Monday, 28 May 2012

Cookie law implementation watch

Here's a quick listing of some sites, and how they have implemented the cookie law...the good, the bad and the ugly...

Last updated: 28th May 2012. Tweet your examples to me!

The Good


It gives clear information, clear routes to find out more and set preferences (a pain in the arse to implement for most small businesses, but actually very good for user-control), and an implied consent model that doesn't impact on their long term analytics and functionality (mainly due to the sheer number of page hits will receive).

Royal Bank of Scotland

Clear implied consent messaging, prominently placed. It's not amazing but it does the job, with settings easily accessible to disable cookies on site.


Barclays actually takes this one step further. While their initial messaging could possibly be a little more prominent, the way of interacting to set your cookie options is very clear and user friendly.


On the face of it, not a great implementation, opting for the less obvious "bottom toast" option for highlighting cookie options. However they save themselves well with what looks like a tool that others might be able to use that constantly stays on the page, showing the kind of cookies that are being used and quick access to turn them on or off

The Bad

Political party sites



Lib Dems

Yes, they've made an effort, a tiny little toaster pop up in the bottom right hand corner. But is it enough? In the case of the Lib Dems they follow the implicit consent model to the letter. Zero cookies on site before you continue usage, but with no options other than to change your browser preferences users are left slightly in the dark. The Tories do next best, though in reality the only cookies they seem to use are third party ones...and they let them through regardless. The presumption here seems to be they don't have to worry about third party cookies. They're wrong.

Either way, as with Labour, this messaging feels far from prominent and certainly not aimed at giving users of the site a clear choice or information.

Then you have Labour taking it to another level, setting every cookie under the sun on the presence that simply being on the site gives them permission. This is about the worst kind of implicit consent I can see. Yes they inform, yes they give links to how to cut the cookies out...but allowing all cookies all the time regardless of any user interaction seem, to me, to be stretching the advice of ICO very, very far.


Blink and you'll miss it. Instantly one of the better toaster pop ups hidden at the bottom of the is large and black and shiny looking after disappears after about 30 seconds, if that. No chance to see what it says if you missed it without going and deleting your cookies again. Quite simply someone could open this site amongst a flurry of tab opening and never see this message. Terrible.


At first glance Asda doesn't seem to implement anything to adhere to the law. Scroll to the bottom, however, and you'll see they do! Well, it might be up for debate on whether or not they actually can count as having implemented a consent mechanism here, actually...

The Sun

Marginally better than Asda, this tiny message at the bottom of the page on half faded out black is at least always nestled just out of natural view on the bottom of the window, but you don't have to scroll to see it. It's still a crappy implementation.


Like Asda, an afterthought, but at least styled better. What can I say, I don't believe that this method would stand up to any kind of scrutiny if someone took it to the ICO.

London Stock Exchange

On first inspection this may look like a good implementation, it asks an opt in question...but the reality is that it sets cookies (it tells you it sets analytical ones, not so much letting you know about the advertising based ones) and continues to use them even if you never use the message. Sure, this might be implied consent...but why have the explicit opt in message?!

The Ugly


It adheres exactly to the law, it is the shining example of how to follow the law...yet it is an ugly looking implementation that has already proved to ruin accurate analytical tracking through user indifference. It might be the right thing to do legally, but from a "business case" view, it is just a bit nasty.

All About Cookies

First I thought: "Good on them, making a statement". The prominent pop up really forces the issue in to the open. But then they still let google ads operate in the background, even when the cookie option is set to be restricted. Confusing much? Maybe they're just sticking two fingers up at the legislators while appearing to comply. *shrugs*

The Guardian

It's simple messaging, devoid of a clear opt out, instead relying on telling people that they can change their settings in their browsers. The only reason this doesn't make it in to the "bad" section is it's very clear way of showing what cookies there are on site, and what they are used for.


OK, so Ugly might be the wrong word given how cute they've tried to be (and how little most other ad agencies are bothering!)...but it kind of doesn't do what it's meant to. Like many other examples, a lack of actually letting people know what they're opting in to with a bar that is essentially just an annoyance urging you to press yes just to get it out of the way. It would be a perfect solution before ICO changed it's advice...except that it still sets an advertising cookie (or so it appears) from a third party so the information about cookies on the site is not really accurate.


Barclays and RBS really showed how you can be responsible on this front, on sites where people take their privacy and security a little more seriously as standard. This messaging by HSBC is ok, but it really feels slapped on.

Church of England

Some are preferring this option (see below), most that do so choose this route to make a statement about how ridiculous this law is. However the messaging here, to click a button that doesn't exist. The impression here is that by closing the window you're accepting the cookies, yet with such a window you'd also expect to be able to NOT accept....very poor and muddled design.

The... Absent?

Facebook/Twitter/Google etc.

These sites may be the ones you interact with most on a daily basis. They aren't required to adhere to this law, since they are not "UK based" as far as I can tell. It makes a mockery of the law in itself that UK businesses are having to go out of their way to adhere while there isn't a more "global" agreement. Other top sites viewed in the UK also include Yahoo, MSN...again, all not covered by this law that is far too geographically based for a world wide web.

