{{ searchResult.published_at | date:'d MMMM yyyy' }}

Loading ...
Loading ...

Enter a search term such as “mobile analytics” or browse our content using the filters above.


That’s not only a poor Scrabble score but we also couldn’t find any results matching “”.
Check your spelling or try broadening your search.


Sorry about this, there is a problem with our search at the moment.
Please try again later.

It's now more than two years since the cookie law began to be 'enforced' in the UK, but has it changed anything? 

In the run up to the May 2012 'deadline' there was plenty of confusion from online businesses over the steps required to comply with the directive, thanks to some unclear instructions. 

Now cookie notices are seen on most websites, though the ICO received just 38 'concerns' about cookies on sites between April and June 2014. 

So was it worth the effort? Are cookie notices just an irritant? Is it totally irrelevant given the activities of the NSA? Or has this law been useful in raising awareness of cookies? 

Implementations of the cookie law

Generally, sites have opted for implied consent solutions, which assume that, if customers see a notice and continue browsing, then they're OK with it. 

They are generally displayed at the top or the foot of the screen, and require no active interaction, as on the BBC site. 


Some use a little humour too, as on Hotel Chocolat: 

However, on a smaller mobile screen, these cookie notices are more intrusive.

Screen space in precious on a mobile site, and this notice prevents John Lewis and others from making the most of it: 

Other notices on mobile are more intrusive. Here, H&M adds to the irritation caused by its app download pleas, with a very interruptive cookie message: 


Has anyone complained about cookies? 

In short, not that many people. 

In the ICO's own terminology, it received just 38 'concerns' about cookies through the reporting tool on its website between April and June 2014.

By comparison, it had 47.465 complaints about unwanted marketing communications, which puts the cookie issue into perspective. 

Looking at the chart, the majority of complaints were received in the months before and after the ICO began to enforce the EU directive, most likely as a result of the publicity around the law. 

Since then, 'concerns' have tailed off, suggesting that cookies just aren't that big a deal for the UK public. 

How has the ICO enforced the cookie law? 

There was talk of big fines (£100,000 was mentioned) back in 2012, but so far no-one has received more than a letter. 

While I have been critical of the ICO's initial advice which left many sites unclear about what they had to do to comply with the cookie law, I'm glad that it hasn't insisted on strict compliance, which would have seriously impacted online sales. 

Indeed, the ICO seems to have viewed this as an inconvenience when it has bigger fish to fry. This explains the relatively laissez-faire approach to enforcement. 

The ICO explains its approach, which is...

... to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. However, we have maintained a consumer threat level of ‘low’ in this area due to the very low, and falling, levels of concerns reported by members of the public. 
When consumers raise their concerns with us, we either conduct our own compliance check or write to the organisation concerned asking for an explanation about their compliance.

We have written to 275 organisations since October 2012, specifically about compliance with the cookie rules. We focused our efforts on:
sites ranked in the 200 most visited in the UK, as these will have the greatest impact on consumers. 

Enforcement has varied across Europe, and different countries' approaches are summarised here. The Netherlands seems to have adopted the strictest approach, requiring explicit (opt-in) consent for the use of cookies. I wonder how that's affecting its ecommerce market. 

On balance, the enforcement of the directive by the ICO has been balanced, though some clearer information on what constitutes compliance would have saved businesses a lot of time and effort. 

So, was it worth it?  

I think, considering the (lack of) volume of complaints, it's easy to take the view that the money spent by websites on cookie notices has been a waste. The stats suggest that people simply don't seem to be that bothered about cookies. 

Also, when the NSA and other government agencies are monitoring your web traffic, which we know thanks to Snowden's NSA leaks, a few third party cookies doesn't seem to be such a big issue. 

It's hard to assess the cost to business. Had the ICO insisted on explicit consent for the placing of cookies, then it's reasonable to guess that interruptive messaging and pop-ups would have increased abandonment on ecommerce sites. 

However, most businesses have sensibly opted for implied consent in the form of banners that can be closed or ignored, or simple links to privacy and cookies policies, as you see on the top right of this page. 

This seemed the best option at the time, and so it has turned out. The message is there for those that want it, while others can just carry on doing what they were planning to do anyway. 

What do you think? Was the cookie law a useful exercise in educating web users? A complete waste of time and effort? Or somewhere in between? Let us know in the comments...

Graham Charlton

Published 27 August, 2014 by Graham Charlton

Graham Charlton is the former Editor-in-Chief at Econsultancy. Follow him on Twitter or connect via Linkedin or Google+

2565 more posts from this author

Comments (24)

Save or Cancel

Ivo Spigel

There is a real need to continuously inform and educate consumers about privacy issues and concerns. The European Comission and national governments were right in recognizing this need.

The way they went about it, at least in this case, however, was pretty much useless. Cookie notices are a nuisance and this data obviously confirms that no one gives a crap about the "education" and "information" provided via this regulatory requirement.

On the other hand, some media screamed about how European web and ecommerce operations would suddenly become "less competitive" when compared to US and Asian sites which obviously hasn't happened for the same reason - no one cares, we just click on the notice and continue to the web site.

over 2 years ago


Richard Beaumont

You are right that consumers find pop-ups annoying, in much the same way they find ad or survey pop-ups that interrupt them as soon as they land annoying.

However, has anyone really considered that one of the reasons people find them annoying is that most of the interrupt the user experience, with information that they can't do anything about?

The main difference between the BBC website and the others listed, is the BBC actually offer a user control to opt-out of selected cookies on the site.

Reading the ICO's own guidelines about what implied consent actually requires - this is a compliant model, not one that simply says, we used cookies, tough luck if you don't like it - which is what most banners boil down to.

As a leading provider of cookie law compliance solutions - we moved away from pop-ups early on., advocating lower interruption, but greater control. Its a better user experience, more trusting of visitors, and more compliant than an information only banner.

So maybe people don't really care? If that is the case - why are cookie and ad blockers the most popular browser extensions? Why do close to 20% of Firefox users in the UK switch on Do Not Track (in the vain hope it might mean the don't get tracked). Why are sites about cookies, like Cookiepedia, so popular.

Any why don't people complain to the ICO - surely that means they don't care?

The other reasons that people don't complain about things is that they aren't aware of their rights, or they recognise that complaints don't result in action. Has anyone looked at these as explanations recently?

What has the cookie law done so far? I would say it has raised awareness of cookie and cookie tracking. What it hasn't done in large volume is given people reasonably exercisable choice.

This is not a failure of the law, but a failure of implementation.

over 2 years ago

Pete Austin

Pete Austin, CINO at Fresh Relevance

Not only a waste of time, but a security hazard.

This law has trained users to click on random pieces of text to dismiss what a site claims is a cookie notice. Who knows what that link actually does?

Really, really stupid.

over 2 years ago

Pete Austin

Pete Austin, CINO at Fresh Relevance

@Richard: The evidence suggests that people are worried about adverts and tracking, not cookies.

Re: "So maybe people don't really care? If that is the case - why are cookie and ad blockers the most popular browser extensions? Why do close to 20% of Firefox users in the UK switch on Do Not Track "

Ad blockers are popular, but I can't see any cookie blocker on this list of the most popular browser extensions.

And "Do Not Track" is about tracking, not cookies:
"Today, online tracking companies use supercookies and fingerprints to follow people who try to delete their cookies, and the leakage of user IDs from social networks and similar sites has often given them an easy way to identify the people they were tracking."

over 2 years ago


Richard Beaumont

@Pete - The cookie law is also about fundamentally tracking, not just cookies, it has just become labelled in a way that people are interpreting it narrowly.

It even had some wording in it to allow for the possibility of Do Not Track style functionality to be used as a vehicle for compliance - but this didn't happen, because of failure to get the DNT standard agreed.

My point was that there is plenty of evidence that users want to be given privacy options, which is what this law was supposed to be all about.

The fact that they are not being given these options, is not a failure of the law itself.

