What is the Cookie Law?

Cookie law is a new piece of privacy legislation that requires websites to obtain consent from visitors to store or retrieve any information on a computer or other web-connected device, like a smartphone or tablet.

It has been designed to protect online privacy by making consumers aware of how information about them is collected by websites, and enabling them to choose whether or not they want it to happen. It started as an EU directive adopted by all EU nations on 26 May 2011. At the same time, the UK updated its Privacy and Electronic Communications Regulations, bringing the directive into law.

Requirements and responsibilities

Many people will be unaware that the law is already in effect in the UK. However, the UK’s regulator, The Information Commissioner’s Office (ICO), gave everybody a one year ‘grace period’ before enforcing it. That grace period expired on 26 May 2012.

What is a cookie?

Cookies come in many guises, often shrouded by impenetrable names, which is why you need an audit to identify them and understand what activities they perform. Some of these are vital to making a website work, but others track what users do online and pass that data to third parties. It’s mainly this latter cookie type that has caused the shift in cookie compliance.

There are two types to consider: is a cookie first-party or third-party (set by a web service you may not be aware of)?

First-party cookies are generally ‘good’ – helpful and fairly low risk.

It’s third-party cookies that pose the most compliance issues. Examples of ‘bad’ cookies are those used in behavioural advertising, where they identify what you click on and tell advertising websites to display that type of product or service wherever you go afterwards. From 26 May, website owners must disclose or seek permission to use this type of cookie.

How to categorise cookies

Zero compliance risk or ‘strictly necessary’ cookies
Always first-party and not persistent. These include functional navigation and user session cookies for shopping baskets.

Low compliance risk
Always first-party and may be persistent. These cookies include accessibility options for visually impaired users and, arguably, analytics cookies.

Medium compliance risk
Usually first-party and persistent. These might be used to store personally identifiable information, or limited cross-site tracking, in order to present content based on previous visits. Another good example is the Facebook Like button.

High compliance risk
Third-party and persistent. These are mainly used to track and record visitor interests without prior consent, and aggregate this data for use by third parties, normally advertisers. This also includes cookies set through the provision of embedded content which is not ad-related, such as Google Maps and YouTube videos.
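The audit above boils down to two questions per cookie: is it first- or third-party, and is it a session or a persistent cookie? The script below, an added example that is not part of the original article, applies those two questions to raw Set-Cookie headers captured during a page load and maps the answers onto the tiers described here. The site domain `example.co.uk` and the sample headers are constructed, and the split between low and medium risk still needs a human judgment about the cookie’s purpose.

```python
# Added example, not from the original article: apply the article's two audit
# questions (first- or third-party? session or persistent?) to Set-Cookie headers.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name/value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return attrs

def is_first_party(cookie_domain: str, site_domain: str) -> bool:
    """First-party if scoped to the site itself or one of its subdomains."""
    d = cookie_domain.lower().lstrip(".")
    return d == site_domain or d.endswith("." + site_domain)

def is_persistent(attrs: dict) -> bool:
    """RFC 6265: Max-Age takes precedence over Expires; neither means session."""
    if attrs.get("max-age", "").lstrip("-").isdigit():
        return int(attrs["max-age"]) > 0   # Max-Age <= 0 deletes the cookie
    return "expires" in attrs

def audit_cookie(response_host: str, header: str, site_domain: str) -> dict:
    """Classify one cookie into the article's risk tiers, as far as headers show."""
    attrs = parse_set_cookie(header)
    domain = attrs.get("domain") or response_host  # Domain attribute widens scope
    first = is_first_party(domain, site_domain)
    persistent = is_persistent(attrs)
    if not first:
        tier = "high"                 # third-party: disclose or seek consent
    elif persistent:
        tier = "low/medium"           # first-party persistent: purpose decides
    else:
        tier = "strictly necessary"   # first-party session cookie
    return {"name": attrs["name"], "domain": domain.lstrip("."),
            "first_party": first, "persistent": persistent, "tier": tier}

# Constructed sample: (host that sent the response, Set-Cookie header value)
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.co.uk", "a11y_prefs=large-text; Max-Age=31536000; Path=/"),
    ("ads.tracker-example.net",
     "uid=9f2c; Domain=.tracker-example.net; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
]

def audit_page(responses=SAMPLE_RESPONSES, site_domain="example.co.uk") -> list:
    return [audit_cookie(host, hdr, site_domain) for host, hdr in responses]
```

Feed it the Set-Cookie headers from your own browser’s developer tools or a proxy capture; every cookie that lands in the high tier is one your disclosure statement or opt-in notice must cover.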

What to do as a website owner

Once you have identified what cookies are used on your website and understand them, you can then tell visitors about them.
You can do one of the following:

Explicit opt-in/opt-out
If your site is heavy with third-party advertising and social media connectors, the safest bet is to seek explicit opt-in from visitors via some kind of intervention, such as a ‘This site uses cookies: allow’ notice on your homepage. Bear in mind that if your adverts come from a variety of ad serving networks and regularly change, you’ll need to update your disclosure statement to reflect any new cookies. You might find analytics numbers dropping. This doesn’t mean people aren’t visiting your site, but if they opt out they won’t be included in your Google Analytics.

Implied consent via notice
If your site doesn’t feature advertising and uses cookies for functional purposes (accessibility, Facebook Like buttons and Google Analytics), then you may be fully compliant if you have a cookie notice displayed clearly on your website referencing details on your privacy page. You will need to make sure this notice remains up to date when new features are added.

Conclusion

It’s vital to comply with regulations, but there’s flexibility built into the UK cookie law enabling various responses to a range of compliance risks; maybe this is what makes it confusing. Take practical steps to comply and the chances are you’ll be compliant; it’s that simple. Doing nothing is the worst thing you can do right now.

If you would like help on making your website compliant please email us here