The Cookie Law is a piece of privacy legislation that requires websites to obtain consent from visitors to store or retrieve any information on a computer or any other web-connected device, like a smartphone or tablet, and is designed to protect online privacy. It aims to make users aware of how information about them is collected by websites and enables them to choose whether or not they want to allow it to take place.

A cookie is a small data file that stores information in a user’s browser. Cookies are a kind of short-term memory for the web and enable a site to ‘remember’ little bits of information between pages or visits. Almost all websites use cookies, and some sites use hundreds of them.

They are mostly used to make the web experience better, like automatically logging you in to a site on return visits, or remembering settings like text size. Most websites also use tools like Google Analytics to measure site performance and collect traffic stats, and this also uses cookies in most cases.

However, some cookies are used to collect data across websites you have visited, creating a ‘behavioural profile’. This profile can then be used to decide what content or adverts to show you. This use of cookies for tracking in particular is what the EU wants to raise awareness of with the law. By requiring websites to inform visitors and obtain their consent for cookies, it aims to give web users more control over their online privacy.

There are other technologies, like Flash and HTML5 Local Storage, that do similar things, and these are also covered by the legislation, but as cookies are the most common technology in use, it has become known as the Cookie Law.

Non-compliance with the cookie law can lead to a fine being imposed by the Information Commissioner’s Office.  It can also result in users choosing not to engage with a site if they believe their privacy to be at risk.

Compliance with the cookie law comes down to three basic steps:

1) Work out what cookies your site sets, and what they are used for, with a cookie audit.

2) Inform visitors how cookies on your site are used.

3) Give the user some control by obtaining their consent. Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies. If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent. You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand. In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

In June 2012, European data protection authorities adopted an opinion that “some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user’s input when filling online forms or as a shopping cart, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.”

Below is an example of an implied consent notice in the footer of a website:


