Website Legal Requirements – Cookies and Consent Policies

As a result of changes to the EU Privacy and Electronic Communications Directive, it is now unlawful to use cookies to collect user data without first obtaining explicit consent. Accordingly, the Information Commissioner’s Office (ICO), which is responsible for ensuring that websites comply with the new cookie law, has implemented a technical solution on its own website with the result that traffic to it plummeted.

UK Cookie Acceptance Policy

In May the ICO placed a banner at the top of its website in order to obtain consent from users to the placing of cookies on its website. The banner stated how and why cookies would be stored and cross-referred to the ICO’s privacy statement. By clicking on the banner users consented to the use of cookies. If users did not consent, then parts of the website did not work and were not accessible.

In the following 35 days, traffic to the website fell by 90%.

Unlike the ICO’s website, many commercial websites rely upon multiple cookies for tracking, customer service, analytics and advertising revenues.

Prior Consent Required?

The current guidance from the ICO states that consent to cookies can be obtained after processing has begun. The UK authorities base their advice on the fact that the word ‘prior’ does not appear in the EU directive upon which the UK law is based. However, the Article 29 Working Party – which advises the EU on data protection issues – disagrees and claims that prior consent must be obtained to make cookie use legal.

It will now be necessary for the ICO to provide further guidance to businesses on this issue. This is, however, unlikely until the new proposed EU data protection law, which should better define consent and its practical meaning, is published by the European Commission later this year.

Dutch Cookie Acceptance Policy

In the Netherlands, a new Dutch law requires prior “opt-in” consent before a cookie can be installed or stored on a user’s computer. The language of the proposed law is quite broad and could require website owners outside of the Netherlands to comply with the Dutch law when processing personal data of Dutch citizens. In addition, the website owners would also have to comply with their own local cookie rules, which may be different.

EU Implementation of Cookie Acceptance Policies

To date only the UK, Denmark, Estonia, Finland, Sweden and the Netherlands have introduced measures implementing the Privacy and Electronic Communications Directive.

The European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt outs in that time.


Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years’ experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
