Cookies and European Law 2012


In 2009 the European Commission issued an amendment to the 2003 E-Privacy Directive requiring consent for the storage of information on user devices. The British Government, and all other member states, passed this into law in 2011. Prior to the introduction of the new legislation the government made it clear that in the first year they would not be enforcing the new rules, allowing businesses time to prepare for the changes. This so called “amnesty period” comes to an end in May 2012.

In their latest guidance document, the British government’s information regulatory office, the Information Commissioner’s Office (ICO), offers detailed guidelines on how businesses might comply with the new regulation.

There follows a brief outline of the December 2011 guidelines.

Why now?

The legislation was prompted by concerns about online tracking and spyware i.e. information stored on users PC’s which is used to identify them without their knowledge.

What does it cover?

It covers cookies (both persistent and non-persistent), “Shared objects” (e.g. Flash Cookies and Silverlight Isolated Storage objects) and web bugs (e.g. information hidden in gif files).

Importantly it applies to any information about a user and not just Personally Identifiable Information (PII).


There are three classifications of consent. Understanding these is important in assessing any necessary compliance measures.

‘Assumed’ Prior

This describes the act of getting consent after a cookie has already been created. This is not how consent normally works and is likely to confuse users. In the case of older web sites the ICO suggests that this will be acceptable provided there is a prominently displayed “About Cookies” in the sites header area, and site owners show that they’ve made some effort to reduce the intrusiveness and life time of such cookies.1


Where it is assumed the user knows that cookies are being used. In the future when browsers allow users to configure their preferences this will constitute “implied consent”. However browser based opt-in strategies are not widely supported at present. In fact the success of these future opt-in strategies is, in part, dependent upon the current generation of web sites educating users about cookies.


This describes issues around services a user or subscriber3 has signed up for, and which require cookies to work correctly. Incidentally, no distinction is made between the user/subscriber parties as far as consent goes. It is an interesting distinction though, and is intended to distinguish a business user acting on behalf of a business, and home user acting on behalf of themselves.

The recommended approach for existing web sites is to make information about cookies clearly visible, along with options to disable them (along with a warning of the implications of doing so).4 For new build web sites, consent will need to be gained prior to setting any cookies. This might take the form of a check box clearly labelled on the T’s & C’s screen for example.

Cookie Types

There are a few different categories of cookie, each presenting its own particular challenges.

Session Cookies

These are used to overcome the stateless nature of the HTTP protocol in tracking a user’s interactions with a web site during each visit. They exist only as long as a user is viewing a web site and are removed when the browser hosting the session is closed. For this reason they are viewed as less intrusive and if used simply to support the sites functionality are deemed to be exempt from a requirement to gain consent.5

Making users aware, with very prominent links to information about such cookies, is the advised approach to maintaining compliance.2

Persistent Cookies

These are cookies persisted between sessions. They can be shared across several sites and can be used to target advertising, or to record visitors preferences, or for analytical purposes. These types of cookies do require consent.

First and Third Party Cookies

First party cookies are those placed by web site the user is visiting (i.e. the “originating domain”) while third party cookies are placed by the web site on behalf of a domain not being visited by the user. For example if I visit and it places a cookie to record my user preferences this is a first party cookie, and if eBay then places a cookie on behalf of an analytics service, say, this cookie is a “third party cookie”.

If a site is using third party cookies, the ICO recommend that the site owners have a contractual agreement with this third party governing their cookies behaviour.6

What Should You Do Now?

Doing nothing is not an option and is likely to bring the site owner into conflict with the law.7

The ICO recommends taking the following steps:

  • Perform an audit of cookies being used i.e. identify cookies and their purpose, the data they hold, any links to (PII) data, their life time, their originating domain, and check existing privacy policy
  • Assess how intrusive they are
  • Where consent is deemed necessary decide how it might be obtained

The ICO guidance document then goes on to advise on a number of practical ways to acquire consent. These are mostly common sense but the more interesting are:

  • In the case of Services being offered consent could be part of the T’s and C’s
  • If the site has a user setup it could be obtained as a step in the setup process
  • If the site offers features that require 3rd party cookies enabling such feature might require consenting to cookies

Further Reading

See the ICO guidelines here.

For information about cookies in general the “All About Cookies” web site is hard to beat. It is located here.


1 IOC Guidance on the rules on use of cookies and similar technologies [December 2011] p. 6

2 as above p. 6-7

3 A subscriber is in the party which pays for the line (important in the case of a business) and a user is, well, a user.

4 as above p. 7

5 as above p. 8-10

6 as above p. 10

7 A fine of up to £500 000 is the maximum penalty the ICO can impose.

Leave a Comment