How the cookie crumbles – the EU’s new ePrivacy Directive

Our guest blogger is Mike Teasdale from digital marketing agency Harvest Digital. Here he talks about the Cookie Law and what you need to know if your business has a website.

In May 2011, the European ePrivacy Directive was passed into UK law. And partly in response to the confusion it caused, UK companies were given a further 12 months to become compliant.

So as of the end of May 2012, the grace period is over but unfortunately the confusion has remained. So what does the law say – and what do you need to do about it?

What is the cookie law?

The law is sometimes called the ‘cookie law’, although it actually doesn’t mention cookies. It is interested in strengthening customer protection around information that is being stored on their computers. Cookies – which are simple text files stored on your hard drive by your web browser – are the most popular way to store information, but not in fact the only way.

The law sets out some simple principles. Web site owners need to explain what cookies they are using, why they are using them and to gain consent from their users for those cookies.


Image by Neil Conway

The confusion comes because in the UK the government has steadfastly avoided defining exactly what constitutes consent. Consent could mean prior consent – the kind of ‘opt-in’ environment that we have in data protection. But many companies including the BBC and Google have settled on ‘implied consent’ as a practical route – so if you offer someone the chance to say no to cookies, but they ignore you, then you can take that as an ‘implied’ yes.

This grey area is entirely deliberate – it represents light-touch government where it is up to companies to decide to what extent they need to communicate with their own customers.

All well and good, but get this wrong – or ignore the law completely – and you could be hit with a maximum fine of £500,000.

In reality, there is little prospect of big fines being levied just yet. Where complaints are received, the Information Commissioner’s Office (ICO) is likely to investigate and then write stern letters before getting out a big stick. In consultation, it is clear that the ICO is not necessarily looking for full compliance but rather for evidence that a company is ‘on a journey’ towards compliance.

Our advice to clients is to at all costs avoid explicit prior consent. The example of the ICO’s website suggests that 90% of consumers will not opt in, which then plays havoc with services like web analytics and shopping carts which rely on cookies.

Two steps towards compliance

There are two fairly simple steps which will show evidence that you are progressing towards compliance.

  1. Do a full audit of the cookies you are currently using – your IT department or web design agency should be able to help with this.
  2. Beef up the information you are giving to consumers via your privacy page (already, by the way, a legal requirement). This should include a lot more detail on what cookies you are setting, why you are using them and then links to third parties like Google Analytics that can be used to block cookies in the future. It’s also helpful to flag that this enhanced information exists – the ICO suggests putting links to the cookie and privacy policy in a different colour from other links and perhaps in bold.
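The audit in step 1 starts with an inventory of what the site actually sets, and the privacy page in step 2 needs that inventory broken down by who sets each cookie and for how long. The script below is an added example, not code from Harvest Digital or the ICO: it parses a handful of constructed Set-Cookie headers for a hypothetical site (www.example.co.uk) and classifies each cookie as first- or third-party and session or persistent.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Hypothetical site under audit (assumption, not from the article).
SITE_HOST = "www.example.co.uk"

# Constructed sample of (response URL, Set-Cookie header) pairs, as an
# HTTP proxy or browser developer tools would capture them while browsing.
SAMPLE_HEADERS = [
    ("https://www.example.co.uk/", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("https://www.example.co.uk/",
     "_ga=GA1.2.1; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/; Domain=.example.co.uk"),
    ("https://ads.thirdparty.net/pixel",
     "uid=42; Max-Age=31536000; Path=/; Domain=.thirdparty.net; Secure"),
]


def parse_set_cookie(response_url, header, site_host=SITE_HOST):
    """Turn one Set-Cookie header into audit records (one per cookie)."""
    jar = SimpleCookie()
    jar.load(header)
    host = urlparse(response_url).hostname
    records = []
    for name, morsel in jar.items():
        # No Domain attribute means the cookie belongs to the responding host.
        domain = (morsel["domain"] or host).lstrip(".")
        first_party = site_host == domain or site_host.endswith("." + domain)
        # Expires or Max-Age makes the cookie outlive the browser session.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        records.append({
            "name": name,
            "domain": domain,
            "party": "first" if first_party else "third",
            "lifetime": "persistent" if persistent else "session",
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return records


def audit(samples, site_host=SITE_HOST):
    """Build the full cookie inventory from captured headers."""
    inventory = []
    for url, header in samples:
        inventory.extend(parse_set_cookie(url, header, site_host))
    return inventory


if __name__ == "__main__":
    for rec in audit(SAMPLE_HEADERS):
        print(f"{rec['name']:<10} {rec['domain']:<18} {rec['party']}-party "
              f"{rec['lifetime']:<10} secure={rec['secure']} httponly={rec['httponly']}")
```

Each printed row is one line of the "what cookies, set by whom, for how long" table that the enhanced privacy page should explain.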

One thing you definitely shouldn’t do is sit back and wait for clarity to emerge from the confusion. You’ll be waiting a long time – and risking a nasty fine from the regulator.

Mike Teasdale, Harvest Digital