What to do about the new EU cookie law - Heart Internet Blog - Focusing on all aspects of the web

We’ve had a lot of enquiries from customers asking how the new EU cookie law affects their websites and what they have to do to comply. We’ve written a quick guide on what the EU cookie law is and what (if anything) you need to do.

What is this EU cookie law I keep hearing about?

Last May a law was passed stating that all websites dropping non-essential cookies on visitors’ devices have to declare it publicly and ensure visitors acknowledge and agree to those cookies in order to continue browsing the website. If you/your business resides within the EU, you have until the 26th May 2012 to implement your solution on your website(s). The most important thing to know is that if your website doesn’t comply with the new law, you can potentially be fined up to £500,000.

Not sure what a cookie is? Take a look at this Wikipedia article to find out more.

Is the law associated with me or the location of my web host?

The law is linked to you/your business, so even if you have a .com website with an American audience, you still need to comply with regulations if you/your business is based within the EU. The law applies to all domain name extensions regardless of their association with a particular country or region.

My website is a personal site, do I still need to comply?

Even if your website is non-commercial, you should still comply with the EU cookie law if you drop non-essential cookies.

Where can I find out more about the law and how websites are implementing it?

• ICC’s UK Cookie Guide

• SilkTide’s great guide to the cookie law

• AboutCookies.org’s information on the new law

• MyCustomer.com’s The final countdown: Four tips to comply with the EU cookie law in time

• Econsultancy’s EU cookie law – three approaches to compliance

• Econsultancy’s solution to EU e-privacy directive compliance

What are the exceptions to the new law?

Pretty much every site drops cookies of some description. If you have Google Analytics installed, your website drops cookies. If you have any affiliate links or use Google Adsense or any other advertising networks, your website drops cookies.

The law only applies to ‘non-essential’ cookies that aren’t required for your website to function. So, for example, if you run an online store and cookies are used so your customers can add products to their basket and checkout, you don’t need to conform to the new EU cookie law regulations. However, if you track visitors via a tool like Google Analytics as well, you will need to explicitly tell your visitors that cookies are in use on your site.

Some of the likely exceptions to cookie compliance are provided below:

Taken from ICO’s Guidance on the New Cookies Regulations PDF.

So, what steps do I need to take for my websites?

There’s no single way to comply, and the guidelines provided are quite vague, which causes a lot of confusion and difficulty for website owners who want to comply but are unsure what to do. Because there are so many types of websites using countless combinations of cookies, there’s no one-size-fits-all solution. It all comes down to what kind of website you have and what cookies are in place.

It’s not enough to simply update your privacy policy or terms and conditions. A user must explicitly accept cookies in order for you to legally use non-essential cookies on your website.

1. Check the cookies in use on your website

If you aren’t sure about the cookies you use on your website, check out the detailed information provided in ICO’s PDF or use one of the many third party tools available, such as:

• Attacat’s Cookie Audit Tool

• CookieLaw.org’s Cookie Audit

• CookieCert

• EU Cookie Directive WordPress Plugin (shows the cookies in use within the admin panel).

Please be aware that you should check every page of your website and that not all third party tools are completely accurate.

2. Implement a solution

There are plenty of solutions on offer; we’ve done the work for you and found several easy-to-use free solutions:

Cookie Policy:

Cookie Control:

When someone visits your website, the box appears in the bottom left or right corner of the page, asking them to accept the use of cookies.

Once you’ve accepted, the box disappears and the triangle turns green.

EU Cookie Directive WordPress Plugin:

Once you activate the plugin, this customisable message appears at the top of your website

In your dashboard, you can see and even add comments to your site’s cookies

CookieQ’s Cookie Consent Button:

Whether you implement one of these solutions or opt for another one entirely, the message should appear on every page of your website. If you have a static website that isn’t run on a template or CMS, you may want to look into adding it via a PHP include.
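The behaviour these widgets aim for, where nothing non-essential loads until the visitor explicitly accepts and the choice can later be withdrawn, looks like this in JavaScript. This is an added example, not code from any of the tools named above; the cookie name, the 90-day lifetime, the script URLs and the element ids are assumptions.

```javascript
// Added example: default-deny consent gate for non-essential cookies.
// Cookie name, lifetime, script URLs and element ids are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_DAYS = 90;

// Constructed sample: every script is tagged with the reason it exists.
const SCRIPTS = [
  { src: '/js/basket.js', category: 'essential' },
  { src: 'https://analytics.example/track.js', category: 'analytics' },
  { src: 'https://ads.example/show.js', category: 'advertising' },
];

// Parse a Cookie header or document.cookie string into name -> value.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { jar[name] = decodeURIComponent(raw); } catch (e) { jar[name] = raw; }
  }
  return jar;
}

// Only the exact value 'granted' counts as consent. A missing, expired or
// unrecognised value is 'unknown', which is treated the same as a refusal.
function consentState(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : 'unknown';
}

// Cookie string that records the visitor's choice for CONSENT_DAYS.
// Secure means it is only stored when the page is served over HTTPS.
function buildConsentCookie(choice) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new TypeError('choice must be "granted" or "denied"');
  }
  const maxAge = CONSENT_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Cookie string that forgets the choice, so the banner is shown again.
function buildWithdrawCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Script URLs that may be loaded for this visitor right now.
function scriptsAllowed(scripts, cookieHeader) {
  const granted = consentState(cookieHeader) === 'granted';
  return scripts
    .filter((s) => s.category === 'essential' || granted)
    .map((s) => s.src);
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof document !== 'undefined') {
  for (const src of scriptsAllowed(SCRIPTS, document.cookie)) {
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
  const banner = document.getElementById('cookie-banner');
  const choose = (choice) => {
    document.cookie = buildConsentCookie(choice);
    location.reload(); // re-run the gate with the new choice
  };
  if (banner) {
    banner.hidden = consentState(document.cookie) !== 'unknown';
    const accept = document.getElementById('cookie-accept');
    const decline = document.getElementById('cookie-decline');
    if (accept) accept.addEventListener('click', () => choose('granted'));
    if (decline) decline.addEventListener('click', () => choose('denied'));
  }
}
```

This only gates scripts added by the page; non-essential cookies that the server sets in its response headers need the same consent check on the server side.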

In addition to these methods, you may also want to update your privacy policy and/or terms and conditions. Tint Network has an easy to read privacy and cookies policy which they are happy for people to use as a template.

Cookie Monster image courtesy of Bacteriano on Flickr

 


Comments


  • Henry

    24/04/2012

    F***ing hell… really?! Urgh. My clients are gonna love this.

     
  • Philip Norton

    24/04/2012

    There is also a Drupal version of the Cookie Control widget:

    https://drupal.org/project/cookiecontrol

    I’m not looking forward to this being implemented, but I think the initial test cases will show how this law will be enforced.

     
  • Jeremy Webb

    24/04/2012

    What a royal pain in the arse. I’ve just skimmed the legislation here (https://j.mp/I6BK8O) and whilst there is lots of talk of “implied consent” and “settings consent” it certainly seems for now, that every site needs to increase the visibility of its cookie policy, and if storing cookie information about a specific user, warn them and get consent first. Phew. I think the EU has a cookie obsession – I’d have thought some focus on site hackers and propagators of commercial malware would be a better target for stringent legislation.

     
  • Lorraine Cheney

    24/04/2012

    Thanks for posting this. Another hoop to jump through!

     
  • Rich

    24/04/2012

    Seriously, this is not going to help with user interaction, and what’s likely to happen if a user doesn’t accept cookie usage, do we lose track of any data through using Google Analytics??

     
  • 24/04/2012

    Hi Rich,

    Unless you’re using some kind of advanced solution like BT’s (which lets you select exactly what cookies/level of cookies you’ll accept), I think it’s more a case of ‘if you don’t accept, please leave the website’. In which case your data wouldn’t be affected – other than your bounce rate of course.

     
  • Marc Rogerson

    24/04/2012

    I wonder if they will apply this to session data stored in temporary session files. I have avoided cookie usage since 2000 and there are other ways to store data related to a customer. For example you could keep a database entry of people who login to the site (obviously this forces a login requirement) or you could create persistent session data (security issue). You could also store it in something other than a cookie, like a flash file that resides in cache.

    Euro-muppets have a reasonable issue to contend with here but if they are really trying to save our privacy (which I do not believe entirely) then they should be fining google and facebook for the data farming they do without our consent.

     
  • Rich

    24/04/2012

    Hi Jenni

    But then what if a user does use the site, and doesn’t click accept cookies?

    I know I for one won’t be wanting to click an extra button for using a site, so why would my users?

     
  • 24/04/2012

    Hi Rich,

    That’s a very good question. The whole thing is so vague it’s hard, if not impossible, to fully implement in a practical way. I think as long as you show that you’ve made the effort, they will work with you and tell you if your solution isn’t acceptable.

     
  • Matt

    24/04/2012

    Yes, this is going to cause some short term pain for us all and it’s going to cause a huge mess for the ICO to police this. It’s also one of the worst thought out and ill advised pieces of legislation in years.

    We’ve always avoided using cookies – but we use Google Analytics. We’ve implemented the Cookie Control code on our site (https://www.womweb.net) as it’s the easiest route to take until the web community can assess what is going on and how best to implement (and wait to see what routes the big companies take and see what action the ICO takes against them). It took all of about 5 minutes to do as we use an include for our footer.

    We have also sent out a mailer to all our clients to let them know what’s going on – it’s going to annoy them that there’s another expense during a recession, but it’s better than the potential fine.

     
  • Rich

    24/04/2012

    Hi Matt,

    just had a look at your site and there doesn’t seem to be a way to deny access to the cookies – maybe this is something which has been overlooked in the plugin/code dev for the CCC, or maybe I’m missing a point here?

    Anyway, it would be really helpful if you could let us know how you are asking your customers to pay for the installation of the code, in other words do you get them to sign a disclaimer if they opt not to have it installed?

     
  • Matt

    25/04/2012

    Hi Rich,

    That is a valid point and one which does appear to be overlooked by the third party developers (and one I’ve raised with https://www.civicuk.com). The setting is actually stored in a cookie, so advice would almost certainly be to remove cookies for the site (the ones you’ve already okayed to be there) and then the setting would be forgotten. Either which way, it’s something that needs to be addressed.

    With regards to the customers and paying for the installation – it really depends on circumstances. Some have us working on retainers and it would be done as a matter of course during their pre-purchased time. Those which don’t then it would depend on how long it would take to do it on their site. Most of our sites use footer includes, so it would be a fairly quick job – so they would be charged for the time taken. To be honest, most clients are coming back to us and accepting that it’s something they need to do to keep on the right side of the law.

    As the company who runs the site (and not the developer) is responsible for legislation being adhered to, it is up to them if they want to follow our advice. We can only forewarn them about the 26th May and there is nothing we can do to force them to look into it. You could say that we are trying to look out for them, but everyone has stubborn clients who think they know better 😉

    Thanks for the response. It may be that we work with civic to get the deny cookies part sorted out, but until then, it would be a case of the user needing to remove the cookies themselves – after all – they did agree for them to be put there in the first place.

     
  • Matt

    25/04/2012

    Just to update you Rich,

    I’ve heard back from CivicUK and there is a bit of extra code which they are sending across/adding to the deployment page which would invalidate the Cookie Choice cookies. The consent cookie only lasts for 90 days anyway – then the user has to accept cookies again.

    It does mean that the user would need to remove the cookies they added themselves – if they have concerns about cookies then they would know enough about them to know how to remove them.

    We’ll see how the whole ICO policing of this goes – it might not be as much of an issue as some people think, as the guidelines are so vague that you can interpret it as once you’ve gained consent once then until the user removes the cookies then it’s OK for you to carry on using that consent.

     
  • Gary

    25/04/2012

    Good article, Jenni, about a horrible subject.

    Just a pedantic point; if you’re planning to use the Tint Network template you might want to check the spelling and grammar. I notice in the second sentence it says: “Now that you are here, we may of transferred a cookie to your computer” instead of “…we may have transferred…”

    Thanks.

     
  • 25/04/2012

    Thanks Gary!

    Ouch, good spot.

     
  • Phil

    26/04/2012

    Hi Mark – quick question.

    If a website uses multiple cookies, do we have to do anything other than just add your script to the website? Presumably by adding the script to the website it stops cookies being used UNTIL the user selects “We accept the use of cookies”?

    Thanks in advance

     
  • Oliver Emberton

    27/04/2012

    We have a solution. Protest:

    https://nocookielaw.com/

    (Of course, realistically, this is unlikely to do much. But we can try.)

     
  • Rob Barham

    27/04/2012

    Is this going to kill affiliate marketing?

    e.g is the Heart Internet affiliate scheme using cookies to track, and will you be making changes?

    Thanks,

    Rob

     
  • Paul Clarke

    27/04/2012

    Years and years of striving to block irritating pop-ups.. And now we have to implement one by law. Typical EU nonsense.

     
  • 27/04/2012

    It won’t kill it, but affiliates are potentially going to miss out on a lot of sales.

    Is there another way for us to track clicks and sales other than a cookie?

    Matt

     
  • Hudson Atwell

    27/04/2012

    How does the EU have authority to do this?

     
  • John L

    30/04/2012

    Until every government site, starting with the ICO’s spinoff sites comply fully, which they don’t, I’m not about to go changing 50-60 sites at mine or my clients’ expense, against their will. The ICO’s own compliance banner is ugly at best, and apparently only has a 10% compliance rate – that’s basically cutting 90% of their visitors out with one stupid popup, which you HAVE to click? Get real. Odd simile I know, but it’s kind of like the smoking in pubs ban. Kick 90% of the pub trade out in the rain, make the now empty place stink of farts and kill the industry off in the process. Mnnnghhhhh. And they wonder why we have an EU debt crisis.

    Besides, anyone could browse a compliant site after someone consents on the same computer, and technically they’ve muddied up the breaching of the law already – an infant could do it – all sorts. It’s nonsense.

    I for one will wait and see whether any big business gets fined for using Google Analytics, seeing as they aren’t saying much on it themselves, before I go plastering an EU directive around. Bloody Europrats.

     
  • John Dickens

    01/05/2012

    My own point of view is that an enhanced terms and conditions page should be enough, all this pop-up stuff is just stupid, no one knows what a cookie is or even cares! And if they do they use Ad Aware or SpyBot.

    We have until the 26th May, my advice to my customers is to wait a week or two and see what everyone else does or see if we get some national guidance that makes sense, like enhancing a T&C page.

     
  • Mark Bridgeman

    02/05/2012

    My understanding of it is that it doesn’t just apply to cookies but to all tracking, so if you find a way of tracking visitors without using a cookie file (i.e flash etc) then the law still applies and visitors must be warned.

     
  • Matt

    03/05/2012

    Hi John,

    This is precisely the route that Santander are going down. I would expect a company that size to have talked to the ICO to get the green light – otherwise they would almost certainly get slapped with the full fine.

    Regards,

    Matt

     
  • Bruce Abbott

    04/05/2012

    Hi Rich,

    Your quote: “In which case your data wouldn’t be affected – other than your bounce rate of course.”

    I have implemented exactly that.. users cannot enter my site unless they accept cookies. What is the point of allowing visitors to enter a site that hinders their shopping experience?

    In actual fact, I noticed very little difference to bounce rates and could even argue that these were reduced and sales conversions are higher as we had a flurry of orders once I placed our own version of the cookie control online.

    I found that informing the consumer actually increased the trust value.

    Not sure if my solution may work for anyone else but it appears that it created little difference if not better results.

    website: https://www.hootsmart.co.uk

     
  • Elissa

    10/05/2012

    Could anyone here help me please….

    I’m not familiar enough with this kind of thing….

    I’ve tried to follow the steps to comply with this new law…. But I can’t do it…. I know you guys here are experts about this stuff…

    So, I really need your help to make my website comply with the new law…

    I’m afraid of the fine ….

    So…somebody who are willing to help me sincerely….please email me on ElissaSne5@gmail.com

    Really need your help…

    And Of course to Jenny~may you help me please?

     
  • 10/05/2012

    Hi Elissa,

    We’ve created a cookie policy widget you can implement on your site: https://www.heartinternet.uk/eu-cookie-law.html

    Hope that helps! 🙂

    Jenni

     
  • Anthony

    15/05/2012

    I have google adsense on a website and even when the javascript is installed when you visit the site the cookies are still set. The javascript is not stopping the cookies just warning about them.

    You can still browse the site and are only redirected off if you select no.

    I assume that if you ignore the warning you are basically agreeing to accept cookies?

    But what about the cookies that are set as soon as you land on a page?

     
  • 16/05/2012

    Hi Anthony, you’re right, it’s not intended to stop cookies. Although that might be the ideal solution from ICO’s perspective, it would be extremely awkward for both visitors and website owners. It’s designed to be more of a visual warning that can’t be missed – it’s up to the user to decide what to do at that point. If we need to make the change and adjust the code to block cookies set directly when you land on a page to completely fulfil legal requirements, we will do as soon as we are informed. Until then it’s more of a solution to strike the balance.

     
  • Phil

    16/05/2012

    Does the law not state that Cookies must be an opt-in feature and that you cannot assume users permission based on the fact that they haven’t opted out?

     
  • John L

    17/05/2012

    It does indeed – but BT are not doing it this way either. I’ve seen two large businesses take it into their own hands as an opt-out now though and many choose the T&C option. As the ICO’s traffic was damaged to the point of 10% acceptance and 90% opt-out I for one will be choosing practicality over bureaucracy. I think it’s going to be one of those things where doing something is enough, and adhering fully will kill your traffic – for the sake of pleasing some non tech savvy lobbyist. Besides I think the ICO site still drops some cookies even if you opt out!

     
  • Phil

    17/05/2012

    Hi John. Perhaps doing “something” for your own site is fair enough. But when you’re working on client sites caution needs to be taken.

    There are so many negatives though – no cookies means no tracking stats which means not knowing how many visitors which means looking bad to the clients.

    However much I appreciate Heart coming up with a “solution” it does seem to be one that merely covers up the crime rather than not doing it in the first place… wouldn’t you agree?

     
  • 17/05/2012

    Hi Phil,

    It’s designed to be more of a middle-weight solution that causes the least grief for visitors and site owners. If ICO isn’t happy about it then we will look into it further.

     
  • Anthony

    17/05/2012

    I am looking at another Javascript method which stops all cookies until you opt in. It seems to work but it will kill my adsense code that I only started using last month!

    Phil as to stats if you have control panel there are some stats programs included in that which do not use cookies? I wonder if you did not want your customers going into control panel there could be something you could do about displaying them?

     
  • Hudson Atwell

    17/05/2012

    Why honor this law at all? I would ignore it until threatened.

     
  • Clive

    18/05/2012

    As presumably this applies to any instance where your website can be seen, what about in places where parts of your site are shown in iFrames? Would the whole site displaying your page have to include a cookie disclaimer/opt-out?

    For instance, if an American site showed one of your pages on its site (via an iFrame), would that website also have to include cookie opt-outs?

     
  • 18/05/2012

    Hi Clive, in your example the American site wouldn’t have to include a visible cookie solution because the business is based outside Europe.

     
  • Clive

    18/05/2012

    The problem I see with that Jenni is that the page the US site is displaying in an iFrame would have a cookie solution that users click to disable/enable cookies. However, if the user didn’t realise that the page was in an iFrame, then they would expect no cookies to be enabled at all, when in fact the original US page would still have their cookies enabled.

    A better way of explaining that would be Facebook. As a UK account holder, any application tabs I use which are HTML iFrames (thus showing pages from my website) would, if I’m reading the law correctly, have to have a cookie opt-out. But it could be argued that this opt-out would not achieve anything, as user data would still be collected by Facebook. And users might be misled into thinking that clicking an opt-out would also affect Facebook cookies.

     
  • Wolf Software

    20/05/2012

    We have created a complete suite of solutions both free and commercial for people who want to gain compliance via an active consent mechanism.

    https://demos.dev.wolf-software.com

     
  • 21/05/2012

    Very good point Clive.

     
  • Alan

    21/05/2012

    Whatever you did to seek approval doesn’t seem to be there any more. Visiting your site immediately lays down 7 cookies, one of which isn’t mentioned in your cookie policy.

    So a £500,000 fine heading your way in 6 days!

    Crazy law!

     
  • Alan

    21/05/2012

    IP matching

     
  • Rich

    22/05/2012

    If ICO are really that serious about this they should force the hand of the browser developers to include warnings when a site is visited, this is not the responsibility of the website owner in my eyes…

    Over the years we’ve seen inclusion of other privacy warnings, security warnings, pop-up warnings, add-on recommendations blah blah blah

    Most browsers have the ability to stop cookies right now, surely a tweak to warn the end user would suffice?

     
  • 22/05/2012

    Excellent point Rich, can’t help but feel that if this was USA-driven that would be the case. Browsers used to warn users about cookies but then stopped doing it, so it’s interesting we seem to have gone full circle.

     
  • Alan

    22/05/2012

    I am tracking what, if anything, the big UK companies are doing. Seems all the small website owners are s**t**g themselves whilst the big boys are still back.

    Not sure if this link to my blog works, but I’ll have a go

    https://badlywired.com/project-management-blog/2012/05/22/eu-cookie-law-impending-compliance-deadline/

     
  • Alan

    22/05/2012

    Spot on. And it is. The Americans are going for DNT (Do Not Track) setting in browsers.

    https://www.ftc.gov/opa/2012/05/donottrack.shtm

    This would work.

    The EU should repeal the well intentioned but ridiculous Cookie Law and work with the US on a proper global solution.

     
  • 23/05/2012

    Just read an article which is quite interesting – it states that the legislation allows you to ‘…set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. This is an option that relies on the user being aware that the consequence of using the site is the setting of cookies.’ https://www.econsultancy.com/uk/blog/9966-the-mirror-s-response-to-eu-cookie-law-compliance?utm_medium=feeds&utm_source=blog

     
  • Neil

    28/05/2012

    Hi

    Regarding the Heart Internet Cookie Control Widget, can I ask what it means in step 2. where it says “2. To enforce it for server scripts, add the following to an .htaccess file in your home directory:”…? Is this a compulsory step?

    Also when the user clicks NO to not accept they get directed to google dot com, is there a way to direct them to a page on my site to keep them there? And at least give them something to read with a view to explain the Cookie situation and persuade them to carry on using the site, basically so I don’t lose business as it’s a shopping site.

    Regards

    Neil

     
  • 28/05/2012

    Hi Neil,

    1. For better compliance, yes.

    2. Great suggestion, we’ve implemented it so now between the two [removed] tags, you can put:

    <script type='text/javascript'>
    HI.optInCookies.disagreeURL = "/a-page-on-your-site";
    </script>

    And this will change the URL of the ‘Do not accept’ option.

     
  • Rich

    29/05/2012

    Well, it’s now 29th May and interestingly there is nothing on these big players’ websites to notify users about cookie control…

    http://www.tesco.com

    http://www.marksandspencer.co.uk

    http://www.topshop.co.uk

    http://www.wilko.co.uk

    http://www.diy.com

    http://www.hmrc.gov.uk

    All of these sites seem to be dropping cookies, but not a single warning popping up anywhere? I did notice that most sites have a privacy and cookie link which is in a more obvious position, perhaps they are using this to comply?

    In either case, I would expect the big hitters to be on the case and have this nailed down, after all it is likely that they will be easy targets for warnings and fines.

    In the meantime we have notified our customers regarding the law and have received very little response, I guess if they aren’t worried then why should I be?

     
  • Rich

    29/05/2012

    It looks like some things have been clarified, page 19 of this document demonstrates why Tesco et al have opted for a prominent link at the top of the page…

    https://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx

    very easy fix, no CCC needed.

     
  • Mark Steven

    25/04/2012

    Hello from CIVIC!

    That extra snippet of code you were looking for will be up on our deployment page sometime tomorrow (Thurs 25 April). In our view it’s not a core part of the widget – users can invalidate any preferences stored in cookies at any time by clearing them. The key thing is to gain their consent in the first place, and to have a reasonable scope for that consent – in our case we default the consent period to 90 days.

    It’s easy to change this if you prefer a shorter or longer consent period.

    We’re happy to help so feel free to contact us directly or continue the conversation here.

     
  • Mercy

    14/05/2015

    This article is really concise and useful. It is a shame that the EU have nothing better to do than sit about coming up with useless laws all day. Many web site visitors won’t even know what a cookie is (usually only developers or IT professionals seem to?) and therefore these will simply annoy everyone with annoying pop ups. Those people who really care about their privacy could just get browser add-ons/extensions to do the job. And lastly, the real data scavengers that don’t care about selling your data on, won’t be legit companies anyway, and so will still do it regardless of this law. It just shows how much a bubble these eurocrats live in and why I’ll be voting Yes to leaving the EU in the UK referendum.

     
