The Cookie Law

The Cookie Law


As of last month an important change to the Data Protection Act will come into force that affects the use of cookies used by web sites to track users.

As always with new laws and directives it is somewhat confusing and unclear as to exactly what is required. Even the Information Commissioner admits there are many aspects that are unclear in “The Directive on Privacy and Electronic Communications (2002/58/EC) DTI Consultation – The Information Commissioner’s Response” which can be found on the dataprotection website at

When asked “What information should operators provide about cookies and similar devices, and how should internet users be given the opportunity to refuse them?” the Information Commissioner responds “It is difficult to answer such a broad question in other than general terms. Any information provided should be as simple to understand as possible and give individuals a clear appreciation of the potential consequences to them. Exactly how, in practical terms, internet users should be given the opportunity to refuse cookies is less important than that the mechanism is simple and easily understood. It is not clear whether it would be practical to specify in regulations how users should be given this opportunity though we acknowledge that a standard approach would be helpful to users.” Even this statement is open to personal interpretation but what I feel he is saying here is that it is more important to tell users

1) that you are using cookies

2) what you are using them for and

3) what options they have if they don’t want to accept theses cookies.

1 and 2 are simple enough but 3 can become the problem here due to the number of web browsers that different users use to access your site and the different ways they can disable cookies makes it far from “simple and easily understood”. Just saying please go to your browser settings to turn off cookies may no longer be acceptable.

On the website regarding cookie law it states “The Directive also suggests that the methods for giving information and either offering a right to refuse a cookie or requesting consent should be made as user friendly as possible but that this can be done once for use during a particular connection but also covering any further use that may be made of such devices during subsequent connections.” This would imply that once a user has given permission to accept cookies that they are given permission not only for this session but any future ones.

However there is a catch to this if more than one person uses the same machine the Directive suggests that users should have the opportunity to refuse to have a cookie stored. This is said to be particularly important where users other than the original user have access to the same computer, because they could have access to data containing privacy-sensitive information.

What this entails is that you will need to seek permission every time a user visits your site in case they are not the original user of that computer. Also the use of the “remember me” facility found on many sites will have to be very carefully used and ensure that the user is aware of the consequences should other people have access to their computer.

Exactly what is going to be acceptable under the law is still a little woolly but if an attempt as been made to comply with the new law and if any instructions from the Data Protection Registrar to correct anything you have got wrong are done quickly it is unlikely that you will find yourself in court, but until a case is taken through the courts this is the best we can hope for.

The steps that can be taken to try and comply with the law in my opinion are:

1) Ensure that before any cookies are dropped that the user is very clear that you are going to do so with their permission and also provide a clear explanation of what a cookie is and how you will be using it.

2)If the user does not want to accept this cookie either provide simple clear instructions on how to disable cookies, something that is very difficult to do, or don’t allow them access into those areas of the web site that require their use.

3)Make sure that if they have accepted cookies in the past they wish to accept them this time in case it is a different user except in

4)If using a ‘remember me’ cookie ensure the user accepting it is very clear as to the potential consequences if others have access to their computer.

Having said all that the safest way of ensuring compliance with the law is not to use cookies at all, possible an expensive solution to existing web sites who are heavily cookie dependant as many are now.



This entry was posted in Technology News, Techtorial and tagged . Bookmark the permalink.

Leave a Reply