How to deal with the new EU cookie law

Richard Fergie of digital management consultancy Reform has ten tips for making sure you don't fall foul of the new EU cookie legislation.

by Richard Fergie
Last Updated: 09 Oct 2013

On 26 May 2012, the EU e-Privacy Directive will come into force in the UK. It’s known as the 'cookie law' because it requires all websites to get the informed consent of users before setting a cookie (a small text file that remembers details such as logins and email addresses) on their computer.

Businesses that don’t comply could face a fine of up to £500,000 as well as negative publicity. Here's how to make sure you stay on the right side of the law:

1. Do a cookie audit. You need to be aware of exactly what cookies your website is using and what they are used for.

2. Get rid of the trash. This audit will probably reveal a lot of cookies that aren’t really used for anything anymore. These should be removed from the site immediately.

3. Classify your cookies. You need to break down the cookies your site uses into the following categories:

i. Essential. For example, a cookie used to mark a visitor as a logged-in user

ii. Non-essential but benign. For example, remembering a user’s email address on a login form. This isn’t essential for website functionality but makes it easier to use.

iii. Moderately intrusive. These cookies are used to track user behaviour but in a minimally intrusive way. For example, the default cookies used by Google Analytics are available only to the owners of the site the user is browsing and don’t reveal personally identifiable information.

iv. Highly intrusive. For example, the Facebook ‘Like’ button or cookies that track products you’ve looked at on a retail website and send you adverts for those items when you visit other sites. Highly-intrusive cookies leak user information to third parties or track personally identifiable information about your users.

4. Don’t worry about the essentials. You don’t need to get user permission for cookies that are essential for the operation of your website, such as remembering logged-in users.

5. Create a compliance plan. For all the other classes of cookie you need a plan to answer two questions:

i. How can we prevent our website from using this cookie? This is something for your IT/web team to determine.

ii. How are we going to ask the user’s permission to use this cookie? For example, you could have a pop-up box, ‘cookie status’ bar or warning bar on the website. Each option has pros and cons you need to analyse.

6. Decide how risk-averse you feel. Breaking the law can carry a fine of up to £500,000, but anything other than minimal compliance could put businesses at a competitive disadvantage. Unfortunately, the Information Commissioner’s Office (ICO) is currently giving out mixed messages – suggesting it may not prosecute businesses using less-intrusive cookies.

7. If you’re conservative, cover everything. A risk-averse business should implement a plan to require user consent for all non-essential cookies before the 26th May.

8. If you’re feeling brave, do nothing. Businesses with a larger appetite for risk, or those for whom highly-intrusive cookies are important for revenue, can adopt a 'wait and see' strategy. As it becomes clearer how the law will be enforced and which breaches the ICO prosecutes first, they can implement an appropriate compliance plan.

9. If you’re in the middle, just go for the worst offenders. The middle way, and one that will be appropriate for most online businesses, is to require consent for (or simply not use) highly-intrusive cookies.

10. Stay up to date. This law is big news for any business with a website – and particularly those with e-commerce platforms – and no one is quite sure how it will be applied. Keep your compliance plans handy and be ready to implement or change them depending on how the law develops.
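Tips 1, 3 and 5 can be turned into a small piece of site code: a table recording the outcome of the cookie audit (each cookie's category and purpose), a consent record, and a single function that every part of the site must use to set cookies. The example below is added here and is not code from the article or from Reform; the cookie names, categories and values in the table are constructed for illustration, and the `CookieJar` class is a stand-in for the browser's `document.cookie` so the code can be run outside a browser.

```javascript
// Added example: consent-gated cookie setting built around the four cookie
// classes described in the article. Cookie names and purposes are constructed.
const POLICY = Object.freeze({
  session_id:     { category: "essential", purpose: "marks a visitor as logged in" },
  remember_email: { category: "benign",    purpose: "pre-fills the login form" },
  _ga:            { category: "moderate",  purpose: "first-party analytics" },
  retarget_id:    { category: "intrusive", purpose: "third-party ad retargeting" },
});

// The consent record is itself a cookie; it is essential because it stores the choice.
const CONSENT_COOKIE = "cookie_consent";
const OPTIONAL_CATEGORIES = ["benign", "moderate", "intrusive"];

// Parse a document.cookie-style "a=1; b=2" string into an object.
function parseCookies(str) {
  const out = {};
  for (const part of (str || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Categories the user has agreed to. Essential cookies never need consent (tip 4).
function consentedCategories(cookieStr) {
  const granted = new Set(["essential"]);
  const raw = parseCookies(cookieStr)[CONSENT_COOKIE];
  if (raw) for (const c of raw.split(",")) if (c) granted.add(c);
  return granted;
}

// May this cookie be set right now? Cookies the audit did not classify are
// refused: anything not in the policy table should not reach the browser.
function canSet(name, cookieStr) {
  if (name === CONSENT_COOKIE) return true;
  const entry = POLICY[name];
  if (!entry) return false;
  return consentedCategories(cookieStr).has(entry.category);
}

// Minimal stand-in for document.cookie (no expiry handling) so the example runs in Node.
class CookieJar {
  constructor() { this.store = {}; }
  get cookie() {
    return Object.entries(this.store)
      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; ");
  }
  set cookie(str) {
    const [pair] = str.split(";");
    const idx = pair.indexOf("=");
    this.store[pair.slice(0, idx).trim()] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
}

// The one place the site sets cookies. Returns true if the cookie was set.
function setCookie(doc, name, value, { maxAge = 86400, path = "/" } = {}) {
  if (!canSet(name, doc.cookie)) return false;
  doc.cookie = `${name}=${encodeURIComponent(value)}; Path=${path}; Max-Age=${maxAge}; SameSite=Lax; Secure`;
  return true;
}

// Record the user's choice from the consent bar or pop-up (tip 5 ii).
function recordConsent(doc, categories) {
  const allowed = categories.filter((c) => OPTIONAL_CATEGORIES.includes(c));
  return setCookie(doc, CONSENT_COOKIE, allowed.join(","), { maxAge: 180 * 86400 });
}

// Audit helper (tip 1): cookies present in the browser that the policy does not know about.
function unclassifiedCookies(cookieStr) {
  return Object.keys(parseCookies(cookieStr))
    .filter((n) => n !== CONSENT_COOKIE && !POLICY[n]);
}

// Walk through a visit: before consent only essential cookies get through,
// after consent to "benign" and "moderate" analytics is allowed but ad retargeting still is not.
function demo() {
  const doc = new CookieJar();
  const analyticsBefore = setCookie(doc, "_ga", "GA1.2.111");   // false: no consent yet
  const session = setCookie(doc, "session_id", "abc");          // true: essential
  recordConsent(doc, ["benign", "moderate"]);
  const analyticsAfter = setCookie(doc, "_ga", "GA1.2.111");    // true
  const retarget = setCookie(doc, "retarget_id", "xyz");        // false: intrusive, not consented
  return { analyticsBefore, session, analyticsAfter, retarget,
           cookies: Object.keys(parseCookies(doc.cookie)).sort() };
}
```

In a real page `document` is passed in place of the `CookieJar`, and the `Secure` attribute means the cookies are only sent over HTTPS; `unclassifiedCookies` is the check to run during the audit in tip 1 so that any cookie the table does not list is either classified or removed (tip 2).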
