Finding a solution to cookie consent and the e-privacy directive


Finding a solution to cookie consent and the e-privacy directive ...

UPDATE (24TH FEBRUARY): I attended an IPA “update” seminar on this, on Wednesday 22nd February. It largely confirmed our understanding.

The ICO certainly do NOT expect to see websites using pop-ups or other forms of “opting in” as a general rule. They will be cracking down on websites that are “wilfully flouting the law” and whom have made “no attempt whatsoever towards compliance”. Focus on providing as comprehensive a privacy policy you can – with a separate cookie policy if possible. Furthermore, make this much more prominent than just sitting it alongside other footer links on the site.

If you are actively using very intrusive cookies, then you will need to make more effort to allow people to gain consent. If you are using behavioural targeting as part of your online marketing, then you will need to make this absolutely clear in the cookie policy and you also need to ensure that your providers comply with the OBA framework (although this OBA framework has not been formally agreed as compliant yet - the ICO have stated that it is the right direction for the industry to be moving). 


[NB. I am not a legal expert and the opinions in this post are mine alone. Each website owner will need to make their own decisions on what is required in order for them to be compliant….but hopefully this summary is valuable in helping you make that decision].

The Information Commissioner’s Office (ICO) published its “half term report” on enforcing the new e-privacy regulation back on the 13th December. It makes slightly better reading for online advertisers than previous releases and - provided you are taking action in a number of areas - means that it is becoming a little clearer on how to ensure you are compliant by the 26th May.

We’ve been working closely with Clients to provide guidance on the steps to take throughout this process; below we revisit some of these and go into a little more detail on what the latest ICO statement tells us.  

[The ICO quotes included below are all taken from the ICO’s updated “guidance for UK website owners” – a PDF of which can be downloaded here.]

Do you have to do anything?

If you are responsible for a website that uses cookies in any way, then you must make a genuine attempt to be compliant with this legislation. 

“Where a person operates an online service and any use of cookies will be for their purposes, it is clear that that person will be responsible for complying with this Regulation.”

The ICO has stated that it fully appreciates that this is a complicated area (both technically and legally) but failure to show any action has been taken at all will be looked at negatively by them if a complaint is brought against your company. If you are finding it difficult to fully comply by the 26th May, then you will need to be ready to explain why this is and how you plan to address it if a complaint is raised. 

You don’t however need to panic: 

“…on 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

Can we rely on cookie settings in web browsers?


“At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie… Government is working with the major browser manufacturers to establish which browser level solutions will be available and when. In future many websites may well be able to rely on the user’s browser settings as part, or all, of the mechanism for satisfying themselves of consent to set cookies. For now relying solely on browser settings will not be sufficient”.

What are the things you can do now?

Although there is still room for interpretation and debate over some areas of the regulation, there are certain actions that you clearly have to take:

1. Cookie Audit: By now you should have conducted a cookie audit of your website. You should have collated information on each cookie that is dropped and what the cookie is used for. It would seem clear that failure to have conducted this housekeeping exercise will be viewed negatively by the ICO, should they receive a complaint about your site.

A previous blog post here explains more on how to conduct a cookie audit. 

2. Remove unused cookies: If you can demonstrate that during your audit, you found and removed some cookies that were no longer useful, this will show progress being made.

3. Providing Cookie Information: It is absolutely essential to be transparent and open about your use of cookies. The ICO make reference to the current limited level of “consumer understanding of cookies” and it seems clear that if you make an effort to help educate the average user about cookies, then you are helping to work towards a better longer term solution.

“If websites are open and honest about how they work, if the mechanisms for exercising user choices are integrated into the presentation and user experience of the site, the users will be more confident about using the site and more comfortable with how websites collect and use information derived from their online behaviour”.

The latest document also states that you should:

“….check that your privacy policy provides accurate and clear information about each cookie”.

I also suggest linking to the mechanisms for opting out of Adserver technologies (such as Doubleclick tracking) and Web Analytics packages (such as Google Analytics). 

4. Assess how intrusive your cookies are: The purpose of the regulation and the intention of the ICO is to protect users’ privacy. Although not explicitly guaranteed, it would appear that the use of cookies for unobtrusive activity, which is neither “risky nor harmful”, is far less likely to meet with full, formal sanctions than cookies used for more intrusive purposes or which wilfully flout the law. 

“Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals, if an organisation can demonstrate they have done everything they can clearly to inform users about the cookies in question and to provide them clear details of how to make choices.”

Therefore, if you can be confident that your use of cookies is towards the “unobtrusive” end of the spectrum, it is unlikely that the ICO would use its full enforcement powers against you if it did receive a complaint. 

Make your cookie information incredibly visible.

Although previous ICO documentation has paid significant attention to updating policies and ensuring transparency, the latest guidelines go into great depth about making sure the link to the cookie information is visible. On pages 14 and 15 it even gives suggestions of ways to make the information stand out on the page. Although this will not make you compliant, a website that makes an effort to the draw attention to how it uses cookies will certainly be closer to achieving compliance.

