Cookie law: websites must seek consent from this weekend

The EU wants to put a stop to tracking cookies logging a user's activity without their knowledge

Friday marks the last working day for UK businesses to prepare their websites for a new law governing the use of cookies.

From Sunday, sites must obtain "informed consent" from visitors before saving cookies on a machine.

Cookies are pieces of personal data stored when users browse the web, sometimes to power advertising.

The Information Commissioner's Office (ICO) is to launch a tool for the public to report non-compliant sites.

It is expected that the vast majority of websites will not be ready in time.

However, the ICO has said it would not take immediate action over non-compliant sites, and would instead offer guidance.

Tracking data

The rules are designed to tackle privacy issues resulting from the growing use of cookies which track users' browsing habits.

The guidelines, set by the EU, mean visitors must be told what cookies are being placed on their machine.

Typically, this will mean a pop-up window seeking consent.

The BBC, which brought its site in line with the guidelines on Thursday, allows users to opt out of certain cookies the first time they visit the website.

An Ipsos MORI poll, commissioned by privacy solutions provider Truste, suggested that while 84% of online consumers aged 16-64 were aware of internet cookies, just 24% knew about the new guidelines.

The owners of non-compliant websites face fines of up to £500,000, but the ICO has played down the threat of such serious action, telling the BBC it would take a soft approach to enforcement.

"Up until now, if we received a complaint about your website we would point you in the direction of our guidance," said Dave Evans, group manager for the ICO.

"Given that everyone has had a year [to comply], we're going to shift from that kind of approach to one which will be very much more focused on those people who don't appear to have done anything and asking them 'why not?'"

Last week the government admitted that most of its sites would not comply with the new rules in time. It said it was "working to achieve compliance at the earliest possible date".

Cookie flavours

Cookies are small files that allow a website to recognise and track users. The ICO groups them into three overlapping groups:

Session cookies

Files that allow a site to link the actions of a visitor during a single browser session. These might be used by an internet bank or webmail service. They are not stored long term and are considered "less privacy intrusive" than persistent cookies.

Persistent cookies

These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.

First and third-party cookies

A cookie is classed as being first-party if it is set by the site being visited. It might be used to study how people navigate a site.

It is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.
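
These groupings can be read off the HTTP response that sets a cookie: the lifetime from its `Expires`/`Max-Age` attributes, the party from which host sent it. The sketch below is an added example, not code from the BBC or the ICO; the hostnames and headers are constructed, `MULTI_LABEL_SUFFIXES` is a small stand-in for the Public Suffix List, and the extra `expired` label is an assumption for cookies whose expiry has already passed.

```javascript
// Added example: sort Set-Cookie headers into the groups described above.
// MULTI_LABEL_SUFFIXES is a small constructed stand-in for the Public Suffix List.
const MULTI_LABEL_SUFFIXES = ['co.uk', 'org.uk', 'gov.uk'];

// Reduce a hostname to its registrable domain, e.g. www.example.co.uk -> example.co.uk.
function siteOf(host) {
  const labels = host.toLowerCase().split('.');
  const keep = MULTI_LABEL_SUFFIXES.includes(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Split "name=value; Attr=val; Flag" into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf('=');
    attrs[(i === -1 ? item : item.slice(0, i)).toLowerCase()] = i === -1 ? '' : item.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// servingHost: host that sent the header; pageHost: host shown in the address bar.
function classifyCookie(header, servingHost, pageHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  let expiresAt = null; // null: no usable expiry, so the cookie ends with the browser session
  if ('max-age' in attrs) expiresAt = now + Number(attrs['max-age']) * 1000; // wins over Expires
  else if ('expires' in attrs) expiresAt = Date.parse(attrs.expires);
  if (Number.isNaN(expiresAt)) expiresAt = null; // unparseable values are ignored
  let lifetime = 'session';
  if (expiresAt !== null) lifetime = expiresAt > now ? 'persistent' : 'expired';
  const party = siteOf(servingHost) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return { name, lifetime, party };
}

// Constructed sample responses: [Set-Cookie header, serving host, page host].
const SAMPLES = [
  ['sid=abc123; Path=/; HttpOnly', 'www.example.co.uk', 'www.example.co.uk'],
  ['remember=1; Max-Age=2592000; Path=/', 'login.example.co.uk', 'www.example.co.uk'],
  ['uid=42; Expires=Fri, 01 Jan 2100 00:00:00 GMT', 'ads.tracker.example', 'www.example.co.uk'],
];
for (const [header, serving, page] of SAMPLES) {
  console.log(classifyCookie(header, serving, page));
}
```

Run over a site's captured responses, the same classification gives an inventory of what is being set before any consent prompt is designed around it.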

The ICO insisted this weekend was not a deadline, but an attempt to help companies focus on their general cookie use.

"We never said that if you're not compliant by 27 May we will come and get you," Mr Evans told the BBC.

"What we want is good compliance, not rushed compliance. If it's focused people's minds, that's a good thing."

Changed stance

The ICO has come under criticism from businesses for not being entirely clear about what constitutes compliance.

Vinod Bange, a data privacy specialist from law firm Taylor Wessing, said many businesses were nervous about implementing solutions.

"A lack of education and clear guidelines from the ICO on what constitutes compliance has left many businesses unsure of how to meet the directive with only one working day to go," he said.

"Few businesses want to be the first to adopt a specific approach. This is a risky game, as some organisations may be made an example of in order to set the parameters of compliancy moving forward."

This concern was shared by Tim Gurney, managing director of Wolf Software, a firm which helps websites become compliant.

He said the lack of clear guidance had led to some firms adopting systems which damaged the way visitors interacted with sites.

"Some of the implementations are very poor. For me, they're making a mistake because users will stop using their sites.

"Those kind of solutions I can see being changed as the user starts to say 'I don't like that'."

Industry help

Mr Evans defended the ICO's approach, saying the ambiguity was to enable websites to interpret the rules to best suit their own audience and website design.

He also told the BBC that he believed that in the long term issues over cookie use should be regulated by the industry rather than government.

"What we want to do is look at where our resources can best be put," he said.

"If we were putting all our resources into investigating cookies, well, the people would quite rightly be asking where our priorities lie.

"Regulators have got resources that are not infinite. The best solutions are where industry sits down and develops it themselves. The more they can do, the easier it is for us to regulate."


  • Comment number 241.

    This is a sad day in the world of the Internet. Complete nonsense. It will be fascinating to see if anyone will ever be fined £500k.

    And we wonder why our economy is in the toilet?

  • Comment number 240.

    I'd rather be targeted by an online outfit that knows little more about me than the size of my screen and the pages I've seen than by an offline supermarket that even knows which teabags I buy. OK, they’re online too, but they're big enough to be the last to feel the impact of this. It's the small businesses more interested in a sale than in your data which will be the first to go under.

  • Comment number 239.

    @236 SleepingSpurs

    I'm reasonably well versed actually, but thanks for the ad hominem. Privacy and consent. You state yourself that the data is sensitive; is it not the case that permissions should be acquired for that data. That data is shared across sites.

    Flexible, good businesses will adapt and survive.

  • Comment number 238.

    I certainly won't be complying with this pointless and illegitimate foreign-made law on any of my websites.

  • Comment number 237.

    It would be interesting to know what ethical standard gives an individual the right to covertly obtain and store information on another individual without that individual's consent. Cookies have not been banned. You just need to ask now before being intrusive and nosy. Judging by the number of "security risk" cookies my system deletes every day this legislation is more than welcome.

  • Comment number 236.

    "The issues are privacy and consent. Currently a large number of businesses provide neither....."

    No the issue is that people who are commenting on this, such as yourself, obviously have no technical knowledge whatsoever. The issue about cookies is about safe storage of sensitive data, privacy isn't the issue as cookies are not shared across domains.

  • Comment number 235.

    And that's the way the cookie crumbles......;0

    ....okay that was bad!

  • Comment number 234.

    The government spying on us from every direction on the Internet and these guys are worrying about a cookie?

    Get a grip would you!

  • Comment number 233.

    Can anyone explain what anyone can do with the information that a cookie gains apart from aim better targeted advertising at me online?

    I am a big boy now, I am able to ignore those ads that don't interest me.

  • Comment number 232.

    Many websites, particularly those that offer free information, rely on advertising for funding. Without it, they wouldn't exist. If everyone turns off cookies, you may find your favourite sites disappearing!

  • Comment number 231.

    ''8. 7Driver

    Full implementation of this crazy legislation would drive users away in their droves, and put a lot of websites out of business''

    Sorry, but you really do not know what you're talking about and the fact that you have +20 vote shows this ignorance is widespread. All that is needed to carry on as before is a simple disclaimer.

    PLEASE stop scaremongering, people!

  • Comment number 230.

    @221 Do you honestly think this directive, or for that matter disabling cookies in your browser, prevents the serious end of privacy intrusion? All it does is cause inconvenience to those who're going to comply, and I absolutely promise you that it'll have zero discernable effect on the kind of data collection that's actually worth worrying about.

  • Comment number 229.

    Making people sign a consent form before picking up a knife and fork to eat their dinner wouldn't reduce knife crime on our streets.

    This cookie law may lull people into a false sense of security, making them less likely to use browser cookie controls. Meanwhile unscrupulous sites will continue to employ cookies less hindered by browser settings. That is why this directive is so stupid.

  • Comment number 228.

    196. Aidy
    "This law says that websites are no longer allowed to keep users logged in from page to page."

    Well another gray area. Keeping users logged in from page to page within the current session would be a valid example of site functionality. You can't expect a user to log in on every single page.

    Keeping a user logged in after they LEAVE & RETURN does not comply without permission.

  • Comment number 227.

    More entirely pointless legislation.

    I run a tiny company, but it has customers from all over the world. There is no way it can afford or justify the expense and hassle of trying to implement something that is totally unnecessary anyway.

  • Comment number 226.

    I welcome this although it will not affect me particularly as I block cookies already. At first I was appalled at the amount of tracking that goes on. I also block ads. It has been a joy not to have to suffer ads (targeted or otherwise) any more. I am not the sort of person to be influenced by advertising anyway, I'm not losing companies any money- just keeping my blood pressure down.

  • Comment number 225.

    Use Tor and then try to access 99% of websites you will find they are utterly useless. Adobe flash is the real culprit. IP tracking will make cookies obsolete. They have been around since IE5! If you use a programme to recover deleted files you will be amazed at what appears. Control security with a good AV, browser, firewall and disk images to restore a clean OS. Privacy-don't fool yourselves!

  • Comment number 224.

    I’m an IT consultant and other than generating work in our industry I see no point in this. Most browsers already give you the option to be prompted on first or third party cookies or both as well as to disable them altogether. It’s going to cost business millions to implement and annoy people using the internet with constant pop-up prompts, it really is absurd.

  • Comment number 223.

    The ICO's guidance notes make a big deal about 'implied consent'. Does the fact that the user is voluntarily running a particular application whose intended functionality - openly explained for those who wish to actually understand what they're using - includes the storage of cookies provide sufficient implied consent?

  • Comment number 222.

    Complying with this law is annoying but not exactly difficult. I run an online magazine with a simple disclaimer:
    'You are hereby under EU Directive and UK Law required to give your permission to use this website. If you do not agree the website will not function and you will be unable to use our site and more than 90% of the Internet!'


BBC © 2014