Everything You Need to Know About the Cookie Law in Five Minutes


In 2009, the EU amended their 2003 directive on electronic privacy to include provisions for the use of cookies on web sites. After three years of build-up to implementation, which included a complete revision of the initial legal guidance, the cookie law went into effect in the United Kingdom in May 2012.

The UK’s implementing guidance requires web sites to:

  • Inform site visitors when a site uses cookies;
  • Explain what the non-essential cookies are and what they do;
  • Obtain consent to store non-essential cookies on the visitor’s device.

Disclaimer: this post, which is targeted at a UK audience, is not legal advice.

What kind of cookies are considered essential?

These are the ones that keep you logged in to a web site, or keep your items in your shopping cart, or keep your language preference stored. You do not need to explain them or gain consent for them. Non-essential cookies include things like third party advertising beacons, social media connections, and analytics cookies. (You could always use cookie-less analytics.)

What is the best way to comply?

A simple information notice – “Cookies” – which links to your cookie disclaimer, placed discreetly into your header or footer, will do. You can also combine your cookie disclaimer with other policies in a “Terms and Cookies” link. Your disclaimer can simply be a data table listing what the cookies are and what function they serve. If you are offering an opt-out for potentially intrusive cookies, follow this example, which uses a simple button placed inline within the text of the Terms page.


You do not need to use special plugins, scripts, or third party services to meet your cookie law obligations. Nor do you need to use pop-ups, drop-downs, or overlays which request – or even demand – cookie consent. You do not have to reject site visitors who decline to grant their cookie consent by redirecting them to an external site.

(And whatever you do, don’t do this. Wait 10 seconds and then move your mouse. Ouch.)

What should I include in my disclaimer?

In your cookie disclaimer, you should advise your site visitors to grant their consent the responsible way – through their individual browser settings. After all, people have had control over their cookie preferences through their browsers since 1998. Why should you have to put in extra work because people can’t take personal responsibility? You can also suggest using browser add-ons like Disconnect.

The authors of the cookie law took the dreadful position of treating cookies as the source of a problem. They got that wrong. Cookies are merely carriers of information. The problem with cookies lies in what people choose to do with the information stored in them. If your site’s cookies have no impact on privacy, or if you collect analytics but never look at them, your cookie compliance strategy will be much shorter and simpler than the strategy required for a site which relies on advertising revenue or data collection.

Reality bites… into cookies

We all know what the cookie law requires on paper. That being said, we also have to measure our obligations to the law by the actual impact that it has had on the public since it went into effect in 2012. That impact has been wildly different from what the EU and UK governments had predicted.

In the United Kingdom, the cookie law is administered and enforced by the Information Commissioner’s Office (ICO), the independent government agency responsible for issues pertaining to data protection, consumer privacy, and information security. When it comes to the cookie law, ICO are not parking wardens. They are not patrolling the streets of the world wide web looking for British web sites to ticket and fine for cookie law violations, nor do they work to quotas or targets. ICO can only respond to specific cookie law complaints filed by the public through their formal reporting procedure. And, what ICO’s disclosed figures have shown so far is that the cookie law complaints they receive are about anything but privacy.

As I predicted well before the law came into effect, the cookie law is being misused as a griping mechanism by people with ideological complaints, personal grudges, and axes to grind. Businesses are reporting their competitors for “cookie law violations” to try to get one up over them; disgruntled customers are reporting businesses for “cookie law violations” in revenge for bad service or personal gripes; people are reporting politicians they don’t like for “cookie law violations” as a form of slacktivism; and people riding a privacy high horse are filing long-winded and ranty complaints that don’t actually say which web site they are complaining about.

In fact, abuse of the cookie law as a griping mechanism is so bad that a Freedom of Information request found that 90% of the 220 web sites ICO received complaints about in 2013 had only one complaint made about them. In other words, just one person in the entire United Kingdom had a problem with the site’s use of cookies (if indeed cookies played any real role in the complaint at all).

Add that knowledge to the fact that to date, no British web sites have had any action taken against them for cookie law issues – in fact, only two sites across all of Europe have been slapped for cookie law issues – and you have much ado about nothing. After all of the panic and scaremongering, the cold hard fact is this: if a site you operate is reported to ICO for an alleged cookie law issue, there is a 90% chance that the complaint is about you personally or your business, and not about any violation of privacy you might be committing. To their credit, ICO have openly stated that the vexatious, personal, and time-wasting complaints they receive in the name of the cookie law go straight into their corporate recycling bin. They frankly have more important privacy issues to deal with – as should you.

In Summary

If a lack of public interest mortally wounded the cookie law, Ed Snowden’s revelations inflicted the fatal blow. It should not fall to site administrators to shoulder the burdens of paying lip service to online privacy when every keystroke we make is recorded by a five-nation surveillance apparatus. Let’s make sure the EU hears that message loud and clear when the law is reviewed in 2015.

This post was written by Heather Burns. We are very grateful that Heather has written this post for us, however, the views expressed here belong to the author, and do not necessarily reflect the views and opinions of wpContent.


About Author

Heather Burns is a web site designer and consultant in Glasgow, Scotland, working with third sector organisations and charities. She writes extensively on internet laws and polices which affect the crafts of web design and development.

Leave A Reply

  • http://www.wojtekkutyla.com/ Wojtek Kutyla

    Heather, I’ve just found this – researching on the topic – and I think it’s massively useful. A good digest. Slainte ;)

    • Heather Burns

      Thank you very much Wojtek! I continue to post occasional articles on it over at http://idea15.wordpress.com/category/eu-cookie-law/. I think we’ll see a lot more movement in 2015 as the law reaches its scheduled three year review across Europe, which will factor in changes like the Internet of Things and state surveillance through cookies.

      • http://www.wojtekkutyla.com/ Wojtek Kutyla

        I’ll believe it when I see it ;) I don’t have much trust in public bodies or the EU when it comes to matters like these. But you’re doing a marvellous job and I’ll keep my eye on it. Gimme a shout when you’re in Edinburgh and I’ll buy you a coffee to thank you :D