New Cookie law comes into force

The Cookie Law and what you need to know about it.

An EU directive (Cookie Law) covering the use of cookies by websites has now come into force, and a study by KPMG has revealed that a startling 95% of UK businesses are unprepared for the updated policy.

The ICO (Information Commissioners Office) says that the Cookie Law directive demands that: “a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. (2) The requirements are that the subscriber or user of that terminal equipment-

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent. “Regulation 6 of the Privacy and Electronic Communications Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011)”

This means that those setting cookies must tell people that the cookies are there, explain what the cookies are doing and obtain their consent to store a cookie on their device.

What is a cookie?

“A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity”

Source Wikipedia

The ICO and the International Chamber of Commerce (ICC) has issued a set of guidelines that give a general explanation of the Cookie Law, describing the different types of cookie and how the Cookie Law legislation affects each.

Firstly, cookies defined as strictly necessary are covered but not affected by the legislature, as long as the website explains what the cookies are and why they are there.

Strictly necessary cookies enable a site to remember text entered in a page within the same session or to remember whether a user is logged in or not – they are cookies that are vital to the working functionality of the website.

The second category of cookies is performance cookies, which collect information about website usage to enhance the user’s experience and its performance. Examples of these include website analytics (i.e. Google Analytics) and ad-response rates (where data is collected exclusively for calculating click-through rates). They don’t collect information that can identify a particular visitor. These cookies are usually persistent and have fairly long expiry rates.

Functionality cookies fall into the third category. These remember the choices that users make within a web page, such as usernames, language or region to provide an enhanced, more personalised web experience. They cannot track your activity on other websites and are anonymised.

The final type of cookies is the main target of the legislation. Targeting or advertising cookies collect information about your browsing habits to tailor third-party advertising to meet your interests. They are usually placed by advertisers with the website operator’s permission.

Do I comply?

This is the vital question and there are a range of different views on the subject. To view what the ICO has to say on the matter please click here to go to their website.

Top Tips:

  • Understand how the EU Directive applies to your site
  • Review the cookies that are used on your site – are they all necessary?
  • Evaluate the information obtained by them and whether this is vital for your business
  • Begin adding consent requests to cookies relating to login, registration and similar processes
  • Clearly link to explanations of what each cookie is, the information they store, and when they expire
  • Build a plan to extend this to the rest of your site.


Don’t waste any more time! Ensure that you know which cookies your site uses, understand how the law applies to these by seeking legal counsel if it’s needed and set a schedule to make sure that your site complies before the May 26th deadline.