The Cookie Crumbles: cooking up a storm online

Illustration of inside of counting machine
Update! ICO change law last minute, view added notes

“Have you got a Nectar card?” An innocuous question that is probably being uttered by someone this very moment.

How about: “Will you give me your personal information and allow me to track your shopping habits at Sainsbury’s?”

Or even: “May we collate information about your behaviour as a consumer generally, over a long period of time, and use it to build a profile about you which we’ll use for commercial gain?”

Still want those points?

Exchanging our most personal of information—our name, address, date of birth, the things we buy, the places we go—for free products and services has become commonplace. We mindlessly sign forms, well aware that there’s a catch laid out in legalese in the small print. We duly ignore it. We want the Avios points and the Amazon vouchers, dammit.

“If you are not paying for it, you’re not the customer; you’re the product being sold.” [1]

This sort of thing takes place online, too. It’s manifested very clearly in the way, for example, Google assesses the kind of content we’re looking at, and uses that data to show us relevant advertising. In fact, it’s at the very core of Google’s business model.

But this has also been going on at an altogether more subtle level across the internet, largely without the knowledge of the public at large. Consequently, European Union (EU) legislators now want website owners to put their small print under the microscope, empowering website users to decide whether ‘cookies’ (electronic files which share some of a loyalty card’s functions, and many more) can be used.

What are website cookies?

The Information Commissioner’s Office (ICO), which is charged with issuing advice about the new EU legislation and enforcing it from 26 May 2012 onwards, says: “A cookie is a small file, typically of letters and numbers, downloaded onto a device when the user accesses certain websites.”

What do cookies do?

These little files do a number of nifty things, including enabling website-users to log in (and stay logged in), shop online and otherwise personalise their online experience whilst browsing on a computer or another device like a tablet or smartphone. These cookies usually expire after a fixed amount of time – a ‘session’ of browsing, which could be one or multiple visits to a website. Cookies can also be used to watch online behaviour, enabling website owners to judge the quality or popularity of their website pages or services.

Can cookies be bad?

Well, they can also be used to track movement around the internet. These ‘tracking’ cookies remain on a user’s computer for longer than session cookies. In the same way that a supermarket loyalty card can exploit the shopping habits of its owner, cookies originating from one website can track a user’s behaviour across many websites. Some people say that’s an invasion of privacy. The same people probably don’t have a wallet stuffed with loyalty cards.

“Comprehensive information” and “consent”

The new legislation recognises that some cookies, such as the ones which hold an item in our metaphorical basket when shopping online, are essential to the functioning of modern websites. But, where cookies that are not “strictly necessary” are used, it states that website owners must seek the “consent” of their users.

The inverted commas don’t end there. The ICO says: “Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service.”

In addition, the user must be “provided with clear and comprehensive information about the purposes of the storage of, or access to, that information.”
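One way a site could apply the two rules above on the server, as an added example that is not from the original article: cookies marked strictly necessary are always set, and every other cookie is held back, with its purpose listed for the consent prompt, until the visitor has accepted its category. The cookie names, categories, lifetimes and the `cookie_consent` cookie are hypothetical.

```javascript
// Added example: every name, category and lifetime below is hypothetical.
const COOKIE_REGISTRY = [
  // Session cookie (no Max-Age): holds the basket, so it is "strictly necessary".
  { name: "basket_id", category: "strictly-necessary", maxAgeSeconds: null,
    purpose: "Remembers the items in your basket" },
  // Persistent cookies: useful to the owner, but they need consent first.
  { name: "site_analytics", category: "analytics", maxAgeSeconds: 31536000,
    purpose: "Measures how visitors use our pages" },
  { name: "ad_network_id", category: "advertising", maxAgeSeconds: 31536000,
    purpose: "Personalises adverts using browsing history" },
];

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const pair of (header || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    jar.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
  }
  return jar;
}

// Consent is recorded as dot-separated categories the visitor actively accepted,
// e.g. "cookie_consent=analytics.advertising". Missing or unknown values count as "no".
function consentedCategories(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader).get("cookie_consent") || "";
  const known = new Set(COOKIE_REGISTRY.map((c) => c.category));
  return new Set(raw.split(".").map((s) => s.trim()).filter((s) => known.has(s)));
}

// Decide which Set-Cookie headers to send and which cookies still await consent.
function planCookies(cookieHeader, valueFor) {
  const consent = consentedCategories(cookieHeader);
  const setCookie = [];
  const needsConsent = [];
  for (const c of COOKIE_REGISTRY) {
    const allowed = c.category === "strictly-necessary" || consent.has(c.category);
    if (!allowed) { needsConsent.push({ name: c.name, purpose: c.purpose }); continue; }
    let line = `${c.name}=${encodeURIComponent(valueFor(c.name))}; Path=/; Secure; SameSite=Lax`;
    if (c.maxAgeSeconds !== null) line += `; Max-Age=${c.maxAgeSeconds}`;
    setCookie.push(line);
  }
  return { setCookie, needsConsent };
}
```

The `needsConsent` list carries each held-back cookie's purpose, which is what a consent prompt would show the visitor before they choose.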

Who needs to comply with the legislation?

All member states of the EU are required to comply with this law, the e-Privacy Directive. Websites outside of the EU which target users in EU member states must also bow to it. A website based in Japan which sells products to customers in the UK, for example, will have to comply fully.

What happens to website owners who don’t comply?

Like it or not, non-compliance breaks the law. Speculation on how it will be enforced aside, the penalties for being caught in violation of the new directive range from a slap on the wrist (a preliminary “information notice”) to a hefty £500,000 penalty where deliberate or repeated contravention of the legislation leads to substantial damage or distress. The ICO’s guidance [2] suggests that a “practical and proportionate approach” will be adopted, reserving serious, formal action for those whose cookies are particularly intrusive to privacy.

The web community doth protest

The reaction of website developers and owners to this change in the law has been overwhelmingly negative. Many believe that the law fails to appreciate that cookies are essential to the contemporary online experience. Some plan not to meet the compliance deadline, optimistically hoping for a last-minute U-turn on the legislation. Others want the browsers themselves, or the industry overlords like Google and Facebook, to step up and find a solution.

Cogs of fears of counting machine illustration

Why the furore?

The trouble is that almost every website uses cookies, usually in good faith. Analytical cookies, which tell a website owner how users interact with a website, are exceptionally useful but will not fall within the “strictly necessary” exception criteria. In other words, most websites must explicitly ask their users to choose whether those cookies should be set.

When the ICO rushed to implement its own guidance, 90% of its website users declined to accept an analytical cookie. [3] Granted, a number of disgruntled website owners seeking guidance on the legislation might have done so out of spite but, nonetheless, it’s clear that the impact will be dramatic. Without knowing how users behave, it will be difficult to improve their experience of a website.

Businesses whose sales are generated by online advertising will suffer the hardest hit. Lots of advertising is run by a ‘network’ which fills vacant advertising space with ads personalised to the user according to their browsing history and habits. It’s hard to imagine a future for this type of advertising if the websites supplying the column inches for the ads are required to get consent for third party cookies first.

Do you want to allow cookies?

The default position for those users who don’t know much about cookies, and are asked whether they want to allow them, will most likely be a resounding “no.” Without any publicity in the run-up to the 26 May 2012 deadline for compliance, or indeed a visual and linguistic identity for cookies and the new legislation, the uninitiated will see the word privacy or permission and baulk. Who’d blame them?

The digital switchover campaign got an instantly recognisable shade of pink, a grinning character and lots of airtime to ease the Great British population into digital television over the course of several years. The same population lives in a world where breaches of electronic privacy hit the headlines every day. Ask an internet user if they want to accept or allow something they don’t understand, and the subtle semantic connotations those words carry will prevail.

And another thing…

Supplying information and obtaining consent without disrupting the user’s experience of a website will be a challenge. Without prescriptive details of how a request for consent should be presented, the move could result in users battling an advancing army of notifications or pop-ups whenever they visit a website – at home, at work or on the move.

“Do you collect Nectar points?”

“May I have your Nectar card, sir?”

“NECTAR CARD?”

It isn’t all bad

Some good will come of this. In fact, when internet users are educated about the technology they use every day, and come to regard cookies as clever rather than creepy, we’ll look back on this and wonder what the fuss was all about.

While the information and advice for website owners has been a little fuzzy, the overall goal of the EU legislators is commendable: an open and honest web, where users exercise choice in how websites collect and use information derived from their online behaviour.

“No, I don’t have a Nectar card.”

  1. Purportedly first uttered by metafilter.com user blue_beetle in August 2010, and repeated without proper citation by the world’s media thereafter.
  2. PDF: Guidance on the rules on use of cookies and similar technologies (ICO, 13 December 2011)
  3. Cookiepocalypse: Implementing New Law Drops Use by 90% (Chinwag, 22 June 2011)

Worth a look

EU “Cookies” Directive: Interactive guide to 25th May and what it means for you (David Naylor, 9 March 2011)
EU cookie law: UK government crumbles? (Econsultancy, 26 March 2012)
How will the new law on cookies affect internet browsing? (Guardian, 13 April 2012)
Tracking the trackers: help us reveal the unseen world of cookies (Guardian, 13 April 2012)
Tracking the trackers: first progress report (Guardian, 18 April 2012)

Update from Sarah Chapman:

Adding to the widespread confusion already caused by the ICO's ambiguous advice on implementing 'cookie law' compliance, the organisation changed its guidance on the last working day (Friday 25 May 2012) before the legislation started to be enforced (Saturday 26 May 2012).

The revision is significant: it's a move from 'informed' to 'implied' consent which represents a shift in responsibility from the website owner to the website user.

Predictably, the move has provoked an angry response from online businesses who have invested heavily in achieving compliance, most likely damaging the user's experience of their website in the process.

Visit the Guardian for an overview of the change. The ICO website carries the new guidance.

Information

About this article

Here at With we have been talking about this legislation for a while now and it is a very tricky thing to explain. We knew of someone good at just that – explaining the tricky. Sarah has been following the current legislation to consult and propose methods that website owners could adopt. Who better then to ask to write this article?

We really didn’t want to use a picture of a cookie or CCTV on this article. But the more we thought about this subject the more we realised how hard it was to visually or symbolically represent exactly what’s going on.

The illustrations on this page are from a patent filed on 17 July 1929 for a counter device by Edward A Slye. This invention can be seen to introduce the idea of reducing individuals to simple numbers, understood once one has comprehended the complex language of patent filing.

Portrait of Sarah Chapman

Sarah Chapman is a digital content producer by day and freelance writer by night. She invites thoughts and feedback on this article via Twitter. Sarah also blogs, jams and is thinking about throwing away her Nectar card.