Implementations of the cookie law

Generally, sites have opted for implied consent solutions, which assume that, if customers see a notice and continue browsing, then they’re OK with it. 

They are generally displayed at the top or the foot of the screen, and require no active interaction, as on the BBC site. 


Some use a little humour too, as on Hotel Chocolat: 

However, on a smaller mobile screen, these cookie notices are more intrusive.

Screen space in precious on a mobile site, and this notice prevents John Lewis and others from making the most of it: 

Other notices on mobile are more intrusive. Here, H&M adds to the irritation caused by its app download pleas, with a very interruptive cookie message: 


Has anyone complained about cookies? 

In short, not that many people. 

In the ICO’s own terminology, it received just 38 ‘concerns’ about cookies through the reporting tool on its website between April and June 2014.

By comparison, it had 47.465 complaints about unwanted marketing communications, which puts the cookie issue into perspective. 

Looking at the chart, the majority of complaints were received in the months before and after the ICO began to enforce the EU directive, most likely as a result of the publicity around the law. 

Since then, ‘concerns’ have tailed off, suggesting that cookies just aren’t that big a deal for the UK public. 

How has the ICO enforced the cookie law? 

There was talk of big fines (£100,000 was mentioned) back in 2012, but so far no-one has received more than a letter. 

While I have been critical of the ICO’s initial advice which left many sites unclear about what they had to do to comply with the cookie law, I’m glad that it hasn’t insisted on strict compliance, which would have seriously impacted online sales. 

Indeed, the ICO seems to have viewed this as an inconvenience when it has bigger fish to fry. This explains the relatively laissez-faire approach to enforcement. 

The ICO explains its approach, which is…

… to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. However, we have maintained a consumer threat level of ‘low’ in this area due to the very low, and falling, levels of concerns reported by members of the public. 
When consumers raise their concerns with us, we either conduct our own compliance check or write to the organisation concerned asking for an explanation about their compliance.

We have written to 275 organisations since October 2012, specifically about compliance with the cookie rules. We focused our efforts on:
sites ranked in the 200 most visited in the UK, as these will have the greatest impact on consumers. 

Enforcement has varied across Europe, and different countries’ approaches are summarised here. The Netherlands seems to have adopted the strictest approach, requiring explicit (opt-in) consent for the use of cookies. I wonder how that’s affecting its ecommerce market. 

On balance, the enforcement of the directive by the ICO has been balanced, though some clearer information on what constitutes compliance would have saved businesses a lot of time and effort. 

So, was it worth it?  

I think, considering the (lack of) volume of complaints, it’s easy to take the view that the money spent by websites on cookie notices has been a waste. The stats suggest that people simply don’t seem to be that bothered about cookies. 

Also, when the NSA and other government agencies are monitoring your web traffic, which we know thanks to Snowden’s NSA leaks, a few third party cookies doesn’t seem to be such a big issue. 

It’s hard to assess the cost to business. Had the ICO insisted on explicit consent for the placing of cookies, then it’s reasonable to guess that interruptive messaging and pop-ups would have increased abandonment on ecommerce sites. 

However, most businesses have sensibly opted for implied consent in the form of banners that can be closed or ignored, or simple links to privacy and cookies policies, as you see on the top right of this page. 

This seemed the best option at the time, and so it has turned out. The message is there for those that want it, while others can just carry on doing what they were planning to do anyway. 

What do you think? Was the cookie law a useful exercise in educating web users? A complete waste of time and effort? Or somewhere in between? Let us know in the comments…