Cookie law: websites must seek consent from this weekend

The EU wants to put a stop to tracking cookies logging a user's activity without their knowledge

Friday marks the last working day for UK businesses to prepare their websites for a new law governing the use of cookies.

From Sunday, sites must obtain "informed consent" from visitors before saving cookies on a machine.

Cookies are pieces of personal data stored when users browse the web, sometimes to power advertising.

The Information Commissioner's Office (ICO) is to launch a tool for the public to report non-compliant sites.

It is expected that the vast majority of websites will not be ready in time.

However, the ICO has said it would not take immediate action over non-compliant sites, and would instead offer guidance.

Tracking data

The rules are designed to tackle privacy issues resulting from the growing use of cookies which track users' browsing habits.

The guidelines, set by the EU, mean visitors must be told what cookies are being placed on their machine.

Typically, this will mean a pop-up window seeking consent.

The BBC, which brought its site in line with the guidelines on Thursday, allows users to opt out of certain cookies the first time they visit the website.

An Ipsos MORI poll, commissioned by privacy solutions provider Truste, suggested that while 84% of online consumers aged 16-64 were aware of internet cookies, just 24% knew about the new guidelines.

The owners of non-compliant websites face fines of up to £500,000, but the ICO has played down the threat of such serious action, telling the BBC it would take a soft approach to enforcement.

"Up until now, if we received a complaint about your website we would point you in the direction of our guidance," said Dave Evans, group manager for the ICO.

"Given that everyone has had a year [to comply], we're going to shift from that kind of approach to one which will be very much more focused on those people who don't appear to have done anything and asking them 'why not?'"

Last week the government admitted that most of its sites would not comply with the new rules in time. It said it was "working to achieve compliance at the earliest possible date".

Cookie flavours

Cookies are small files that allow a website to recognise and track users. The ICO groups them into three overlapping groups:

Session cookies

Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long term and are considered "less privacy intrusive" than persistent cookies.

Persistent cookies

These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.

First and third-party cookies

A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.

It is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.
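
As an added illustration (not part of the article or of ICO guidance), the groupings above can be applied to the `Set-Cookie` headers recorded while auditing a site. The hosts, header values and function names are constructed, and the party check is a plain host comparison without the Public Suffix List, so a cookie set by a sibling subdomain is reported as third-party.

```python
# Added example: all hosts and header values here are constructed samples.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(header, setting_host, visited_host):
    """Label one cookie by lifetime and by party, relative to the visited site."""
    name, attrs = parse_set_cookie(header)
    setting_host, visited_host = setting_host.lower(), visited_host.lower()

    # Lifetime: Max-Age takes precedence over Expires; with neither, the
    # cookie lasts only for the browser session.
    if "max-age" in attrs:
        try:
            lifetime = "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:  # unparseable Max-Age is ignored
            lifetime = "persistent" if "expires" in attrs else "session"
    elif "expires" in attrs:
        lifetime = "persistent"  # simplification: the date itself is not checked
    else:
        lifetime = "session"

    # Party: compare the cookie's scope with the site being visited.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and not domain_match(setting_host, domain):
        party = "rejected"  # a server cannot scope a cookie to another domain
    else:
        party = "first" if domain_match(visited_host, domain or setting_host) else "third"
    return {"name": name, "lifetime": lifetime, "party": party}


OBSERVED = [  # (Set-Cookie value, host that sent it), constructed
    ("sid=abc123; Path=/; HttpOnly", "www.shop.example"),
    ("prefs=lang-en; Domain=shop.example; Max-Age=31536000", "www.shop.example"),
    ("uid=777; Expires=Wed, 27 May 2015 00:00:00 GMT", "ads.tracker.example"),
]

def audit(visited_host="www.shop.example"):
    return [classify(h, host, visited_host) for h, host in OBSERVED]
```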

The ICO insisted this weekend was not a deadline, but an attempt to help companies focus on their general cookie use.

"We never said that if you're not compliant by 27 May we will come and get you," Mr Evans told the BBC.

"What we want is good compliance, not rushed compliance. If it's focused people's minds, that's a good thing."

Changed stance

The ICO has come under criticism from businesses for not being entirely clear about what constitutes compliance.

Vinod Bange, a data privacy specialist from law firm Taylor Wessing, said many businesses were nervous about implementing solutions.

"A lack of education and clear guidelines from the ICO on what constitutes compliance has left many businesses unsure of how to meet the directive with only one working day to go," he said.

"Few businesses want to be the first to adopt a specific approach. This is a risky game, as some organisations may be made an example of in order to set the parameters of compliancy moving forward."

This concern was shared by Tim Gurney, managing director of Wolf Software, a firm which helps websites become compliant.

He said the lack of clear guidance had led to some firms adopting systems which damaged the way visitors interacted with sites.

"Some of the implementations are very poor. For me, they're making a mistake because users will stop using their sites.

"Those kind of solutions I can see being changed as the user starts to say 'I don't like that'."

Industry help

Mr Evans defended the ICO's approach, saying the ambiguity was to enable websites to interpret the rules to best suit their own audience and website design.

He also told the BBC that he believed that in the long term issues over cookie use should be regulated by the industry rather than government.

"What we want to do is look at where our resources can best be put," he said.

"If we were putting all our resources into investigating cookies, well, the people would quite rightly be asking where our priorities lie.

"Regulators have got resources that are not infinite. The best solutions are where industry sits down and develops it themselves. The more they can do, the easier it is for us to regulate."



This entry is now closed for comments

    Comment number 221.

    206. U12171424
    'much of the internet won't work with cookies off'

    This is the whole point. Most organisations with websites won't let you use their websites without enabling cookies so people are forced to agree to this. As most cookies are used to gather web browsing history, personal preferences and sometimes personal data without the explicit consent of the user, this is long overdue.

    Comment number 220.

    Why is it that whenever a small measure that helps to protect the consumer is discussed, someone will say it is going to put small businesses out of business? There's nothing more annoying to the consumer than seeing niggling little unwanted pop-ups or increasingly pop unders appear on your screen when you're trying to look at YouTube etc. If you're going to do online advertising, do it properly.

    Comment number 219.

    The silly thing is that this will present little more than a bump in the road for marketing companies. They really really want this data, stopping them using cookies just makes it a tiny bit harder to get it. Don't believe me... watch as they start tracking you based on your IP address, should be even simpler once we get IPv6 and we do less NATing.

    Comment number 218.

    Lot of complaining on here, and marking down on those who advocate for privacy, but I note NONE of you (myself included) are using their full name and post code as a username on here....

    Why might that be I wonder?

    Privacy does have a place in modern society & that choice is a fundamental principle. Businesses take our money but they cannot take our rights. Are you listening Facebook?

    Comment number 217.

    Tracking cookies have been around for 15 years. I'm not sure why it has suddenly flared up as an issue. Newsworthy in the technology section of this site but I would hardly consider this as front-page news (as it is at the moment I type this).

    Comment number 216.

    Having actually read the guidelines, I don't see what the fuss is about. If you sell goods from a website, and you need to collect people's payment/shipping address data, in order to actually send them the goods they've ordered, then you are exempt, as this data is deemed essential to the transaction. It's non-essential data, harvested for other purposes, that this law is trying to prevent.

    Comment number 215.

    Sad to say, a lot of the misinformation about cookies has been spread by the media. This has not been malicious, it has largely been ill-informed. The media like to spread panic. Good news is no news. The fact is that cookies are the preferred way of enabling the functionality of all but the most basic web sites. On many sites they actually help to protect the security of your data.

    Comment number 214.

    Almost the lowest rating. Woohoo!

    As others are boasting: 3 domains, 10,000 unique visitors last month, been doing this since 1997 with vanilla HTML...

    Proper tech sites and their users "get it", this one doesn't.

    What about huge, nasty, hard-to-delete Flash cookies (LSOs)? HTML5 local storage? Ah bless, you think HTTP cookies are the same thing.

    Do some research. Don't be ignorant.

    Comment number 213.

    @wobblycogs : it's not about your browser- it's about the internet side radius server and the logs

    Comment number 212.

    Can anyone explain the discrepancy:

    The British don't care if e.g. police record & save number plate/vehicle (incl. driver!) sightings all over the country using CCTV and save them for years, without suspicion.
    Ppl are being watched (not trusted!) all over the UK by various govt. and private institutions.

    What's the problem with cookies now? You can have the browser delete them on exit.

    Comment number 211.

    The only trouble with this, you have to deal with it every time you close your browser as I for one have my browsing history cleared automatically. What an enormous drag!!

    Comment number 210.

    Prepare for a barrage of intrusive and frustrating pop-ups.

    This should have been handled in the browsers, not the website.

    I suspect most websites would be best ignoring the rule and wait for it to be cancelled.

    Comment number 209.

    What an unbelievable bun fight about basically nothing. Yet another law written by people who know nothing about the subject because of pressure from another bunch of people who know nothing about the subject. Even the BBC articles show total ignorance about the subject. Every browser lets you block cookies, just allow the ones you want if you care so much.

    Comment number 208.

    @Gort2012 #198

    As I am seemingly the only person who has read the rules, I will answer your Q. If the basket cookie *only* contains data for the essential running of the basket then it will be exempt. If as well as needed data it has things purely for the purposes of marketing to the user then it won't. That is where the "likely" comment comes, to avoid loopholes via phrases like "always exempt".

    Comment number 207.

    Until the major government websites comply with this regulation (as yet none are) the ICO won't be able to do a thing. No judge in the land will uphold a ruling when the government has not taken steps to comply itself.

    Comment number 206.

    Another piece of pointless legislation (and I say that as owner of an internet software developer, which will do well from the sales of upgrades).

    If people don't want cookies they can use their browser to block them.

    This law is just extra expense for businesses, more hassle for website users and won't help to protect people (since much of the internet won't work with cookies off).

    Comment number 205.


    ""Too expensive" for small businesses? Ridiculous. If you can't afford to set up a business, don't do it."

    That's exactly the attitude this country needs right now to get out of this economic mess.

    Come on admit it, you're Ed Balls aren't you?

    Comment number 204.

    UK is actually the only EU country who implemented this nonsense so far. Everyone else is simply ignoring this useless and stupid directive.

    The only people who benefit from this are contractors who implement this feature on every single web site in the UK.

    Comment number 203.

    As a matter of fact that law is coming from the need to cut off the storage resources, since the network is expanding, no more dusty noisy routers and switches, everything will be virtual applications soon.
    Instead of multiple cookies, they need to profile and tag every single user in a more efficient way. The only problem is ignoring the browsing security flaws.

    Comment number 202.

    55 Minutes ago You may, I don't.
    There is an army of "click" allow/next/OK/go people out there, that have found to their cost that they shouldn't do things automatically, as though it's just a formality. Measured actions make for safer, trouble-free internet use. That's why so many non-technosavvy people are always getting their PC knickers in a twist with viruses, malware, worms etc.


Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.