New privacy laws in effect.

As of the 26 May 2011, the new EU privacy laws are in effect  and all sites are required to consider how they comply with these news.

However the ICO has given a 1 year window for implementation and compliance to the new rules. Get it wrong and you could be fined up to £500,000!

The Information Commission Office has issued guidance around how these laws affect EU companies and what is and isn’t covered in the directive. While it’s aim is to provide a steer and not a strict set of rules, the practicalities of adhering to the laws are still very much unclear for most as is the eventual impact the changes will have.


In an effort to make some of this information a little more digestible, I’ve pulled together some of the basic points as well as some resources that might be useful. The impact of the new law will vary depending on the way your website uses cookies (and other storage technologies) so the impact will vary greatly.


ICO Guidance

The law relates to cookies and any other technologies which store information on a user’s device.

While there has always been a need to be explicit about how cookies work and alert users to the fact that these will be stored during their visit.


The specific shift is from the requirement for users to opt out to now having to opt in to allow cookies to be stored on their machine. A subtle but significant change.



Don’t get excited by the title, there is only one exception to the rule and that is those cookies which are “strictly necessary” to carry out a function the user has requested. The example given is around using cookies to remember items a user has selected to buy before they proceed to the checkout.


The ICO have been clear that this exception offers very little room for interpretation.



The government’s view is that the changes should be enforced in a phased approach given the lack of clarity and the significant work which may be required to bring some sites up to compliance level. While this means you won’t be hauled over the coals if you haven’t made the changes, you do need to be thinking about coming up with a plan of action.


If the ICO receive a complaint about your site and you can’t show you plan to rectify it, you could receive a fine so ignoring the problem isn’t an option.


What next

Assess your use of cookies and how you use them

Make a list of them with the most intrusive at the top and the least at the bottom

Start thinking about what solutions you could come up with that might address those at the top and work your way down.


The most intrusive cookies are the ones used to track and monitor user behavior and reveal personal information about the individual. These are the ones that need to be addressed as a matter of urgency.


How you decide to gain consent will depend very much on your unique situation and the judgment you make on what will suit your users. As time goes on, this will no doubt start inspiring many more help sites and ideas from other users.


Browser settings

Unfortunately opting in can’t currently be managed through browser settings as they aren’t able to request the level of detail needed.


Though according to the ICO the government is currently working with the major browser manufacturers to establish when browser level solutions might be available.



These could be considered as a solution. The upside is they are nice and obvious and allows you to be explicit about the use of cookies. The downside is the user may end up being bombarded by a series of pop-ups every time they move onto something new in your site. Not the most appealing idea I’ve ever heard.


Terms and conditions

Using your Ts & Cs to outline cookie usage may be a good option for any site where a user has to sign up for a service. However, this only works for new users and not for any current ones as the use of cookies counts as a significant change to the Ts & Cs and therefore would need direct promotion on all users.


Third party cookies

This is where it starts to get trickier. If your site contains content from a third party website such as embedded content, the collection of cookies from that content is still your responsibility. If it’s accessed from your site, it’s up to you to make sure the user is opting in.


There is more working being done around this area in particular and hopefully further guidance will be available soon.


Helpful stuff

Check out the full guidance on ICO site

For more information about cookies go to All About Cookies

The IAB are also reporting on this fairly regularly.


The ICO isn’t planning on issuing any further guidance around the topic though it has said it might publish some supplementary information. And if anyone has come across anything helpful, share it in the comments section below.