Manley is SEO Director at LBi, and he has been working with clients recently, preparing for the full implementation of the EU cookie directive. 

This directive (here's the pdf if you have a few hours spare) was introduced in the name of privacy, but has serious implications for online businesses. 

I've been asking Manley about what the directive will mean in practice for online businesses, and what they should be doing to prepare themselves...

What was the thinking behind the EU cookie regulations?

The reason the EU has introduced this directive is due to concerns about privacy, especially from Scandinavia. The idea is to prevent organisations collecting information about web users without their permission. 

The problem is that the people who have introduced this have very little idea of what a cookie is and what they are used for. Considering the privacy of individuals is no bad thing, but the law is slightly misguided. 

It was announced at the beginning of the year, and the UK is the first country to have introduced it. 

The idea behind this early adoption was that we could manipulate the law, and the initial guidance was that browser settings would deal with the need for users’ consent. 

However, it soon became clear that that wouldn’t cut it.  Now we have a situation which is unclear for many businesses. 

What does the ICO’s decision to delay implementation mean in practice? 

The law is in force now, and has been since May 26. However, the ICO has said it will not prosecute anyone under this rule until May 2012. 

You can make complaints against websites though, and just because businesses may operate websites within the UK, it doesn’t mean they have nothing to worry about until next year. 

If your visitors are coming from other EU countries including Ireland, Sweden, Estonia, Finland and Malta, you may be liable. 

What do the cookie regulations mean for online business?

The ICO will not currently pursue companies for not gaining users’ consent for cookies, but this is no excuse not to be doing anything about it. 

As the ICO’s Christopher Graham has said, those who choose to do nothing will have their lack of action taken into account once the regulations are enforceable. 

The sort of organisation that will be likely to be complained about should have the resources to be able to make the necessary changes. 

They should be concerned, as the penalty for flagrant flouting of the rules is £500,000. Any organisation with several websites and brands, some financial services companies for example, will therefore be liable for each property, meaning fines could add up to millions of pounds. 

What should online businesses be doing in preparation? 

Although you can be fined, what constitutes a serious breach is flagrant disregard for the directive, and the ICO says that a phased approach is acceptable. 

Right now, you should be examining your existing current cookies, looking at:

  • How much information are you holding? 
  • How necessary is it? 
  • What measures can you put in place for gaining consent from visitors? 

Even the ICO's cookie consent message (below) isn’t enough to comply. Users have to be able to make an informed decision and give overt and informed consent.

If you have done an audit, have an acceptable and clear privacy policy, and a reasonable strategy in place for May 2012, ready to be implemented, then you will be prepared.

What are the various options for websites to ensure that they comply with the cookie law? Is it possible to comply without affecting the user experience? 

Websites face a dilemma over how overtly they ask for users’ consent to store cookies. 

They could put a notice on the page when new visitors arrive, one which asks for users to consent, but which still allows them to use the site as normal if they choose to ignore it. 

This will mean a better user experience, but the flipside is that the amount of traffic picked up by analytics packages will be a fraction of normal levels. 

The other option is to use a lightbox to ask for consent. The user only has to opt in once, and this would solve the problem of losing analytics data, but it does mean that some visitors will drop out. 

People don’t like being interfered with, and frequently ignore lightboxes when used to gather user feedback on sites. We find it offensive that something online is interacting with us, rather than us with it. 

When someone arrives at a site for the first time, there will be higher bounce rates as they see this interruption. 

Another approach is to have a tiered structure for visitors. For example, a ‘bronze’ level may mean no cookies are stored from that user, a silver level with a minimal level of cookie data, and gold, where customers opt in, in return for the fullest possible experience on a site. 

This will be the first time that most web users will become aware of this legislation, and in many cases, what cookies are. The potential effect of this change on the internet could be massive. As well as online retailers, massive sites like YouTube and Facebook all rely on cookies. 

It also threatens many business models, retargeting, behavioural targeting, attribution CRM, display advertising, and of course, analytics. 

Analytics could be seriously affected by these changes. For example, on May 26, when the ICO began to ask for consent to store cookies the visits shown in analytics were down to 11% of normal traffic. 

Is there anything companies can do to educate web users in advance? 

Perhaps, but since all businesses are looking for is a quick yes from visitors, education may not serve businesses particularly well. 

Has there been much resistance to this law? Are companies lobbying against it? 

I’ve done some work on this with financial services and telecoms companies. There are some who say this is unworkable, but in all honesty, it’s not, it’s just a bit irritating.

Others are accepting it and trying to work within the guidelines. 

This isn’t going to go away, though whether the ICO actively seeks to prosecute businesses is debatable. 

The answer is to embrace the law, and to have everything ready for its full implementation, except the last consent step, a lightbox or notice for new visitors.  

When it’s clear that the law is in place and will be enforced, then this will need to be implemented. 

How exactly the law will be implemented is still not 100% clear. The ICO has asked the industry for feedback, and it’s not certain how they will adapt to this. Until we see the legislation in practice, it’s difficult to know, but just hoping it’s going to go away is not going to help. 

Graham Charlton

Published 31 October, 2011 by Graham Charlton

Graham Charlton is editor in chief at SaleCycle, and former editor at Econsultancy. Follow him on Twitter or connect via Linkedin.


Comments (23)

Sean Clark

Sean Clark, Head of Web Operations at Adnams Plc

Quite simply we can't allow this law to be enforced. In the current climate the cost of implementation alone could prove one step too far for many companies. Let alone the competitive advantage it gives to companies outside the EU.

Don't get me wrong, privacy is important but cookie restrictions as presented in this directive are ill conceived.

Consumer expectation has grown online, they expect a lot of the decision making and presentation to be handled by the site; in simple terms they expect things to "just happen". We can only do this given the right data a lot of the time.

They will not "get it" when a box pops-up asking them to accept cookies or not.

The EU/ICO need to do consumer education awareness before they enforce a potentially crippling directive.

You only need to look at the introduction of Verified by Visa and Mastercard secure code by banks. When this was first introduced consumers didn't know what was going on. An extra step in checkout, for the right reasons admittedly, threw them. Customer service calls escalated and abandonment rates increased. The technology used was behind the times, browser pop-up blockers preventing verification. Amazon have still not implemented VbV much to the frustration of the banks.

There are far more important privacy issues to be dealt with. This just feels like an easy meal for the EU Administration.

almost 7 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

Thanks for this. It's great to see something a bit more balanced, and not (as some of the coverage seems to have been elsewhere) purely about trying to flog cookie audits to people!

I actually think the law isn't quite as bad as many are interpreting (including the interpretation in the interview here).

The ICO are due to put out 'practical' guidelines by the end of 2011, so I look forward to seeing those. In terms of the implementation on the ICO site - I believe they've done that to appear 'whiter than white'. As the body charged with enforcing this - they had to go further than they expect most people. Just a shame they didn't put out guidance back then, as many have (I think wrongly) interpreted their implementation as being 'the one'.

Here's the only mention of 'cookies' in the entire directive:

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or  viruses).

It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible.

Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.

Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."

(line breaks included for ease-of-reading).

You may wish to interpret that as meaning:

1. You must provide clear & comprehensive information. (tell them which cookies you're storing)
2. You should provide this information in a user-friendly manner.
3. There is a slight loophole: You don't have to do the above where it's "strictly necessary" for service provision.

Number 3 is the interesting one. For example, let's say you're Youtube, and your homepage is personalised depending on which videos users have watched in the past. Is that an essential part of your service provision? If so, you would probably argue that cookie storage is strictly necessary, and therefore you may display that page without a giant lightbox / opt in warning.

The 'browser' note in the paragraphs above is also worth re-reading a few times.


almost 7 years ago

Paul Gailey

Paul Gailey, Marketing Consultant at Independent

This directive completely snookers monetisation efforts across the internet economy.

That last sentence of the post hits the nail on the head as I think this theme is just not sinking in enough among web marketeers. During last week's #searchlove SEO London event, that misguided sentiment of the hope that the cookie issue will just resolve itself was tangible among the audience. That is to say, there was not enough outrage at the serious implications this policy can have on the (internet) economy.

I have a forlorn hope that cookies will eventually be as accepted by the public as vaccinations are, and all scare stories are put to rest.

almost 7 years ago

Lord Manley

Lord Manley, Principle Strategist / Director at BloomReach

On the whole, reactions from the industry have been a little histrionic. The changes required are not really that big a deal and certainly less intrusive for users than, for example, chucking a questionnaire on your home page.

@Dan - one thing with regard to browser settings - if a browser decides to provide an opt-in 'always accept cookies' option then that may well be enough, but the existing settings are not sufficient to ensure compliance.

Don't take my word for it though:

“Settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation.”
Office of the Data Protection Commissioner

almost 7 years ago



The reactions aren't histrionic, it is just that this is a ridiculous piece of legislation that harms every business working in the online sphere. And it serves no purpose for the genuine businesses out there.

There are many arguments against, one being that if I was to walk into a bricks and mortar store I wouldn't be expected to tick a box saying I knew there were video cameras that could be used for security, or could be used to see what I looked at in the store, what age/race/gender I was, how long I spent in there, how much I spent etc etc. Essentially the same data you capture online.

I hope this will disappear when the web browsers add in the full cookie blocking in their latest versions which I think will happen in time, then we can all go back to trying to increase our business and not worry about the EU and its ridiculous directives.

almost 7 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

Tom: You don't actually have to have the tick box like the ICO site. That's just the 'ultimate' example, which (unhelpfully) the ICO implemented without providing decent guidelines for the rest of humanity (no doubt because they themselves wanted to avoid scaring people). And even in their case - as Manley points out - they place one 'rogue' cookie prior to you checking that box.

It is a ridiculous piece of legislation. But I think a lot of the 'sky is falling' stuff is driven by people who make money by exaggerating the ramifications.

I hope I'm right, and I hope the ICO do put out some sensible guidance prior to the end of the year as they've said they will.

almost 7 years ago

Lord Manley

Lord Manley, Principle Strategist / Director at BloomReach

<sensationalism>I actually think it is quite a good thing.</sensationalism>

Seriously though, most users are utterly unaware of how much data they share and, whilst I am not about to don a tin-foil hat, there is a valid argument for educating them. The requirement for informed consent forces that issue rather conveniently, if in a manner which is mildly annoying for brands. At the end of the day all the directive says is that you cannot take information from someone's computer without them saying so.

If your agency is telling you that this is unworkable, a disaster or the like then may I suggest that they have not looked hard enough at how simple this will be to implement.

This is a pain in the rump for businesses and it is a poorly developed directive (note that I place the onus on the EU here, not the ICO) but it is not for businesses and it really should not represent more than a mild irritation for most brands.

Oh, and @Tom, to use your own analogy, there is a requirement to inform customers if you use CCTV so that they can decide whether or not to enter your store. Yes, those signs are not very pretty, but most customers hardly notice them and just wander in anyway.

almost 7 years ago



First off, I should point out that I work for a web development company - and we are developing what we believe is the best solution for mass market adoption by websites that want to get consent from visitors and comply with the new law.

It is true that this law represents a big shift in the way people will interact with websites - and as an industry we are going to have to respond to it. Like it or not, this law is here to stay and it will be enforced.

The ICO case of the loss of analytics data is not surprising - we have seen similar results on our own site. However I feel this is likely to be short lived.

As more and more websites implement consent mechanisms, consumers will get used to them, and this I believe will result in a greater proportion over time giving their consent than has so far been seen.

There are two real challenges here. The first is to retrofit existing sites with as little disruption as possible, and many sites will go for the lowest cost option in this case.

However, in the longer term, I think we will see new sites better adapted to the law, that aim at engaging visitors in new ways to encourage them to give their consent.

We are not going to see the end of 'free' content as many scaremongerers would have us believe. The model may suffer a short term hit, but the demand from consumers is too great. What we are going to see is more transparency and understanding from consumers that 'free' comes at a price - the price of data sharing. They will then make choices about who they trust, and whose free services they value the most.

Ultimately this could lead to better web services for everyone - as the companies that provide most user value are the ones that people will be prepared to trade their data with.

It's going to be an interesting ride to get there though.

almost 7 years ago


Baycloud Systems

The law is the inevitable result of a feeding frenzy by the behavioral advertising community, and has been working its way through legal channels since 2009. Maybe the DTI or whoever else in Government is responsible for looking after the interest of UK businesses could have prepared for it earlier and put some effort into giving reliable advice. Banging on about mythical 'browser settings' just confuses the situation. If they ever appear the new browsers will be slow to get market share and the legal responsibility still lies with the website operators (to get consent).

almost 7 years ago


Mark Richardson

I recently did some work on this for a client, and the most interesting move in this space for a while has been Google's recent analytics change. Google seem to be taking the view that if a user has opted to use SSL for their Google apps/mail then some of their referral info is off-limits via Google Analytics. It's not hard to imagine an alteration to GA in a month or two to stop dropping cookies for these users as well.

If this becomes an acceptable model (to ICO), then it's a much simpler way of determining a visitor's privacy intent than any interruption mechanism, and could mean no code change for sites using GA.

almost 7 years ago



Peter Cunningham

I wonder how this will affect landing pages for campaigns. If you have to add an 'opt in' on the landing page then conversion rates will be killed or will it be enough to deal with this when the visitor clicks through to the main website?

Generally I would have thought that the sensible thing would be to flag a link to 'what information we collect about you' on the home page similar to a privacy policy and say: 'we use anonymized information to improve our site and understand how and why visitors come to our site. If you do not agree with our use of this anonymous information you can either leave the site now and delete your cookies or simply delete your cookies when you have finished using this site'. That ought to be enough for anyone.

It's bizarre that websites have been singled out here. As well as the CCTV example it's a bit like being told that your phone call to customer support is being recorded for 'training purposes' when we all know that it is recorded and will be used for any allegations of fraud, abusive behaviour etc.

The particularly nasty bit is that you could be caught out by different interpretations and implementations of the regulations - you just need to look at your analytics to see that you get traffic from all sorts of different countries even when you set your campaigns to target the UK.

almost 7 years ago


Peter Ellen, Head of Product @ Maxymiser

It seems that deeper consideration of what constitutes consent is worthwhile. At one end of the spectrum my mum has no idea of what a cookie is, let alone the nonce to change browser settings or even comprehend what a light box might really mean. On the other hand I'm a relative geek and I do. I'm aware of a range of technical ways in which a website might store data on me. Between those extremes of comprehension you'll find the majority of end users and the concept of implicit consent. The greater your level of comprehension of what's really happening, the easier it is to grant consent.
Contact centres often note "your call may be recorded for training purposes" at the start of the call and it's assumed that the caller understands that they can end the call by hanging up. Most online shoppers know the trolley icon does not literally mean they are going to receive a shopping trolley, but instead it will take them to cart. At Maxymiser we're helping clients develop strategies which measure the impacts of experiences that assume different levels of implied consent. This seems like a decent way of demonstrating the effort factor that the ICO seems to be seeking, and it puts some real numbers around the alternative approaches. If you'd like to get involved, get in touch.

almost 7 years ago


Christopher Rose

This article was fine in general terms but does anyone have any specific information?

I have lots of websites and am vaguely aware that they put a cookie on visiting computers. However, I have no idea how that happens; how to control or stop it; nor how to access the information that the cookies apparently collect.

As such, I have no idea how to comply with this ruling even though I want to.

almost 7 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

hi, Chris,

The ICO's plan is to put out 'practical' guidelines by the end of 2011.

There are various free 'cookie audit' tools around. Here's a chrome extension from a company called Attacat, for example:

Hope that helps!


almost 7 years ago


Simon Lande

In response to Christopher Rose “I have no idea how to comply with this ruling even though I want to.”

The first step to knowing how to comply is to find out what you actually have on your site.

And, whilst understanding the frustration expressed in Dan Barker’s comment above (“It's great to see something a bit more balanced, and not purely about trying to flog cookie audits to people!”) there is no getting around the fact that you do need an audit. If you do not know what cookies/privacy statements you have on your site, then you cannot decide what action to take.

The audit should reveal what type of cookies you have – usually categorised into:
• Session cookies: These are temporary and last only for the duration of the user’s active visit
• Persistent or tracker cookies: These are stored on the user’s computer and can be accessed again by the domain that set it whenever browser contact is made
• First party cookies: These are set by the website itself (the same domain as in the browser’s address bar)
• Third party cookies: These are set by different domains from the one shown on the browser address bar

• Find out what type of cookies and similar technologies are used by your sites and establish how they are being used
• Assess how intrusive your use of cookies is
• Establish which of your sites are using cookies which are affected by the Directive (remember that cookies “strictly necessary” to fulfil a core purpose of the site are exempt e.g. a shopping basket)
• Decide what methods of obtaining consent are most appropriate for your websites
• Document the process for future reference – you may need to demonstrate that you have been actively working towards compliance

If that all sounds onerous, what we are seeing at the moment is essentially just the first step i.e. conducting the audit. Although the E-privacy Directive has already been implemented in a number of countries across Europe it is very unclear the extent to which any country will actually enforce the law.

Therefore most organisations are still taking a “wait and see” approach before actioning the results of the audit (except for ensuring that all pages on the websites include a privacy statement that covers your cookie usage – that should be implemented immediately)

But ultimately what action you take does depend on your appetite for risk…

Hope that helps.

almost 7 years ago
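The cookie categories listed in the comment above (session or persistent, first or third party, plus the "strictly necessary" exemption) can be derived mechanically from the `Set-Cookie` headers recorded while browsing a site. The following is an added example, not part of the original comment or any tool named on this page; the hosts, cookie names and the `strictlyNecessary` allowlist are constructed assumptions, and the first/third-party test is a plain suffix match that does not consult the public suffix list.

```javascript
// Added example: classify observed Set-Cookie headers for a cookie audit.
// All hosts, cookie names and header values below are constructed samples.

// Split one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// No Max-Age/Expires means a session cookie; a zero or past value is a
// deletion request, not a stored cookie. Max-Age wins over Expires.
function lifetime(attrs, now) {
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    return Number(attrs['max-age']) > 0 ? 'persistent' : 'deleted';
  }
  if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return t > now ? 'persistent' : 'deleted';
  }
  return 'session';
}

// First party: the cookie's domain covers the host shown in the address bar.
// Simplification: suffix match only, no public suffix list lookup.
function party(attrs, responseHost, pageHost) {
  const raw = typeof attrs.domain === 'string' ? attrs.domain : responseHost;
  const domain = raw.replace(/^\./, '').toLowerCase();
  const page = pageHost.toLowerCase();
  const first = page === domain || page.endsWith('.' + domain);
  return { domain, party: first ? 'first' : 'third' };
}

// strictlyNecessary is the auditor's own judgement (for example a shopping
// basket cookie); everything else is flagged for a consent decision.
function auditCookies(observations, pageHost, strictlyNecessary, now = Date.now()) {
  return observations.map(({ responseHost, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const where = party(attrs, responseHost, pageHost);
    return {
      name,
      domain: where.domain,
      party: where.party,
      lifetime: lifetime(attrs, now),
      needsConsentReview: !strictlyNecessary.has(name),
    };
  });
}

// Constructed observations: which host answered, and the header it sent.
const SAMPLE = [
  { responseHost: 'www.shop.example', header: 'basket=abc123; Path=/; HttpOnly' },
  { responseHost: 'www.shop.example',
    header: 'visitor_id=42; Domain=.shop.example; Max-Age=63072000; Path=/' },
  { responseHost: 'ads.tracker.example',
    header: 'uid=9f; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/' },
  { responseHost: 'www.shop.example', header: 'old_pref=; Max-Age=0' },
];

// Fixed "now" (the article's publication date) keeps the output repeatable.
const report = auditCookies(
  SAMPLE, 'www.shop.example', new Set(['basket']), Date.UTC(2011, 9, 31));
console.log(report);
```
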



Just don't bother collecting analytics data anymore. Users may be content with less of their browsing data being sold ;)

almost 7 years ago


Mark Richardson

Christopher - install a plugin like Ghostery on Firefox, and then browse your sites. This will tell you which cookies your sites drop. It's probably more than you think!

Once you know, it's useful to see which ones you can eliminate without problem and which ones are going to be tricky. Then work to see what the best you can do with those is.

Shopping carts or anything where the user explicitly chooses an action and the cookie drop is an absolute necessity to complete the action are exempt. So it's really analytics that will bear the brunt.

For sites behind registration you just need to update your T&C's and get the users to re-accept.

Hope this helps,

almost 7 years ago



Apparently the ICO are to release an update on the directive 6 months after the press release which falls on 26th November so save that into your diaries.

almost 7 years ago


Alex Loveless

OK, so this is not the best situation for most companies with a web presence to find themselves in, but it's not the end of the world, and may be an opportunity.

Use this as an excuse to talk to your customers, explain why cookies are important, show them you are a trustworthy company that cares.

If you want the big YES on consent then consider incentivising with vouchers, discounts, extra services, cash, whatever it's worth to you to track their usage. If you handle this correctly you could use this situation to turn a user into an advocate or premium user.

over 6 years ago

Kelly Jones

Kelly Jones, Head of Content & Marketing at CIVIC

A cookie law compliance solution is now available from CIVIC:

It's an interesting take on the requirement to get permission for dropping cookies, and has been designed in order to make that permission easy to grant as a user.

In cookie audits with our clients we have found that the most problematic cookies are those dropped by Analytics packages and things like Adsense. Often this functionality depends entirely on cookies. In the case of analytics, making it dependent on an explicit opt-in can render the data almost entirely meaningless.

Google are strangely silent and appear to be hoping that the legislators will grant them an exemption or a global opt-in for Google services, but given the looming deadline, website owners can't really afford to wait for much longer.

At CIVIC we're implementing server-side analytics which will be unaffected by the requirement to opt in, and this will run in parallel with Google Analytics or Omniture on most client sites.

over 6 years ago



While we all should take privacy seriously, this directive is like taking a sledgehammer to kill a mosquito. As consumers we need to take a bit of responsibility for the information we share. I have no issues with anonymous tracking on how I interact with a website, but I would want to be clearly told if the information was for example used to identify me on other sites (such as many retargeting solutions). In fact, even that is much less intrusive than what is allowed in the offline world, including door-to-door selling. Personally I don't see the issue with general tracking of web analytics, as it is anonymous and only provides information about how I used the website, in most cases to support improving the overall usability and providing more relevant content.

But the biggest crime is the double standard. While companies have to comply with new strict privacy regulations, the government proposes regulations that force ISPs and Telcoms to share all electronic communication, phone calls, tweets, chats etc. with government agencies.

When it comes to this whole thing, a certain Rage Against the Machine lyric comes to mind...

over 6 years ago


