Frequently Asked Questions
In this section of the site we aim to answer the most important questions that people ask about the cookie law.
If you have a question that is not on this list then please contact us and we can add it to this page.
What's the cookie law all about?
Is the cookie law dead?
What businesses have to comply?
What businesses don't have to comply?
What is wrong with the cookie law?
When did the cookie law start?
What's the definition of 'cookie consent'?
Who enforces cookie compliance?
Why comply with the EU Cookie Law?
What is a cookie?
What is Do Not Track?
Who are the ICO?
We're outside of the EU, are we affected?
Can we just host our website outside of the EU?
What does "strictly necessary" mean?
What about states in the EU other than the UK?
What if I just ignore it?
What's the cookie law all about?
The intent behind the law is to increase the options available for consumers to protect their data privacy. Cookies enable websites to gather data about visitors and users. A lot of this data is gathered without any user awareness, and more and more companies are learning to exploit the value of that data.
The law hopes to enable consumers to strike a new bargain with these businesses - it requires businesses to inform consumers of what is being gathered, and enables them to choose to participate in this or not.
Is the cookie law dead?
In a word - no. Some people have tried to declare it dead, at least in the UK, but this is misinformation. The cookie law exists and needs to be complied with.
What businesses have to comply?
The laws apply across the EU, although they are implemented differently in each country. All businesses in the EU therefore need to comply with the regulations, and are bound by those of their own country.
So all UK businesses have to ensure they at least meet the requirements of the UK legislation.
However, in theory at least, any business anywhere that has a website serving customers within any EU country is required to comply with the legislation with respect to those EU visitors and that country.
So a US website with UK visitors ought to be asking for consent from those UK visitors according to the UK legislation.
Similarly, a UK business that has a website aimed at a French audience is required to make that site compliant with the French cookie law.
What businesses don't have to comply?
Any business whose website is exclusively targeted at non-EU audiences will not have to comply.
What is wrong with the cookie law?
Many people have complained that cookie notices on websites are impacting the user experience without increasing privacy.
However, this is not so much a problem with the law itself but the way it has been implemented.
Using a tool like Optanon, it is possible to become compliant, and offer visitors real choice, without an overly intrusive user experience.
When did the cookie law start?
The cookie law actually came into effect in the UK on 26 May 2011. However, a one-year grace period granted by the ICO meant that most websites didn't make any changes until May 2012.
In other EU countries the process has been slower still. Many websites across the EU are still not compliant with the law.
What's the definition of 'cookie consent'?
Consent is defined in the cookie law as "any freely given specific and informed indication of his wishes".
The 'informed' part means that websites need to tell people what cookies they use, and what their purpose is.
However, there is no prescribed method by which consent can be given by the user to the website, or indeed for when that consent must be given.
Tools like Optanon provide a mechanism for obtaining and recording that consent.
Who enforces cookie compliance?
In the UK the Information Commissioner's Office (ICO) is responsible for enforcement of the cookie law.
Every other EU member state is supposed to have a designated authority for enforcement of the cookie law. In most cases it is the local Data Protection Authority, but in some it is the telecoms regulator or a business regulation organisation.
Why comply with the EU Cookie Law?
Put simply, it's the law. Any website that is not compliant is open to enforcement action from the regulators.
In the UK, for example, the ICO has powers to force websites to change, or it can impose a fine of up to £500,000 in the most serious cases. However, there is no indication that this is going to happen any time soon.
Compliance is also increasingly a matter of meeting visitor expectations for respect for privacy preferences. In fact, it is likely that this will quickly become a key business driver for site owners, as they will otherwise risk losing visitors.
What is a cookie?
A cookie is a file placed on your computer by a website you visit, which the website then also retrieves when you return to it using the same browser.
It can contain any text-based information, but it cannot be used to spread viruses or other malicious software. It can, however, be used for a wide variety of purposes.
To find out all about cookies, have a look at Cookiepedia, a leading resource on the subject.
What is Do Not Track?
Do Not Track is a setting found in most web browsers that enables users to automatically ask websites not to track them, which in theory gives users greater control over their web privacy. However, few websites currently honour that request.
Who are the ICO?
The ICO is the Information Commissioner's Office, a body funded by the UK government but operationally independent from it - a type of institution also known as a 'quango' (quasi-autonomous non-government agency).
They describe their mission as:
"to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken."
The ICO is responsible for enforcing the cookie law in the UK. They investigate complaints and take action against offending organisations. They have the power to impose fines of up to £500,000 for breaches of the law.
How does the law relate to server-side cookies?
All types of cookies, however they are generated, are subject to the law.
We're outside of the EU, are we affected?
The law is designed to protect the privacy of individuals within the EU. In theory, this means that any website that serves EU citizens has to comply with respect to those citizens, regardless of who owns the website.
In practice, as enforcement is on a country-by-country basis, it is going to be very hard to pursue a case against any company that has no legal presence in the EU.
This is one reason that a lot of commentators have suggested the law hands advantages to non-EU businesses. A website owned by a US company can avoid the law and still serve content to the EU, gathering better information about its visitors whilst sparing them compliance notices.
Can we just host our website outside of the EU?
Where your website is hosted doesn't make any difference. Enforcement agencies will pursue the owners of websites, so the location of the legal entity that is the registered owner is what is important.
What does "strictly necessary" mean?
This has not been clearly defined in the legislation; however, most guidance suggests that it should be interpreted in a very narrow sense.
The example most often given is that cookies used to enable someone to buy something from an online store are 'strictly necessary' and therefore don't require consent - it is implied by the request from the user to process their order.
However cookies that help to give a personalised experience, or enable you to gather visitor data about site visits, are not 'strictly necessary', even if they are very useful.
A very useful source of guidance on this topic is an opinion produced by the Article 29 Working Party - a leading EU body.
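As an added illustration of the distinction above, and of honouring the Do Not Track setting described earlier, here is a small server-side filter that decides which cookies a response may set; it is not code from Optanon, the ICO or this site, and the cookie names, the category map and the 'consent' cookie format are assumptions made for the example.

```python
# Added example, not Optanon's or the ICO's code; names, categories and the
# 'consent' cookie format are constructed for this illustration.

# 'strictly_necessary' needs no consent; every other category does.
COOKIE_CATEGORIES = {
    "sessionid": "strictly_necessary",  # keeps an order/basket together
    "csrftoken": "strictly_necessary",  # protects the checkout form
    "prefs": "personalisation",         # remembers layout choices
    "_analytics": "analytics",          # visit statistics
}

def parse_consent(cookie_header):
    """Categories the visitor opted into, read from a cookie shaped like
    consent=personalisation,analytics (assumed format; the law prescribes
    none). No consent cookie means no consent."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "consent":
            return {c.strip() for c in value.split(",") if c.strip()}
    return set()

def allowed_cookies(headers, wanted):
    """Filter the cookie names the application wants to set down to those
    this request may receive: strictly necessary always passes, other
    categories need matching consent, 'DNT: 1' drops analytics even when
    consent exists (honouring Do Not Track), unknown names fail closed."""
    consent = parse_consent(headers.get("Cookie"))
    dnt = headers.get("DNT", "").strip() == "1"
    allowed = []
    for name in wanted:
        category = COOKIE_CATEGORIES.get(name, "unknown")
        if category == "strictly_necessary":
            allowed.append(name)
        elif category == "analytics" and dnt:
            continue
        elif category in consent:
            allowed.append(name)
    return allowed

def set_cookie_headers(headers, values):
    """Set-Cookie header values for the permitted cookies only;
    `values` maps cookie name to value."""
    return [f"{n}={values[n]}; Secure; HttpOnly; SameSite=Lax; Path=/"
            for n in allowed_cookies(headers, list(values))]
```

The same check applies whether a cookie is set by server-side code or by script, since the decision is made before any Set-Cookie header is emitted.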
What about states in the EU other than the UK?
Each state within the EU has to bring its laws in line with the EU Directive; how they choose to do this, however, is their responsibility.
When the deadline for doing so passed in May 2011, only 4 of the 27 states had actually passed their laws, the UK being one of them.
The UK government has been at pains to point out that it does not wholly agree with the EU directive, but has passed the law and set up an enforcement regime anyway.
The EU itself has said it is not going to accept countries simply ignoring the rules. Some countries were threatened with fines when they didn't change their laws fast enough.
In the UK, the ICO has been trying to take a measured approach to enforcement, but it does have a mechanism for registering complaints and investigating them.
What if I just ignore it?
If you don't make your website cookie law compliant, chances are you will 'get away with it' for a little while at least. However, that can be a risky game to play, especially as more websites fall into line.
Your biggest risk may come from visitors, rather than the regulator. As they get used to seeing compliance notices, they will come to expect them, and over time may begin to think that websites that don't comply have got something to hide.
The safest approach is to take action now to become compliant - which needn't be as difficult as many people think.