One of the biggest concerns for online businesses this year has been the EU cookie law.

Six months after the enforcement 'deadline', it seems that the cookie apocalypse hasn't transpired, but the ICO has felt the need to write to 174 companies about their cookie policies. 

According to a recent activity update, it has received 550 reports from web users about sites' cookie policies. 

Here's a summary of the issue as the ICO currently sees it... 

Cookies are a 'low consumer threat'

To put this into context, the ICO received more than 53,000 complaints about unwanted marketing communications, so concerns about cookie policies aren't that high on the agenda. 

ICO summarises the complaints as: 

  • Customers who are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site. 
  • Customers have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later. 
  • It also says that a 'significant number' expressed concerns around how cookie consent affects website usability. 

The ICO asked people who reported concerns about the websites: 

I'm not sure how, if 462 of the complainents were asked for permission to place cookies, 301 said they hadn't provided information. Perhaps they felt that not enough information was supplied at the point of asking consent. 

Moreover, it's puzzling that, despite sites asking permission to place cookies, people still felt it was necessary to complain. 

Concerns raised about websites

Between May 26 and September 6, the ICO received 388 'concerns' about 207 websites. 

The ICO then looked at these sites before writing to 100 sites asking what steps they were taking to comply. 

You can see the list of sites written to here. These include the 68 popular sites written to in May, around the time of the May 26 'deadline'.

Since sites like the BBC and Channel 4 have prominent cookie messages, implemented back in May, I think we can assume that they were among the initial 68. 

The ICO seems to be satisfied with the actions taken by most popular sites, though some are facing 'further investigation':

We are considering 14 websites for further investigation. In these cases we will contact them to discuss their compliance, and require them to take steps as necessary. We have passed details of five websites to our International team, who have told the relevant European authorities about the concerns we received. We will continue to contact every site we receive a concern about to ensure they know what steps they need to take. 

For those popular sites which have done nothing, the ICO will set a deadline for compliance, but fines seem to be a long way off. 

Relax, there's nothing to worry about...

The key takeaways as I see them are: 

  • The level of complaints is very low, and the fact that the ICO hasn't even written to 107 of the websites which were reported suggests that not all complaints were valid. 
  • Even when sites are 'non-compliant', there is no immediate threat of fines. Companies can effectively 'kick the can down the road' and take action as and when the ICO gets in touch. 
  • The ICO sees this as a low priority. I spoke to the ICO's Dave Evans a few times earlier this year, and the impression I got was that they had bigger fish to fry. 
  • Strict consent mechanisms were unnecessary. It seems that implied consent solutions which didn't impact the user experience were the best approach. Sites like Games Workshop, which won't let you into the site without clicking the cookie box have gone too far: 

Back in the months before the May 26 deadline, there was much concern about the impact of the cookie law. In a survey we ran in March, marketers expressed concerns, with many unprepared and unsure of the steps they need to take. 

At our Digital Cream event last March, the roundtable on cookie law compliance was possibly the most popular, and from the session I sat in on, there was much concern about the impact on business. 

Thankfully, though its guidance could have been clearer at times, the ICO has taken a sensible approach to implementation, placing the issue in proper context.

For an organisation which has to deal with serious abuses of the Data Protection Act and unwanted marketing, the setting of a few cookies on websites is low on its list of priorities. 

Graham Charlton

Published 19 December, 2012 by Graham Charlton

Graham Charlton is editor in chief at SaleCycle, and former editor at Econsultancy. Follow him on Twitter or connect via Linkedin.

2566 more posts from this author

You might be interested in

Comments (8)

Save or Cancel
Steve Morgan

Steve Morgan, Freelance SEO Consultant at Morgan Online Marketing

I wonder how many of those "users" were competitors (with too much time on their hands) trying to get their non-compliant competition into trouble?

That 50k vs. 500 stat is staggering though: so for every 100 people who care about unwanted emails, only 1 of them cares about cookies?

I can see why unwanted emails are a problem. I've been a victim first-hand of someone who added me to a mailing list without my permission, who then got hacked and now I'm sent nothing but dodgy spam from their email address. But it's hardly like cookies are likely to do anything near as bad as that?

What a lot of fuss over (virtually) nothing... no pun intended.

over 5 years ago

Graham Charlton

Graham Charlton, Editor in Chief at SaleCycle

@Steve either competitors or people with too much time on their hands.

It seems that many of the sites complained about actually had some sort of cookie consent tool, so its hard to understand. the motivation.

At least the ICO has had the sense to take a low-key approach, and has limited the damage the EU may have caused.

over 5 years ago


Steven Garrett

The number of complaints to the ICO is not relevant. Consumers more and more are aware and concerned that they are being tracked, or followed around the internet and targeted with behaviourally related advertising.
They want to control this but dont know how and dont realise that the cookie notices might be a way of managing their data.
I am not saying that the current approach is ideal but this is not going to go away no matter how much businesses want it to, and whether it is the AdChoices programme and/or the ePrivacy Directive there is a responsibility to be open and transparent to users of websites. That rather than the EU insist on an explicit consent approach.

over 5 years ago


Depesh Mandalia, CEO & Founder at SM Commerce

In the list of government priorities, behind an unstable economy, terrorist attacks, international trade disputes, rising costs of living etc I'm glad to see the cookie law is a 'low consumer threat'


over 5 years ago

Emma North

Emma North, Digital Marketing Executive at Koozai

The many issues with the new cookie law were always going to be policing site owners and educating users. Firstly, it would be almost impossible (and certainly take a lot longer than six months) for all websites under the legislation to be checked for compliance.

In addition, many casual users of the internet still don't understand what cookies even are, let alone implied consent or cookie legislation. Websites which are in breach of the rules are highly unlikely to be reported, or discovered, for a long time, until it becomes only few who don't comply. Until then, how can millions of sites be policed when even users don't understand what reference to cookies they should see on a site?

over 5 years ago


Neale Gilhooley

With so many dodgy websites aimed at conning, phishing, credit card and data theft as well as selling fake merchandise I think that the priorities are wrong.

Surely credit card fraud is way more harmful to individuals than someone identifying that they fancy a holiday or a dishwasher through search.

over 5 years ago


Gary Catchpole

Neale - You summarised perfectly. Honestly - what a huge waste of money and time cookie law is. Im perfectly okay with cookies, they do nothing but improve my shopping by showing me relevant suggestions or welcomes.

Perhaps E-commerce sites will start stating

"Welcome Back Mystery Shopper" instead? lol

over 5 years ago


Dave Wonnacott, Senior programmer/ Data Protection Officer at The Real Adventure

We took the view that as it was the law, we had to comply. We took this to the client as a way of establishing a greater trust with their customer base and from that, built a great declaration and control mechanism that the client loved and that was recently (externally) audited to great acclaim. Best of all, the more sites out there that refuse to comply, the more potential customers see our sites in a positive light, driving up engagement!

over 5 years ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.