The EU E-privacy Directive will be enforced from the end of next month, and businesses have some big decisions to make about how they will comply. 

Will businesses attempt to fully comply by using an opt-in consent box for users, will they attempt to do just enough to escape the attentions of the ICO, or simply do nothing? 

I asked some of the expert contributors to our EU Cookie Law: A guide to compliance report how they intend to comply with the cookie law. 

Will you be going for full compliance (whatever that is) or aiming to do 'just enough' to show some willingness to comply? 

Matthew Curry, Head of E-commerce at Lovehoney

We're taking the stance that this is first and foremost about privacy. Privacy and discretion are important to our customers, much more than other industries, so we should be leading the way here in any case.

I don't think anyone actually understands what full compliance is, but I'm taking it as the visitor being able to pick and choose what cookies and information are stored about them before they land on the site.

This is going to be A LOT of work, so we have to do it piecemeal. I think implementing something sooner rather than later, so you can test designs is sensible, as well as helping visitors get accustomed to seeing a privacy message.

Depesh Mandalia, Head of Conversion & Product at

I suspect the ICO is going to be firmly focusing on the larger businesses initially, so if I were a larger organisation I'd certainly aim to do my utmost to comply.

However, I don't think SMEs are going to be in a position to fully comply so we may approach this in a similar way to Econsultancy with a conscious effort to inform and educate.

Craig Sullivan, Group Customer Experience Manager, Belron International Ltd:

We first ran an audit of all the cookies we were using on our sites and deleted all unnecessary and unused cookies. We then added a separate link on each page of the website to our Cookie Use Policy, which sets out clear information about what cookies are, which ones we use (and don’t use) and information about how to refuse cookies.

In addition we also prepared a table of the cookies used on the website, setting out the name and the eventual purpose of the cookie.

We have tried to balance the requirements of the law with the needs of our business, and we think that we have reached the best solution in the circumstances, particularly as we do not use behavioural tracking cookies on our websites.

We believe that any explicit opt-in option would not only harm user experience, but would have an unfair negative impact on our business, and put us at a competitive disadvantage.

CEO, online retailer:

Our answer is pretty short and sweet. We're going to wait to see if anyone gets hit by it and go from there. I.e. do nothing and waste no cash as I think it could all fall down and I don't want to waste precious resources working on this if it's an empty threat.

We aren't first in line and I'm sure that any notification from on high would give you time to remedy the matter. There seems to be no benefit to investing resources and money until such time as someone rattles our cage.

Do you think that most businesses will comply, or simply seek to build a defensible position (carry out audit, add clearer cookie messaging etc)? 

Matthew Curry:

Obviously, businesses aren't going to rush into something that is likely to harm themselves. I would expect everyone does the minimum possible, and see what Amazon, ASOS, Tesco etc do - which I expect will be very little.

I'm astounded that there isn't financial help for small businesses that have to comply. All this development work isn't going to be cheap if you're not on a platform.

I'd frown very severely at platform providers that try to charge for implementation though - since it "should" be a common solution across all their clients.

Remember 3DSecure being mandatory on Maestro cards? When it was first implemented, it was sucky as all hell and no-one understood it.

It's still sucky but now it's become common enough to not be an obstacle. That's the trick. If someone (preferably ICO) comes up with a single, common design pattern that can just be plugged into your site, then it won't be so much of an issue. And yes, the browser sounds like the right place for this.

Head of E-commerce, online fashion retailer:

Most businesses are building a defensible position. So far I have run an audit and started to write a clearer cookie message. Going forward we will allow customers to switch off cookies on the site, but it will require a positive action from them to do so (Very similar to

Depesh Mandalia:

From what I've seen and read, I believe most companies are trying their best to comply; however, what that looks like is the root problem of all of this.

I don't believe businesses want to intentionally take a lighter approach to implementation but the guidance isn't the most helpful and so many aren't sure of exactly what they should be doing and the likely impact on their business.

Think of the digital switchover: users have been informed of this change over a period of years to help them adjust.

In a similar way, the ICO or the digital arm of the Government could have run an online campaign over the last year informing users of a change in how websites will service them from the 25th May 2012, easing them into this and potentially enabling businesses to interact with their customers during this phase to create a solution which works for both the end user and the business.

Manley, SEO Director at LBi:

I believe that a defensible position is going to be an approach used by many, but I also believe that still more businesses will implement a ‘cheat’ solution in the hope that they get away with it.  

I personally feel that overt sneakiness is not a good way to build relationships with users. Be honest, your users will respect you for it.

Image credit: anomalous4 via Flickr.


Published 19 April, 2012 by Graham Charlton

Graham Charlton is editor in chief at SaleCycle, and former editor at Econsultancy.

Comments (7)

Jeremy Spiller, MD at Econsultancy

The feedback I've been getting from people is that no-one really knows exactly what to do as the law is so vague and badly written that there are more holes in it than Swiss Cheese.

Nonetheless there has been a sterling effort by many to run cookie audits and consult with lawyers to try and protect themselves and the feeling at the coalface is that if you're trying to do something about it, then that's enough.

This strikes me as a little bizarre as legislation goes because trying to do something isn't actually doing something. But of course as mentioned the law is so badly construed that no other significant action is possible.

Between you and me, I have a sneaky suspicion that whoever wrote this legislation has little or no understanding of what cookies actually are and how they're used.

So while I still receive 17,000 pieces of spam every month (fortunately filtered out by our Sysadmin) we all now have to check that a perfectly innocent cookie that stops me having to carry out a full login every time I want to visit a website from a major bank or travel company isn't going to be abused. That's just daft.

over 6 years ago


Ryan Carson

I had no knowledge about this law until about 15 minutes ago when I received an email about it from the nice folks at 123-reg and I run a website design firm in the UK.

If this law is going to be respected more by people then it should really have been better advertised. I now have the painstaking task of creating an opt-in solution which I have been informed has to cover all but essential cookie information.

This isn't just Google Analytics services but Google Maps, Facebook like, tweet buttons and in general any plug-ins on websites, including of course advertisements.

Enjoy your contact pages whilst you can because without cookies, they're going to be ugly.

To me this seems like it's trying to garner more cash for someone somewhere and I very much doubt that any of my 200 odd customers have heard about this law, or its enforcement date, as I'm sure they would have contacted me by now regarding it.

And a simple one-off auditing procedure isn't going to cut it in my opinion.

WordPress and other CMS users out there can happily add plug-ins at their leisure, although as soon as one appears on a site which isn't say... auto-audited, to invent a word, it then becomes illegal.

The funny thing about this law is that it seems it's only enforced if someone complains to the powers that be about it. So it only takes one person in a competitive industry to go across a world of sites, report them and I'm guessing a world of fines ensue.

Heaven forbid you should run a forum site in the UK where people can paste HTML in the comments...

over 6 years ago


Lawrence Shaw

I think the retail CEO comment is very short sighted.

The majority of the key brands are taking visitors' privacy seriously. It's not really just about 'ticking a legal box', it's about building the value of your brand and ensuring you have the very valuable commodity, that of trust.

It doesn't have to be expensive to sort out, or in fact (with recent updates from the ICO) impact visitor journey - being open, transparent and not 'hoping you will not be noticed' should not be anyone's direction.

Jeremy's comments are valid to a point, the first stages of what every website has to do are clear. The confusion is really about what could be / is considered 'consent' - it is very confused but anyone who has listened to or been involved at Dave Evans' presentations will also understand that the ICO aren't over the moon about the matter.

We have a detailed paper covering the key areas of "IMPLIED CONSENT" and how this can be implemented across your site / sites. It's not the only answer, it keeps well away from 'tick boxes' (they really aren't suitable for 70% of sites at the moment).

Happy for anyone to email me who wants a copy of the paper, it's no charge. lshaw(a)

over 6 years ago


Ed Percival

Thanks for creating this report, a really timely document.

I'd be keen for Google to publish some generic cookie descriptions relating to their products, particularly analytics and AdWords, so that we can deliver a consistent message.

If anyone would like to help The Prince's Trust with a cookie audit, we'd welcome the assistance.

over 6 years ago


Mark Steven

At CIVIC we've been working very hard to make compliance easier with our Cookie Control widget ( And the community have got behind the initiative, creating plugins for both WordPress and Drupal.

Compliance is a headache, but it's dwarfed by bigger issues like, say, making your website truly device aware & responsive.

For the majority of firms there are one or two scripts that may be problematic but not many more.

As full compliance isn't really that tough, the "defensible position" approach isn't all that tenable.

over 6 years ago


Gary Lake

I'm not sure BT are complying here. What appears to be a very elegant solution is actually misleading users. Lots of cookies being set regardless of the settings you use from what I can tell. Ironically, they're storing a cookie on your system to remember that you don't want cookies as well!

This is one of the most ill thought out and naive pieces of legislation to hit the internet.

over 6 years ago


John Griffith

It's interesting to see the spread of opinion and intention in the responses above based largely on their respective levels of knowledge/understanding of the law. Many are leaping to conclusions about what to do and forming opinions about the law itself without realising it is still being drafted. The guidelines are just that - guidelines, and the law will not become law until the detail is worked out and agreed - a process that will take place over the months to come. In the short term my advice to those it affects would be to take note of the law as it progresses through to ratification and take advantage of the trend towards visitor empowerment by carrying out a thorough evaluation of your brand's position and offering opt-out as a gesture at this early stage whilst planning for when it's a legal obligation.

over 6 years ago
