TT176: How the EU Cookie Directive affects your website

May 14, 2012

What is a cookie, in the context of the internet? A cookie is a small file stored by your internet browser software that records details of your use of a particular website.
It can record all sorts of information such as your login details, personalisation options, purchase history, or browsing habits (how you arrived at the site, how long you stayed and so on).

If your business has a website, it probably uses cookies even if you do not realise it. Over 90% of UK websites use cookies, if not for login information then at the very least for gathering statistics on website visitors (eg via “Google Analytics”).
What are the new laws?
In a nutshell, you must obtain consent from your website visitors to use cookies, whatever purpose they are for.

There are certain exceptions for cookies vital to the operation of the website. The Information Commissioner’s Office (ICO) says “The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.” However, the majority of cookies do not fall under the exceptions.
How should you obtain consent?
You must give the visitors a clear notice that you are using cookies, and what they are used for. Unless the user then gives their consent, cookies must not be used.

There is debate over to what extent this consent can be assumed. Some large UK companies are simply updating their terms and conditions/privacy policy to cover the information required and ensuring each visitor is directed to these on their first visit via a banner or pop up or other link that is suitably ‘distinguishable’ and ‘prominent’. Consent is then assumed if the visitor continues to use the website (or explicitly gives consent by clicking a button).
Will companies really be chased for using analytical tools?
Almost all websites collect visitor statistics and it would be an enormous task for the government to find and prosecute all such websites. The UK government has indicated that it would be less focused on analytics cookies than cookies collecting more intrusive data. However, unless consent is appropriately obtained and requisite information given, the use of any cookies is strictly speaking not legal.

Aiming for compliance
The ICO website has full guidance on cookies and personal data [1] (and an example of a consent request banner)

One resource to help you find out whether your website is compliant is this “Cookie Audit Tool” [2] for the Chrome browser.
The ICO’s latest “Guidance on the new cookies regulations” [PDF] [3] contains useful details on your first steps to compliance:

  • Check what type of cookies and similar technologies you use and how you use them.
  • Assess how intrusive your use of cookies is.
  • Where you need consent – decide what solution to obtain consent will be best in your circumstances.


Should your website be investigated for non-compliance, there are various measures that the ICO can take:

  • Information notice: the organisation must provide specified information within a certain time period.
  • Undertaking: requires an organisation to take a particular course of action in order to improve its compliance.
  • Enforcement notice: compels an organisation to take specified actions in order to comply with the regulations. Failure to comply can be a criminal offence.
  • Monetary penalty notice: in serious contraventions where no action has been taken to comply with the regulations, the ICO can impose a fine up to a maximum of £500,000.





Talk to Barnes Roffe today
Share this page:
Contact Us
ICAEW The Chartered Institute of Taxation ACCA IPG IR