Posted 28th May 2012 | By ExtraMile

As of 26 May 2012, all websites that use cookies must alert visitors to that fact and offer them the option to stop them.

This is the legal requirement set out in the European Union e-privacy directive that was first introduced in 2003. The law was amended in May 2011 and now requires websites to get a user's consent before tracking technologies such as cookies are used to monitor the visitor's use of the site.

The law relates to non-essential cookies: that is to say, ones that perform a task that is not central to the operation of the website. So, for example, if you own an e-commerce site, some of the cookies you use are functionally essential. However, you may also be using non-essential cookies, for example to track visitors.

This move has been designed to protect users of the Internet from malicious and intrusive advertising that is targeted at them by unscrupulous companies. However, the net effect has been to put the world of web marketing into a spin. How does a company comply? Will it impact website traffic? Can Google Analytics (which sets its own cookies) no longer be used? Those companies that rely on online sales are particularly nervous as they consider whether such a move is going to inhibit customers from purchasing or even from using their site.

To date (28/5/12), few retailers, or indeed any other sites, have implemented more than an updated privacy policy on their website. This approach does not in any way address the law's requirements and in theory opens site owners to a £500,000 fine. In reality, such fines are reserved by the Information Commissioner's Office (ICO) for gross offenders at whom the law was originally targeted. Nonetheless, this in no way diminishes the responsibility that all website owners have under the law.

So what should companies be doing to fulfil the requirements? The ICO's own guidance was changed less than 48 hours before the new law became active - for reasons yet to be understood, but probably in a move to simplify and clarify what the law was already stating. In summary, here's the situation:

  • Your website can use "implied consent", meaning that, provided you are "satisfied that your users understand that their actions will result in cookies being set", you can assume they consent to their use
  • If you collect sensitive information (no clear definition of what may or may not be sensitive) then "you might feel that explicit consent is more appropriate"
  • In either case, you will still need to prove that people have been able to make that judgement call
  • The most appropriate way would appear to be (but yet to be confirmed by ICO) to review the cookies your site uses and kick out any that are redundant. Then highlight to customers that your site uses cookies and provide a means for them to read more about that and to consent to their use 
  • However, if users don't click the consent button but carry on using the site, that is "implied consent"
  • There can be no "Decline" button as having one would break the law - the system would need to install a non-essential cookie in order to remember the user's choice
  • In that circumstance, the site must continue to display the cookie message to that user until such time as they click a consent button, at which point the message will disappear, never to return (well, for as long as the life of the cookie that monitors their preference)
  • Bear in mind that users will need to make that choice on every browser on every device that they use

A year ago, Ean wrote a piece on this blog which said:

So what is the solution? Well, there isn't one that is going to work, yet. The simplest thing to do is assess what cookies your site is using, remove any that are archaic remnants of previous gestations of your site and make sure that the cookies you are using are needed.
Once you've done that, shore up your privacy policy. Detail every cookie you use, with further information on it if necessary, and advise users on the cookie settings and preferences in their browsers (linking this is a good idea). Then add a section to your homepage highlighting that your privacy policy has changed and urging users to read it, whilst you wait for the browser solution to become a reality.

Looks like we had the answer all along! Like it or not, if you are a website owner, you must ensure you comply with this law. If you would like to discuss the best ways of doing so, please contact us today. You can see how ExtraMile Communications has decided to comply by visiting our website.


Nick and Ean from ExtraMile Communications Ltd in Eccleshall, Staffordshire.

Need content? You may use this article on your website, or in your newsletter. The only requirement is inclusion of the following sentence and link: Article by Nick Evans and Ean Faragher of ExtraMile Communications Ltd- Extreme eMarketing.