I do agree with you that people being trained to click on banners without reading them is a potential security risk and ripe for malware exploitation. But that is true of many other types of banners and pop ups - which this site also uses to grab and divert attention.

over 2 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

@Richard - I'm not convinced that many people in general want the choice. For those that are knowledgeable about cookies and want to protect their privacy, then there are ways to do this without the controls the BBC has provided.

It would be interesting to see how many visitors have actually changed their cookie settings on the BBC site - something I'll try to find out.

I think the BBC added this option as it needed to be seen as whiter than white on this issue, and it doesn't have to make a profit online. You wouldn't see ecommerce sites providing such options.

I also agree with Pete that the browser extensions are more to do with blocking ads than anything else, though they do provide those with cookie concerns with options that render the various cookie messages on sites redundant.

over 2 years ago


Richard Beaumont

@Graham - there have been plenty of surveys done in the last couple of years that provide evidence that large numbers of consumers would like businesses to collect less information, and be more transparent about what they collect and how they use it, as well as giving them greater control and choice. The Royal Statistical Society conducted one with IPSOS Mori earlier this year. They called it the 'Data Trust Deficit' - you can look it up on that.

What you seem to be saying is only tech savvy consumers have a right to online privacy - something I have a hard time swallowing. Not least because the constantly evolving nature of tracking technology means it is almost impossible for even experts to keep up - and the lack of options to limit the use of things like browser or canvas fingerprinting or any other new tech, make it harder still.

As for browser extensions - what about Ghostery - this sells itself primarily on blocking tracking and cookies rather than ads.

There are also increasing voices suggesting that the advertising model supporting 'free' services - which is what the majority of tracking is all about - is looking less and less a viable long term proposition.

over 2 years ago


Mike O'Neill

The point of the e-privacy directive is to give people control over tracking, i.e. their permission is needed before collecting their web history. The fact is that persistent UID cookies is the technique most often used for tracking, but the language in Article 5 of the Directive is not specific to cookies and includes use of other browser storage such as that used for fingerprinting.
The "implied consent" alleviation and the Do Not Track process are both in essence about helping sites manage the transition to prior consent. Sites could imply consent had been given if a person continued to navigate their site. Outside the EU sites could continue to track unless the DNT header was present.
But already a significant number of browsers have DNT enabled (over all browsers more than 17%) and the ICO, CNIL and other DPAs who allow for implied consent always said that consent should be permanently revocable. If a user revokes their consent then tracking measures such as placing UID cookies or fingerprinting must be stopped, so the ability to do that must be implemented by the site
This is why we at Baycloud Systems (http://baycloud.com) concentrated from the start on the technology needed to manage 1st party and third-party storage. Even if consent has been assumed it can be later removed, and tracking behaviour will have to be stopped both by the site and by its partner 3rd parties.
Cookies and other storage used for tracking will have to be deleted even if initially only in the minority of cases.
There are many ways that information can be given and consent obtained, and it should be entirely up to the site how to do that, though we offer model implementations of these different techniques to our customers.
We realised early on that implementing tag management was not that easy for many sites, though we worked to make it as simple as possible. We saw that the DNT process could help with this and decided to get involved with the Tracking Protection Working Group over 2 years ago. http://lists.w3.org/Archives/Public/public-tracking/2014Aug/
The DNT signal is now supported by all major browsers and the standard is close to finalisation. The DNT consent API has been implemented by Microsoft's Internet Explorer and will soon be followed by others. Until the signal is widely respected by 3rd parties, sites in Europe will need to use tag management conditioned by user consent, and we have always supported this. But ultimately sites will be able to rely on agreements with 3rd parties that they honour DNT and they will only need tag management for the few companies that continue not to.
The availability of DNT support and its consent API in browsers will complement Europe's data protection and privacy law, and make it far easier for sites anywhere in the world to give people control over tracking.

over 2 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

@Richard I'm not saying consumers don't have a right to know about the information about them which is used by sites, or that they shouldn't have a choice. I also don't think that only the tech savvy should have a right to online privacy.

I just don't believe that cookie messaging, which is likely to be ignored by most people, is the way to go about it.

From a privacy perspective, I'm far more concerned about MI5 and NSA snooping, and things like proposals to sell off HMRC data.

over 2 years ago


Simon Bone

I think a more important metric is how many people have actually been prosecuted for not displaying cookie notices?

over 2 years ago


Tony Edey, .

The basic idea behind the cookie law is fair enough, but as has been said the implimentation was poor and for 99.9% of sites the possibility of action being taken against you makes the requirement almost totally meaningless.

Not sure what better alternatives are though (if you're one of the few people in a position of power to enforce a change)... user friendly browser side controls?

over 2 years ago

Graham Charlton

Graham Charlton, Editor in Chief at ClickZ Global

@Simon None. A stern letter is the worst thing that will happen. Then sites can always add a notice to avoid further action.

over 2 years ago

Pete Austin

Pete Austin, CINO at Fresh Relevance

The ICO Website says the following, on just the first page view, so clearly this is the most you need to do. Note that they don't know for sure whether any particular *person* gets to see their statement about cookies, because quite a lot of devices are shared.

"We have placed cookies on your computer to help make this website better. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue. "

Amusing rant on this issue, with infographics...

over 2 years ago


Matt Lovell, Head of Customer Insight at Jack Wills

There are definitely some interesting opinions here.

@ Richard, I think my concern with a lot of those studies is that they don't actually tell you that much in that as with most things, if you ask a blanket question (let's try one here - would you like to earn more money) then the answer is invariably going to be distorted versus actually weighing up the cost / benefit of the offering.

For me the fundamental problem is that at no point has this been turned on it's head with the question of how do we educate people to understand a little bit more about how and why their internet behaviour is tracked.

Instead companies are encouraged to jump through hoops while at the same time, as Graham highlights, the largest and most powerful companies do what they like.

Ultimately most people like their live to be made easier. If this is done by cookies enabling forms to be pre-populated, recommendations to be provided and those pesky adverts to actually have some vague relevance then the majority would be only too happy to oblige to giving away some non-personalised data along the way. The problem is, no ones's really asking them...

over 2 years ago



For apps, there seems to be a very unclear divide between those cookies 'strictly necessary for the service' and other cookies the app may deploy which are not 'strictly necessary'. Or is the act of installing an app taken as an implicit agreement on the part of the user to all the cookies the app might use?

over 2 years ago

Richard Beaumont

Richard Beaumont, Privacy Services Manager at Governor Technology

@Matt, I agree that surveys can be manipulated, which is true both ways. However I will say is that if you can't trust the Royal Statistical Society not be be biased, who can you trust? There are also many, many more surveys on this topic, which reliably point to high levels of consumer concern about privacy and data collection.

@Pete - if you follow through the ICOs messaging - it takes you to a page with an opt-out button, which stops the cookies being set on the site. I agree with you that this is an exemplar of what should be done, but most sites don't take that second step.

There is a huge lack of consumer education on this issue. I am certainly all for more of it - which is why our company built the Cookiepedia website (I won't try to link as this seems to delete the post) - but search and you will find it.

However, all companies need to take responsibility for being more transparent with their visitors, and explaining the value of the exchange.

I believe that one of the intentions of this law was to push towards that very thing, by requiring websites to be open about how they track. But the failure was largely in the implementation, not the law, IMHO

over 2 years ago


Nick Donnelly, CEO at City King

This pointless notice is just something else people close without reading.

It actively damages the UX of websites. I have not, and probably will not pollute any websites I create with this message unless I receive a letter or the climate changes.

We put huge effort into shaping UX - there is no evidence this does anything other than irritate.

As usual this is government not understanding technology and playing to equally clueless news programs there to scare and badly inform the public.

about 2 years ago

Pete Austin

Pete Austin, CINO at Fresh Relevance

@Nick Donnelly Of course, but we've got off lightly.

Here's a game you can play. Walk around a typical town, looking at the road signs. How many are actually necessary to direct traffic and signpost the way? When I tried, it was about 10% of the total - the other 90% were for things like residents' parking.

