By Craig Buckler

Why Your Site is Now Illegal in Europe

By Craig Buckler

As of May 26 2012, any website available to European visitors must comply with the EU E-Privacy Directive. New laws came into effect in 2011 which prevent identifying information being stored a user’s computer without their knowledge and consent.

If you’re using cookies or any other technologies for non-essential tracking, you must:

  1. Tell users that tracking technologies are used.
  2. Explain the reasons for using those technologies.
  3. Obtain the user’s consent prior to using that technology and allow them to withdraw permission at any time.

The specific technology is not important. While cookies are an obvious target, the law applies to client-side storage, Flash cookies, image trackers, browser fingerprinting or any technology used to identify an individual.

A user’s consent must involve communication where the individual knowingly indicates their acceptance, e.g. clicking an icon or checkbox. Wherever possible, setting cookies must be delayed until a user has the opportunity to understand what technologies are being used and make an informed choice.

The only exceptions are sites where tracking is strictly necessary for the provision of a service or communication requested by the user. Shopping baskets, some online applications and client-side caching to improve page speed would not require authorization. Sites using analytics, advertising or customized greetings must comply.

The website setting a cookie is primarily responsible for compliance. However, in the case of third-party cookies, both parties have a responsibility to ensure users are informed about cookies and consent is obtained.

The law applies to European companies even if their website is hosted overseas. Organizations outside Europe with websites designed for the European market should consider that those users will expect information and choices about cookies to be provided (although legal enforcement is unlikely).

In essence, if you’re using Google Analytics without the user’s consent, your website is operating illegally in Europe.

How Can You Comply?

The UK’s Information Commissioner’s Office (ICO) admits the new rules require considerable work and makes the following recommendations:

  1. Audit your site’s tracking technologies and usage. Take the opportunity to remove unnecessary cookies.
  2. Assess how intrusive that tracking is, i.e. is it an essential application session cookie or a one that has privacy implications.
  3. Decide on what solution is best to obtain the user’s consent.

British Telecom has one of the better examples. On accessing BT.com for the first time, the user is presented with a pop-up message:

BT cookie pop-up

The cookie option panel can be accessed from links in the pop-up or page footer:

BT cookie opt-in choices

Whether BT’s implementation abides with the law is another matter. The pop-up disappears after 12 seconds which won’t be enough for some users. In addition, full cookie approval is assumed if you don’t click the pop-up or footer link. The law clearly states that a user must knowingly indicate their acceptance; you cannot presume they understand or agree to your terms by their inaction.

The ICO’s Guidance on the rules on use of cookies and similar technologies offers pragmatic help. It’s a long read, but well-written in clear English.

The Penalties

In the UK, a fine of up to £500,000 can be levied against companies deemed to be operating illegally.

However, the ICO will initially issue information and enforcement notices. This is understandable when you consider that few Government websites have implemented cookie-acceptance systems! Formal action will only be considered when an organization refuses to take steps to comply or is actively using privacy-intrusive technologies.

The Practicalities

Laws can only succeed if they’re clear and enforceable.

The current EU directive is intentionally vague because it’s almost impossible to legislate computer code and functionality which can be developed in an infinite number of ways. The onus is on organizations to determine whether they are breaking the law and take steps to rectify the situation. Unfortunately:

  • Few website owners understand the issues or know whether they comply.
  • Web developers won’t necessarily know when and where cookies are used in a complex system.
  • Assessing the legality of individual cookies will be impossible until precedents are set.
  • The legislation has arrived very late and it’s impossible to police millions of websites.

There will not be crack Government teams dedicated to hunting illegal websites; the ICO and equivalent bodies throughout Europe will respond to individual complaints.

But who will complain? An independent survey commissioned for the UK Government concluded that only 13% of users stated they fully understood cookies. 41% were unaware of different types of local storage and 37% admitted they had no idea how to manage cookies within a browser. Even when you know a cookie has been used, it’s impossible to determine whether it’s breaking privacy laws without accessing the back-end source code.

The ICO accepts the legislation will be difficult to enforce, but will act against any company flouting the spirit of the law.

Open Season for Scammers

While this law is aimed at protecting users, it’s scammers who gain the biggest benefit. If you’ve not been contacted yet, expect to see emails such as this appear in your inbox:

Your website contravenes The European E-Privacy Directive 2009/136/EC. The legislation was passed in all European countries on May 25 2011 and your website fails to comply.

You must act immediately. To avoid a monetary penalty notice of up to £500,000, please forward payment of £10,000 to Korupt & Vyle, Internet Solicitors, so we can advise further. If we do not receive payment within seven days, your company will be reported to the UK Government Information Commissioner’s Office and all EU regulatory bodies.

Is this blackmail? Or is the scammer exercising their right to sell you compliance services before reporting you to the authorities for illegal activities? Put it this way, if you send enough emails, you’ll eventually find someone with enough naivety and cash.

What Should You Do?

If you’re using cookies or other tracking technologies for dubious purposes, you already know it and probably aren’t concerned about EU or any other laws. For everyone else, I suggest a simple approach:

  1. Ensure you have a privacy policy link in the footer of every page. You might want to change this to “Privacy Policy & Cookie Usage”.
  2. Explain your use of cookies and, where necessary, link to the privacy policies of third-party systems such as Google Analytics (google.com/analytics/learn/privacy.html).
  3. Rather than devise a complex opt-in system, link to cookie resource sites such as aboutcookies.org which explain how to block, control and delete cookies.
  4. Do not respond to unsolicited emails offering cookie legislation help.
  5. If you are contacted by a genuine regulatory body, work with them to identify any privacy breaches and devise solutions. They will not charge for that service.

While the EU cookie directive may be dumb and unenforceable, it’s still a law. Unfortunately, common sense is not a legal defense.

  • “While this law is aimed at protecting users, it’s scammers who gain the biggest benefit.”
    So much for trying to protect us. :)

    What’s the fine in an EU country, apart from the UK? So far I have had negative feedback on the new cookie law implementation. Nobody wants it on their website. So if we know the consequence EU wide we’d be able to advise accordingly.

    • As far as I’m aware, France, Germany, Spain and Denmark have not reached the final stages of legislation which will determine their fines. They should have, but haven’t — probably because of the backlash against the directive.

      • Italy has not ratified the regulation yet.

      • I really struggle to understand how they would implement these fines. The internet is global, and the website could be hosted in more than one country. The service provided online could be targeted to more than one continent, let alone country.

        Sitepoint is as awesome as you maybe, is used worldwide, and even sells to anybody. Even though you’re based in Australia, you @Craig Buckler; from what I understand live in England, and the hosting for this website is likely to be more close to us than Australia.

        What grounds do they base our location on? Where the site is hosted? Where the company is registered? Where we live? Where our customers are from? How do they know where we live? Would they get this from the billing address of an eCommerce site? Could I not just create a billing address to another country? Seams that there might be too many factors that are out of the hands of the law makers.

        I really don’t think this is going go to work, and it’s a matter of time before they remove such a silly law and pass it down to the internet browsers than we’re using instead of the website owners, if that at all makes sense.

      • Also no two countries can agree on how the law should be implemented!

  • This is the result of people who do not understand how the web works dictating how the web should work in order to protect users who do not understand how the web works.


    • Well said!

    • Jason

      Indeed, well said. The thing I hate most about my job is having to deal with the massive, MASSIVE amount of stupid people, designers, developers and all other IT people included.

      “Think of how stupid the average person is, and realize half of them are stupider than that.” – George Carlin

      • Agreed, why can’t lawmakers think of what is happening. If I head into a physical store, and there’s a camera recording my movements, do I have to sign a consent form before I am allowed into the store? After all, its tracking my movements too.

      • And, of course, there’s little to prevent a government monitoring your electronic communications for “national security” reasons, either. Unless GCHQ are now going to ask permission?

  • My understanding is that the only state that has ratified this EU legislation, in a perhaps overzealous way (I guess there are other priorities), is UK. Others are ignoring the matter, so this statement is not exactly true:
    “In essence, if you’re using Google Analytics without the user’s consent, your website is operating illegally in Europe.”

    It really depends on where your company is located – even fines or other forms prosecution will surely vary from one member state to another.

    • It’s an EU directive so all member states were obligated to pass enforcement laws by 25 May 2011. How they implement and enforce those laws will depend on the country itself. To be fair, several have bigger problems than cookie rules so I guess it’s not at the top of their agenda!

  • Patrick

    I was infuriated when I learned about this legislation. Absolutely idiotic and unnecessary. One of the worst examples I’ve seen of misguided laws being passed by people who don’t understand what they’re doing. If every company complies with this, browsing the web (from the UK at least) will become far less smooth and natural. Virtually every website uses cookies – do you really want a popup asking you to set your cookie permissions on every single site you go to? Is that a good user experience? And of course, tracking the user’s choices requires a cookie itself, unless you want to ask every time they come to the site. Browsers already allow for cookie control anyway – concerned users can set exceptions for specific domains and domain patterns in any modern browser.

    In addition to hurting the user experience for everybody, it will only serve to confuse most users. Most users will not magically gain a proper understanding of cookies because of this legislation – they’ll make uninformed choices and probably in many cases restrict the use of cookies for no real reason other than a vague sense of “better safe than sorry”, hence reducing their own user experience. Then they’ll complain to site owners that the website doesn’t work properly any more.

    The ICO knows all of this. This is just another embarrassing piece of legislation that will be impossible to properly enforce anyway. Even most UK government websites are not compliant. The ICO has already effectively said they will not enforce this legislation in any meaningful way. I will not be complying with this at all until they directly threaten me with a fine.


    • Yep — the ICO is well aware of it. Have a read through their guide … it’s evident that the author(s) think it’s dumb too. Unfortunately, they must uphold the law even when it’s plainly ridiculous.

      • Patrick

        Must they really? Can they not stand up and say this law is unenforceable? This law is so badly designed and vague that there’s no realistic way we can ever get a majority of websites to comply with it? Can’t they turn around and tell the legislature that they’ve been asked to do something impossible and immeasurably damaging (if it was ever fully enforced)? Do we really have no recourse than to play along with this monstrosity?

        Can parliament (or the EU legislature, or whoever) not fast-track legislation to undo this? Laws are not permanent. They can be revoked. I’m sure if someone sits down with a few ministers somewhere and explains it in small words so they don’t get confused, we could reverse this patently retarded decision. The ICO should be leading the charge to repeal this.

      • Reading between the lines, the ICO are stating they are responsible for upholding the law no matter how stupid they consider it to be. It may eventually be overturned but, for the moment, it’s law and that’s that.

        I’d like to know whether these laws are or can be applied in retrospect. If you built a site two years ago and haven’t modified it, how can it suddenly become illegal?

      • Patrick

        From the sounds of it the law is applicable to all active websites. The ICO is specifically trying to get the 50 largest sites in the UK to comply – I’m sure most of those will be more than a year or two old. In the same way as older companies being forced to comply with new data security legislation regarding credit card processing (actually useful laws), the rationale here is that those poor, naive end users should be protected on any site of any age.

        What I’m interested in is how they intend to enforce it given the global nature of the web – hypothetically, if a UK registered company has a website hosted on a server in Dallas (or on a globally distributed network of servers), which they had developed by a freelancer in Sydney, and they serve page views to users from Tokyo, are they expected to comply with this? If I have an international website accessible from any country, am I supposed to selectively show a cookie notification / checkbox to people from Europe only? How am I supposed to know where my users are coming from? IP address is not really a reliable measure of user location. As far as I can tell, this is not addressed in the ICO guidelines.

      • Have you seen this article? “Dear ICO, this is why web developers hate you”

  • Sigo

    I say block your sites via ip for european countries and avoid problems

    • Patrick

      That’s great unless you happen to be a european company or have european customers.

      Also, using IP to determine country of origin is not reliable.

    • There’s very little European authorities can do if you’re based outside the EU zone. Blocking IP addresses will only harm one company — yours.

  • AB

    If my website is based and hosted in the US, do i need to worry about this?

    • If you are based in Europe and have European visitors then, yes — the law applies to you. It doesn’t matter where the site is hosted. That said, the legal practicalities of obtaining your source code to check cookie use would be far more difficult for the authorities. I’m sure it’d never come to that, though.

      Few European sites are implementing any changes so, unless you’re a large company, don’t worry or spend a fortune updating your systems.

      • AB

        Ok, thank you.

  • The UK’s Guardian newspaper is reporting that the cookie law has been changed to introduce “implied consent”. In other words, the act of accessing a website implies your acceptance of its cookies. You don’t need to change anything.

    I’m not convinced and the updated document is still a little vague. There’s also the question whether the UK is now out of line with the EU.

    The situation’s a mess and no one knows exactly what they should do to comply with the law.

    • MM

      Craig, this is what I know:

      The law has not been changed; it’s the way the UK decided to implement it and they’re risking penalties because of it. Implied consent is not valid according to this law.

      Wether client-side storage has “privacy implications” is irrelevant; unless it “is strictly necessary for the provision of a service or communication requested by the user” (which analytics is not) you’ll need consent.

      “in the case of third-party cookies, both parties have a responsibility to ensure users are informed about cookies and consent is obtained”
      The party hosting a website using analytics is the only party responsible.

      • Len

        As no other country in Europe seems to be implementing the legislation at all [citation needed] I don’t think the UK has to worry about being penalised.

    • Patrick

      I’ve seen a few conflicting reports about this. Some seem to be saying that implied consent (i.e. the same thing we’ve had forever) is what they’ll be trying to enforce (does it even need enforcing?), others suggest that implied consent will be accepted for now, but the ICO may start cracking down and requiring explicit consent in the future.

      The ICO itself is doing an absolutely horrible job of communicating any of this to anybody.

      In any case, the policy seems to be that the ICO will only go after companies if they get a specific complaint, and their first response will be to encourage compliance rather than a fine. So I think the best strategy is to ignore all this (at least until they make their mind up about what they’re going to require) and take action only if you’re actually contacted with a complaint.

  • itmitică

    There are technical issues that come along, a different sort.

    Let’s assume you have a mobile version for your site. Your mobile users have a link on that mobile site that leads them to the full site. Without cookies, or some storage of sorts, how are you going to respect a mobile user wish to use the full site instead from that point on?

    • Absolutely.

      Also, how does a site remember that the user doesn’t want cookies? You store a … ahh.

      • itmitică

        It would be passed on in the URL.Which would possibly revert all the good permalinks provide?


      • Patrick

        Passing it in the URL is not a viable solution as it interferes with site-critical tasks like SEO.

      • itmitică


      • If the user clicks a button to indicate they don’t want cookies, you can cookie them for that purpose alone because not receiving cookies (and not being continually bugged by pop up boxes) is a service they have now requested of you. I think.

        As a UK-based web design company I’ve changed the title of my privacy policy and listed out the cookies I use for analytics and remembering commenter details. Now I’m waiting a bit to see what happens, but will probably implement the Silktide Cookie Consent code because its nicely implemented and allows for user wishes to be seen by websites that utilise it.

  • I’m in the UK right now and sitepoint isn’t asking for cookie permission?

    • SitePoint is an Australian company that hosts in the US and has a global market. UK and EU-specific laws don’t apply.

      Besides, how many European websites have implemented cookie-permission technologies?

      • No matter where you’re hosted or based, the law still applies if you have a European audience. Although being based outside the EU probably means they can’t touch you, which is fortunate! Although that’s not stopping the ICO from wanting to go after other non-UK companies like Facebook: http://www.computerworlduk.com/news/public-sector/3360129/ico-gives-amazon-cabinet-office-and-facebook-warning-over-cookie-law/

        I’m not quite sure if international websites need to comply, and what the level of threat is, so will be watching this quite closely.

      • My comment was inline with David Ball’s below. Euro audience apparently = need for cookie permission request. Needless to say, it’s a pointless law.

  • camus

    on bt.com if you disable javascript , no pop up shows asking for permission. and when i revoke the permission the cookies are still on my computer. It is just impossible to comply with a law written by bureaucrates that dont understand anything about webtechnologies. Way to ge Europe , cant wait to get rid of UE.

  • One of my clients has complied with the law in it’s original state and asks for users permission to place a google analytics cookie. Looking at the analytics, the client has a opt in rate around 10%. Which means that using that data is a a bit pointless.

    • That’s a big part of the problem. When faced with a question such as “Do you want cookies stored on your PC?”, most users won’t understand what to do and simply click “No” even if they’re warned about having a lesser experience.

      The cookie law hopes to educate users but neglects to consider that most people couldn’t care less about how technology is implemented.

      • In my own experience most people just ignore the pop over.

    • Len

      Same thing happened to the ICO when they added their ‘opt-in’ box.

  • Dave

    I won’t be implementing anything on this myself. Asking users for permission or putting an easily visible notice on your site that it uses cookies will just confuse them. A privacy policy that details why you use cookies and what information is stored is enough in my opinion.

    I can’t see the majority of websites implementing this either, and expect the law will either be modified, dropped, or ignored.

  • Kudos to Craig Buckler for the understatement of the decade:

    To be fair, several [EU countries] have bigger problems than cookie rules so I guess it’s not at the top of their agenda!

  • My response to this is exactly the same as my response to the need to charge VAT. I’ll ignore it.

  • Sean

    Not there, don’t care. From the Eurozone and don’t like cookies? Here’s a rat hole and a bag of sand.

    • Remarkably this actually seems like the most sensible response to the situation.
      (sorry to those poor bastards who don’t have that out)

  • intrr

    You see… it’s not Global Warming, Starvation, or Wars that will ultimately destroy society. It’s beurocratic fucktards sitting in their parallel universe spending their time and taxpayers’ money to think of new ways to fuck the world.

Get the latest in Entrepreneur, once a week, for free.