An EU law that recently came into force requires a user’s informed consent before a cookie (or similar information) can be placed onto their device. Cookies are small text files saved onto a device allowing that user to be recognized on subsequent visits. This allows webpages to display custom features and preferences that often enhance user experience.

Cookies also allow Internet companies to compile information about their users (such as their interests and hobbies) for purposes such as targeted behavioral advertising. In order to further protect users from perceived data protection and privacy implications that can result from the use of cookies, the European Commission has amended the E-Privacy Directive (09/136/EC). This was required to be transposed into European Member States national law by 26 May 2011.

The previous, less rigorous, regime required that Internet users be given the right to opt out of saving cookies, meaning that the default position resulted in cookies being saved. Under the new regime, the only exceptions from the requirement to obtain informed consent are when the cookie is used solely for technical transmission purposes or is strictly necessary for the functioning of a service (e.g., a function of the website) that has been specifically requested by the user. A good example of strictly necessary cookies are those used by online stores that allow the website to “remember” items in users’ shopping baskets. This exception is limited to cookies that are “strictly necessary” and does not apply to those that merely make it more convenient for the user or the website operator.  

The Law

At the time of writing only the UK, Denmark, Estonia, Finland and Sweden had introduced measures to implement the Directive with the majority of Member States still kicking their heels over its interpretation. The controversy surrounds certain somewhat ambiguous provisions. For example, the main provision requires that users give their “informed consent” to the storage of cookies on their device, yet Recital 66 of the Directive suggests that consent can be given by browser settings (i.e., the user sets the browser to automatically accept or deny cookies).  

The use of browser settings as a viable solution is not currently endorsed by the European Commission, an opinion shared by the Article 29 Working Party (Art 29 WP), the EU data protection stakeholder group. This opinion is based on three factors: (i) as they currently operate, browser settings are not sophisticated enough to obtain informed consent (ii) certain cookies can be respawned on a device after being deleted; and (iii) bulk consent, such as is produced with most of the popular browsers currently on the market, without knowledge of the purpose of any future cookies cannot be deemed informed.  

Not surprisingly, this uncertainty means different Member States have unique approaches, making it more difficult for Internet companies to comply across the EU as a whole. In addition, a number of Member States have official and unofficial positions that seemingly contradict one another, e.g., national law stating a provision that, in practice, will be enforced in a specific way. In an attempt to demonstrate this, the UK regime, which has a peculiar dichotomy, is outlined below.  

The UK Approach

The UK is one of the few Member States to enact national law that gives effect to its EU counterpart, so in a strict sense UK companies must comply with the implemented requirements of the Directive as from 26 May 2011. However, the Information Commissioner’s Office (ICO), an independent authority that upholds data protection principles in the UK, has stated that UK businesses will have 12 months to “get their house in order.” During this period, companies will be given the opportunity to take steps to comply, as part of their conformity plans, without significant fear of enforcement action. If companies are not seen to be doing this, they could face a warning that, if not remedied, may be taken into account after May 2012.

The UK government has stated that it agrees with the Art 29 WP that browser settings are not currently sufficient to obtain user consent and has announced that it is working with Google, Microsoft, Mozilla and others to develop a technical solution to this problem.  

Types of Cookies

  • Behavioral advertising may record searches, pages and ads viewed to allow targeted marketing.
  • Third party are placed on a website by a third party (e.g., an adserver).
  • Analytical record the popularity of certain features (e.g., how often users visit) and are usually purely for the website operator’s benefit.
  • Cookies that save preferences allow users to tailor a webpage (e.g., Google homepage).
  • Shopping baskets remember users’ items allowing purchase at a later time.  

Practical Options for Internet Stakeholders

It is highly recommended that companies carry out a “cookie audit” and use the opportunity to remove old cookies that are now obsolete. Companies are also advised to perform a risk assessment of the cookies used on their website. For example, if the cookies merely make user experience easier by remembering saved preferences, then breaching the law by not obtaining informed consent from the user is less likely to impact users in a negative way. In contrast, if a website uses cookies for more “privacy intrusive” purposes and a breach occurs, the impact upon the user could be much greater, especially if their personal data has been collected and used for commercial purposes without their consent. Thus, the more intrusive the cookie, the more likely the ICO will be to take enforcement action for a breach of the new law.

Companies could also follow the approach of the ICO’s own website by using a header that pops up on a first visit that requests consent to the use of cookies. To ensure informed consent, a link should accompany such requests giving additional information. In particular, this additional information should include the different types of cookies used, the purpose of these cookies, how long they will be saved on a device and how they can be disabled.  


The ICO now has the power to impose civil monetary penalties of up to £500,000 (US$800,000). This power will be used only if a serious breach of the law causes or is likely to cause substantial damage or distress and the contravention is deliberate or the company knew or should have known a contravention would occur and failed to take reasonable steps to prevent it. For example, if a company knew an individual had not consented to cookies or did not take steps to check whether consent had been obtained and still collected and used sensitive information on an individual in a way that caused the user substantial damage or distress, then a serious breach may have occurred and the ICO could impose a financial penalty.  

European Commission

Similar to the UK, the European Commission has suggested that companies implement protective measures and develop a legal standard for gaining consent by June 2012. Recently, Neelie Kroes, the Digital Agenda Commissioner, stated that the European Commission would take action to protect users if businesses do not comply.  

Other Member States

France has, by contrast, taken an approach that favors Internet companies. A draft Bill, which was in its first reading in Parliament at the time of writing, states that browser settings are sufficient to count as valid consent under the Directive. Germany, on the other hand, has not yet interpreted the Directive, choosing to wait for industry-wide discussion on the issue. The Netherlands goes further than the Directive requires with an extremely restrictive interpretation. A late amendment of their draft Bill requires companies to prove that users have consented to the use of their data.


As a result of this uncertainty, companies should be wary about how to approach the issue of cookies. It is currently difficult for companies to be certain that their cookie use complies with the law in each of the different jurisdictions in the EU. A cautious approach would be for companies to implement changes now to prevent breaches of the Directive.

However, whilst taking the recommended steps to examine cookie use and consider internal strategy on compliance, some businesses will prefer to wait until the regulatory landscape becomes clearer. In the UK, for example, those using potentially more privacy intrusive cookies, such as behavioral advertising, should make every effort to demonstrate a move towards compliance by becoming involved in industry-wide discussions on a viable solution (e.g., the Interactive Advertising Bureau is leading discussions in relation to online behavioral advertising with its new self-regulatory framework and “privacy icon”).

Companies can, therefore, show their dedication in making steps towards developing a feasible solution that will protect users’ interests without unduly restricting the online industry in the EU.