Cookie Rules For Websites 

All Business Websites Need to Comply With EEC Cookie Regulations

1. The Background - websites and email marketing are regulated in part by the Privacy and Electronic Communications Regulations.  These were amended in 2009 with significant changes coming into effect in May 2011 but with a year’s delay on any sanctions being enforced for non-compliance.

The changes affect the way your business can use cookies and other tracking technology in both emails and on websites to collect user data. Web owners will be liable to enforcement notices and a fine of up to £500,000 for non compliance from May 2012.

2. What Are Cookies ? - there are different types but basically a cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies may then be sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device and track what the user does, although the legislation also covers the use of other technical means of doing the same job.

3. Does Your Business Use Them? - probably ‘Yes’ – especially if, for example:

  • your site uses tracking systems like Google Analytics, or
  • you use a bulk email management service that monitors ‘opens’ via a cookie or similar
  • your site recognises past visitors
  • you use a third party company’s service who may track users themselves (for example advertising)
  • you have an ecommerce site, you may use ‘session’ cookies to track purchases.

4. What Is New? - If you use cookies, you must now tell people that the cookies are there; explain what the cookies are doing, and (in most cases) obtain their valid and well informed consent to store a cookie on their device.

There are exceptions where cookies are ‘essential’ to your site operation, for example cookies used:

(a) to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket 

(b) for security purposes, or

(c) to help pages to load quickly or to load balance across multiple servers.

But cookies used for tracking, counting email opens, recognising past visitors and advertising are ‘caught’.

5. What Do You Need to Consider? – you need to

(a) check what type of cookies / user tagging you use and how you use them

(b) decide if you are informing users adequately and if you need consent, and

(c) where you need consent, decide how to best obtain consent.

6. OK, What Actions Do we Need to take? – the key actions are to make sure your cookie information is clearly and prominently available on your site and not ‘buried’ in a Privacy Page. You may want to add a new header link mentioning cookie use and a footer message giving more detail.

You should add cookie use consent to any directly relevant existing sign up, for example:

(a) for a newsletter where you will use it to monitor opens (e.g. Check this box to sign up to our weekly newsletter. By signing up you allow us to use Open Tracking to monitor and improve your email experience.)

(b) to open (or login to) an account where you use a cookie for easy recognition of returning visitors, or

(c) when the visitor is to click on a button requesting a third party service.

Where you need explicit prior consent, ideally set up pop up boxes, message bars or ‘splash’ pages to gain the consent prior to further use - at least on the first visit. (You don’t have to repeat this every time, but you may need a new cookie to recognise visitors who have given consent - and an 'in-session' cookie perversely to ensure that people who have said no to cookies are not asked again on every page!).

This last step is arguably intrusive and many sites have been slow to implement it, waiting to see what others are doing or relying on the assumption of 'implied consent' (see more on this below).

7. What if consent is not given? - if consent is not given, you can :

(a) decline to proceed with the service (e.g. a newsletter)

(b) change your site code to drop the use of a cookie for this user, or

(c) infer 'implied consent' (if not actually declined!) from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site.

The latter option is particularly relevant to Tracking Cookies, for example for Google Analytics, and relies on the user being aware that the consequence of using the site is the setting of cookies. If you choose this option, you should ideally have notices appearing elsewhere on the site (e.g. page footers) which remind users that you are setting cookies. 

8. What about withdrawing consent? – you need to allow visitors to withdraw cookie consent later. Once consent has been obtained, users or subscribers may choose to withdraw that consent at any time. You should ensure you provide information about how consent can be withdrawn, and cookies that have already been set removed, in your privacy policy. You may wish to explain any consequences of withdrawing that consent, for example, impacts on the functionality of the website.

You will need a mechanism to implement this. We suggest cancellation of the cookies set via an adjacent button on your website   

9. What about existing users? – you need to inform and seek consent from your existing user database e.g. bulk email list subscribers -  we suggest :

(a) ask for consent where users e.g. log in to their account

(b) add a comment to your regular email Opt Out message about use of cookies (as a minimum), or

(c) add a primary call to action in your next bulk email about cookies and request for consent.  (You may wish to use the Implied Consent option along with better Opt Out message text.)


Disclaimer  – This briefing describes our best understanding and interpretation of UK Cookie law and recommended best practice.  Please consult a specialist solicitor if you have any concerns on this topic.

Dave Abernethy
Net Commerce Solutions
Specialist Web Promotion Consultants

Note for Webmasters: All our articles are copyright to NCS but may be copied and published in part or in whole on your websites on a non-profit basis as long as they are credited to NCS and have an appropriate link to our website. e.g. 'Visit for more articles by NCS – UK specialist web designers, search engine and internet marketing company'

This work is licensed under a Creative Commons Attribution 2.5 License.