You Are Here: Home » Consumer Marketing » How the Cookie Crumbles

How the Cookie Crumbles

The European Parliament has cracked down on a number of traditional elements of the marketing mix in recent years, taking a look at advertising on social networks, pricing display on websites, and email marketing for instance.  In 2011, it turned its eye to website cookies, and issued a new directive – with a deadline for compliance of May 2012.  With just a few months to go, Dean Parker – client partner at our London-based agency SAS – helps clarify some of the confusion and ambiguity around the law and suggests how best to deal with it.

I’ve had lots of clients recently ask about the new cookie legislation, so thought it would be useful to put some thoughts down on paper. A word of warning though – I’m not a lawyer so the text below is only my interpretation of what I have read from both official and unofficial sources. Any decisions you take in dealing with this law on your website should be made after seeking proper legal advice.

From May 2011, a new privacy law came into effect across the EU which requires that websites ask visitors for consent to use cookies. Until now sites have been able to use cookies as long as they tell people about them (which is usually done in the privacy policy).

The new law is intended to help protect people’s privacy, prompted in part by concerns about online tracking of individuals and the use of spyware.

Governments in Europe had until 25 May 2011 to implement these changes into their own law. The UK has revised its Privacy and Electronic Communications Regulations and provided a ‘lead-in’ period up until 26 May 2012 in which website owners must comply.

What is a cookie anyway?

A cookie is a technology for remembering information between web pages. Because of cookies, your web browser can remember you are logged in, whether you’ve visited a site before or what your personal preferences are.

In reality, a cookie is a small text file which is stored by the user’s browser and it only contains data, not code, so it can’t contain a virus or spyware. There are lots of different types of cookies but I won’t bore you with the details now.

Even though most corporate or B2B websites don’t use cookies to target you with ads, most do use them to track visitors to their site and for social media plugins like Facebook or Twitter.

Does the new law only apply to cookies?

No, despite often being labeled ‘Cookie legislation’, the law covers all technologies which store information on the device of a user. This is an important point as you, or more probably your web designers/developers, also need to think about newer technologies such as HTML5.

What does the law say?

In short, the law says that those setting cookies must tell people that the cookies are there, explain what the cookies are doing and obtain their consent to store a cookie on their device.

The important bit is that the law says that you have to gain consent before the activity has occurred (although it does accept that many sites set cookies as soon as someone enters them).

There’s some ambiguity around the issue of ‘implied consent’ but to be safe you should assume that you must rely on people making a positive choice to accept cookies rather than assuming they have done so by reading a notice about them (which you can’t be sure they’ve read in the first place).

After you’ve gained consent things get a little bit easier. If you’ve got several connected websites you can look at just obtaining consent in one place. You don’t have to ask for it again once it has been granted, unless the cookies or the way you use them changes significantly (which ironically needs a cookie to work!). You do however need to provide a way for people to withdraw consent at any time after they have given it.

Are there any exceptions to this rule?

In reality, only if you have a function on your website which only works if you use cookies – those that can be defined as being ‘strictly necessary’. So, if you’ve got a shopping basket or log-in on your site then you probably don’t need to gain consent for these. It is also highly likely that some cookies that help modern sites serve content will also be included in this definition.

But if you use them for Google Analytics (or any other analytics package that uses cookies), first or third party advertising or personalisation (e.g. recognising a user when they return to a website), you will in theory need to gain consent before you are able to use them.

How will the law be enforced?

That’s the million dollar question! There’s still a lot of ambiguity over how best to interpret the law and guidance notes but some things are for certain…

If you’ve not done anything yet, you’re already lagging behind. The  UK’s Information Commissioner’s Office (ICO) expects organisations to already be taking steps to comply with the rules and if they were to receive a complaint about a website during the 12 month lead-in period, it would expect a realistic plan to achieve compliance going forward.

And you certainly can’t ignore it. The ICOr has powers to force organisations to comply with the law and even impose fines in the most serious of cases – although formal action would only be considered when organisations refuse to take steps to comply or have been involved in a particularly intrusive use of cookies without telling individuals or obtaining consent.

“As the lead in period comes to an end organisations will need to be able to demonstrate they have taken sensible, measured action to move to compliance. If a website has not achieved full compliance at the end of the period the Information Commissioner will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen.”

ICO Guidance on the rules on use of cookies and similar technologies,
13 December 2011

However, there are some areas where we expect a bit more leniency.

In some cases, the current technology you are using to run your site (e.g. a content management system) will use cookies. As you can’t do anything to change this, we expect some leeway in such cases. After all, the quote below shows how the ICO have the same problem!

“We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can’t be removed, to find another solution.”

Also, although we know that cookies used by tracking tools such as Google Analytics are covered by the law, there appears to be a relaxed attitude to this at the moment as you will see from the quote below. One might say they’ve got bigger fish to fry! This is important because if people are given the option of not accepting these types of cookies, your analytics could become obliterated and therefore of little use going forward.

“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

ICO Guidance on the rules on use of cookies and similar technologies,
13 December 2011

What is everyone else doing?

Very little to be honest. There’s been a big backlash on blogging platforms from industry professionals and there is still a huge amount of ambiguity over the ICO guidelines. There’s obviously a lot of ‘wait and see’ at the moment.

What about other countries in the EU?

At the moment only the UK has published any guidance at all, and it is possible that the other EU member states will set different laws. If that’s the case, website owners may need different solutions for different parts of the EU. Great!

What do I need to do?

There are three very simple steps to follow before you go rushing head first into changing your websites:

  • Check the type of cookies you use and how
  • Assess how ‘intrusive’ they are
  • Decide what solution is most appropriate

Only by understanding what cookies your site uses and how they work will you be able to determine the most appropriate solution for your organisation. This is a relatively simple task that can be done by your website design or development team.

What options do I have?

There are probably three different approaches for owners of corporate and B2B websites to consider.

In short, at one end you can do everything in your power to gain consent for cookies by interrupting (and potentially harming) the user experience on your sites. While at the other end of the scale, given that most corporate or B2B websites do not use cookies in an ‘intrusive’ way, you may wish to take a more pragmatic approach and decide on a strategy based around providing more and better information. In the middle is another option that blurs the boundaries slightly.

As I said earlier, whichever approach you decide to take, it needs to be informed by a better understanding of your individual circumstances and advice from your legal team or SAS can help you out with this if needed.

Dean has over 15 years’ communications industry experience across digital strategy, interaction design and user experience. He has advised on and led projects for clients across a wide range of platforms and technologies – websites, online reporting, intranets, interactive television services, DVDs and interactive kiosks.  At SAS his clients have included GlaxoSmithKline, 3i, BP, BBA Aviation, Aviva, Diageo, KPMG Sainsbury’s, Ernst & Young, Slaughter and May World Economic Forum, Strutt & Parker, Standard Chartered Bank and Land Securities.  He can be reached at



Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *