EU cookie law: make sure your website complies

Since 2011, all websites have been required by law to get permission from visitors when using cookies.

The cookie law requires you to get consent from a website visitor when you store cookies on their computer. The Information Commissioner's Office (ICO) has useful guidance to help websites comply.

"The aim is to protect consumers," says Richard Beaumont from The Cookie Collective (now OneTrust). "Cookies are used to gather an awful lot of data from people online without them realising it."

Indeed, many websites rely on cookies to keep visitors logged in or to remember what's in their shopping basket as they move between pages.

Most web analytics services use cookies to generate website usage statistics. And advertisers rely on cookies to build profiles of individual users so they can display targeted adverts as they move between websites.

"The only cookies excluded from the law are any that are necessary to provide a service people are asking for," continues Richard. "That mostly covers things like shopping basket cookies and a few types of cookie used to store information temporarily.

"If you've got a website carrying advertising, or you're using social media add-ons, or rely on Google Analytics to measure site performance, all those types of technologies make use of cookies, so you'll need to gain consent."

What are cookies?

Cookies are small files that websites place on visitors' computers.

They're used to give website users a better experience - for instance, by keeping them logged in or remembering what items they've placed in their shopping basket.

More controversial uses for cookies include tracking visitors as they move between websites in order to provide targeted adverts. If you've ever visited a website, then seen adverts for that company's products on other websites, that's cookies at work.

Perform a cookie law audit

To understand your obligations under the cookie law, you need to establish what cookies your website uses. There are several tools available to help you perform a cookie audit. Richard's company offers Optanon, but you can also try the tools from Attacat or Bitstorm. Each lists the cookies used as you browse a website.

If your site only uses cookies from common services like Google Analytics, interpreting the list should be relatively easy. However, it can be harder to determine the function of custom cookies. If in doubt, seek expert advice from your IT supplier or web designer.

Audits can easily go out of date as cookies and websites change quickly. Richard advises clients to think about auditing at least once a year.
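As an added illustration (not code from this article or from any of the tools named above), the sketch below shows the kind of inventory an audit produces: it takes Set-Cookie headers recorded while browsing and lists each cookie's name, domain, whether it is first- or third-party, and how long it lasts. The site name, hosts and header values are constructed samples, and the first/third-party test is a simple domain comparison assumed for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "shop.example"  # assumed name of the site being audited

# Constructed sample: (host that set the cookie, raw Set-Cookie value)
OBSERVED = [
    ("shop.example", "basket=abc123; Path=/; HttpOnly"),
    ("shop.example", "_ga=GA1.2.111.222; Domain=.shop.example; Max-Age=63072000; Path=/"),
    ("ads.tracker.example", "uid=u-42; Domain=.tracker.example; "
                            "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
]

def parse_set_cookie(raw):
    """Split a Set-Cookie value into (name, dict of lower-cased attributes)."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def lifetime_days(attrs, now):
    """Return None for a session cookie, otherwise the lifetime in whole days."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).days
    return None

def audit(observed, site, now):
    """Build one inventory row per observed cookie."""
    rows = []
    for host, raw in observed:
        name, attrs = parse_set_cookie(raw)
        domain = attrs.get("domain", host).lstrip(".")
        # Simplified rule: first-party if the cookie domain and site overlap
        first = (domain == site or site.endswith("." + domain)
                 or domain.endswith("." + site))
        rows.append({"name": name, "domain": domain,
                     "party": "first" if first else "third",
                     "days": lifetime_days(attrs, now)})
    return rows

if __name__ == "__main__":
    for row in audit(OBSERVED, SITE, datetime.now(timezone.utc)):
        kind = "session" if row["days"] is None else f"{row['days']} days"
        print(f"{row['name']:8} {row['party']}-party  {row['domain']:18} {kind}")
```

The output is an inventory only; deciding which cookies need consent still depends on what each one is used for.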

Getting consent

Once you know what cookies your website uses, you can determine whether or not you need to get consent from visitors to use them. Most websites need to get consent.

Since the law came into force, the most common way of doing this has been to display a message when a visitor first arrives at the website. The message is usually shown alongside a button labelled "continue" (or similar), allowing the user to close the message and continue their visit.

It's also a good idea to provide a link to more information about the cookies you use. After all, the law requires users to give their informed consent. Other methods include showing the message in a fixed bar at the top of the screen or displaying an overlay on top of the page.

How to show your cookie message

How you display a message to your users will depend on how you built your website:

  • If you created your website using a website builder tool or software, there may be an option to add a message about cookies.
  • If you built your site from scratch or worked with a web designer, then you may have to edit your website's code.

Off-the-shelf solutions are also available, and these may be the most convenient option. As well as The Cookie Collective's service, Sitebeam provides a free solution.

Is this enough for the cookie law?

Although most websites that have implemented a cookie message take the route described above, this may not be strictly compliant with the law.

Further guidance issued by the EU suggests that you must give visitors the choice of accepting or refusing cookies, and that you should keep this choice available during each visit.

Having said that, pragmatically it seems unlikely that any business which has taken steps to make users aware of its cookies will attract attention.
