CIVIC has recently introduced a cookie law compliance solution, Cookie Control, enabling webmasters to avoid prosecution when the ICO starts enforcing the law in May 2012.

The law requiring websites to gain explicit consent before storing cookies on users computers was passed in May 2011 but the ICO granted firms a year to comply before prosecuting any cases.

Apart from one or two lonely voices, reactions from website owners have been entirely negative. Many saw the law as an ill-conceived nonsense that failed to appreciate the technical reasons for which cookies are used. Many are holding out for a u-turn on the legislation, perhaps in the hope that a Conservative, red-tape-busting government might be averse to interference with the World Wide Web. Some plan never to comply and others hope for some kind of meta-solution from browser vendors and the major players like Google and Facebook.
But the law isn't woolly, ill-intentioned or wrong-headed. In fact, while it poses one or two compliance headaches, we believe that it's Quite a Good Thing.

Big providers of Internet services, particularly Facebook and Google, liberally use cookies to make their services work, track user behaviour, sell us things and personalise our browsing experience. They keep telling us that data is anonymised, that they only have our best interests at heart, and that they exist to make the world a better place.
Even if we believe them, the fact is that data, once it is brought into existence, has a creepy way of getting about, being repurposed for commercial gain, or otherwise misused. Google, with its control over Adwords, Analytics, Gmail and a host of other services, has the means to track much of our activity online. Not that it chooses to exercise that power, and in theory laws exist to discourage it from doing so.
Digital agency CIVIC believes the new cookie law will produce a new kind of good practice for websites. Some rules that will help prevent such user-identifiable data getting into the hands of big corporates (and their governments). Ultimately, for the protection of individual freedoms online, this is a good thing.

What the law means for webmasters

There are a few steps to go through in order to achieve compliance with the law:

1) You must audit your cookies and present clear information about them on your privacy policy

2) You must include a mechanism for obtaining consent, before any cookies are stored (with one or two exceptions for things like load balancers and shopping carts)

3) You must make any technical changes to cookie-storing scripts in order to test for consent before a cookie is stored.

In practical terms it means you need to avoid using cookies or deployoing third party software that uses them; except where it is essential for the purpose making your website work. This is because, as soon as explicit consent is required, users start to refuse that consent. If you see a particular feature as important, you'll want to know that it will work all the time, whether or not users have consented to cookies.

Cookie Heaven

The day of judgement may be approaching fast, but salvation for tormented webmasters is at hand. CIVIC has developed 'Cookie Control', a natty little plugin which is designed to garner user consent where other solutions fail to get it. Cookie Control comes with an online configurator where you can set your styling options, choose the position of the Cookie Control icon, edit the supplied boiler-plate text and include a link to your privacy policy.

Examples are provided on how to adapt typical third party scripts to test for user consent before they run, and the team at CIVIC are ready to help with custom implementations and cookie audits.

The solution was originally rolled out in response to the needs of CIVIC's many government clients, including the Scottish Government, SQA, Skills Development Scotland and the NHS.

CIVIC will be launching the solution at a seminar on 18 January, details of which are available here:

Cookie Hell

While most websites will be able to comply with a few simple tweaks to their code and the application of Cookie Control, some third party apps will be badly affected.

Google Analytics is estimated to run on 90% of websites. As an entirely cookie-based analytics solution it is not compliant with the legislation without the provision of explicit consent by website users. When the ICO tested this on their own site, only 10% of users actually opted into the service.

Obviously, an analytics package that only tracks 10% of users is hardly of use at all. Google's silence on this problem has been deafening. We can speculate that they're hoping the ICO will approve a global opt-in that will be valid across all Google services, or that an exemption will be made in the case of analytics. But in the absence of any solution from Google, webmasters may have to find an alternative analytics solution that doesn't depend on cookies.

Websites dependent on sales from advertising will be harder hit. At the moment scripts from some ad networks deposit cookies in order to personalise ads on websites that users visit later. It's difficult to see how this functionality will survive when explicit consent is required in order to make it work



CIVIC is a full service digital agency serving clients across the UK. CIVIC is known for its user-centric design and leadership in the public sector.
Cookie Control has been made freely available under the CIVIC Pride programme.

CIVIC Pride has also seen the Open Source release of CIVIC's Java Content Management System,, pro-bono website for an Edinburgh Pimary School, and pro-bono website for Challenge Scotland,


12 South Charlotte Stree
0131 624 9830

Published on: 10:21AM on 12th January 2012