(I recommend keeping a close eye on websites such as and to see what their privacy / cookie pages contain and how prominent  they are). 

Furthermore, as a website owner you will probably already have mechanisms in place where some website visitors are required to read and accept certain “T’s and C’s” before proceeding. It would seem wise to update these T’s and C’s to include reference to cookies, so that for any visitors passing this point, they are required to provide consent for the use of cookies. If at any stage the ICO were to ask for evidence of responding to the regulations and implementing changes to your site, this would certainly demonstrate this, even with only a specific percentage of website visitors who pass through this stage.

Are some cookies more acceptable than others?

As stated above, it would appear that there is a spectrum here, largely defined by “intrusiveness”. The ICO has given some more specific direction on which cookies could be made an exception to the requirement for informed consent from users. 

Clearly, from this table, Web Analytics and Advertising cookies aren’t identified as exceptions to the consent requirement. However, for Web Analytics, the latest document also states:

“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

So it would appear that provided you take the steps above, you can fairly confidently continue to use a Web Analytics package such as Google Analytics without necessarily facing a penalty. However, what else do you need to do if you use 3rd party advertising cookies? 

Do we need to gain prior consent?

This appears to be the most challenging area of the regulation. There are various ways in which this is being interpreted, plus the technical practicalities of implementing a solution are difficult. Let’s take the interpretation first….

Consent? It is absolutely clear that the regulation requires that users consent. 

Prior? The ICO guidance certainly states that this is the ICO’s preference, but “prior” is not expressed in the regulations and the ICO also makes reference to the difficulty of achieving this. A key point is:

“…websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.”

Implied consent? It seems likely that once again the spectrum of “intrusiveness” will become relevant here. If you can be confident that your use of cookies is unlikely to have a complaint made against it for “risk or harm” to a user and you also implement all other possible actions, then you may consider that you have made significant effort to educate and inform your website visitors. Therefore, you may deem that you can consider this “implied consent”.

There is a very interesting blog post here from Eduardo Ustaran, a partner at Field Fisher Waterhouse (a “market leading Privacy and Information Law Group”). In it he states: 

“At the very least, it has to be reasonable to assume that someone can easily find out and exercise effective control over the cookies being served on their terminal equipment.  A prominent notice, a simple explanation and an opportunity to take a view on whether to accept or reject cookies will go a long way….”

The ICO document also mentions...

“…if websites make a real effort to ensure information about cookies is made clearly available to their users, for example, displaying a prominent link to ‘More information about how our website works and cookies’ at the top of the page rather than through a privacy policy in the small print.”

Therefore, although the ICO explicitly state that you cannot rely on “implied consent” alone, by clearly demonstrating efforts in other areas, you will be making tangible progress towards compliance.

IAB Behavioural Self-Regulation Framework: I would suggest that the core "consent" area where the ICO will be focusing will be on the use of cookies for behavioural advertising. The Internet Advertising Bureau (IAB) are very aware of this and have for a long time now been engaging with stakeholders to deliver the Online Behavioural Advertising framework. This is where some of possibilities for technical implementation become relevant…..

One of the key parts of the OBA framework is that advertisers need to include an icon on all behaviourally targeted advertising which explains why the banner is displayed and how they can manage their targeting. The ICO has given positive feedback to this framework, but suggests that it does not achieve compliance on its own.

Furthermore, this is for banners, what about websites? Well, if we still assume that the focus of the ICO is on behavioural advertising, then there are already solutions available for delivering the management of behavioural cookies using an “opt out” mechanism. For example, see the Ad Choices link towards the bottom of the I think it is very likely that this sort of mechanism will become more commonplace and these technology providers will have a part to play in this area in the future. However, is it necessary now?

I am currently talking to several providers of this technology to evaluate the cost and resource requirements for implementation. If there is a cost effective solution, then the more appropriate and feasible it will be to consider implementation. Until then however, I suggest you focus on the other actions mentioned. 


In summary therefore, I suggest you do the following (as a minimum):

  • Conduct a comprehensive cookie audit
  • Understand the use of all these cookies on your website
  • Remove any cookies that are outdated or unnecessary
  • Assess the intrusiveness of the remaining cookies
  • Update your privacy policy – looking at other well-known websites it would seem to be a trend to include a prominent, separate “cookie” related page or section that is rich with information on cookies and also provides links to even more information
  • Seek opportunities for including mechanisms for cookie consent – for example wherever you already have a “T’s and C’s” consent requirement, update the T’s and C’s to include reference to your website cookie use

I plan to update the Equi=Media website so that our privacy policy contain even more information on cookies. Furthermore, I plan to rename it so that the page name references “cookies” and we are also considering positioning it more prominently, rather than its current position within the website footer. We think this will demonstrate to the ICO - and more importantly to website visitors - that we take this issue seriously.

I suggest you do the same.

(Any thoughts or comments on this, please find me on Twitter - @ryanwebb).


Contact Us

Do you have a challenge for us to solve?

get in touch