The deadline for the e-Privacy Directive is fast approaching. While the subject has generated significant attention across Europe, the word 'cookie' continues to dominate the headlines.

In fact, the part of the Directive that applies to cookies is written more broadly and requires consent for non-essential tracking, regardless of whether a cookie is involved.

In this article, I'll review the facts behind the 'cookie law' and lift the lid on what consent really means for UK businesses.

The cookie misnomer

Everyone is talking about the run-up to May 26, when the ePrivacy Directive will begin being enforced by the Information Commissioner in the UK. The attention paid has been impressive, and we know that significant companies are taking critical steps behind the scenes. But we need to flag a problem.  

Somehow, the term ‘cookie’ has crept into the conversation like an insidious little worm, eating its way into headlines, distracting the market and potentially sending well-intended companies sprinting in the wrong direction during this critical last stretch. 

To be clear, we’re talking about compliance with the amended e-Privacy Directive. The portion of the Directive that applies to cookies is in fact written much more broadly and requires consent for non-essential tracking, regardless of whether or not a cookie is involved.

Yet we hear the Directive referred to as the ‘Cookie Directive,’ and the ‘Cookie Law.’ Companies have sprung up selling ‘Cookie Solutions,’ and providing ‘Cookie Audits.’ We have fantastic new ‘Cookie Policies’ and detailed breakdowns of the functions of each cookie.  

All of this is helpful in as much as it moves the ball incrementally forward. The danger is that our choice of words can end up putting horse blinders on our approach to compliance. 

Cookies, tags and trackers

As a lens through which to view tracking activity on your own site, a focus on cookies, to the exclusion of other technologies, is both incomplete and exhausting.  

Tags are the central tracking element, not cookies. Many companies track the consumer using an alternative technology, like a flash object. In addition, an emerging class of trackers are beginning to use technologies like device fingerprinting.  

These companies use tags, but do not leave behind any tracking object on the computer and as a result are typically invisible to web scanning technologies. Because of these gaps, a ‘Cookie Audit’ will frequently miss as much as 40% of tracking activity, a clearly unsustainable result for companies that wish to comply with the law.

A complete dump of all cookies set on a site can also quickly become overwhelming. One company can set one cookie or 12, there is no pattern. And a large organisation with a portfolio of domains, or any company with an ad supported site, can easily have 100 or more trackers, each setting one to 12 cookies.  

500 or more cookies are not at all uncommon. Further, it is often impossible to distinguish the specific purpose of individual cookies, with their cryptic names and randomised values. We’re talking about a massive undertaking, and for what benefit?

You need to understand who is on your site, and what they are doing with data. Not the particular differences between these two cookies (and yes, they are real):

a)name: __utmc, value: 46026228

b)name: __utmb, value: 46026228.1.10.1330142291

It can be very helpful to know which cookies are being set, but the cookies should not be the focal point of your analysis, or you will spend hundreds of hours diving down rat holes with questionable returns.  

Instead, you need to up level your assessment to the companies that are tracking the user. Each company has distinct attributes relevant to your assessment, including:

  • The categories of information they collect.
  • Their business model.
  • Data retention policy.
  • Whether or not they have a properly functioning opt-out.
  • Whether or not they engage in online behavioural advertising.
  • The types of tracking technologies they are using, including tags, cookies, and flash objects.
  • Whether or not ALL of their tracking activities can be considered ‘strictly necessary’ under the Directive.

All of this information should be rolled together into a clear position on whether or not each company requires consent. You can do this yourself, or you can work with a company like Evidon, but whoever you use, be sure you don’t find yourself lost in a maze of cookies. 

Tracking activity and the consumer

When it comes to the consumer, again, cookies should not be the focus.  It makes no sense to inform them of just the tracking activity that uses cookies.  

Disclosures that leap directly into a breakdown of each cookie are replacing a problem created by legal geeks (privacy policies) with a problem created by real geeks (technical explanations of hundreds of cookies).  

The inability of most people to comprehend the dense legal language in a privacy policy is one of top reasons we’re in this mess today, but at least privacy policies are written in English.

You must engage the consumer in a dialogue about tracking that is happening on your site to comply with the law and that dialogue must be specific, but there is no reason to leap directly to the logical extreme.

Again, they need to know who is tracking them on your site and what they are doing with data. Your priority should be experimenting with interfaces that simplify the presentation of this information as much as possible, rather than running a microscope over the particulars of each cookie.  

When discussing cookies, be sure to provide context. Include the company behind each cookie, with links to more information about that company’s practices.

In the EU, our clients will be deploying consent solutions that make it clear to the consumer that tracking is taking place, using visual tools like the orange bar and Cookie Consent button on the bottom of the page below.

Step 1:

Consumer visits site and reads about the tracking taking place as well as their options.

Step 2:

If the consumer clicks on the Cookie Consent button, they will have access to a breakdown of the categories of tracking activity, including Essential, Analytics and Customisation, and Advertising.  

They can withdraw consent for the latter two categories of tracking, as they are subject to the Directive, or they can click an arrow to read more about the tracking in each category.

Step 3:

If they click an arrow, they will see a list of the companies tracking them in each category along with the purpose of their tracking and can withdraw consent from individual companies.

When taken together, these tools allow a company to have comfort that they have acquired the implied consent of the consumer.

With all of this said, I want to be clear about the importance that cookies play as a part of your compliance game plan for the ePrivacy Directive. But do yourself a favour and strike any reference to the ‘Cookie Law.’  I still haven’t seen a copy of that law.

Victoria Usher

Published 16 May, 2012 by Victoria Usher

Colin O'Malley is Chief Strategy Officer at Evidon and a contributor to Econsultancy.

1 more post from this author

You might be interested in

Comments (14)

Save or Cancel

Jonathan Davies

I think you'll find reference to the 'Cookie Law' here.

over 6 years ago

Graham Charlton

Graham Charlton, Editor in Chief at SaleCycle

@Jonathan This is a guest post but, you're right, we're as guilty as anyone for referring to cookie law. There are probably at least 20 posts here with the term in the headline:

While, as Colin points out (and we do in the guide you refer to) the term cookie law doesn't cover everything required for compliance, it is how it has become known, and is at least less of a mouthful than the 'Privacy and Electronic Communications (EC Directive) Regulations'.

Moreover, it is what people are more likely to search for on Google when looking for information and we want to make sure people can find our content on this subject.

over 6 years ago

Alex Sandrey

Alex Sandrey, Head of Digital Solutions at HeathWallace

It's also difficult not to call it the cookie law when both the ICO and the Government are talking about enforcing 'cookie rules'.

The main issue seems to be around tracking and if it is considered strictly necessary (I think everyone is in agreement that by the letter of the law, it isn't).

There is an interesting article here:

over 6 years ago

Andrew Slack

Andrew Slack, Managing Director at Twist Digital LLP

Looking forward to watching the internet become a barrage of pop-ups on May 26th, as every single website I visit asks for some kind of permission, to do something I really don't care about.

Well done EU law makers and the ICO, another well thought-out policy to make the world a more complicated place.

over 6 years ago


Matt Smith

I too am looking forward to the carnage.

The cookie consent form on the site described above, whereas offers lots of options, is just going to be set to all off by the majority of users.

A more realisitic outcome is as follows:

Consumer visits site and annoying message is displayed. User doesn't care/want to understand so returns to Google and clicks on the next result.

Personally I think most people will just ignore this and perhaps copy what Google and Amazon does.

over 6 years ago


Phil Rendell

Fully agree with your assertion that it's not about cookies, it is not there’s plenty more gotchas with this law as well such as you shouldn’t rely on javascript technologies to provide a solution as the visitor may have it turned off.

Nor should you link to sites purporting to provide further information as they can implement their own regime of consent which bars your user from finding the further information without accepting Fully agree with

over 6 years ago


Loren Nally, Owner/Online marketing manager at

I can't help feeling that this is 'red tape' gone mad. Its going to take ages to get past all these popups and extra tick boxes etc. before you actually get to the site! I wonder how many people will do what I'll do and just close the window or click away.

