New EU Cookie Compliance Rules

After 26 May 2012, websites based in the UK will be required to inform their users about how their site uses cookies and obtain consent for doing so. This enforcement comes at the end of a 12 month introduction period since the creation of the Privacy and Electronic Communications Regulations on 26 May 2011.

This ICT Knowledgebase article provides a good overview of the current situation and steps needed for compliance. This can be summarised as:

  • audit the use of cookies on your site
  • assess their intrusiveness
  • determine how to obtain user consent for intrusive cookies.

For determining your cookies' intrusiveness we propose a three-tier hierarchy of moderately intrusive, mildly intrusive and exempt. Examples of each could include:

Moderately intrusive

Embedded third-party content such as YouTube/Vimeo videos; social media plug-ins such as Facebook ‘Like’ buttons; campaign management including A/B split-testing of content. See note below about analytics.

Mildly intrusive

Personalisation of content/interface such as ‘remember my country’ preferences and the results of Javascript detection.

Exempt

Cookies used to prevent multiple form submissions (including Drupal’s webform); session management cookies required to fulfil primary functionality such as shopping carts and donation forms.

What steps do you need to take?

From a user experience perspective (i.e. least disruptive) the preferred method of compliance would be simply ‘implied consent’. This may be acceptable for specific actions such as ‘remember my preference’ checkboxes but not in the general case because, as the ICO's guidelines state, “evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent”.

As a minimum, we recommend ensuring your site’s privacy policy clearly identifies the information stored about visitors and how this is used. A good example of this is the ICO’s privacy page that includes further links such as how to opt out of Google Analytics tracking.

To make this even more visible, a separate ‘cookie information’ page could be created specifically for this information. This could then be linked to as necessary from:

  • the footer (tertiary navigation)
  • your privacy policy
  • areas of your site where cookies are used
  • a news article/press release acknowledging the legislation with perhaps some background information on what cookies are.

In addition to a cookie information page, you should seek to inform the user at specific points when a cookie identified as ‘intrusive’ is being set. In many cases this could be achieved through suitable labels/copy stating that a cookie will be set when the action is performed (and linking to your cookie information page as noted above for more information).

For any cookies you categorise as ‘moderately intrusive’ we recommend you review the associated functionality to see if it’s really necessary. (Such consideration is intended to be the principal target of the legislation.) If you do consider these cookies necessary you should ask users for opt-in consent before setting any associated cookies. We can discuss how this might be achieved on your particular website.

A note on analytics

All good websites track their users' behaviour and usage using some form of analytics that requires cookies. Though not actually necessary for the website to work, the worth of gathered analytics data would be compromised if the sample size was reduced by requiring user consent. Thankfully the ICO have stated that enforcement of analytics-based cookies is not a priority. We still recommend full transparency however, by explaining the use of analytics cookies in your privacy policy and/or cookie information page.

Should you require any assistance in implementing any changes please don’t hesitate to get in contact.

Topics: Compliance, Cookies

© Copyright 2018 Eyes-Down Limited