers aren't going to stop. They think the fastest and best way to stop something from happening is to add a law, rather than letting the internet take its course. I am just stating that if a law is required isn't there a more obvious and natural path than the law makers are taking?

        As you stated HTML5 will have better protections against some of these exact issues. But instead of doing the logical thing and changing the core of the internet to be better for its users, the law makers are doing what they know, which is to make laws.

        They should leave internet regulations alone and let internet standards continue to develop unhindered by laws, but they wont. Now that standards are finally being accepted the internet is a better place, the generally free market works and is growing to a better future. But the government/officials want to claim the internet and control it as much as or more than the things they already control, so laws will continue to be made to try and control the internet.

        I am glad that the US, thus far, has turned down bad internet regulation laws rather than letting the fear of the internet force them to make bad decisions as the UK/EU has made. (I know this statement is not that true, but they haven't let all the legislation pass at least. Nor have they passed something that is this useless as far as I know.)

        Hopefully the free market will stay free a bit longer.
  • Privacy Sandbox API

    I think that the main challenge here is gaining consent with regarding to cookies. Unless you chose to walk in the "implied consent" pattern, you need to provide some mechanism that will not render any script that may product tracking cookie, such as provided by social-plug-in and ads, before gaining user consent. Or at least treat users with an attitude of high transparency with regarding to scripts that may require privacy concern, and in a way that can not be ignored by user.
    And on the other end, you don't want to irritate. This is the challenge.

    I developed for my websites the [b]"Privacy Sandbox API"[/b] that provide website with high level of user's on-the-fly personalization. Meaning that sections in the website will not be rendered unless user's give his her permissions for that. This is the way I address the requirement for gaining user's consent. Also at first time user is visiting my websites I show a small popup on the bottom/left corner that tell the user what "channels" are available. Channels are customizable by website owner. For example: "social plug-in" channel may be set to take care of rendering Google+, Facebook like, Add to any etc'.

    The API can be used by other websites, and you can find it on Rhizome Networks website. Just Google this "inurl:privacy-sandbox-api"
  • Cookies Law

    Does anybody else find this new cookies law also annoying?

    Nowadays all website that you visit you have to click away the warnings.

    Is there any company that has created an Add-on for my browser so that I can take away all warnings. I have never really cared that websites create cookies (there are many other ways of storing data, whihc don't have to be reported to the user) and I still really don't care about this. Websites having annoying and uggly messages at the top of the screen is something that I find quite annoying.
  • WTF UK?

    What the fuck UK? What happen to the internet being free and all, if you hate it so much, fucking isolate yourself like a fucking cave-country.