A friendlier solution for compliance

The law requiring websites to gain consent before storing cookies on users' computers was passed in the UK in May 2011. The law has been adopted in most other EU states, but there are some major differences in how each state interprets the cookie law.

Apart from one or two lonely voices, reactions from website owners have been entirely negative. Many saw the law as an ill-conceived nonsense that failed to appreciate the technical reasons for which cookies are used. Many are holding out for a u-turn on the legislation, perhaps in the hope that a Conservative, red-tape-busting government might be averse to interference with the World Wide Web. Some plan never to comply and others hope for some kind of meta-solution from browser vendors and the major players like Google and Facebook.

Lonely voices

But the law isn't ill-intentioned. In fact, while it poses one or two compliance headaches, we believe that it's Quite a Good Thing.

Big providers of Internet services, particularly Facebook and Google, liberally use cookies to make their services work, track user behaviour, sell us things and personalise our browsing experience. They keep telling us that data is anonymised, that they only have our best interests at heart, and that they exist to make the world a better place. 

Even if we believe them, the fact is that data, once it is brought into existence, has a creepy way of getting about, being repurposed for commercial gain, or otherwise misused. Google, with its control over Adwords, Analytics, Gmail and a host of other services, has the means to track much of our activity online. Not that it chooses to exercise that power. And in theory laws exist to discourage it from doing so.

We think the new cookie law will produce a new kind of good practice for websites. The rules will help prevent such user-identifiable data getting into the hands of big corporates (and their governments). Ultimately, for the protection of individual freedoms online, this is a good thing.

What the law means for webmasters

There are a few steps to go through in order to achieve compliance with the law:

  • You must audit your cookies and present clear information about them on your privacy policy
  • Depending on the kind of cookies you're using on your site, you must decide on a model for managing user awareness and consent. We have identified three such models (below).
  • You must make any technical changes to cookie-storing scripts in order to test for consent before a cookie is stored.

In practical terms it means you need to avoid using cookies or deploying third party software that uses them except where it is essential for the purpose of making your website work. This is because as soon as explicit consent is required, users may refuse that consent. If you see a particular feature as important, you'll want to know that it will work all the time, whether or not users have consented to cookies.

Bear in mind that in the UK, the ICO is taking a relaxed approach to analytics. Their guidance is that analytics cookies are fairly unintrusive and that therefore, as long as you inform users about their use, explicit consent is not required.

A friendlier user-interface

Cookie Control has been carefully considered in terms of user interaction design. Some solutions interrupt the critical head of the page area with a banner-style consent form. Others interrupt the entire browsing experience altogether, obscuring all content before you can proceed.

Our aim with Cookie Control is to provide a mechanism for getting consent that minimises the impact on the user experience of your website that you've spent many hours carefully crafting. A single button press is all that we require from a user to secure their consent.

Consent Models

Information Only

Suitable for: sites where the only cookie-setting scripts are analytics, webmasters who lack the skills to adapt their scripts to interact with Cookie Control's callbacks / functions.

Behaviour: Cookie Control pops up with a notification for users about how cookies are used on the site. It appears once only. (A cookie is set to prevent it popping up on every page.)

Implied Consent (Opt-out)

Suitable for: most sites - unless cookies are very intrusive indeed. Webmasters must adapt their cookie setting scripts to work with Cookie Control callbacks and functions.

Behaviour: By default all cookies are enabled. The old "I'm happy with this" button has been replaced with a new switch toggling between "Cookies are off" and "Cookies are on". This is more akin to the BBC's current approach. By default, we'll only pop up the UI when a user first visits a site.

An ironic side effect of this approach, which will upset purists, is that a cookie must be set if a user opts out. We do, however, warn users about this.

Explicit Consent (Opt-in)

Suitable for: the extremely risk-averse, sites with very intrusive cookies. Webmasters must adapt their cookie setting scripts to work with Cookie Control callbacks and functions.

Behaviour: By default all cookies are disabled. The UI will pop up on every page load. Users may suppress the pop-up without opting in - although this requires, you guessed it, a cookie. This is pretty much how Cookie Control works at the moment.


We didn't want to be too prescriptive about how you use Cookie Control. When you visit the configuration page you'll find various options enabling you to change the position of the Cookie Control icon, populate your own notice text, link to your privacy policy and determine whether you want the user interface to be open on page load, or closed. For full compliance Cookie Control users should set the user interface to open on page load.

Eventually we hope the Cookie Control icon will be so well known that its presence alone will be enough to signify the use of cookies on a website.

Tweaking your scripts

Examples are provided on how to adapt typical third party scripts to test for user consent before they run, and the team at CIVIC are ready to help with custom implementations.
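As an added illustration (not CIVIC's code and not Cookie Control's own callbacks), here is how the three consent models described above decide when the notice opens and whether a cookie-setting script may run. The names `createConsentGate`, `createJar` and the `consent_state` cookie are hypothetical, and an in-memory jar stands in for the browser's cookie store so the example runs offline.

```javascript
// Added illustration: createConsentGate, createJar and the "consent_state"
// cookie are hypothetical names, not Cookie Control's own API.
function createJar() {            // in-memory stand-in for document.cookie
  const store = new Map();
  return { get: (k) => store.get(k), set: (k, v) => store.set(k, v), has: (k) => store.has(k) };
}

function createConsentGate(model, jar) {
  const KEY = 'consent_state';    // values: seen | dismissed | on | off
  if (!['information', 'implied', 'explicit'].includes(model)) {
    throw new Error('unknown consent model: ' + model);
  }
  const allowed = () => {
    const s = jar.get(KEY);
    if (model === 'information') return true;    // notice only, nothing is gated
    if (model === 'implied') return s !== 'off'; // on by default, until opt-out
    return s === 'on';                           // explicit: off until opt-in
  };
  return {
    allowed,
    // Called once per page load; returns true if the notice should open.
    pageLoad() {
      if (jar.has(KEY)) return false;            // a choice or marker already exists
      // Information-only and implied models show the notice once, which needs
      // a marker cookie (for the implied model that marker is an assumption).
      if (model !== 'explicit') jar.set(KEY, 'seen');
      return true;                               // explicit: reopens on every load
    },
    optIn() { jar.set(KEY, 'on'); },
    optOut() { jar.set(KEY, 'off'); },           // remembering a refusal needs a cookie
    dismiss() { if (!jar.has(KEY)) jar.set(KEY, 'dismissed'); },
    // Wrap any cookie-setting script: it runs only when consent allows it.
    runIfConsented(script) {
      if (!allowed()) return false;
      script(jar);
      return true;
    },
  };
}

// Constructed stand-in for a third-party tag that stores a cookie.
const analyticsTag = (jar) => jar.set('_analytics_id', 'constructed-visitor-1');
```

In a browser, the jar would be replaced by reads and writes of `document.cookie`, and each third-party snippet would be passed to `runIfConsented` instead of running unconditionally.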

The solution was originally rolled out in response to the needs of CIVIC's many government clients, including the Scottish Government, SQA, Skills Development Scotland and the NHS. 

Cookie audits and privacy policies

A cookie audit might sound daunting, but actually it's easy to do. We've explained a bit more over on the deployment page.

Let's try it!

Heard enough? Go ahead and grab your code.

Need support?

Please visit the support forum.

