
Ecommerce and the ‘Cookie Law’ – What you need to know about cookies

For ecommerce website owners, the deadline to comply with Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 passed on May 26 2012. This regulation is more commonly known as the ‘Cookie Law’ and it affects every ecommerce website in the UK. This white paper discusses how you can comply.

‘C’ is for..

Before we talk about the Cookie Law, you should understand what a cookie is. If you don’t know, the Information Commissioner’s Office (ICO) has a nice explanation: Cookies – advice for members of the public.

Now, the cookie law (Regulation 6) was actually changed in May 2011, but the Information Commissioner’s Office decided to give businesses a full year to work out their compliance before they would take to prosecuting cases.

Their reasoning was (rightly) that it would be technically challenging for most website owners to gain the explicit consent needed from a website visitor before storing cookies on their computers.

Apart from a handful of supporters, most reactions to the law have been negative; some reactions have bordered on outrage. Most seem to see this law as a poorly conceived token gesture put together by people who know nothing about the technical reasons for using cookies in the first place.

As a consequence, a lot of businesses held out for the legislation to be withdrawn, and some have yet to comply. But the law is in place and the deadline to comply has passed, and we expect the ICO to start compliance audits and prosecutions soon.

What the law is supposed to do

The law did begin with good intentions. It was originally conceived to stop advertisers and businesses from illicitly (and intrusively) tracking people’s private browsing habits across the web for advertising and targeting purposes.

The EU and the UK deemed this an infringement of privacy and felt that the time had come to stop this practice. However, instead of working with the web browser makers (Firefox, Chrome, Internet Explorer, Safari), the ICO and its European counterparts chose to (controversially) force businesses to sort out the management of cookies.

That means you need to understand what cookies you use and how to make sure you are complying with the law.

What it means for your website

Basically, you need to ensure that your ecommerce website does not use cookies, or third-party software that uses cookies, except in cases where the cookie is essential to carry out the transaction or is user-initiated. And even then, you must explain somewhere to the user what information you are storing and why.

Getting explicit permission to set cookies on someone’s computer is going to be bad for business. The reason is that most people don’t understand cookies and when presented with the option, they will choose not to accept cookies from your website. That could spell the end of a great experience for your visitors and a lot of lost business.

Best not to have to ask in the first place.

The ICO does give some exemptions for obtaining consent from your users. In very basic terms, you won’t need explicit permission to place a cookie on a user’s computer if:

  1. The cookie is essential for a service that is being specifically requested. This includes cookies for remembering items in shopping carts (add to cart), accessing password protected areas (log in), and even for remembering what someone has entered into a form field so that it isn’t lost if the page refreshes.
  2. The user makes a choice in their use of the website (e.g. language) and you need to store their choice to display the website correctly. This would also include storing their text-size options, colour choices and even submitting comments.
  3. It is used for anonymous site analytics and certain types of advertising.

That’s good news for most ecommerce website owners. But in every case, your website Terms & Conditions and Privacy Policy must clearly explain what type of cookies you use, what these are used for and how your user’s personal information is protected.

There is no way around this law, and you need to do something…now.

Conduct a cookie audit

The best thing to do is consult with your web development agency to understand which cookies are being used on your website and what they are used for. Only they will know which ones are essential for the operation of your website and which ones are not.

The cookies you keep will need to be addressed specifically in your Terms & Conditions page. If you are setting any cookies that need explicit permission from the user to set (advertising and targeting type cookies), then you will need to implement a way of getting that permission from the moment a visitor lands on your website.

That can get pretty technical.
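As an added illustration (not part of the original white paper), the sketch below shows what a cookie audit can look like in code: it joins the cookies a site was observed setting with an inventory of their purposes and reports what to do with each. The cookie names, hosts, purposes and the captured `Set-Cookie` values are all constructed assumptions; the categories follow the exemptions listed above.

```python
# Added example: cookie audit over captured Set-Cookie headers.
# Cookie names, hosts and the inventory are constructed for illustration.
EXEMPT = {"essential", "preference", "analytics"}  # the article's exemptions
CONSENT_REQUIRED = {"targeting"}                   # advertising/targeting cookies

# Inventory agreed with the developers: cookie name -> purpose (assumed).
INVENTORY = {"session": "essential", "cart_id": "essential",
             "lang": "preference", "_stats": "analytics",
             "ad_track": "targeting"}

# Constructed capture: (host that sent the response, Set-Cookie value).
CAPTURED = [
    ("shop.example", "session=9f2c; Path=/; HttpOnly; Secure"),
    ("shop.example", "cart_id=77; Path=/; Max-Age=86400"),
    ("shop.example", "lang=en-GB; Path=/; Max-Age=31536000"),
    ("ads.example", "ad_track=u123; Domain=ads.example; Max-Age=63072000"),
    ("widgets.example", "wid=abc; Domain=widgets.example; Max-Age=2592000"),
]

def parse_set_cookie(value):
    """Return (name, attrs) for one Set-Cookie value; attr keys lowercased."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def audit(site_host, captured, inventory):
    """Join observed cookies with the inventory and decide an action for each."""
    rows = {}
    for sender, header in captured:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", sender).lstrip(".")
        purpose = inventory.get(name, "undeclared")
        if purpose in EXEMPT:
            action = "document in policy"
        elif purpose in CONSENT_REQUIRED:
            action = "block until consent"
        else:
            action = "identify or remove"  # nobody has accounted for this cookie
        rows[name] = {
            "purpose": purpose, "action": action,
            "first_party": site_host == domain or site_host.endswith("." + domain),
            "persistent": "max-age" in attrs or "expires" in attrs,
        }
    return rows

if __name__ == "__main__":
    for name, row in audit("shop.example", CAPTURED, INVENTORY).items():
        print(name, row)
```

Cookies that come back as "identify or remove" are the ones the audit exists to find: they are being set, often by third-party scripts, without anyone having recorded why.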

How to get consent

Even though you don’t need explicit permission to set certain cookies, you will still need to let your visitors know about the cookies on your site and give them a way to control this experience through a kind of cookie control widget.


Give us a ring at the Vu Office on 01803 866 430 or email us at lets_talk@vuonline.co.uk.