Imagine what it would be like if there wasn't just one stupid unnecessary cookie notice, but 90% of the whole UI had by law to be stupid unnecessary notices, and think how lucky we are compared to road users.

about 2 years ago


Phil Hood, Publisher at Enter Music Publishing, Inc.

I would use a real world analogy. If someone were to install cameras in my house and observe my movements, that would be a property violation. On the other hand, if a department store wants to track my movements in their store, that is their right. In the US at least, you can't just "give up" your rights in exchange for the convenience of Facebook or Chrome, any more than you can give up your right to free speech or public assembly in return for money.

almost 2 years ago

Richard Beaumont

Richard Beaumont, Privacy Services Manager at Governor Technology

@Phil - Your analogy breaks down if you dig a little deeper. The store tracking me to help improve its service, and for no other reason, is not so serious - that's analytcs.

What about the store selling that data to any other company it wants, or allowing other companies to install their own cameras inside the store, without telling anyone? And what if that information is then used so that every time I walk into the store again, or even another store, they have bought space in, and start showing me adverts for stuff that I might not even be able to buy at the store I am in but have to go somewhere else for.

How does that sound? Thats third party ad tracking - and that still only scratches the surface of what it going on.

almost 2 years ago


Chris Baldock, UX Architect at ASOS.com

I keep seeing these statements "people care about privacy". It's an incredibly vague statement that intelligent people should really stop using.

In my experience, where I speak to real people, and do quant/quality surveys regularly, the only people who get really pissy about cookies, etc, are programmers/developers.

The phrase "people holding my data" comes up a lot from certain members of that community. The fact is that everyone else doesn't care. But paranoia is a pervasive disease.

If it's unlikely that you can have complete control, why bother? If you trust all the companies you interact with online, why bother?

And if my shopping experience was likely to be pretty old fashioned and unintelligent if I switched cookies off, why the hell would I switch them off?

The implementation of this law was paranoia and bureaucracy prevailing over common sense and actual facts. It ruins web experiences. We try hard to make a customers first experience a good one, yet EVERY TIME they see a stupid message that they NEVER READ.

If you're a developer, think about how your peers talk about this stuff. Then think about how others talk about it. It's very different.

almost 2 years ago


Guster Flannegan, Web Developer at Mo Media

@Pete Austin, whilst I would agree the cookie notices are stupid, I don't agree that they pose any real security risk. I see what you're saying, a website could link from the message to a malicious web page or some dodgy javascript so when the user clicks on the message, then bang!

But frankly, if the website is that way inclined it could make any link do this. All webpages contain a multitude of links and buttons for navigating around their site. An additional "ok" button isn't really adding any extra risk. We have to rely on the fact that modern browsers offer some protection with built-in warnings, but more so, we rely on our anti virus software.

But let's be realistic. What kind of website is going to put up a cookie warning with a malicious payload attached to it? A porn site or an illegal downloads site perhaps? Neither of those types of sites need to provide anything like a cookie link to encourage their users to click something; they already have plenty of booby trap opportunities as it is.

Another point is, a webpage doesn't require a user to click anything for it to execute some javascript or redirect the browser to another page. It can just do it automatically on page load.

over 1 year ago


John Dev, Web Developer at http://johncampbell.ninja

Here's something you may want to consider... cookie pose ZERO threat to anyone online. None. I could do far far worse things with Javascript than store cookies on your machine. This directive by the UK is easily one of the least informed, most paranoid moves in the history of the Internet.

about 1 year ago


Len Pritchard, Boss at Kikk

a few years on and it most definitely was an example of EU uselessness. The cost to individual businesses has not been great - although to the small / start up sector it was an unnecessary worry and burden. In particular, start-ups using template-style websites would have found this a headache since they wouldn't easily know what to do. At the end of the day however, the biggest irritant is for users who have to constantly click an 'x' to get rid of an annoying box. Clearly the jobsworths in Brussels didn't consider this to be important - despite the many warnings - and it joins a multitude of top-down inflictions on ordinary people and small businesses from the EU.

about 1 month ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Daily Pulse newsletter. Each weekday, you ll receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.