The latest on the EU Cookie law

  • cookie
  • cookie

Anyone working in the digital sector would have to have been hiding under a rock for the past 18 months to have not heard about the new EU directive, on the way websites can use cookies to gather information about their visitors. Initially due to come into force in May 2011, the new regulations were effectively put on hold for a year to give companies more time to work towards becoming compliant, with a revised launch date of the 27th of May 2012 .

As well as being used to remember important data such as password and login details to enable sites to provide users with a better online experience, cookies are used by marketers to gather browsing history and link click data which can then be used to tailor search remarketing campaigns (PPC).

Potential lost traffic and revenue, the shear amount of work involved in becoming compliant and the fear of fines for non-compliance have been hot topics of conversation in the digital world for some time now. A lack of clear advice or guidelines from the Information Commissioner's Office (ICO) on what constitutes compliance has also meant that many businesses have struggled to get to grips with exactly what is required of them.

To add to the confusion, the ICO then changed its position 48 hours before the launch. Having previously advised sites owners that they needed to gain informed and prior consent from visitors to be able to use cookies, it is now understood that continued use of a website will be considered as a user's implied consent that their information will be recorded.

This 11th hour amendment marks a frustrating end to a stressful year for webmasters, particularly those who have acted, in good faith, to implement somewhat risky solutions such as pop-up windows to gather explicit consent, which many understandably fear will lead to a decrease in site traffic and therefore revenue. A recent survey by E-Consultancy reported that 82% of businesses thought that compliance with the directive would have a negative impact on business.

Does this last minute change of heart mean that the ICO is throwing in the towel in the face of what appears to be inevitable defeat, 3 days after the deadline for compliance only one of the UK's top 10 ecommerce sites (according to IMRG Experian Hitwise Hot Shops Feb 2012), John Lewis, has any kind of clear, visible message on their homepage regarding cookies and privacy, and this itself is only a more prominent link to a page explaining their privacy and cookies policies.

The BBC clearly thought about their compliance and implemented a header which asks you to change your settings if you are not happy with the use of cookies. They go a long way to explaining the different types of cookies and allow you to opt in/out of varying levels of consent which seems very transparent:

Seeking to explain their position and stress the importance of compliance in an interview with the BBC, Dave Evans, group manager for the ICO, argued that businesses had been given sufficient opportunity to become compliant:

"Up until now, if we received a complaint about your website we would point you in the direction of our guidance. Given that everyone has had a year [to comply], we're going to shift from that kind of approach to one which will be very much more focused on those people who don't appear to have done anything and asking them 'why not?''

So what actually is the current situation? Well without some more clear instructions from the powers that be it's difficult to say. If a site makes no steps towards compliance they risk a penalty from the ICO, however if they do implement a radical change in order to comply then they risk losing intelligence, visitors and even revenue. Despite the new 2012 deadline having come and gone, the changes you need to make on your website are very much dependant on the type of cookies installed. The level of invasiveness of the cookies in use is likely to affect the type of solution you implement. At least for now, webmasters are able to use the new 'implied consent' approach which previously was a particularly grey area in the legislation.

It should be noted that Search Laboratory is not in a position to provide legal advice and this blog should not be taken as guidance on how to comply with the legislation. It is your responsiblity to read and understand the guidance.

For more information please visit:

or you can watch the latest video with answers to some of the key questions about cookies release by the ICO (May 2012):