Definitive guide to the Cookie Law

What is the law?

From May 2011 a new privacy law came into effect across the EU. The law requires that websites ask visitors for consent to use most web cookies.

Nearly all websites use cookies, which are an extremely common technology for remembering anything about a visitor between webpages. Cookies are commonly used for login, remembering preferences, tracking visitors and more.

The new law is intended to help protect people's privacy. For example, if you search for "cars" in Google, Google uses cookies to remember this. Later in the day, on another website, Google may target car ads at you because it remembers who you are. This might not sound too scary until you think how many thousands of searches you do on Google, and how much it probably knows about you as a result.

The vast majority of small websites don't do this of course, but they do track visitors to their website, e.g. via a tool like Google Analytics, and they use social media plugins like Facebook Like buttons. As we will see, this law appears to outlaw all of this entirely.

What does this mean for websites?

Most EU websites will need to change, or break the law.

Over 92% of websites use cookies at the moment. They'll either have to stop using cookies, or start asking for permission.

To ask for permission, a website must interrupt their visitors - say, with a popup like this:

[Image: a popup reading "This website wants to use cookies"]

No one wants to add this to their website, and most visitors are unlikely to be happy about it either.

There are other solutions which we explore later, but they all have a negative effect on the experience of a website. Websites could stop using cookies, but generally only by losing some functionality on their site - and because cookies are so ubiquitous, this isn't easy.

Does this only affect websites hosted in the EU?

The location of your hosting is irrelevant; what matters is the location of your organization. Your organization must fall within the legal jurisdiction of the EU. Each member state has its own laws, which are based on the same EU directive but may differ slightly.

For most small/medium organizations, being located in the EU will mean you must comply.

Are all cookies affected?

The vast majority are - all cookies that are not "strictly necessary for a service requested by a user".

The law allows an exception for "strictly necessary" cookies, such as those used to remember when something has been added to a shopping basket. A user implicitly expects these cookies in order for the action they requested to be carried out. Another example would be login.
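To make the "strictly necessary" distinction and the consent popup concrete, here is an added JavaScript example (not code from the original guide) of a consent gate that lets a site set only exempt cookies until the visitor has answered the popup, and blocks anything it has not classified. The cookie names, categories and the shape of the consent record are assumptions for illustration.

```javascript
// Catalogue of the cookies this hypothetical site sets, each classified by
// whether it is "strictly necessary for a service requested by the user".
const COOKIE_CATALOGUE = {
  session_id: { category: 'strictly-necessary', purpose: 'keeps the visitor logged in' },
  basket:     { category: 'strictly-necessary', purpose: 'remembers items added to the basket' },
  _ga:        { category: 'analytics',          purpose: 'visitor tracking (third-party analytics)' },
  fb_like:    { category: 'social',             purpose: 'social media plugin' },
};

// Only this category may be stored without asking the visitor.
const EXEMPT_CATEGORIES = new Set(['strictly-necessary']);

// Build the consent record from the categories the visitor accepted in the
// popup. Before any choice is made, treat consent as not given.
function consentFromChoice(acceptedCategories) {
  return { given: acceptedCategories.length > 0, categories: new Set(acceptedCategories) };
}

// Decide whether one cookie may be stored under the current consent record.
// Unknown cookies are denied: a cookie nobody has classified cannot be
// assumed to be strictly necessary.
function mayStore(name, consent) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return { allowed: false, reason: 'not catalogued' };
  if (EXEMPT_CATEGORIES.has(entry.category)) return { allowed: true, reason: 'strictly necessary' };
  if (consent.given && consent.categories.has(entry.category)) {
    return { allowed: true, reason: 'consented to ' + entry.category };
  }
  return { allowed: false, reason: 'no consent for ' + entry.category };
}

// Split the cookies a page wants to set into those it may set now and those
// that must wait for (or were refused) consent.
function filterCookies(requested, consent) {
  const allowed = [];
  const blocked = [];
  for (const name of requested) {
    (mayStore(name, consent).allowed ? allowed : blocked).push(name);
  }
  return { allowed, blocked };
}

// Before the popup is answered only login and basket cookies get through.
console.log(filterCookies(['session_id', 'basket', '_ga', 'fb_like'], consentFromChoice([])));
```

A real site would call `filterCookies` before wiring up analytics or social plugin scripts, and re-run it once the popup records a choice.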

Last edited Jun 4, 2013 at 8:06 PM by gmbarlow, version 1
