'Action needed' to meet UK's cookie tracking deadline

Laptop Research suggests UK-based organisations have not digested the upcoming computer cookie law

Related Stories

There are on average 14 tracking tools per webpage on the UK's most popular sites, according to a study.

Privacy solutions provider Truste suggests that means a user typically encounters up to 140 cookies and other trackers while browsing a single site.

The research was published less than 40 days before strict rules come into effect governing cookie use.

The study was carried out in March and covered the UK's 50 most visited organisations.

The firm said that 68% of the trackers analysed belonged to third-parties, usually advertisers, rather than the site's owner.

"The high level of third-party tracking that is taking place is certainly an area of question and scrutiny," Dave Deasy, Truste's vice president of marketing, told the BBC.

"It's not illegal to do the tracking - the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data."


On 26 May the UK's Information Commissioner's Office (ICO) imposes an EU directive designed to protect internet users' privacy.

The law says that sites must provide "clear and comprehensive" information about the use of cookies - small files which allow a site to recognise a visitor's device.

It says website managers must:

  • Tell people that the cookies are there
  • Explain what the cookies are doing
  • Obtain visitors' consent to store a cookie on their device

"The information needs to be upfront - without information people can't give consent," the ICO's principal policy adviser for technology, Simon Rice, told the BBC.

ICO cookie permission box screenshot The ICO says the vast majority of visitors to its site refuse to allow themselves to be tracked

The ICO says the rules cover cookies used to provide information to advertisers, count the number of unique visitors to a page and recognise when a user has returned to a site to adjust the content that is subsequently displayed.

However, it says exceptions are likely to be made if the cookie is only being used to ensure a page loads quickly by distributing the workload over several servers, or is employed to track a user as they add goods to a shopping basket.

Many sites have yet to add a feature asking for users' consent.

95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month, the accountancy firm reported.

Truste acknowledges that the vast majority of those who took part in its study had published a privacy policy - but adds that only 16% had a summary section that was "easily digestible", and 80% did not disclose how long data about visitors was retained.

Cookie flavours

Cookies are small files that allow a website to recognise and track users. The ICO groups them into three overlapping groups:

Session cookies

Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long term and are considered "less privacy intrusive" than persistent cookies.

Persistent cookies

These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.

First and third-party cookies

A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.

It is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.

Half-baked idea?

The move has proved controversial.

A survey published last month by the digital marketing firm, Econsultancy, found that 82% of 700 marketers contacted did not believe the cookie law was a positive development.

One respondent said: "Plain and simple - this will kill online sales."

The claim reflects a belief that when presented with a choice, most users would refuse to allow cookies to track them - making it impossible, for instance, for a retailer to target adverts for a computer at a user who had previously looked at an article about upgrading IT equipment.

The ICO's own research suggests this could be an issue. Since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.

However, BT's experience points to a possible solution.

Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its "allow all cookies" default rule.

"So far, we can see that customers are generally choosing to keep the cookies that we use to provide the best experience on our webpages," a spokeswoman told the BBC.

Early adopter

The ICO says it has not been prescriptive about the wording that firms use.

However, organisations need to be careful about relying too heavily on opt-out schemes.

BT website screenshot BT offers first-time visitors the chance to opt out of its default cookie settings

"At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent," the regulator warns.

It adds that those who fail to implement its rules properly could be fined up to £500,000.

Truste says companies across the EU and beyond will closely watch how the regulator enforces the directive.

"A lot of this starts with making sure companies understand what level of third-party tracking is actually happening on their sites - in many cases they don't," said Mr Deasy.

"The UK is somewhat taking a leadership role in terms of actually following through and having a hard date for when compliance needs to start taking place."


More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites


This entry is now closed for comments

Jump to comments pagination
  • rate this

    Comment number 316.

    this is all well and good but erm... has anyone else noticed that the ico's own website doesn't display any information on the cookies there websites store, no an opt out option?

    seems all website developers are gona have to learn new and intresting ways to make this easier on everyone

  • rate this

    Comment number 315.

    All this will do is impose more red tape and expense on UK business. It will make it harder for the UK to be competitive online and will hamper trade.

  • rate this

    Comment number 314.

    Where have you advocates of web privacy been? for over ten years the likes of Internet Explorer, Safari & Firefox contained a well known bug that allowed any website to read the users entire surfing history regardless of privacy settings or protective addons. (don't panic it was finally fixed in the 2012 releases)

  • rate this

    Comment number 313.

