Client refuses to pay for Cookie Law implementation

So a client asks me to set up Analytics on his new website I just completed. Okay no problem. I quoted a fee and was told it was ridiculous, ‘analytics takes 5 minutes to set up and is free!’. So I explained that the cost included various other items other than implementing the tracking code and setting up the Google account, such as; tutorial/demonstration time, setup of custom reports, the new cookie law implementation alert/banner for acceptance, and a cookie policy & web page to go with it for further visitor information.

After some thought and calling around, the client decides he will proceed with the analytics charge (reduced) but is not willing to pay the initial price quoted as they don’t see the need/want or worry in the cookie law stuff. The client says they are happy to sign a disclaimer or release of liability should any legal action arise further down the line that would keep me safeguarded and protected (though I am left with the task of producing such a document for the client to sign)…

My question is;

Is this type of scenario acceptable?
And what would you do?

a) Insist that the additional ‘cookie work’ is part of the job and stick to the initial price?
b) Refuse the work?
c) Or do it without the ‘cookie work’ and leave the client at their own risk as per their request?

How would one go about even compiling such a disclaimer/no-liability document?

PS: What would you do if existing clients with cookies refuse to pay for additional cookie law work on pre-law existing websites? Take their site down?
PPS: What do you charge for setting up GA - and how much extra have you bolted on to allow for all the additional cookie law work that is now required?

[FONT=verdana]Assuming the client is bound by the cookie law (that is, they are operating from within the EU, and their site uses cookies in the relevant way), they are certainly wrong not to implement it. On the other hand, it’s perfectly reasonable for them to exclude this work from your brief, and you should accept it if that’s what they want. In other words, go for option c.

That said, you should certainly do a disclaimer to cover yourself. I would simply write them a letter (on paper), stating that you understand that they have explicitly asked you not to do the cookie stuff, and that they accept they will take all responsibility for the consequences. Get them to write back, saying they accept the terms of that letter.

Regarding your existing clients who refuse to pay for cookie work, this is not your concern. If you created their site before the law came into effect, it is up to them to ensure the site now conforms to the law. Whether or not they choose to hire you to do that is entirely up to them. (But that wouldn’t apply if your original contract has some provision which makes it your resonsibility to always update the site so that it conforms to the law; but that would be an onerous provision, and not one that most contactor would accept.)

As for taking the client’s site down if they don’t hire you to do the work, that is definitely not an option. It is unethical, unprofessional, and could leave you open to legal action.

Finally, you asked how much to charge for this type of work. Unless you have a good reason not to, the obvious answer is to charge at your normal hourly or daily rate.

Hope this helps.



Well first and foremost the most important question is to ask yourself what kind of clients you wish to surround your business with (and are willing to promote/use for referrals). If you feel strongly about following the law in your work and not taking a path of a disclaimer to remove liability (because you stand behind your work), then your best option is to refuse the work and stand your ground. Politely ask them to find someone else for the work they are requesting and potentially even find a new host (if you feel that you can still be held liable if their site is sitting on your server).

If you don’t feel strongly one way or another, you need to think about it hard and choose a stance over this type of situation that you will be happy with. Then choose the route that you can live with (without regret).

If you choose to go the disclaimer route, I’d consult a lawyer and have a document drafted (one that can be reused since you will likely encounter similar situations in the future). Make it generalized, so you can apply it to remove ALL liability associated with a client, and not for a specific purpose (this way the client will likely think about what they are signing/agreeing to and whether it is worth it).

I would never take down a clients site, unless they breached their contract with me over hosting (uploaded improper material, abused resources, etc). I have politely asked that they find a new hosting arrangement and have given them 2-3 months (whatever I consider ample time) to arrange it before I disconnect their presence from my server.

As for what to charge, I imagine your charge is fair based on the number of hours you would have to invest in the project. So don’t change your pricing. stick to your guns, stand your ground. I have clients that come to me, not because I am the cheapest (sometimes I am, most of the time I’m not). They come to me because they know in the end, they’ll get exactly what they wanted with very little fuss and it “just works”. Those are the clients I keep close relations to, when I get one that tries to negotiate every little detail, I usually walk away (but then again, my freelance is purely up to 12 projects a year – not my primary source of income, so I can do that).

Hope this helps.

Thanks for the replies!

The type of sites im building are largely brochure, small scale sites with Analytics code or Social Network API plugins (Facebook Like buttons and the like), so I believe these are the low risk/low compliance or small fish of the cookie law? So it may not be a really big deal, but still - I am concious of the new regulation.

After a little googling online I have read and wonder: Would a small disclaimer/footprint at the bottom of such websites stating something like ‘By using this website you accept our use of cookies for google analytics and social network plugins’ would suffice for compliance?

@Miki - the idea of the letter is something I was favouring, but rather than requiring a reply letter it would be a declaration of intent or a statement which would nullify me against any consequences of non-compliance, and the client would be required to sign the document to relieve me of all liability and accept all liability in regard to the cookie law. Do you think that would work? Alone and/or in addition to the small footer foot-note idea mentioned above? As I say my only real crossings with cookies would be GA and social network plugins


rather than requiring a reply letter it would be a declaration of intent or a statement which would nullify me against any consequences of non-compliance, and the client would be required to sign the document to relieve me of all liability

It doesn’t make any difference. Whether they send a letter back to you, or sign your letter to show they accept it, the effect is the same.

Would a small disclaimer/footprint at the bottom of such websites stating something like ‘By using this website you accept our use of cookies for google analytics and social network plugins’ would suffice for compliance?

