The EU Cookie Law – what to do now

Chris Scott

As the enforcement date of 26 May 2012 approaches, we provide an update on the situation.

As the enforcement date of 26 May 2012 approaches, we provide an update on the situation.

Much has been written, and is being written, about the new so-called Cookie Law that the UK Information Commissioner’s Office (ICO) is mandated to enforce with effect from 26 May 2012. In his January article, Paul Boag concluded that “this really isn’t turning into the doomsday scenario some have suggested”.

Paul was right. However, now is the time to take some simple steps to make sure that your site is in good shape.

If you have taken a look at the ICO’s website and run screaming from the extreme solution it has implemented don’t worry. Fortunately, the ICO’s will not be enforcing such an extreme position on others.

So, what should you do? While a definitive position simply doesn’t exist right now, the following seem like reasonable steps.

  1. Identify all the cookies associated with your site, where they are being served from and what they do.
  2. Make sure you have a reasonably prominent link to your privacy policy and rename it Privacy and cookies policy to be on the safe side.
  3. List the cookies on your Privacy and cookies policy page. For first party cookies (i.e. those served by your website) list their name and purpose. For third party cookies (such as Google Analytics cookies) list the source, name and purpose.
  4. If you use social buttons to enable sharing of pages you should note in your Privacy and cookies policy that you do so and that scripts from third party sites have been used and that those third parties might be gathering usage information.
  5. Similarly, if you use third party services such as YouTube or Vimeo you should note this too and state that they may gather usage information.

So how prominent is prominent? John Lewis, for example, previously had a footer link “Security & privacy”. It has lifted this to the header and renamed it “Privacy & cookies”. Do you need to do this? My view is that, like the Number 10 website, Marks and Spencer and many others, a link in the footer will be sufficient.


John Lewis website
John Lewis website


Should you list your cookies? John Lewis and Number 10, for example, contain lists but so far Marks and Spencer, for example, has not listed its cookies. My recommendation would be to include a list of cookies together with some instructions about disabling cookies in major browsers.


A list of number 10s cookies
A list of number 10’s cookies


So how do you audit the cookies on your site? Unfortunately, this isn’t completely straightforward. The easiest way of doing this that I know of is to use Firefox with the Firebug and Firecookie extensions installed. Firecookie lists cookies on a page-by-page basis, so you’ll need to visit all sections of the site to ensure that you find all cookies.

You may also need to do some detective work when you are auditing your cookies. First party cookies, i.e. those that are served by your site, are clear. For example, first party cookies served by the Boagworld site will be listed with a domain of Where things get more confusing is with some third party cookies, for example Google Analytics cookies (which are prefixed with __utm). On these show up with a domain of (notice the leading . ) even though they have originally come from Google.

You should also include a statement of what the implications of disabling cookies will be. John Lewis is clear: “If cookies aren’t enabled on your computer, it will mean that your shopping experience on our website will be limited to browsing and researching; you won’t be able to add products to your basket and buy them.”

The best guidance that I am aware of is a recently published Econsultancy report. Unfortunately this is not cheap at £250. Econsultancy has however published a detailed, free article on the approach it has taken.