UK 'cookie law' takes effect: What you need to know

Let's be honest: The U.K. has made a right hash-up of implementing the cookie law from start to finish. It came into force on May 26. Here's everything you need to know.
Written by Zack Whittaker, Contributor

If you've seen a "cookie settings" warning like this recently, you're not the only one.


A few high-profile U.K. websites have in the past few days started to warn their visitors that they use cookies on their sites.

If this is the first you've heard about it and you own a U.K. website that uses cookies --- such as those with shopping carts, adverts, a login function, or text-size preferences --- or develop for a mobile application platform... whoops.

You had until today to comply with the new European cookie law.

You won't be the only one, though. It is thought the majority of U.K. websites are breaking the law that dictates how users are tracked and logged, despite having more than a year to prepare for the changes.

Here's what you need to know.

What's the lowdown: E.U. cookie law or U.K. cookie law?

The E.U.'s "e-Privacy" Directive, which first came into force in 2002, was amended in 2009. Each of the E.U.'s 27 member states was told to bring the Directive into its own national law by this time last year, including the United Kingdom.

The U.K.'s amended Privacy and Electronic Communications Regulations (PECR) came into force on May 26, 2011. They state, amongst other things, that companies operating in the E.U. and the U.K. must obtain consent from their website users before setting cookies on those users' devices.

Cookies allow websites to offer a more personalised experience, such as remembering a user's preferences. Cookies can also be used for tracking user behaviour, and also by website owners to track how often their pages are being visited and other interesting non-personal user information.

Some major websites, such as the BBC, have implemented new systems to inform users and allow them to opt-out. However, most U.K. government websites aren't ready and already fall foul of the law.

The Directive dictates that users should be aware of which kind of cookie is being set, varying from "essential" cookies, such as those used to remember which goods are in your e-shopping cart, to "non-essential" cookies that can be used to track user behaviour.

But cookies are only a small part of online tracking, right?

Correct. The E.U. Directive contains only a portion relating to cookies, but also targets "non-essential tracking", regardless of whether a cookie is involved or not.

Arguably the focus on cookies has distracted many from the wider implications of the Directive. Website and Web application operators need to determine whether third-party trackers, such as advertisers and analytics, are used on their sites.

As much as 40 percent of tracking activity is not related to cookies, so a "cookie audit" should look beyond cookies to other tracking technologies.
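A cookie audit of the kind described above usually starts from the Set-Cookie headers a logging proxy records during a page load. The following is an added example, not code from the article or from any regulator or site: it parses those headers and classifies each cookie as session or persistent and as first- or third-party relative to the site being audited. The hostnames and header lines in SAMPLE_CAPTURE are constructed for illustration, and the registrable-domain check is a deliberate approximation rather than a Public Suffix List lookup.

```javascript
// Added example, not code from the article or from any regulator or site.
// Parses captured Set-Cookie headers and classifies each cookie for a
// cookie audit. Hostnames and header lines below are constructed.

const SITE = "www.example.co.uk"; // assumed: the site under audit

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0];
  const value = eq >= 0 ? parts[0].slice(eq + 1).trim() : "";
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i >= 0 ? p.slice(0, i) : p).trim().toLowerCase();
    attrs[key] = i >= 0 ? p.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

// Approximate the registrable domain: the last two labels, or the last three
// when the second-level label is a common public suffix such as "co" in
// "co.uk". Assumption: adequate for an audit report, not a Public Suffix List.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  const n = labels.length;
  if (n <= 2) return labels.join(".");
  const shortSld = new Set(["co", "ac", "gov", "org", "net", "com"]);
  if (labels[n - 1].length === 2 && shortSld.has(labels[n - 2])) {
    return labels.slice(n - 3).join(".");
  }
  return labels.slice(n - 2).join(".");
}

// Classify one parsed cookie. `responseHost` is the host whose response
// carried the header; `site` is the page the user actually visited.
function classifyCookie(cookie, responseHost, site = SITE) {
  const a = cookie.attrs;
  const persistent = "expires" in a || "max-age" in a; // otherwise session-only
  const cookieDomain = typeof a.domain === "string" ? a.domain : responseHost;
  return {
    name: cookie.name,
    setBy: responseHost,
    persistent,
    thirdParty: registrableDomain(cookieDomain) !== registrableDomain(site),
    secure: a.secure === true,
    httpOnly: a.httponly === true,
  };
}

// Run the audit over captured [host, Set-Cookie line] pairs and pick out the
// two groups most relevant here: persistent third-party cookies (almost
// always "non-essential") and first-party session cookies (usually the
// "strictly necessary" ones such as a basket or login session).
function auditCookies(captured, site = SITE) {
  const rows = captured.map(([host, line]) => classifyCookie(parseSetCookie(line), host, site));
  return {
    rows,
    thirdPartyPersistent: rows.filter((r) => r.thirdParty && r.persistent).map((r) => r.name),
    firstPartySession: rows.filter((r) => !r.thirdParty && !r.persistent).map((r) => r.name),
  };
}

// Constructed sample: what a logging proxy might record for one page load.
const SAMPLE_CAPTURE = [
  ["www.example.co.uk", "sessionid=abc123; Path=/; HttpOnly; Secure"],
  ["www.example.co.uk", "textsize=large; Path=/; Max-Age=31536000"],
  ["stats.example.co.uk", "__utma=1.2.3; Domain=.example.co.uk; Expires=Fri, 31 Dec 2032 23:59:59 GMT"],
  ["ads.tracker-example.net", "uid=9f8e7d; Domain=.tracker-example.net; Expires=Fri, 31 Dec 2032 23:59:59 GMT; Path=/"],
];

const report = auditCookies(SAMPLE_CAPTURE);
console.log(report.rows);
console.log("persistent third-party cookies:", report.thirdPartyPersistent);
```

The report deliberately covers only cookies; as the text notes, local storage, fingerprinting scripts and other non-cookie mechanisms have to be inventoried separately, typically by reviewing the third-party scripts a page loads.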

Why is the U.K. 12 months behind everyone else?

Only three countries actually met the transposition deadline: Denmark, Estonia and the U.K., though the U.K. probably gets no more than a D+ for effort.

The U.K.'s data protection regulator, the Information Commissioner's Office (ICO), gave U.K. companies a 12-month reprieve before it would enforce the rules, and at the half-way point of that grace period many were still not ready.

The reprieve was given because many organisations had to rip open the innards of their corporate websites and Web applications to work out where cookies were set and when.

Define "consent", exactly.

In the vast majority of cases, a pop-up or some kind of obvious box will appear on a website asking a user to tick a box and hit a button. This means a user will give explicit consent to the use of cookies and other tracking tools. Users will also be able to determine the level of cookie and tracking use on the site.

But there's a problem. Only a few days before the May 26 deadline, the ICO updated its guidance to state that "implied consent" will suffice, seemingly going against the original European Directive. The ICO said that the continued use of a website or Web application would imply the user is consenting to the changes --- shifting the responsibility of consent to the user rather than the website owner.

On a practical level, as an ordinary Web user, what are my likely options in accepting or declining cookies?

BT, which has more than 8 million U.K. broadband customers, may have one of the best cookie settings examples available.

In this example, it allows the user to pick between strictly necessary cookies, which allow the site simply to work; functional cookies, a level at which social sharing and behavioural tracking code are held back; and targeting cookies, which allow full user tracking and the fullest possible experience.

Unfortunately, because all websites and Web applications are set out differently and vary in size and structure, there is no one-size-fits-all solution to every site.

Some websites will offer "implied consent" that gives no option except the choice to leave the site, while others will simply allow users to check a box and allow all non-essential cookies in.
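The three-tier model above, and the difference between the "no choice yet" default and the ICO's "implied consent" reading, can be made concrete in code. The following is an added example, not BT's or any other site's code: cookies are tagged with a category and only written when the stored consent record allows that category. The category names, the consent-cookie name and the cookie list in SITE_COOKIES are assumptions made for illustration; in a browser the `writer` callback would assign to `document.cookie`.

```javascript
// Added example, not BT's or any other site's code: consent-gated cookie
// setting in the three-tier model (strictly necessary, functional,
// targeting). Category names, consent-cookie name and SITE_COOKIES are
// assumptions made for illustration.

const CATEGORIES = ["necessary", "functional", "targeting"];
const CONSENT_COOKIE = "cookie_consent"; // assumed name of the stored choice

// Consent when the user has made no choice yet. With impliedConsent=false only
// strictly necessary cookies may be set (the Directive's reading); with
// impliedConsent=true continued browsing is treated as acceptance (the ICO's
// later guidance). Keeping this a single flag makes the site's policy explicit.
function defaultConsent(impliedConsent = false) {
  return { necessary: true, functional: impliedConsent, targeting: impliedConsent, recorded: false };
}

// Serialise a consent record for storage; "necessary" is never optional, so
// it is not stored. Commas are used because ';' would terminate a cookie value.
function serializeConsent(consent) {
  return CATEGORIES.filter((c) => c !== "necessary")
    .map((c) => `${c}=${consent[c] ? 1 : 0}`)
    .join(",");
}

// Parse a stored consent value such as "functional=1,targeting=0". Unknown
// keys are ignored; a missing or empty value means no choice was recorded.
function parseConsent(value) {
  const consent = defaultConsent(false);
  if (!value) return consent;
  for (const pair of value.split(",")) {
    const [key, v] = pair.split("=");
    if (CATEGORIES.includes(key) && key !== "necessary") consent[key] = v === "1";
  }
  consent.recorded = true;
  return consent;
}

function isAllowed(category, consent) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  return consent[category] === true;
}

// Apply cookie specs { name, value, category, maxAge? } against a consent
// record. `writer` receives each Set-Cookie-style string: in a browser pass
// (s) => { document.cookie = s; }; in tests pass a recording stub.
// Returns the names set and the names withheld for lack of consent.
function applyCookies(specs, consent, writer) {
  const set = [];
  const blocked = [];
  for (const s of specs) {
    if (!isAllowed(s.category, consent)) {
      blocked.push(s.name);
      continue;
    }
    let str = `${s.name}=${encodeURIComponent(s.value)}; Path=/; SameSite=Lax`;
    if (s.maxAge) str += `; Max-Age=${s.maxAge}`;
    writer(str);
    set.push(s.name);
  }
  return { set, blocked };
}

// Record the user's explicit choice. The consent cookie is itself strictly
// necessary, so it is written regardless of the choice made.
function recordChoice(choice, writer) {
  const consent = { ...defaultConsent(false), ...choice, necessary: true, recorded: true };
  writer(`${CONSENT_COOKIE}=${serializeConsent(consent)}; Path=/; Max-Age=31536000; SameSite=Lax`);
  return consent;
}

// Constructed list of the cookies a small retail site might set.
const SITE_COOKIES = [
  { name: "basket", value: "item42", category: "necessary" },
  { name: "textsize", value: "large", category: "functional", maxAge: 31536000 },
  { name: "ad_uid", value: "9f8e7d", category: "targeting", maxAge: 63072000 },
];

function demo() {
  const jar = [];
  const write = (s) => jar.push(s);
  console.log("no choice yet:", applyCookies(SITE_COOKIES, defaultConsent(false), write));
  const chosen = recordChoice({ functional: true, targeting: false }, write);
  console.log("after choice: ", applyCookies(SITE_COOKIES, parseConsent(serializeConsent(chosen)), write));
  console.log("cookie jar:", jar);
}
demo();
```

The point of routing every cookie through `applyCookies` is that the consent decision lives in one place: switching a site from the strict default to implied consent is a single flag, and the audit question "which cookies does this page set before the user has chosen anything?" has a checkable answer.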

I'm a U.S.-based company with a U.K. and E.U. presence. Am I affected?

U.S.-based companies with a presence in the European Union, no matter how small, are subject to E.U. law, regardless of whether the website or Web application is hosted in the E.U. or elsewhere. Mobile application developers are also subject to the E.U. rules (see below).

In this scenario, while your U.S. website and other non-E.U. websites are not subject to this law, your dedicated pages for the U.K., Italy, France, Germany and so on are all affected. The U.K. has simply taken a little longer to get the wheels in motion.

What are the penalties for failing to comply?

At the moment: there aren't any.

The ICO can impose substantial fines when a company, organisation or governmental body breaches the U.K.'s data protection or privacy laws. For the cookie law, the ICO said it has the power to fine up to £500,000 ($780,000), but that it was not going to suddenly "launch a torrent of enforcement action."

The regulator will instead keep its eyes peeled and continue to push for sites to become compliant --- despite having a year to stand on the right side of the law. As long as companies are willing to make the changes and can prove they are making steps to become compliant, it's likely the ICO will carry on with its softly-softly approach.

But I heard most U.K. government websites will miss the deadline?

How very ironic. Indeed, ZDNet UK reported that most U.K. government websites will not be compliant by May 26.

The Cabinet Office said it was "working to achieve compliance at the earliest possible date," which is government-speak for "by the time the next election comes." Again, the ICO is fully aware that compliance is not an overnight job, and that some can work at it all year to no avail.

An ICO official said earlier this month that the U.K. data protection and privacy regulator may give organisations "years" to comply with the law.

"Some of the timescales don’t match the May 2011 to May 2012 deadline. We recognise that some of the people we speak to don’t have web development cycles that start just because the ICO has set a deadline," said David Evans, an ICO senior policy manager.

I develop Android, iOS, Windows Mobile apps. Am I affected?

Indeed, you are. All downloadable apps from applications stores --- such as Apple's App Store, Google Play or the Windows Phone Marketplace --- are subject to the new laws. The ICO said it would be examining the stores closely to ensure compliance.

This does not mean just cookies: it covers any built-in code that stores data on a user's smartphone or accesses data already stored there.

"Apps are one of the items on our list," warned David Smith, deputy commissioner for the ICO. "It's quite clear that if someone is storing something on a device, or accessing information that is already stored on a device, one of the issues might be the form of consent when an app is downloaded."

I heard the E.U. just 'outlawed' website analytics?

Not quite; far from it.

It's true that if you use Google Analytics, or any other service that gives you basic numbers through to pretty graphs to show you how many people visit, when, and what they look at, you will be affected.

But the new law has to accommodate the fact that website tracking is extremely common and all but impossible to outlaw. It is therefore down to the website owner or Web application developer to inform users that the site wants to track them.

The ICO said it wants to "focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals" which may or may not include cookies that count you as a visitor to its statistics. The ICO remains frustratingly vague in this area.

Two-thirds of cookies are for adverts, but ads keep the Web free?

It seems somewhat counter-intuitive for the European authorities to impose stricter rules on how online advertisements work, because it is those advertisements that keep much of the Web free.

Interestingly, the Financial Times reports that more than two-thirds of cookies are for ads. As you'll imagine, this means that unless sites become compliant, the ads displayed on them will be in breach of the law.

This very site is free. It doesn't charge you to view its articles or leave feedback. But it does set a whole bunch of cookies on the device you're reading this article on, and a whole boatload more from third-party advertisers.

One of the major concerns is that if users decline the cookies, sites will not be able to count them in their statistics or serve the ads that depend on tracking cookies, leaving the website owner out of pocket.

What is the ICO doing to chase big companies over the cookie law?

The ICO is in the process of chasing around 50 large companies with a U.K. presence in a bid to set a good example, reports ZDNet UK.

The ICO said it had contacted Facebook, Google, Amazon, AOL and Apple UK, along with dozens more, to 'remind' them about compliance with the new law. The list also includes major media websites such as the BBC (which is now compliant, a BBC spokesperson said) and other media organisations such as Associated Newspapers Ltd., which owns the Metro and Daily Mail websites.

Image credit: BT/ZDNet.