    If you use FireFox, add Ghostery. That will prevent tracking cookies from passing information about you to the advertisers.
    How many website operators actually know about these new rules? Not too many is my guess. It's not been well publicised.

  • rate this

    Comment number 312.

    This law is not going to protect people in any way. If people were creeped out by ads that targeted them with things from sites they just visited all they had to do was clear their cookies or even block them from being set in their own browsers. Its just left us web designers and owners with one big headache if we want to use advertising to pay for some of the services we offer users for free!

  • rate this

    Comment number 311.

    use CCleaner - you can opt (in it's settings) to keep the 'password remembering' cookies if you want - takes seconds to use

  • rate this

    Comment number 310.

    Totally bonkers! Why not simply enforce that all browsers (of which there are about four) prompt by default rather than insisting that millions of sites each implement inconsistent and irritating prompting. Once again the EU comes up with craziness and the UK just follows without question. Argh!

  • rate this

    Comment number 309.

    It looks like the main problem is adverts following people around, and creeping them out. So why don't they just ban that? Speak to a few companies, job done! Let the rest of us get on with things as we are used to.

  • rate this

    Comment number 308.

    If you make your website/company outside the EU you can do what you want to UK users. The web is supposed to be unrestricted and free, apart from anything illegal of course.

    I bet they don't restrict cookies in China where the internet is policed, they want to do business.

  • rate this

    Comment number 307.

    For all those people complaining about adverts following them around. Every company supplying these ads have and always have had an opt-out option for this type of tracking. The main culprit is Google, just search google for 'google opt out targetted ads' !!

    Now that's sorted internet-wide with one click are you still going to be happy having to click a consent box on EVERY UK website you visit?

  • rate this

    Comment number 306.

    Having to ask for users permission to store a cookie is ridiculous. That means that nearly EVERY website you visit will have to ask your permission, how annoying would that be?

    And lets face it, lots people probably still wont understand what a cookie is and just accept anyway.

    The should be the responsibility of the browser to ask about cookie settings.

  • rate this

    Comment number 305.

    continuing from #303 (ran out of space then had to wait 10 minutes...)

    but... I can't imagine my own usages such as remembering a logged in member for a return visit or holding some web site preferences as being thought of as strictly necessary.

  • rate this

    Comment number 304.

    "should I pay a high street business money for simply entering their premises?"

    Funny you should mention that - major retailers do count people in and out electronically and mine the footfall data. Really no different

    Ah but it is. They don't plant ads on my web pages. If they can send junk mail it goes straight in the bin, but few do.

  • rate this

    Comment number 303.


    Apparently you don't need consent where the cookie is:

    "(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

    (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user."

    And no I'm not clear on what that means but...

  • rate this

    Comment number 302.

    Where does the gov really stand on this. If it wishes to snoop on sites we visit, doesn't that involve cookies?

  • rate this

    Comment number 301.

    Think for both website owners and websiteuser this is going to be nightmare very soon. The ICO guidance very vague and from a web user point of view I'm not looking forward to having to say I accept / don't accept cookies for every website I visit, considering I have set this up through my browser, which going by the comments here most people are fully aware of.

  • rate this

    Comment number 300.


    That's just the point though... This legislation will affect every site that uses cookies, not just targeting the unwanted third-party cookies that both you and I find annoying!

    The analogy I'd use would be cracking a nut with a sledgehammer.

  • rate this

    Comment number 299.

    A pity people like southpawpete are so complacent about the use of cookies.There is a world of difference between a swipe card,cctv (whose intrusiveness I find objectionable and whose value far from proven) and the world of cookies.I prefer to avoid other than session cookies and one browser I use is set to refuse all.Website owners need to get over this "register" nonsence as well.

  • rate this

    Comment number 298.

    Perhaps we should look to implement a cookie-notification-popup-blocker. Just been on the ICO website, and the banner at the top about cookies is *SOOOO* annoying...

  • rate this

    Comment number 297.

    The ICO want to fine people who aren't complying £500k, but the rules are so vague the only thing I can gather is that anything facilitating logins or online shops are fine, and advertising networks are the targets. Or are they? Does anyone actually know?!

    This is a ridiculous counter-innovative, and restrictive law on a technology that has been around more than a decade.


Page 1 of 16


More Technology stories



BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.