How to Get Your Website to Comply with the EU Cookie Law?


In May 2011, the Information Commissioner’s Office first announced that websites have to explicitly seek consent for cookies (cookies are text files that record your activity online). Later known as the EU cookie law, it took effect in May 2012 with a grace period of a year.

Developers were outraged, every website in the EU would become illegal, and users would not be happy with popups every second or so. Interestingly, 24 hours before the prosecutions started, there had been a clarification of the law that said you only needed to have implied consent from users to use cookies.

What’s the cookie law all about?

The cookie law is a piece of privacy legislation that requires websites to obtain consent from visitors to store or retrieve any information from a computer or any other web-connected device, like a smartphone or tablet.

It has been designed to protect online privacy, by making consumers aware of how information about them is collected by websites, and enable them to choose whether or not they want to allow it to take place.

If you are based in the EU and own a website, you are now expected to comply with the law.


How to comply to the EU cookie law?

The easiest way to comply with the cookie law is to follow the accepted standard: implied consent.

Implied consent does not require a visitor to explicitly opt-in to the use of cookies on a website. However, it does mean there has to be an action taken by the user to confirm that consent is given, after there has been sufficient attempt to clearly inform the user about the use of cookies on the website.

These actions may be moving from one page to another, clicking on particular buttons on the website or choosing to continue to use the website.

What are the penalties if you do not comply?

The maximum penalty is £500,000. Whilst this is the ‘maximum’, its worth pointing out that this would be a rather extreme case of failure to comply. A formal warning and enforcement notice are far more likely, but should be avoided nonetheless.

How we did it?

Since we deploy a lot of web applications and websites for our clients and ourselves, we wanted to develop a standard system for resolving this issue.

We took inspiration from Google’s approach, as you probably noticed when you visited our site. We added a simple floating element to our page that says that we use cookies, and if you don’t disable them in your browser settings, you are OK with us using cookies to enhance your experience.

As we work primarily with Ruby on Rails, we created the cookies_eu gem to make any web application simple to comply by just adding the gem to the Gemfile. It’s open source, and you’re welcome to use it for your own Ruby on Rails applications.

If you don’t use Ruby on Rails, you can probably roll your own solution quickly in the technology you favor. We’ve provided a sample of a cookie privacy page that needs to be located somewhere on your webpage, which you can see here.