Long story short

The legislation forces websites to request permission from their visitors before cookies can be used. In the past, website visitors had to ‘opt out’ of cookies; now users have to ‘opt in’.


Almost every website uses cookies in some shape or form. Your website will be affected if you use any of the following services:


  • Google Analytics or similar analytics, tracking or website optimisation tools
  • Any form of "remember my settings" style functionality on your website
  • A content management system (CMS)
  • Third-party plugins - such as Facebook Like buttons or Twitter feeds
  • YouTube Videos (even with privacy-enhanced mode)


What are ‘cookies’?

Cookies are text files that websites place on visitors' computers to store a range of information, usually specific to that visitor. This may be information such as personalisation options (such as language or font size preference settings), search, browsing or purchase history and log-in information.


If you’re using website analytics software like Google Analytics, advertising networks, or eCommerce software, then the majority of these will be using cookies to store user information. Cookies are used by almost all websites (92% of UK websites currently use cookies in some capacity) for a variety of purposes, including to:


  • Monitor how you use a website (known as 'analytics')
  • Personalise pages and remember visitor preferences (language/font size)
  • Remember what you’ve added to your shopping basket in online stores
  • Remember who is logged into the website
  • Track people across websites and deliver targeted advertising


Cookies are not viruses. Cookies are created when a user's web browser loads a particular website. Cookies are used for enhancing and enabling web usability or website processes. Disabling cookies may prevent users from using certain websites or website functionality.


Types of cookies


There are a number of cookies such as:


1. First Party Cookies

If the host name that sets or retrieves the cookie is the same as the domain in the browser address bar, then it is a First Party Cookie.


2. Third Party Cookies

These are cookies created by third party services, such as Google AdSense, AdWords and Analytics. While you may not be responsible for creating these cookies, they are delivered via your website. Third party cookies are set by a domain other than the one being visited by the user.


3. Session Cookies

These are stored on the user’s computer until the user leaves the website, at which point they are deleted. Example: If you have to log in to a website every time you open your browser and visit it, then it is using a Session Cookie to store your login credentials. Session cookies are considered less privacy intrusive than persistent cookies.


4. Stored or Persistent Cookies

A cookie is downloaded onto the hard drive and used to identify a visitor whenever they return. All persistent cookies have an expiry date (usually with a set lifetime of 30, 60 or 90 days). When that expiry date is reached, the cookie is destroyed.


5. Secure Cookies

Secure cookies are only transmitted via HTTPS - which you will typically find in the checkout pages of eCommerce sites. This ensures that any data in the cookie will be encrypted as it passes between the website and the browser.


Are all cookies affected?


All cookies that are not “strictly necessary for a service requested by a user” are affected. Here are some examples: when a website visitor adds an item to their online shopping cart on your eCommerce website, the cookie would be considered "necessary", because a cookie is technically required to remember that user and retain their shopping basket contents.


A cookie which is set to welcome a visitor back to your website, or to record which pages they view, would not be "strictly necessary". Session cookies to ensure the website works (such as log-in cookies) may not need compliance.


How does this affect the use of web analytics?


For most website owners, the biggest impact is going to be on websites using analytics packages such as Google Analytics. Google Analytics is used on around 60% of the top 10,000 websites on the internet. Google Analytics currently sets 4 automatic cookies (1st party cookies) to anonymously report on site visits.


Unfortunately, at the time of writing this, there is no official word from Google regarding the compatibility of Google Analytics cookies with the new regulations. So, keep an eye on the Google Analytics blog and group.


The UK Cookie Legislation was enforced on 26th May 2012. This European directive is being driven in the UK by The Information Commissioner’s Office (ICO). The EU Directive requires that a website shall not install or use cookies on a user's machine unless that user has given his or her consent.


Relates to: cookie law, online privacy, EU internet legislation


Does the Cookie Law affect me?

If you’re based in the EU, this law affects you. Websites outside the EU are required to comply with the law if they are targeting EU Member States (Example: Your website sells to the UK market or your website has a language version aimed at users in the EU). The law affects any website which uses ‘non essential’ cookies, such as visitor tracking code or advertising.


All websites across the EU are required to ask your permission to place cookies on your machine (opt in). Even if you have a simple brochure-style website but you use Google Analytics, this law affects you.


Cookies which are deemed not “strictly necessary for a service requested by a user” (visitor tracking codes, advertising and most Google Analytics tools) are illegal under the EU Cookie Law. Cookies that are “strictly necessary” (cookies used to remember which items you have placed in your online eCommerce shopping cart, or whether you’re logged in to a website or not) are allowed.


You, the website owner, will need to comply with the law. You must now get explicit consent from the user before you may use cookies – simply having a privacy policy is no longer good enough.

What do you need to do to comply with the Cookie Law?

To comply with the new legislation, it is necessary to make changes to your website to make information about the use of cookies on your website transparent and to allow visitors to your website to give consent to the use of cookies (opt-in).


The ICO has laid out clear steps it expects you to go through:

  • Conduct an audit to check what cookies your website uses
  • Find out what these cookies are used for and what data they hold
  • Establish whether the cookies can be linked with personal data
  • Find out whether they apply to the session or if they’re persistent
  • Implement technical changes to get user consent to use cookies
  • State in your privacy policy information on each cookie being used
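
One way to approach the audit steps above, using the cookie types described earlier (an added example, not part of the original article): it classifies each observed Set-Cookie header as first or third party, session or persistent, and Secure or not. The host names, cookie values, the fixed audit time and the function names are constructed for illustration.

```javascript
// Added example for a cookie audit; SITE_HOST, NOW and OBSERVED are constructed sample values.
const SITE_HOST = "www.shop.example";            // domain shown in the address bar
const NOW = Date.parse("2024-12-02T00:00:00Z");  // fixed audit time so results are repeatable

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf("=");
    if (i === -1) attrs[item.toLowerCase()] = true;            // flag such as Secure
    else attrs[item.slice(0, i).toLowerCase()] = item.slice(i + 1);
  }
  return { name: pair.split("=")[0], attrs };
}

// Classify a cookie seen in a response from responseHost while the visitor is on siteHost.
function classify(header, responseHost, siteHost = SITE_HOST, now = NOW) {
  const { name, attrs } = parseSetCookie(header);
  // Simplification: browsers compare registrable domains using the Public Suffix List.
  const host = String(attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  const firstParty = siteHost === host || siteHost.endsWith("." + host);
  // Max-Age takes precedence over Expires; neither attribute means a session cookie.
  let expiresAt = null;
  if (attrs["max-age"] !== undefined) expiresAt = now + Number(attrs["max-age"]) * 1000;
  else if (attrs.expires !== undefined) expiresAt = Date.parse(attrs.expires);
  return {
    name,
    party: firstParty ? "first" : "third",
    lifetime: expiresAt === null ? "session" : "persistent",
    days: expiresAt === null ? null : Math.round((expiresAt - now) / 86400000),
    secure: attrs.secure === true,
  };
}

// Constructed observations: [response host, Set-Cookie value].
const OBSERVED = [
  ["www.shop.example", "basket=abc123; Path=/; Secure; HttpOnly"],
  ["www.shop.example", "_visitor=xyz; Domain=.shop.example; Max-Age=7776000; Path=/"],
  ["ads.tracker.example", "uid=42; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure"],
];

function audit(observed = OBSERVED) {
  return observed.map(([host, header]) => classify(header, host));
}

console.table(audit());
```

Persistent and third party rows in the output are the ones to document first and to place behind the consent step.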


You’ll need to make clear to your website visitors what cookies are being used and what their purpose is, and ask for consent. The Information Commissioner’s Office (ICO) suggests using pop-ups, message bars or header bars to ask a user for permission.


It is recommended to have a Privacy and Cookie policy as part of the site which reinforces what cookies are used, their purpose and how to opt out.


The updated guidance provides additional information around the issue of implied consent. Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.


We would also recommend keeping up to date with the ICO and any announcements it makes which may offer more official guidance on the subject.

How may compliance affect my website?

Unfortunately, it is very likely that the user experience will suffer for those who say no to cookies...


  • You may see increased bounce rates from adding warning messages;
  • You may lose valuable web analytics data;
  • Website personalisation will be affected;
  • Other marketing areas such as email marketing and use of advertising networks will be altered.


Pop-ups and getting users to accept your terms and conditions are a major distraction from the website’s content. Pop-ups do not lead to a great user experience and may in fact deter some website visitors from using your website.


Our thoughts on this matter...

Whilst, like any technology, cookies can be used for good as well as bad, the directive could make the web less accessible for all, unless the ICO introduces more flexibility. In our opinion, this is a perfect example of a government trying to control the web.


Cookies are everywhere and can't really be avoided if you wish to enjoy the biggest and best websites out there. We can only hope that the Cookie Law will crumble eventually...


About the author:

Elke Bretz is the founder and creative director at Creative Gloo. She strongly believes in simplifying complex matters and is passionate about creative design, website usability, user experience and user interface design. In her spare time, Elke loves all things creative, photography and interior design. She's a self-confessed Mac head and a Starbucks addict.