Number 10

Why? The website of the premier office in the land...and they're technically breaking the law. Sure, they have a link to cookies in a prominent place, but this is 2003 legislation, not 2011 that would require some form of consent!

Money Saving Expert

After a brief tweet earlier I came to understand that the Money Saving Expert team seem to believe that having a link to a page for Cookies on each page, at the bottom amongst other legal links, is enough to adhere to the law. I don't know if this is just oversight, or poor advice, but even under new ICO advice it'd be surprising if this stance would constitute the correct "context" within which it's reasonable to assume a user has given consent.

Just to reitterate how ICO put it, if you roll up someones sleeve in a doctor's surgery and they don't stop you, then you don't have to explicitly ask them if it's ok to take their blood pressure, you can take implied consent since it's clear (from the environment, reason for the visit, and the action) that they would know what you're doing and tell you if they weren't ok with it. Is simply being on a website enough knowledge of how they work to take implied consent? If the law makers believed that users were that clued up then they wouldn't have felt the need to make the law in the first place!

DMA/Assorted digital agencies

The DMA are just an example of really how hostile (or indifferent) those who actually directly interact with this law as part of their profession are to the Cookie law. Look, they have at least 2 or 3 mentions of the Cookie law on their site, yet no adherence! This is the same across many of the top digital agencies in the country. Telling.


Arguably the biggest businesses in the UK, certainly in retail terms...does this mean they care about giving people information about the cookies on their site? Not yet.

Independent/Daily Mail/Express, etc.

I'd expect it of the Daily Mail and Express, sticking it to those EU bastards that are probably only doing this to hit the mail's visitor stats and therefore ad revenue </conspiracy theories> but why can't the Independent get it's act in gear?


So there may be an implementation here on the way, but for now I thought I'd just highlight the above. Essential cookies? According to who? Certainly not the ICO who take the user's view that analytical tracking, A-B testing and CERTAINLY "allow us to reward some external websites for directing you to us", are not "essential" functions for your site!


Quite simply, if the BBC can do it, and the ITV can try and fail to do it, why can't Sky at least have a go at implementing a solution?

The Monarchy

One does not care about cookies, it seems.


I won't bother with screenshots, suffice to say that while other banking groups have pulled their finger out to varying degrees, these have not. You'd think that things like PPI and causing an economic global crisis might make them a little more keen to play ball.

The Law Society

They're the law society. The LAW....SOCIETY...OF LAW... and yet they don't yet follow the rules. Enough said?


  1. as the ICO changed the ruling to implied consent 48 hours before the deadline, I think the best implementation is a link to a cookies policy in the footer. Anyone agree?

  2. Absolutely disagree. I think you need to be careful about what the ICO advice actually says, I reproduce it here for clarity...

    "It has been suggested that the fact that a visitor has arrived at a webpage should be sufficient evidence that they consent to cookies being set or information being accessed on their device. The key here is that the visitor should understand that this is the case. It is important to note that it would be extremely difficult to demonstrate compliance simply by showing that a user visited a particular site or was served a particular advertisement unless it could also be demonstrated that they were aware this would result in cookies being set."


    "This remains the case if information is provided to the user but only as part of a privacy notice that is hard to find, difficult to understand or rarely read. This is why the “do nothing” approach is not enough. The understanding is all on the website operator’s side and the user “giving” consent is unaware that their actions are being interpreted in this way. The user is not informed so in the context of the Regulations, this is not valid consent."

    I would argue the very least you need to do is to have a link about cookies on your site *at the very top* with options therein to disable cookies on the site.

  3. The ICO's advice isn't what people should be following here; they should be following the law itself, which says:

    "A person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless ... the subscriber or user ... is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and ... has given his or her consent".

    And also:

    "For the purposes of [the paragraph above], consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent."

    So, reading the law and the law alone, to achieve compliance you must only provide users with "clear and comprehensive" information about the purposes of the cookies your site uses by way of a privacy policy or dedicated cookies policy. Most sites already do this. The law does not say this information has to be thrust in the user's face at the top of the page or in a pop-up message; it only says the information has to be "provided".

    Furthermore, your site does not have to seek users' consent to set cookies as users will already have "signified" consent by changing their "internet browser controls" (sic), or opting not to change the default settings, to accept all cookies from all sites. The law does not even say that consent must be given on a per-site or per-cookie basis, only that it must be "given" and that changing browser settings count as giving it.

    The ICO advice is neither here nor there. Follow the law.

  4. Since it is ICO who will be essentially administering the law, the ICO advice is both here and there.

    1. They certainly are responsible for enforcing the law, but they can't read into it what isn't said in it, and that's what they're doing by asserting that relying on a privacy policy and a user's browser settings would be non-compliant.

    2. You've quoted the law:

      "consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses"

      Amends, or sets. Using the browser in it's default mode, therefore, is not consent.

      Given that browsers (and portals to access content that do not even have cookie control) do not yet provide enough information to websites to show that consent has been given in this way, it falls on the websites themselves to get consent.


Got something to say about my post? I'd love to hear it!

Try to keep it civil, I don't delete comments unless obliged to or feel the thread is getting too out of hand, so don't make me do it.