'Action needed' to meet UK's cookie tracking deadline

Laptop Research suggests UK-based organisations have not digested the upcoming computer cookie law

Related Stories

There are on average 14 tracking tools per webpage on the UK's most popular sites, according to a study.

Privacy solutions provider Truste suggests that means a user typically encounters up to 140 cookies and other trackers while browsing a single site.

The research was published less than 40 days before strict rules come into effect governing cookie use.

The study was carried out in March and covered the UK's 50 most visited organisations.

The firm said that 68% of the trackers analysed belonged to third-parties, usually advertisers, rather than the site's owner.

"The high level of third-party tracking that is taking place is certainly an area of question and scrutiny," Dave Deasy, Truste's vice president of marketing, told the BBC.

"It's not illegal to do the tracking - the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data."


On 26 May the UK's Information Commissioner's Office (ICO) imposes an EU directive designed to protect internet users' privacy.

The law says that sites must provide "clear and comprehensive" information about the use of cookies - small files which allow a site to recognise a visitor's device.

It says website managers must:

  • Tell people that the cookies are there
  • Explain what the cookies are doing
  • Obtain visitors' consent to store a cookie on their device

"The information needs to be upfront - without information people can't give consent," the ICO's principal policy adviser for technology, Simon Rice, told the BBC.

ICO cookie permission box screenshot The ICO says the vast majority of visitors to its site refuse to allow themselves to be tracked

The ICO says the rules cover cookies used to provide information to advertisers, count the number of unique visitors to a page and recognise when a user has returned to a site to adjust the content that is subsequently displayed.

However, it says exceptions are likely to be made if the cookie is only being used to ensure a page loads quickly by distributing the workload over several servers, or is employed to track a user as they add goods to a shopping basket.

Many sites have yet to add a feature asking for users' consent.

95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month, the accountancy firm reported.

Truste acknowledges that the vast majority of those who took part in its study had published a privacy policy - but adds that only 16% had a summary section that was "easily digestible", and 80% did not disclose how long data about visitors was retained.

Cookie flavours

Cookies are small files that allow a website to recognise and track users. The ICO groups them into three overlapping groups:

Session cookies

Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long term and are considered "less privacy intrusive" than persistent cookies.

Persistent cookies

These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.

First and third-party cookies

A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.

It is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.

Half-baked idea?

The move has proved controversial.

A survey published last month by the digital marketing firm, Econsultancy, found that 82% of 700 marketers contacted did not believe the cookie law was a positive development.

One respondent said: "Plain and simple - this will kill online sales."

The claim reflects a belief that when presented with a choice, most users would refuse to allow cookies to track them - making it impossible, for instance, for a retailer to target adverts for a computer at a user who had previously looked at an article about upgrading IT equipment.

The ICO's own research suggests this could be an issue. Since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.

However, BT's experience points to a possible solution.

Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its "allow all cookies" default rule.

"So far, we can see that customers are generally choosing to keep the cookies that we use to provide the best experience on our webpages," a spokeswoman told the BBC.

Early adopter

The ICO says it has not been prescriptive about the wording that firms use.

However, organisations need to be careful about relying too heavily on opt-out schemes.

BT website screenshot BT offers first-time visitors the chance to opt out of its default cookie settings

"At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent," the regulator warns.

It adds that those who fail to implement its rules properly could be fined up to £500,000.

Truste says companies across the EU and beyond will closely watch how the regulator enforces the directive.

"A lot of this starts with making sure companies understand what level of third-party tracking is actually happening on their sites - in many cases they don't," said Mr Deasy.

"The UK is somewhat taking a leadership role in terms of actually following through and having a hard date for when compliance needs to start taking place."


More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites


This entry is now closed for comments

Jump to comments pagination
  • rate this

    Comment number 36.

    Tracking can be eliminated by installing 'Do Not Track Plus' on Chrome and Firefox. All you 'blue E' users there's nothing to see here....move along.

  • rate this

    Comment number 35.

    Use a browser that has the option of deleting cookies when it is closed .

  • rate this

    Comment number 34.

    Defining what constitutes personal information and then legislating that such personal information must not be stored (and note that transmitting *requires* storage) without the permission of the person to whom the information applies would be a fair law that would be simple to implement and comply with.

  • rate this

    Comment number 33.

    So while the government actively seeks to universally monitor emails and web activity in the UK it also seeks to curtail legitimate site monitoring for commercial reasons by the general public. 'Do as we say, not as we do'. One has to wonder why the rush and efforts to role out ever faster broadband across the country for an internet that is to be strangled to death.

