IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What exactly is The Cookie Law?

The Cookie Law explained: What it means and why it's important


It won't come as a surprise to learn that the internet and those using the internet for business are becoming more savvy about tailoring information (and especially ads) specifically for its audience.

These days, data on your search habits, the sorts of ads you like to click on, and how long you spend on a site are all collected in the form of cookies - small files that are installed on your browser.

While the majority of cookies are there to help improve the user experience, including helpful tools like remembering what you had in your checkout basket, it used to be the case that a great deal of this data gathering was done with very little transparency.

In a bid to protect user privacy, a new EU directive was drafted to give greater power to users, known as the Cookie Law.

What exactly are cookies?

Cookies are just simple text files which contain two pieces of information; a site name and a unique user ID.

For example, when you visit a site that uses cookies for the first time, a cookie is downloaded onto your device so that the next time you visit that site, your computer checks to see if it has a cookie that is relevant (that is, one containing the site name) and sends the information contained in that cookie back to the site.

The site then 'knows' that you have been there before, and in some cases, tailors what pops up on a screen to take account of that fact. This can be helpful to vary content according to whether this is your first ever visit to a site or you visit a particular site a lot.

What is the Cookie Law?

The Cookie Law was first introduced as an EU directive on 25 May 2011 and has since been respected by all member states. In the UK, the principles of the Cookie Law were folded into an update of the existing Privacy and Electronic Communications Regulations.

Generally speaking, the law requires organisations to seek consent from visitors to store or retrieve information on a desktop, laptop, tablet or mobile device. It also gives users the right to refuse the use of cookies if they believe it will diminish their sense of online privacy.

What are the benefits?

The law was designed to protect online privacy by raising awareness among users and customers about how digital information is collected and used. It also presents them with a choice over whether or not they are comfortable with it.

When the legislation first came into force in the UK, the then Information Commissioner Christopher Graham spoke of the Cooke Law's "positive benefits", saying "it will give people more choice and control over what information businesses and other organisations can store on and access from consumers' own computers".

New revisions

In early 2017, the European Commission proposed updating the Privacy and Electronic Communications Regulation in a bid to replace the existing laws.

The draft regulation, dubbed the ePrivacy Regulation, provides a set of new rules on the use of cookies and direct marketing through electronic communications. If it comes into force, the new law would update the current rules on confidentiality of electronic communications, and bring service providers within the scope of the EU's ePrivacy laws for the first time.

The ICO's submission to the EU's consultation on the issue said the rules should be tweaked to "achieve a proportionate balance" between privacy rights and "legitimate interests of information society services".

Users of electronic communications services would also obtain a new right to object to the processing of their electronic communications data, and could potentially win compensation from communication providers if they have "suffered material or non-material damage as a result of an infringement" of the new rules by those companies, said law firm Pinsent Masons.

It was anticipated that the ePrivacy Regulation would launch at the same time as GDPR, and sit within its scope. However, further deliberation on ePrivacy has delayed its enactment, and so it's now unlikely to appear until late 2019.

A full guide to the upcoming ePrivacy Regulation, and how it will fit into wider data protection policies, is available here.

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

Warning issued over ransomware attacks targeting VMware ESXi servers globally
cyber attacks

Warning issued over ransomware attacks targeting VMware ESXi servers globally

6 Feb 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023
BT Group extends Kyndryl deal to migrate legacy mainframe apps to the cloud
Business strategy

BT Group extends Kyndryl deal to migrate legacy mainframe apps to the cloud

31 Jan 2023