Thousands of websites in breach of new cookie law

Computer hard drive The cookie laws were drawn up to help privacy on the web

Related Stories

Thousands of UK websites are now in breach of a law that dictates what they can log about visitors.

European laws that define what details sites can record in text files called cookies came into force on 26 May.

Cookies are widely used to customise what repeat visitors see on a site and by advertisers to track users online.

The Information Commissioner's Office (ICO) said it would offer help to non-compliant sites rather than take legal action against them.

Action plan

The regulations say websites must get "informed consent" from users before they record any detailed information in the cookies they store on visitors' computers.

Among websites that have complied with the law, getting consent has involved a pop-up box that explains the changes. Users are then asked to click to consent to having information recorded and told what will happen if they refuse.

UK firms have had 12 months to prepare for the change and the ICO has spent much of that time reminding businesses about their obligations.

The ICO has also updated its policy to allow organisations to use "implied consent" to comply. This means users do not have to make an explicit choice. Instead, their continued use of a site would be taken to mean they are happy for information to be gathered.

However, it was a "concern" for the ICO that so many sites were not yet compliant, said Dave Evans, group manager at the ICO who has led its work on cookies in the last 18 months. However, he added, it was not necessarily easy for companies to comply with the laws because of the amount of work it involved.

On busy sites, he said, an audit of current cookie practices could take time because of the sheer number of cookie files they regularly issue, monitor and update.

Mr Evans said the ICO was expecting sites that were not compliant to be able to demonstrate what work they had done in the last year to get ready.

Fines for non-compliance were unlikely to be levied, he said, because there was little risk that a non-compliant site would cause a serious breach of data protection laws that was likely to cause substantial damage and distress to a user.

It was planning to use formal undertakings or enforcement notices to make sites take action, he said.

"Those are setting out the steps we think they need to take in order to become compliant and when we expect them to be taking those steps," he said. "If they comply with one of those notices or sign one of those undertakings they are committing to doing this properly and that's the main point."

As well as advising firms, the ICO has also issued guidance to the public that explains what cookies are, how to change cookie settings and how to complain if they are worried about a site's policy.


More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites


This entry is now closed for comments

Jump to comments pagination
  • rate this

    Comment number 75.

    Stupid, just because a few people in the EU are paranoid we as web developers have to put up intrusive and pointless messages scaring users.

    Cookies are absolutely harmless, collecting a bit of advertising data is hardly going to kill you and if you're that worried install adblock etc.

    This is just red tape gone mad, the majority of cookies help web apps like ecommerce work or stats.

  • rate this

    Comment number 74.

    Everybody already had fine-grained personal control over their cookies before this law, right from the Preferences in their own browser. This new law is apparently aimed at people who are too lazy and/or too stupid to click on Preferences and mange their cookies. In effect, the EU has now legislated laziness and stupidity. An education campain on the basics of computer use would have been better.

  • rate this

    Comment number 73.

    You would think that the EU had bigger problems at the moment that passing useless directives that will be ignored and few people gives a monkeys about. The only cookie Im interested in is chocolate chip.

  • rate this

    Comment number 72.

    @inqa. You're drifting off course friend. Not all Cookies are trying to scam you, and those that are will already be in violation of both the Data Protection Act and the Computer Misuse Act. Why not enforce those? Do you think another directive is going to make any difference to violators?

  • rate this

    Comment number 71.

    If anyone is concerned about receiving marketing from a UK organisation then they can opt out of all direct marketing by submitting a section 11 DPA98 request to the data controller. This will opt you out of all direct marketing including marketing by post, e-mail, phone, text, fax, online targeted adverts and online generic adverts that appear within a logged-in account.

  • Comment number 70.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • rate this

    Comment number 69.

    This is bit like any new law change - the implentation of the law or directive is easily dictated, but much harder to enforce.
    Yeah,ICO will easily enforce against the large corporations, and govs...Then what? ' I really can't see how this is workable.
    A "Control" attempt. It's laughable, I woke up this morning to this news - that they have already 'backed down

  • Comment number 68.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • rate this

    Comment number 67.

    I wonder how many people below checked a tick box "remember me on this computer" while signing in to leave/rate comments...
    Cookies are useful for allowing the user the option of not having to sign-in with user credentials each visit. What they should not be used for is to share that you have an account with this website and what you bought when you visit another - even if they are "affiliated".

  • rate this

    Comment number 66.

    @Richard C: No. I haven't chosen B simply because I'm doing A.

    I could say that by reading this comment you've chosen to agree to wage-docking. If you didn't want to agree to wage-docking, you shouldn't have been reading any comments on this site. I could make more effort than Google and merely tell you that by *continuing* to read this comment, you've agreed to wage-docking. You OK with that?

  • rate this

    Comment number 65.

    As a local govt web manager i have spent far too long over the past few weeks ensuring that 3rd party website providers are covering the directive off on websites we own. This has been like a game of poker to see who blinks first. Majority want me to sign off their approach. 1 I am not a lawyer and 2 if I did sign it off I am then liable. Plus they are charging for the work! It's a farce.

  • rate this

    Comment number 64.

    Seems pretty useless and a waste of money to me. Many browsers have built-in functions to help control what type of cookies are stored on your computer. Cookies generally help combat latency issues on servers, as parts of the info is stored on your computer, therefore you don't need to download as much on a server. The government needs to be dragged into the 21st century in terms of technology.

  • rate this

    Comment number 63.

    So while advertisers and large companies can't watch what we do on THEIR sites, the government has proposed an ineffective bill that will allow them to snoop on ALL of our communications at will, without warrant or without reasonable suspicion despite the fact that most intelligent criminals would have no problem bypassing it? Mad.

    Sign this:

  • rate this

    Comment number 62.

    I have seen some people talk about "if you don't want to visit a site then don't", it isn't that simple, cookies can be made from ads shown also for a specific site, so technically you can have information recorded at any time.

    Https information won't be recorded, as those sites have protection against cookies and never use them.

  • rate this

    Comment number 61.


    "NO thank you. I will choose who I log into, not you."

    I don't think you understand. I'm a webdeveloper and when you log in to my site (and only when you choose) my site issues you with an authentication cookie, so your browser can prove who it is to my site. When you log out this cookie is deleted. Without this logins won't work. (you can have cookieless login but it's just in the url)

  • rate this

    Comment number 60.

    A useful law would end up requiring Google to supply, on demand, all information it holds about you.

    Perhaps people would wake up if they realised that the [insert sexual subject here] site you accidentally[tm] stumbled upon half a decade ago is recorded for eternity, to be uncovered by any nefarious future Google employee or curious government with increasingly Big Brother laws.

  • rate this

    Comment number 59.

    It's a shame because I agreed with your post up until the last line where you rather arbitrarily linked the Conservative party to the creation of this ridiculous law. Read the article (and find out it is the fault of the EU) rather than just assuming that a party you dislike did it.

  • rate this

    Comment number 58.

    I can see in the very near future that using these cookies will result in having every detail recorded about every key stroke every site you visit even the Https sites you visit and everything what is on you pc/phone recorded.
    With new programs that can be made now days this will end everybody's privacy on the Internet forever. It will also be used against your will, has it already been created?

  • rate this

    Comment number 57.


    You haven't opted out, you have opted-in by choosing to visit the site. If I don't want to visit the city centre, I don't get on the bus to the city centre. When I visit a high street store I don't have to sign paperwork before I'm allowed to see their merchandise. It's implied by me being entering.

  • rate this

    Comment number 56.

    to 40 Jak322 -

    "the vast majority of cookie implementation is to let the site know who you are, sites need this when for example you log in to their service"

    NO thank you. I will choose who I log into, not you. You don't NEED to know who I am but I accept that you WANT to know. Then you can target me on return visits. If I WANT you to know who I am I'll TELL you - so please don't assume.


Page 6 of 9


More Technology stories



  • Bad resultsBlame game

    The best excuses to use when exam results don't make the grade

  • Police respond to a shooting in Santa MonicaTrigger decision

    What really happens before a police officer fires his gun?

  • Child injured by what activists say were two air strikes in the north-eastern Damascus suburb of Douma (3 August 2014)'No-one cares'

    Hope fades for Syrians one year after chemical attack

  • Lady AlbaGoing Gaga Watch

    Social media's use ahead of the independence referendum

  • Pro Israel activists hold a banner reading 'Against Anti-Semitism and hate of Israel' at a demonstration as part of Quds Day in Berlin, Germany, 25 July 2014'Rising tide'

    Do statistics support claims that anti-Semitism is increasing?

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.