We want to do things quickly online, not spend ages reading the small print before we know if we even want whats on the site. Is there a better way to delete info collected during your visit? If the site is one you want and you continue to visit additional pages, even put items in a basket, perhaps then is the time to say something like, 'We collected information during your visit' and then provide details on what it is and options on what to delete or keep ?

Just a thought....

over 6 years ago



After I originally commented I seem to have clicked
on the -Notify me when new comments are added- checkbox and from now on
every time a comment is added I get four emails with the same comment.
Perhaps there is a means you can remove me from that service?
Thank you!

over 6 years ago



Even the ICO talks about a cookie law:

Strictly, as that link shows, the legislation is about storing or accessing information on a user's computer, of which cookies are the most obvious example. You mention fingerprinting, but it doesn't obviously do that, so would not fall within the strict interpretation of the law as far as I can see.

Therefore I agree that it is not just about cookies, but it seems to me that the legislation does not cover all tracking, and in that respect is arguably already being rendered out of date.

I am not advancing an argument for replacing cookies with fingerprinting, however!

about 6 years ago



This cookie law seems like a charter to close the Internet down!

It is a particular problem for blogs because, by definition, they plug in lots of other websites and technologies in the form of widgets & plugins. That's what makes them work.

A blog author might have to vet every widget and keep abreast of every supplier's cookie statements. So instead of writing the blog the author could find themselves a full-time job just tracking any cookies.

And how much time do readers have to devote to this? They might end up with 100's of cookie authorisaton popups before they read a single word of a blog.

This cookie law seems to me bureaucratic unworkable nonsense & gibberish.

I have just accepted cookies from a couple of high-profile websites. What does me clicking YES actually mean? Does it mean I am safe? No, it does nothing for my privacy. What it means is I cannot sue when things go wrong.

What is needed is a web of trust, not a web of distrust,

about 6 years ago


Cookies for Dogs?

Excellent site, glad I found it. I am in the UK and run a popular dog training website which gets a lot of visitors especially from troubled dog owners who come to chat and ask advice etcetera. I have been scratching my head for weeks now because it seems all the sites I visit have the most infuriating popups asking me about cookies.
I was doing a bit of background reading to find out what on earth is going on, I don't follow the news much (other than where it relates to dogs obviously) and so I had little knowledge of all this hoohaa.

I am beginning to get pretty worried about it, I do not have sufficient knowledge to deal with the technical side of this so will ask my old webmaster to consult me on it, but from what I can gather, this is absolutely, totally and utterly ludicrous!

And before anyone says it only applies in the US, the sites I am seeing the cookie popups on are all UK based websites from various topics.

Gone are the days when you could just sit on google and visit some websites and not worry about anything else! Privacy Schmivacy, why can't the world just grow up?!

almost 6 years ago


Mark Lindsey

This is the first I've heard of all these new regulations on cookies. I run a royalty-free music licensing site in the US, and I've only ever just had a copyright/terms/privacy page that mentions that by using the site, the users accept that cookies may be collected by my shopping cart (I don't otherwise track anything). I haven't really seen many US sites, let alone stock music services bothering with any special cookie pop-ups. Ugh! Don't want them and visitors shouldn't have to worry about them just to satisfy some lawyers.

almost 6 years ago



Ditto Mark. I deal with a lot of marketing and research firms, which nowadays rely on mostly online platforms for harvesting knowledge about their customer-base, consumer traits and spending habits etcetera. Some are involved in paid surveys too, and even those ones don't take this legislation into account in their best practices. I have mentioned it someone today, who works for a large research company in Europe, and his response was "what legislation?"
Scary if you ask me, yet another law for unsuspecting decent people to 'trip over' closely followed by the retort from the authorities of "ignorance is no excuse". Not a progressive move in my opinion, far from it.

almost 6 years ago


Jene Then

I'm glad I found this post since this enlightened me with the Cookie Law. It worries me that the Internet nowadays do not have protection against intrusion of privacy. This cookie law seems to be senseless and illogical and it does not help about my security.

almost 6 years ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.