I doubt it. The law requires the user to make an “informed decision”. Putting small print where the user is unlikely to see it won’t cut it, especially if you use terms that the average visitor won’t understand.

But that’s not the point. If the client says not to do it, then don’t do it. It’s not your responsibility to figure out a way round it.


Ultimately if your client chooses not to implement processes for the EU cookie law, you personally will have no comeback from the ICO, as it’s not your site. As for your client suing you for poor advice, its not your responsibility to warn your client about every possible legal issue they can face on their own site, because ultimately you are not a lawyer and I assume do not market yourself as some kind of legal expert. What about the disability discrimination act, do you warn them about that? Copyright infringement? The list goes on, none of it is your responsibility as a web designer. In the end, you are just some person who knows how to code web sites (no offence) - keep your relationship within that realm and you’ll be fine.

Do you have a contract? Does it have liability and indemnity clauses? I’d say use the money you get from this job to hire a solicitor to write you up a decent, to-the-point contract that covers all the general liability and indemnity stuff and one that helps define your ‘responsibilities’ as a web developer, get all clients to sign it, and leave it at that. But I seriously doubt any client is ever going to try suing you over you ‘not’ advising or mentioning some matter such as this. You are more likely to get sued for ‘actually’ advising and giving incorrect or misleading advice that itself gets the client into trouble.

As for this client, if they don’t want to pay for cookie implementation, don’t do it for them. If you feel so strongly that they should, then walk away. TBH if I had a client who was forever telling me ‘pah that job only takes 5 minutes’, and is always ringing round other developers to knock my price down, I’d definitely walk away.

As for implementing cookie law, well that’s all a bit open ended and my thoughts are that it’s one of those laws that will not actually be enforced except in extreme cases (IANAL) - I also believe that you would get fair warning before getting into actual legal trouble - but I think it’s going to be reserved for the really naughty businesses who are purposely abusing cookies on a big scale. But the best implementation examples I see are the little bottom right hand corner triangle that needs to be clicked for more info.

Thanks Shadow! :slight_smile:

Just following up on this cookie law disclaimer / release of responsibility idea put forward by Mikl…

I know that (probably) no one here is a lawyer, and that any responses do not constitute legal advice and I as well as anyone reading this should consult a qualified legal expert or their lawyer, but… all that aside; do you think something like this would do the trick? …is there anything you think should maybe be added or changed?

Privacy and Electronic Communications Regulation (PECR)
EU COOKIE LAW (e-Privacy Directive)

[SIZE=2]What is a Cookie?

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity. ~ Wikipedia[/SIZE]

EU Cookie Law (e-Privacy Directive) and how it affects you

Your website, currently uses Cookies in the following way(s):

Google Analytics – requires a cookie to be placed on each visitor’s computer / tablet / mobile device in order to track their usage of your website and relay this data back to your analytics report.

Statement of Intentional Non-conformance & Release of Liability

As a result of the above cookie usage, additional work is required to ensure conformance of your website with the new cookie law. Such conformance would involve additional coding; offering visitors the chance to opt out of such data files being stored on their systems. A website ‘cookie policy’ is also required and will be drawn up and embedded into a new web page, which would be linked to from all pages of your web site.

DesignCompany/Freelancer understands that you have explicitly asked us not to carry out the above works in relation to conformance with the cookie law. You have stated that you are willing to take full responsibility and be solely liable, fully indemnifying DesignCompany/Freelancer and its employees, contractors, and suppliers from any legal action which may arise in the future as a direct result of non-compliance.

You understand that you have been advised to proceed with the additional conformance works as described above in order to become abide by the cookie law, and have been warned about the consequences of non-compliance.

Please sign below to indicate your acceptance of full liability and responsibility in this matter, and to signify your agreement with all information, statements and terms set out above, in this document.

Sign, print, date, ClientCompanyName

I personally like it. I think you did a good job describing the issue at hand, how it relates to the law, and then removing yourself from any liability to this particular law. Very well done if you ask me.

Be sure to version it with the date you established it, so you have a record of any updates along the way, and so if it were to be presented in a legal fashion (court, through lawyers, whatever) you have a way of knowing which draft it was related to (not that I see this changing very much, but you never know what the EU may decide on this law in the future).

I like it too. I think it hits the right balance. You’re stating the situation clearly, but you’re not being aggressive about it. It will be interesting to know how it pans out.


I think it’s massive overkill, and thus seems amateurish to me. Just send them a memo with some language like,

“Client understands that their site uses cookies, and that systems to ensure compliance with EU Cookie Law cookie laws will not be implemented as part of this contract, as specifically requested by client. It’s strongly recommended that client seek legal counsel and ensure that the final website is fully compliant with all applicable laws prior to launch.”

That is all you need to say. You are not in the business of providing legal advice, or telling other people whether they should be lawful. So, over explaining the situation makes YOU more involved in the whole issue which doesn’t serve you. There is no liability do disclaim, I don’t think, so why bother with that language?

The only thing you need to protect yourself form is that you might be accused of not informing your client that they are at risk of non-compliance with the law. So, all you need to do is get a clear affirmation that you have informed them of this risk, in clear unambiguous language, and they understand that you are not building something that necessarily complies with the law. That is all you need to do, and going further than that serves no purpose.

I think it’s pretty safe to ignore the EU cookie law for now. Nobody seems to know what it means and it’s just plain weird. You have to set a cookie to keep track of if you have asked for permission to set the cookie you already sat. Most government agencies here in Sweden break that law, so I am not that worried.

And then you have the British company actually trying to get sued without success: