A Guide to the New Laws Regarding Cookies

When an individual accesses a website, the website may set small files called cookies onto that individual’s computer or phone. Cookies enable the website to send and receive information to and from the individual’s web browser. Cookies have a large number of functions and uses, such as enabling a website to record the contents of a shopping basket or a website user’s preferences for any customisable aspects of the website. Cookies also play an important role in website analytics, advertising and in calculating the commissions payable for advertisements published on websites.

Cookies are overwhelmingly used for legitimate purposes and make surfing the internet an easier and more enjoyable process. However, some cookies can also be used to track, albeit anonymously, an internet user’s browsing activity and may therefore be considered to intrude on a website user’s privacy. It is this capability that has prompted new EU-based regulation (the Regulations)1.

How has the law changed?

Previously, a website user’s acceptance of cookies could be inferred from the website user’s internet browser settings; if a website user did not want to accept cookies, he or she would have configured their internet browser to reject all cookies. Under the Regulations, the operators of websites setting cookies must now obtain website users’ “freely given specific and informed consent”. This means that website users must now take positive action to communicate acceptance of cookies.

The Regulations came into law on 25 May 2011. However, the Information Commissioner’s Office (ICO), the public body responsible for enforcing the Regulations, has stated that the Regulations will not be enforced for the first year. The ICO expect organisations which set cookies to use this time to take steps towards compliance with the Regulations. It was not until mid-December 2011 that the ICO published meaningful guidance on how the Regulations will be interpreted or any practical advice on how to comply.


Consent may no longer be implied and should be given before any cookies are set. Consent to cookies need only be given once and may be given in respect of multiple cookies. Although a number of individuals may use the same device to access the internet, it is only necessary to obtain the consent of one of those users. A user can also consent to cookies being set by more than one website.

Third Party Cookies

If a cookie is being set by a website on behalf of a third party, both the website operator and the third party are responsible for ensuring that consent is obtained. Consent may be obtained by either the operator of the website or the third party, although in almost all cases it will be far easier for the website operator to obtain consent.


It is not necessary to obtain consent for cookies which are strictly necessary for the provision of services requested by the website user. Therefore, consent is not required for cookies to record the contents of a shopping basket, whereas consent is required for cookies to customise a website.

Practical Steps

Cookie Audit

A good starting point is to consider what type of cookies your organisation’s website is setting and how those cookies are used. Your organisation’s website may be setting cookies which are no longer necessary and now is a good time to streamline its use of cookies. Consider in particular which cookies may fall within the exemption and do not require consent.

Informing Website Users

Consent must be informed, so users of your organisation’s website should be provided with useful and intelligible information about what cookies are, what they may be used for and any likely consequences. Your organisation should already have a privacy policy in place in order to assist its compliance with existing data protection and website regulations, and this policy could be updated to cover cookies in more detail. The information provided should be easy to find, so consider the size, format and position of any hyperlink to this information.

Obtaining Consent

Website operators must decide for themselves what is an appropriate method of obtaining consent, which will depend on how cookies are used.

Pop-ups requesting users to confirm whether or not they accept cookies are the most effective way of obtaining consent, but may spoil the experience of using the website. Alternatively, your organisation’s website may be able to use a banner to request consent. This banner need not prevent a website user from accessing other areas of the website if he or she fails to provide a response. This banner should be repeated on other pages of the website, but perhaps in a smaller format, until the website user has indicated whether or not he or she is willing to accept cookies. If your organisation’s website already requires users to sign in and agree to terms and conditions of use, these terms and conditions could be amended to cover consent.

Third Party Consent

If websites set cookies on behalf of your organisation, your organisation should enter an agreement (or amend any existing agreement) which compels the operators of those websites to obtain the appropriate consents. If your organisation’s website sets cookies on behalf of a third party, that third party should be identified to users of your organisation’s website.


Cookies are very extensively used for a variety of purposes. However, what cookies are and what they do is not widely known by the general public. Some argue that what people do not know does not hurt them, and indeed there has been no significant public opposition to cookies as they are currently used. On the other hand, it is argued that a general lack of awareness is all the more reason to draw cookies to the public’s attention.

It is fair to say that, by requiring consent to cookies to be explicit rather than implicit, the Regulations will significantly limit the use of cookies. Some consider this to represent a victory over increasingly intrusive corporate advertising practices. Whether or not cookies should be subject to more stringent regulation, it is clear that cookies are necessary for the internet to operate as it currently does. Cookies enable advertising-funded websites to exist. Without cookies, it is possible that websites such as Hotmail, Facebook, YouTube and Google (and millions of others) would seek to replace lost advertising revenues, possibly by introducing user subscription fees. Some website operators may refuse to permit access to their websites unless cookies are accepted; they see little purpose in attracting web traffic that does not have the potential to generate revenue from advertising referral sales commissions. In any event, the Regulations will soon be enforced and will almost certainly require your organisation to take action.

A final thought: If a website user does not accept cookies, how will the websites he or she visits remember that preference without a cookie?


1 The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force in the UK in December 2003, implementing European Directive 2002/58/EC. The Privacy and Electronic Communications (EC Directive) Regulations 2003 have now been amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2003, implementing European Directive 2009/136/EC.

Marriott Harrison LLP, MH Media & Technology