What the New EU Directive on Cookies Means for Webmasters

This article aims to give an overview of what is required by the new 2011 EU Directive on the use of internet cookies and how webmasters and businesses may look to satisfy the new rules.

The general remit of the original EU Directive, the Directive on Privacy and Electronic Communications which dates from 2003 is to tackle data protection in digital/electronic media. The 2011 update particularly concerns the appropriate use of cookies. In the UK the Directive is enforced by the Information Commissioners Office (ICO)

The broad requirements of the Directive for businesses and webmasters are to:

  • Provide clear and comprehensive information to users of their website(s) detailing what cookies will be used and how they will be used.
  • Obtain consent to the use of cookies from each user before deploying them, having provided the above information.

Scope of the Directive

The Directive applies to all cookies except:

  • Cookies that are absolutely essential to the working of a service which the user has explicitly requested.
    • e.g., a checkout process which requires the site to remember items in a shopping cart from one screen to another.
  • 3rd party cookies or cookies relating to 3rd party content which must be clearly identified and explained and will require a solution to be found between all parties involved to obtain consent from the user.

Who will have the ultimate responsibility for 3rd party cookies as a rule is a little bit ambiguous and each case will need to be assessed on its merits. That is not to say that it is an opportunity to avoid the requirements of the Directive. In fact the use of these cookies may require more communication from each party involved to explain and obtain consent from the end user.

The Rules

  • The information describing what cookies a site will use and how they will be used must be provided before the user is asked to consent to theme being deployed.
  • The amount and detail of the information that is provided by a website should reflect the degree to which personal information is gathered and the user’s privacy is affected.
  • Once the user has consented to cookies being used for a site, the information and consent request don’t need to be presented again unless new cookies are introduced.
  • An opt-out or similar ‘failure to object’ does not equate to consent. The only exception here is if consent is sought/included as part of a broader process which itself explicitly requests consent. For example, a user signs up to a service and it is explained to the user that by doing so they are consenting to the use of cookies

Potential Solutions

There are a number of possible ways in which the sites can satisfy the requirements of the new Directive:

  • Pop up windows which users see when landing on site (on each visit until they respond)
    • this may cause usability and accessibility issues
  • A Terms & Conditions checkbox which is included when a user agrees to the T&Cs whilst, for example, signing up for a new account.
  • An additional setting which needs to be turned on, for example, within account portals or against particular pieces of functionality.
  • A scrolling information banner which appears on landing pages to inform the user that cookies are not turned on and that they should visit another page (e.g., Privacy Policy) for more information and to turn them on.
  • A prompt that the user sees before using a particular feature or piece of functionality on a site.

In any case, webmasters should look to streamline and monitor the use of cookies on their site to the reduce the risk of a breach and/or the layers of consent and information that are required across the site.


The regulations are enforceable in the UK by the ICO who have the following powers (as per the 2003 Directive):

  • To perform an audit of action that a webmaster has taken to comply with the Directive
  • £1,000 fixed fine for not resolving any breaches that are identified
  • (In the worst case scenario) A fine of up to £500k.
    • These fines will only apply where serious breaches of data protection covered by the Directive result in extensive or serious damage or distress.
    • but relevant if we are dealing with personal data.
  • Request information regarding 3rd party breaches


The EU Directive and ICO regulation has been in place since 26 May 2011 however the ICO has allowed a lead time of 12 months for webmasters to work on and implement their solutions.

The key dates are as follows:

  • 26 May 2011 – 26 May 2012: Demonstrable planning and work should be ongoing to provide a solution.
  • 26 May 2012: Solutions must be in place