The Cookie Law: Online Privacy and Your Legal Requirements

cookies by daniel.he

If you operate a business that uses cookies - for example, to track and target online behaviour - and you’re located within the EU, now is the time to get educated on the ePrivacy Directive. It’s a law, and compliance with it will start being enforced soon. In the event this is all news to you, let me explain.

The ePrivacy Directive stipulates that businesses must gain consumer consent before collecting or using their data. It applies broadly to cookies used for third party behavioural advertising and virtually any other ad-related purpose including analytics, optimisation and attribution. The scope is wide enough to implicate every site and every ad delivered in the EU.

While that sounds straightforward, the ambiguous part is how different countries interpret the term ‘consent’. It is either ‘implied’ - satisfied by acceptance implied from a user’s actions or technology (like a default browser setting) – or it is ‘explicit’, which would force the user into proactively confirming their consent, like selecting an ‘OK to track me’ feature in a browser. Currently, more EU countries are going down the ‘implied consent’ route in their versions of the law.

While there is lack of clarity on a minimum standard for cookie use in the EU, there are important steps you can take today to be ready when enforcement measures are introduced in May 2012. The general consensus is that while we have some freedom to innovate, we need to move things forward ourselves as an industry, before the regulators define it for us. Nobody, least of all consumers, will benefit from interfaces designed by regulators.

So don’t make the mistake of thinking this loose language or long lead time means you have cause to ponder and see how things progress. The law enforcers are already watching us and will mark the cards of those who do nothing.

The message is for businesses to start communicating data transparency with their consumers ASAP and to own that messaging - before it is dictated to us, and our online activities and marketing advancements are curtailed.

Photo (cc) daniel.he.



Opt-in is the legal option.

In fact, most of the European member states  so far require specific opt-in, including the UK, France and Holland. The signs are also that Germany will require it. The EU directive is very clear about the need for prior informed consent.

There are only two categories of cookie data that matter, those that identify you and those that do not. If a cookie has a value that is unique to you, or your browser, and it remains the same over mulltiple requests then it can be used to identify you.

CookieQ ( is the first complete opt-in solution to the cookie consent issue. It lets website publishers paste in button and give their visitors the option of opting in to all cookies, just non-trackers, or remain opted-out. Our technology takes care of removing the cookies and independently remembering the visitor's choice between visits.

The CookieQ approach also lets website publishers retain 100% of their Google Analytics anonymous statistics without requiring their visitors to opt-in to cookies.

Consent Request

Most of the big economies are gong down a route that says, visitors need to make a positive action to indicate their consent, without which cookies should not be set.

This is not that difficult to do, although it takes some work to understand what cookies your site is using.

The Cookie Collective is one organisation leading the way with simple cookie law solutions: