Cookiepocalypse: Implementing New Law Drops Use by 90%

ICO website traffic impact of cookie opt in by Vicky Brock

Update: Cookiepocalypse is over (possibly). The ICO have updated their advice, suggesting implied consent is sufficient for users.

This one is going to run and run. I'm predicting that anyone in digital is going to be an expert in cookies by the end of the Summer. And not the nice baked versions either, sadly.

Imagine a 90% drop in website visitors who are willing to accept a cookie from your website, or be tracked through your analytics tool. Or your advertising targeting? Or your third-party shopping basket? Ouch.

That's what happened when the Information Commissioner's Office (ICO) implemented the new law with existing technology: over 90% of site visitors declined to accept a Google Analytics cookie, thereby disappearing from their analytics.

Whilst the powers-that-be have allowed a year for industry to figure out a way to implement the new 'daft by European standards' cookie law, its impact is dramatic, as illustrated by the graphs obtained by leading web analytics expert, Vicky Brock (@brockyvick), under a Freedom of Information (FOI) request.

UPDATE: Vicky has kindly shared the raw data from the FOI request if anyone fancies a spot of number-crunching.

Perhaps this is a portent of doom for anyone that relies on multiple cookies for tracking, customer service, analytics, advertising. Oh, wait, that's everyone?

The effect is pretty chilling, especially for all those data-reliant real-time advertising and data exchanges that depend on free and easy access to this information.

ICO website traffic impact of cookie opt in by Vicky Brock



Pics (cc) Vicky Brock. Hat tip: @kevgibbo.


Could be a good thing...

It's kind of forcing us to consider new and inventive ways to target users online. Cookies give an indication of what a user was interested in yesterday, last week, last month but they don't tell us what the user is interested in right now. 

Ads should be relevant to the content being consumed in the moment - when that happens, CTRs improve considerably. We've seen CTRs shoot up by 200% when you drop the cookie idea and focus on content relevancy.

Hope Ed Vaizey is reading this thread

I am enthralled and concerned at the degree of variation we see here in this thread concerning the application of the law and how it will impact EU business.

I still see lots of reference to 'cookies', which as one respondent points out is not the point. The law says 'information' stored or accessed, and this clearly picks up all GET:RESPONSE traffic.

The trick will be to work out what constitutes 'strictly necessary' for a service REQUESTED by the user or subscriber.

How many of you use the document.referrer property to identify key words used for search? Strictly necessary? I think not!

Compliance with the legal requirements may still prove unattainable, and I anticipate some carefully worded climb-downs from EU Regulators and Governments.


We have already released a jQuery plugin to resolve this issue for Google Analytics

We have put together a small site for people to be able to see how long they have left before the new law will start to be enforced.

We are also working on a new plugin which will handle cookies of any kind


Marvelous isn't it. More laws to control us!

Most large organisations will be able to live with this and still make millions. More for them, less for us small businesses that struggle to buy the bloody loo rolls every week!

It's like Tesco's screwing the corner shop, but the meddling pen pushers in government who constantly look to warrant their own existence.

To hell with them. Laws only work if enough people follow them.

STOP being wusses and stand up for yourselves!

There, that's my frustration vented, just off to delete all my business and personal web-sites.  Anyone know where I can buy some good rope.


PS. sorry, I know my post isn't very helpful - but who cares any more. BTW - did you cookie me?



Country Acceptance of the Directive

I have tried to put together an up-to-date listing of the acceptance status for all EU countries here

Please let me know your comments and also if you have amendments / additions. Thanks!

New consent tool goes live

The Cookie Crunch website has published a beta of its own cookie consent tool now.

Let us know what you think:

Two things to think about

First, if an organization is reliant on the information content in cookies to effectively run their business they should not do business with parties that do not allow cookies.  In simple terms no cookies no access to the site.

Second, are you paying me for the information?  If not why are you annoyed that I'm not providing it.  Pay me and I'll turn on the cookies.

User Trust Build

I think this drop in the use of cookies is temporary, or could be. Most internet users have no idea how cookies operate, and a lot of them have a 'tracking cookie, delete' state of mind, and have no idea that not all of them track.

If they took a little time and money to inform the masses of what a cookie is, then maybe they will be able to see use in them again.

Looking further at Vicky's data...

I played further with Vicky's data:

You can start to see how the age old 'number of visits by visitor' metric has become distorted after the opt-in was added. You can only imagine how this would begin to affect conversion rates and other key performance indicators.


what a ridiculously misleading title....

I'm predicting a 90% drop of visitors after the second paragraph

Interpretation of these tracked visits seems misleading as it does not equate to a drop in traffic. If anything the ICO should have seen an increase in traffic with the industry, lobbyists, media, ... watching how they were going to implement the rules. So what does the report say? Say the ICO receives 12,000 visits on average. Of these, about 8% now have user consent. The remainder - will remain untracked, unless the visitors opt in. These will/have continued to visit the site but are now unreported (based on this MI). In other words, if we asked users if they wanted to consent to being tracked, less than 10% may say "yes, no problem"; the rest "no" or "don't care, I'll just carry on using your site"....


Blog title - fair cop

I agree with a couple of the comments about the title being slightly misleading, I was trying to summarise the impact succinctly, always a tricky business. By Use, I meant use of cookie-enabled web services, which is a massive proportion of what we're using online.

I disagree about interpretation of the data, the potential restriction on cookies presents a significant engineering challenge for most websites, web services and plenty of mobile platforms. Where there's a will, there's usually a technical way, but I doubt it can be achieved in the 12 months the ICO have allowed for implementation.

Maybe it actually means an opportunity for the server log analytic market (Analog etc.).

This is a terrible article

This is a terrible article. It goes to prove that scaremongering spreads like wildfire. You won't lose visitors you just may not be able to track them!

And this is a terrible comment

Not being able to track your visitors is like never having them there. For a website that survives on ads, not being able to prove your traffic is certain death. And even for an online store, not knowing what pages your viewers visit, from where they are coming and so on, is not that good.


You can prove the traffic through the website logs. You can also see what pages your viewers visit from the website logs. You can also track journeys through the website logs by correlating the IP address, browser ident and visit time. For larger scale sites where this is not enough, you can use URL rewriting so that each visitor has their session encrypted in the URL rather than a cookie. Banks currently do this.

Is anyone clear on whether the cookie law applies to all cookies or just client side ones?
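
The log-based journey tracking described in the comment above (correlating IP address, browser ident and visit time), as an added example that is not part of the original thread. The sample log lines are constructed, and the `sessionize` name and the 30-minute idle timeout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the "combined" access log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2011:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
203.0.113.7 - - [10/Jun/2011:09:02:30 +0000] "GET /about HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
198.51.100.9 - - [10/Jun/2011:09:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/533"
203.0.113.7 - - [10/Jun/2011:09:04:10 +0000] "GET /contact HTTP/1.1" 200 1024 "http://example.test/about" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
203.0.113.7 - - [10/Jun/2011:11:30:00 +0000] "GET /news HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
IDLE_TIMEOUT = timedelta(minutes=30)  # assumed gap that ends a visit


def sessionize(log_text, timeout=IDLE_TIMEOUT):
    """Group hits into visits keyed on (IP, User-Agent), split on idle gaps."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, (m["ip"], m["ua"]), m["path"]))
    hits.sort(key=lambda h: h[0])  # logs are usually ordered, but do not rely on it

    open_visit = {}  # visitor key -> index of that visitor's current visit
    visits = []      # each visit: key, start time, last-hit time, ordered paths
    for ts, key, path in hits:
        idx = open_visit.get(key)
        if idx is None or ts - visits[idx]["last"] > timeout:
            visits.append({"key": key, "start": ts, "last": ts, "paths": []})
            idx = open_visit[key] = len(visits) - 1
        visits[idx]["last"] = ts
        visits[idx]["paths"].append(path)
    return visits


if __name__ == "__main__":
    for v in sessionize(SAMPLE_LOG):
        print(v["key"][0], v["start"].isoformat(), " -> ".join(v["paths"]))
```

The visitor key is only as good as its inputs: two people behind one NAT address with the same browser string merge into a single journey, and one person whose address changes mid-visit is split in two.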

Cookie Law

It applies to anything stored on the client's terminal equipment, so it includes URL rewriting too.

All cookies are client side.

Meant to say client side (stored on a hard drive, persistent cookie) or memory, session based?


Oh my! Privacy is not dead after all! People actually want it? What fools. Don't they know that Google does no evil?

Raw Data Available

In case any spreadsheet wizards are interested, Vicky's kindly made the raw data available. Let us know if you come up with any tasty tidbits from your analysis.

Google spreadsheet with the FOI data, available here.

Boo hoo....

I can hear the sound of the marketing types crying into their frothy hot beverages, and Bill Hicks whooping in the heaven.

One in the eye for those that want to barcode our neck and turn human beings into commodities/chattel. Well done on the EU for a bit of sense.


"One in the eye for those that want to barcode our neck"

Isn't the economy in enough trouble without the EU making thousands of people redundant by introducing one solitary law? You might want to think your comments through before getting all 'power to the people!'


The economy is in trouble mainly because various government bodies failed to carry out enough regulation in the past. This new law may be awkward, but it is also long overdue, and entirely due to current abuses.

3rd party only or all cookies?

A couple of questions.. does this only apply to 3rd party cookies or all site cookies? And is this currently mostly a non-U.S. legal issue or is the U.S. going to mandate a similar E.U. directive?

The law applies to all cookies unless they are 'strictly necessary' for the functioning of the site.

Strictly speaking any website with EU based visitors should comply with the law - inc. US companies, the reality is that they are outside the jurisdiction of any enforcement agencies.  However - there have been rumblings of similar legislation in the US.


@Craig Cockburn

In a store the idea is that you buy something, that is how the store earns money on you. On the internet the information you view/services you use are free. And since we all know that is not possible.... these companies earn their money with advertising. They need these cookies, not just to make the site more user friendly but also in advertising. Your comparison really does not make any sense.

makes sense to me

The overheads of building a website are significantly less than building and staffing a store.


Building a website may seem like not a lot of work, but it is still a business.  Creating and editing content, maintaining advertiser relationships and readership are no more and no less a responsibility than those of a print newspaper or magazine.  It may not be brick and mortar tangible, but it is work.  The physical challenges of print and distribution challenges are replaced with content differentiation, accessibility, reader acquisition and technology/user enhancements.


I have a nectar card, but I have the choice to use it and if I don't I am not banned from buying anything in the store. The new cookie law is consistent with this.


Does anyone have any knowledge about what the rest of EU has done regarding this?  If I am not mistaken this law change stemmed from an EU directive so how have the other nations responded?

Rest of the EU

Yes, this does come from an EU directive, and so far few other nations have published their new laws, but a few have.

The Netherlands have actually gone much stricter than the UK however - and want website owners to prove they have permission.

There is lots about this and what can be done here:

seems fair enough

Do I have to hand over a tracking code which tracks my every movement in a physical store, where I was previously, what products I look at, register with the store before I can buy anything (and hand over a bucket load of details including age, home address etc) and have every action tracked in every high street store of the same name for years afterwards? Of course not, the very idea would be ludicrous. So why is it acceptable online then?

The physical stores can see most of the things that are tracked just by looking to see which aisles are busy, which displays are attracting interest and so on. The tracking data isn't personalised, or linked to any of those scary details like delivery address (which you'll also need to give in-store, if you want something delivered to your home...). Unless you insist that nobody looks at you while you're in a shop, of course, or that the staff shouldn't be allowed to go into any area past the checkouts.

... And you can clear your cookies

Also, if the history is kept in a cookie on your own machine, you can clear it, and so the past records will go away. Ironically, if it's not in a cookie, then some of it might be kept on remote servers and stored by IP address, which would give you much less control over it. Arguably that would also be covered under the law as a "similar technology", though. "Cookie" seems to have become a scare-word for all kinds of things that aren't really related to this, or addressed by the legislation.

Many of us do...

not that ludicrous - do you have a Nectar card?

already happening?

Isn't this already happening offline (admittedly, not to quite the same degree, yet) with loyalty cards and latterly RFID and NFC tracking?

I'm not necessarily arguing for or against the law, just not sure we're afforded much more privacy offline.

Not the same

In most stores I shop at, the loyalty card is not scanned/swiped until checkout. Not when I enter the store, not when I place items in my cart. The store has no idea when I entered, how long I spent there, or what items I picked up and placed back on the shelf. In fact, at one store, the POS places a code next to each item that has a loyalty discount, so I watch the screen and will only use the card if I see the code appear.

Imagine, though, a world where the advertising supported model fails, and only companies with a compelling product or service succeed...

oh yes they do....

Supermarkets have made a big play to move towards self scan over the past few years (don't know, don't care). With this little electronic marvel that saves you time at the till you scan your loyalty card when you enter the store. Your transactions are recorded as you buy them. Your purchases are registered at the till at the end. So we have an entry time, a user path through the store, an indication of related items, cost per visit and finally the exit time from the store. 
