Cookies: Do New Privacy Laws Take The Biscuit? The Lawyer's View

Pac Man Cookies

Last week, the Information Commissioner's Office (ICO) published guidance on changes to the laws on using cookies that will affect tens of thousands of business owners.

The new law applies to all EU websites and requires website owners to get a user's consent before cookies are saved onto a device. First,  bit of background...

What are cookies?

Cookies are small files of letters that hold data. They're stored on a user's computer and allow websites to 'remember' information about a user.

What's changed with the new rules?

Previously, website owners were required to provide users with information about how the cookies were used and explain how to 'opt-out' if they objected.

With the new rules, cookies can only be stored on devices where the user has given their consent.

There's one exception to the rule - where the cookie is 'strictly necessary' for a task the user has requested. The ICO suggests this may occur in online shops, where a cookie may be required to enable a site to 'remember' what was chosen on a previous page (i.e. between browsing and 'add to basket').

The Lawyer's View

Danvers Baillieu
Bootlaw Logo

We still had some questions and turned to the fantastically helpful Danvers Baillieu from Bootlaw for the answers:

What's changed with the new cookie law?

Under the old law you had to tell users if cookies were being used on your site, give them the chance to refuse cookies (e.g. explain how to block them). Certain cookies (e.g. for shopping baskets) were exempt, but crucially, you did not need prior consent.

Now, website operators must obtain “informed consent” to the use of cookies and this consent should be obtained (although there are conflicting views about this) BEFORE the cookie is placed on the users’ machine.

The law provides that browser settings can be used to indicate consent, but unhelpfully, the view of the ICO is that current browser settings are inadequate for the task. The hope is that browser software will provide the solution, but this relies on 100% uptake of any new releases.

How will this affect digital businesses using cookies?

Every single website using cookies needs to review its own position on how it obtains consent. Currently the guidelines are unhelpful and confusing so it is effectively up to each website to decide how it will obtain consent.

Is there anything that needs to be done now?

There is a 12 month delay in any enforcement action, but the ICO wants website owners to start reviewing their use of cookies in preparation for enforcement next year. What this amounts to, nobody is quite sure, but it would be a good idea to find out what cookies are currently used on your site.

...Or in a year when they start enforcing the rules?

Or you could keep your fingers crossed and hope browser settings provide the answer before then.

Is the law actually practical, or is it technologically unfeasible?

Even by European standards this is a completely daft law. I am yet to meet anyone who is in favour of it. The law was brought in to address concerns about behavioural advertising but manages to go completely overboard. I am optimistic that technology will provide the answer.

What 'gotchas' should companies look out for?

3rd party cookies placed by advertisers which collect user information are going to be the trickiest thing to deal with as it will be harder to inform users precisely what they are doing, and if you cannot do that, it will be hard to get consent.

Does this signal greater scrutiny on privacy and what does this mean for the future?

There are certainly more things in the privacy pipeline, such as the proposed “right to be forgotten” which could be very hard for many websites to deal with. However, there seems to be a major disconnect between the policy makers who are clamping down on privacy on the one hand and consumers, who are flocking to use many of these services, on the other.

Any further thoughts? 

It is not too late to change how the law works or is implemented by the ICO. It has not been given any prominence whatsoever on the political agenda so it is up to all businesses to complain to their MPs and MEPs about this. It would also help if industry bodies started to form some coherent views on this as it would be much harder for the ICO to take action if businesses are united. That said, it appears that the ICO is the only government site which has thought fit to make any changes so far.

Photo (cc) Dave Carter.


It is great that steps are

It is great that steps are taken to protect users as the Internet is a vast place where some companies use misinformation to hoodwink users and obtain information that they shouldn’t have access to legally and make use of it to profit.

User makes a decision...

So.... Consider the following situation...

A large site sits behind a proxy cache box, in order for content to be pushed to users via cached view or CDN'd content. The site requires this level of protection so as not to overrun the processor with multiple requests for content that could be better served from cache.

In this instance it'd be difficult to provide any kind of user preferencing via their session, since requests aren't necessarily going to served up from a dynamic script, so instead a cookie may be used client side, in order forsite to give the user a dialogue explaining that they need to "accept" cookies on the site...If this is the case, and the user says "NO" or simply doesn't agree to the choice, then where would that choice be stored so that it can follow them around the site or show their preference next time they return...?

the ICO implementation ( seems far too obtrusive to work well for every site, although I can see that they are using the absence of a stored preference as a setting essentially.


This legislation seems far too ambiguous, and far reaching to have been created by anyone who actually had any kind of real world knowledge about how this would work.