  • rate this

    Comment number 32.

    "No personal information is transfered by cookies" - not strictly true. A cookie is a name, value pair and as such can contain virtually any information, so long as the website setting the cookie has that information.
    Most cookies are completely benign, even 'marketing/tracking' cookies, they are merely a means of a website determining where their traffic comes from so they can analyse the ROI.

  • rate this

    Comment number 31.

    @22 FredCM

    Getting rid of cookies is not that simple. If a website ask you if they can store cookies and you say no, a cookie is stored to "remember" you said no. If the cookie is not stored then the site will have to ask you every single time you view a new page.
    True, but no doubt there will be a Firefox security plugin that automatically answers no to all those annoying questions for me :)

  • rate this

    Comment number 30.

    Many people probably think this sounds good as it gives the appearance of protecting them. But the free Internet they love would change if such a law came into place.

    I run a site that provides quality info about computers. It takes a LOT of effort but the hosting costs (not running costs) are recouped by advertising which requires a cookie. A lot of good free sites would vanish without cookies.

  • rate this

    Comment number 29.

    Hmm, tricky. I wonder how many website owners realise how many of those nice advertisers they receive money from drop cookies on people's machines like they are going out of fashion?

    Sure, that website owner may reduce or remove their own cookies, but those advertisers may have clauses that mean the site owner has GOT to allow theirs.

    I see litigation looming...

  • rate this

    Comment number 28.

    USe Firefox with Adblock Plus and Ghostery add-ins. These will block virtually every advert and tracking cookie between them

  • rate this

    Comment number 27.

    A poorly thought out law where the "solution" is much worse than the problem.

    If a user clicks 'No' indicating that they don't accept cookies, how do you record this choice? The only way to do so is with a cookie. Since the user has just refused your cookies you can't store it, and you have to present the user with the same annoying popup on every page they click on to.

  • rate this

    Comment number 26.

    I cannot shout loudly enough how stupid and unnecessary this legislation is. Do people realise you will have to click this box for nearly *every* uk website you visit. Webbrowsers already have an ability to block cookies if that is what you want (if it bothers you that much).

    All it will succeed in doing is making the uk webspace, a more annoying and worse user experience for everyone

  • rate this

    Comment number 25.

    We all know we are being spied on every time we do anything on the web. This is no longer acceptable. It may, possibly, have been ok when use of the web was our choice and it was mostly geeks, but now so many are dependent on it for so many things it needs stricter controls and better protection.

  • rate this

    Comment number 24.

    As a web developer, like many in the industry I am waiting to see how this will pan out with regards to Google Analytics. By the strict letter of the law analytics cookies would definitely require consent, however this would basically make the service useless if large numbers of visitors opt out. Google are maintaining their usual Delphic silence on the issue.

  • rate this

    Comment number 23.

    Cookies are required legitimately for many websites & most good browsers have additional security plugins available to manage them.

    Websites that record too much information in cookies are really just exploiting the people who don't even know how to clear their browser cache.

    Whilst the new law might seem a bit over the top, it could also protect against any new more persistent tracking methods.

  • rate this

    Comment number 22.

    Getting rid of cookies is not that simple. If a website ask you if they can store cookies and you say no, a cookie is stored to "remember" you said no. If the cookie is not stored then the site will have to ask you every single time you view a new page.

  • rate this

    Comment number 21.

    It makes me smile that the Category 4 cookies that this law is targeting is the basis for Facebooks revenue model.

    If Facebook can't target adverts based on yout history it can't charge as much for them.

  • rate this

    Comment number 20.

    Megan (15), they read your post below... :)

  • rate this

    Comment number 19.

    Programs like "Adblock" and "Simple Adblock" will remove all the adverts and leave a nice blank space, as well as blocking the tracking cookies.

    People wouldn't need them if advertisers were responsible.

    Particularly useful is that they block those annoying Flash adverts that appear on top of the web page, blocking access to the pages content until you can fine the well hidden "X" to close them.

  • rate this

    Comment number 18.

    My browser gives me the option of not only disabling cookies but also telling sites i visit that i do not want to be tracked.

    We have the ability at our finger tips to stop intrusive cookies, we just need to elect to use it.

  • rate this

    Comment number 17.

    Ah yes, misleading as ever! If anyone bothers to read the actual directive it states that if cookies are integral to the use of the site (such as on e-commerce sites) then the user doesn't need to be informed. I thought better of the BBC, I didn't think it was in to scaremongering.


Page 15 of 16


More Technology stories



Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.