Do you need to worry about the cookie crisis?

The European Union has introduced legislation over the use of cookies on website. Recent guidelines help clarify what this means for your site.

Back in March I wrote about the upcoming European Union legislation on the use of cookies. Since then there has been panic and scare mongering. There have been claims that we can no longer use analytic tools or cookies, without the use of intrusive popup permission boxes.

Even in my original post I pointed out that this was unlikely. However, we now have some clarification. The EU has released some guidelines on how the legislation will be implemented (PDF download).

As somebody recently pointed out on a mailing list I subscribe to, the guidelines aren’t going to win any ‘plain english’ awards. I therefore thought a summary of some key points might help.

First, lets look at what steps you need to take.

What you need to do

Fortunately there is little that you need to do. Begin by ascertaining what cookies (if any) you use on your website and what they do.

There are two things in particular to look out for. First, do you store information on individuals in cookies and if so what information. Second, is the cookie stored on your server or elsewhere. This second point is important because it is third party cookies which the legislation is designed to stop. Fortunately, unless you are using advertising on your site, you are probably safe.

Once you have done an audit of the cookies, inform the user about their use. How you should do this will vary depending on the type of cookies you use and information collected.

An example of how cookie notifications could be displayed

The guidelines suggest a number of ways consent can be given, none of which strike me as particularly onerous. In fact in many cases the guidelines seem to suggest that a simple link to a page containing cookie information would be enough.

What about analytics

For many the biggest concern this legislation brought was that it would prevent the use of analytics. This is not the case.

On the last page of the guidelines they directly address the question of analytics. They write:

Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

In short as long as you tell the user that you are using analytics then you are in no serious danger.

How is the legislation going to be enforced

Like all guidelines these are open to interpretation and this creates fear of not complying correctly. However, failure to comply is not going to lead to automatic prosecution.

According to the guidelines, the initial step is to inform you that you are in breach of the regulations. This can lead on to an enforcement notice which compels you to make changes. Only if you ignore all of this do you face a possible monatary fine.

The disclaimer

Obviously, I am not an expert in EU law and like the rest of you, I am trying to navigate my way through all of this. However from what I have read so far, this really isn’t turning into the doomsday scenario some have suggested.

  • You link to ICO guidelines. Check page 12, “Practical advice for those wishing to comply” paragraph 2:

    “It is not enough simply to continue to comply with the 2003 requirement to tell users about cookies and allow them to opt out. The law has changed and whatever solution an organisation implements has to do more than comply with the previous requirements in this area.”

    This runs quite contrary to your advice: “Once you have done an audit of the cookies, inform the user about their use.”

    • silktide

      Agreed. It’s not as simple as Paul makes it sound, we still have to do a lot of work to be fully compliant with the law. What about social buttons like Facebook’s like button? It’s important functionality but totally breaks the law in its current form. To use this we’ll have to implement one of the horrible popup solutions I’ve seen advertised. 

      This video tells you a bit more about the law

      • I disagree. You don’t have to implement a horrible popup solution at all. Yes you have to inform the user that you use cookies to support the facebook like button but you don’t have to do this with an intrusive popup. In my opinion it is enough to have a “privacy & cookies” page linked to from the footer. If you read the guidelines for implementation they are not unreasonable.
        Also to be frank, the worse that will happen for a failure to comply is a warning. At this point you can get specific guidance about what needs to be done and comply with it. Once again this is one of those issues that has been blown entirely out of proportion. Unless you sell personalised advertising or have that kind of advertising on your site there is very little to worry about.

        • silktide

          What about all those people who do sell personalised advertising on their sites though? I admit  I hate seeing adverts, but at least with cookies they’ll show me something I’m actually more interested in. These cookies still have to be opt-in which will require an intrusive message whether it’s a popup or a message like they’ve used on

          So if you don’t think popups are needed what do you make of solutions like the top banner on and do you think these are needed or will die out quickly?

          • I think the top banner is more than is required to be honest. I suspect a highlighted footer would be enough.

          • silktide

            So setting cookies without consent is fine you think? 

            I suppose the next question has to be how highlighted is enough? It shouldn’t distract from actual site content in my opinion

          • As long as they user is aware that by using the site they are giving consent then yes that is fine. Of course, how clearly you have to make that is an unknown until we start to see some definition based on real case studies.
            BUT please bear in mind I am no legal expert. This is just my personal opinion.

  • I agree with Marek, the key to me for this legislation was the need to move from opt out to opt in. See the ico’s own website to see how they have attempted to do this. Based on the fact that few people have a real understanding of the benefits of opt in it is unlikely that many will bother. Then that analytics stuff you are doing is likely to be of little value.

  • Joaquin Garrido

    The one extremely helpful piece of information you neglected to include, especially for the benefit of those of us who live and operate on the other side of the pond, is exactly who this new legislature affects. Do developers in the U.S., Asia, etc. need to be at all concerned? What if we also have an office, or ‘presence’, in the EU somewhere?

  • Anonymous

    Hi there,

    The ICO guidelines use the image you posted above as an after opt-in choice.

    They say that the first visit should see something like the image attached: a clear notification where the visitor can choose whether to accept or opt out of cookies. If a visitor has seen the clear notification and still clicks on another link (a second page view), the ICO says this is enough for them to have given consent.

    The ICO then go on to say that, essentially, best practice would mean notifying visitors throughout their visit that they can still opt out of cookies.

  • “first party cookies used only for analytical purposes”

    I suspect a lot of websites use third party cookies – Google, for example. Where does that leave us?

    I know of one local authority that has “lost” 90% of hits becuase of it’s opt-in tick box as per the ICO.

    • Anonymous

      Google no longer use third party cookies so you are safe there.


      Paul Boag [ Web Guy, Writer and Polymath ]
      T: @boagworld
      M: 07760 123 120

  • It’s important to note that the guidelines document is not an EU document but relates to the UK implementation.

  • The BBC have just rolled out their Cookie Law solution… Interesting read here –  // seems more of an opt out than opt in to me?