EU Cookie Law – Impact on real world website marketing

I feel I must start this post with a disclaimer:

“The content of this post is very much my opinion, and although I have done my best to state how I think this will affect real businesses in the real world, it is NOT legal advice, and should not be considered as such.”

Next week (May 27th 2012 to be precise)  sees another EU law come into force. The law in question is the ” Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003″ or “The Cookie Law”.

On the face of it, regulation 6 states that if your site sets cookies on a user’s computer/smartphone/device then you must obtain their permission before you set them. Ow!

But before we get too excited, we need to look at what the law it trying to protect against, and the detail of what it says.

I believe that the law is trying to ensure that websites which collect personal data to be used for marketing purposes (eg serving targeted adverts), must obtain people’s permission before doing so.

But cookies have many uses outside of this, most of which have no privacy issues whatsoever (for example analytics that track web usage anonymously, and do not contain any private data). Although both of these uses fall under the new law, I would hope that the ICO would focus on sites  using and abusing the former, rather than those using the latter, and my experience tells me that this will be the case.

I recommend that you read ICC UK Cookie guide –  by the International Chambers of commers (ICC UK) on the subject. The guide is not long, is clearly written, and I believe gives a good analysis of how the new regulations should be viewed in the real world.

But what do you need to do?

If you are concerned, the first thing to do is to download and digest the guide.

Secondly, talk to your web developer (if it’s us, we are happy to chat this through with you) and ask them how cookies are used on your site if at all.

I would also make the following suggestions:

  1. If your site has functionality that requires users to create an account and to log in (eg an e-commerce site), make sure that you require users to agree to your sites terms and conditions when they create an account, and ensure that those terms and conditions contain the consent to collect & store cookies.
  2. If you use a “re-marketing service” for example Google re-marketing an another form of web advertising targeting visitors either on your site or after they have left it, then you will need to make visitors aware of this, and gain their consent to do so. The ICC Guide gives some fairly clear advice on how to respond if you fall into this category.

A Word About Analytics

One of the most prevalent uses of cookies is Google Analytics. It’s use allows the anonymous tracking of visitors to a website in order to get usage & generic visitor data.  The cookies used by Google Analytics fall under the new law, and thus require express consent before they are set. Therefore, any site using Google Analytics after May 27th, and not obtaining opt in from users will technically be in breach of the new regulations. However the following statements put out by the ICO:

“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.”


“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

Suggest that it is unlikely that they will prosecute sites for using Analytics, especially if you state clearly that you are doing so on your site.

To this end, we have added a “cookie usage” page to our site. You are welcome to copy this and adapt this for your own use.


In the real world, unless your use of cookies falls into category 4 (according to the ICC guide) in that they are used to target & manipulate advertising, then a making it clear what cookies you are using, how you are using them and a rewording of your Terms & Conditions/Privacy statement should cover it. Again, the ICC guide give suggestions as to wording for different circumstances.

I also believe that the ICO is reasonable, and will be looking to use persuasion rather than prosecution to enforce this, so in the unlikely event that you are picked up for a breach of the regulations, it is likely to be in the form of a nice letter suggesting that you look at and review your practices rather than a court summons!

This said, I will finish by repeating my caveat that this is not legal advice. So if you are concerned if the detailed legalities then I would recommend talking to your legal advisor.

Please note: this article refers to the impact of regulation 6 on websites and web marketing. Potential impact on email marketing will be considered in a future post.

Leave a Reply

Your email address will not be published. Required fields are marked *