But you should probably obey it if you run a website

May 26, 2012 19:31 GMT  ·  By

The dreaded cookie law is about to start to be enforced in the UK. The Information Commissioner's Office doesn't seem intent on going after everyone that disobeys the law from day one, but it will get to that eventually.

If you run a website in the UK and much of Europe, it helps to know what you're up against.

The UK law stems from an EU directive which is supposed to be implemented by all members countries.

So far, some have, some haven't. Even the countries that implemented the directive chose to interpret it in different ways.

The directive says that websites must have permission from user before placing cookies or any other type of data on people's devices, for the purpose of retrieving it later.

Cookies are the most common use case, but it also applies to HTML5 local storage, Flash local storage and so on.

Cookies and other data that are needed for the site to function, i.e. non persistent login cookies, don't need any confirmation.

The part that has been left to interpretation is about the "consent" part. Some countries, including the UK, argue that users must be notified and have to agree, i.e. click on "yes," "confirm," "continue" and so on, before sites can place cookies.

Other countries believe that browser settings are enough to know users' preferences. For example, if the browser is set to accept cookies, as most browsers are by default, users implicitly agree to them.

Another wildcard is the Do Not Track setting, which would simplify the issue a lot, but the various laws around Europe don't all deal with the feature.

For now though, in the UK, you're going to have to build a way for your website to get consent before placing cookies outside of those needed for the site to work.

This means for analytics cookies, ad cookies and any other type of tracking cookie, but it is not limited to that.