Cookie laws

This guide is based on UK law. It was last updated in June 2011.

Cookies are small text files that most websites use to recognise their visitors. A European law of 2002 required that these visitors be given certain information about cookies. From 26 May 2011 the law changed: in addition to being given certain information, visitors must give their consent to the placing of cookies.

This guide explains the new UK regime and outlines the current advice on how to achieve compliance. The law comprises the Privacy and Electronic Communications Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 ("UK Regulations").

The UK Regulations are derived from EU Directives. Each Member State has some discretion in how it implements a Directive. Therefore, the cookie laws in other European countries may differ from those of the UK.

What are cookies?

When you visit a website for the first time it is likely that one or more cookies will be sent to your computer by that website. A cookie is a small text file that can be used to assign a unique reference number to your computer. That number only makes sense to – and is only readable by – the domain (usually a website) that served it. When you return to that website on another day from the same computer, the website can read your cookie and, in effect, recognise you.

This simple technology gives websites a memory. It is possible to set your browser to block all cookies, but doing so will make some websites difficult or impossible to use.

Third party cookies

Sometimes a website will facilitate third party cookies. This is very common when the website displays advertising. A publisher, such as a newspaper website, typically will outsource to a third party the task of selecting the adverts to display on its website.
In many cases the third party will be a network that operates across multiple websites. The publisher will display a tiny, invisible image on its website, known as a web beacon (it is also called a web bug, a pixel tag or a clear gif). That image is hosted by the advertising network. The browser of a visitor to the publisher's website will access the ad network's domain to load that tiny image.

The visitor is oblivious to the fact that he is visiting the ad network's domain to retrieve this image, but in doing so, the visit opens a channel of communication between the visitor's browser and the ad network. It is through that channel that the ad network can serve cookies to the visitor and read any cookies that it served him previously. Consequently, the ad network never knows the name of Visitor X, but it can recognise that Visitor X previously visited websites A, B and C, provided the ad network has relationships with each of these websites. On the basis of that information, the network will select the advert that it deems most appropriate for that visitor. The selection of adverts based on a visitor's prior online activity is known as behavioural advertising or interest-based advertising.

Because some web users consider the use of third party cookies unreasonably intrusive, most browsers allow a user to block third party cookies without blocking first party cookies.

Some websites also use a form of cookie that cannot be controlled by most browsers. When a website uses Adobe Flash content, so-called Flash cookies may be stored on users' computers (they are properly called Local Shared Objects). Users can control Flash cookies by visiting Adobe's website. The laws described in this guide apply to Flash cookies as well as HTTP cookies.

You can find out more about cookies in OUT-LAW's sister site, The site was set up to simplify website operators' compliance with the laws described in this guide, and to help their visitors to delete and control cookies.

The UK law

The Privacy and Electronic Communications (Amendment) Regulations 2011 came into force on 26 May 2011, amending the original 2003 Regulations.

If cookies are used by a website, the UK Regulations provide that certain information must be given to that website's visitors and the visitor must give his or her consent to the placing of the cookies, unless a limited exception applies.

The relevant rules are found in amended Regulation 6, which reads as follows:

6. - (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

What does this mean?

The UK Regulations mean that a website operator must not store information or gain access to information stored in the computer (or other web-enabled device) of a user unless the user "is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information" and "has given his or her consent".  The consent requirement in the UK Regulations replaces the previous position which provided that visitors should be given the ability to refuse cookies.

The only cookies that do not need users' consent are those that are strictly necessary to fulfill the user's request for services. That will cover, for example, the use of cookies to remember the contents of a user's shopping cart as the user moves through several pages on a website. Other cookies, including those used to count visitors to a website and those used to serve advertising, will require consent.

The term "consent" is not defined in the UK Regulations or the Data Protection Act 1998.  It is, however, defined in the Data Protection Directive of 1995, as "any freely given specific and informed indication of his wishes".  This Directive was implemented in the UK by the Data Protection Act 1998.

The consent requirement has been the subject of much discussion since the publication of the EU Directive amending the cookies law.  Various authorities, including the Article 29 Working Party (a coalition of data protection regulators from across the EU), the UK Government and the Information Commissioner's Office have voiced conflicting opinions on how the consent requirement will operate in practice.  The authorities have differing views on whether consent should be obtained prior to the placing of cookies. It is difficult to see how anything other than prior consent will comply with the wording of the UK Regulations.

The Article 29 Working Party warned that consent cannot be implied from browser settings.

"Consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent," said the Working Party's Opinion (24-page / 202KB PDF). "Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user."

"Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies," said the Working Party. "It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes."

The Working Party did not go as far as to say that every website needs to ask every visitor to accept every cookie, though. Many cookies are used by advertising networks across multiple websites. For these cookies, consent can be given once to a network and cover all the websites that network serves, according to the Working Party.

Shortly before the publication of the UK Regulations the Information Commissioner published guidance that offers advice on when and how the consent may be given.

Although the guidance suggests a number of methods to obtain consent, it stops short of providing definitive guidance on how to achieve compliance, leaving it to businesses and organisations to review their use of cookies and consider how they might be able to obtain the necessary consent.

Neither the ICO nor the Government has ruled out the use of browser settings to achieve compliance in the future. The Government has set up a working group comprising Mozilla, Apple, Microsoft, Google, Yahoo, the Internet Advertising Bureau and Adobe to work on a technical solution. In the meantime the ICO advises businesses to obtain consent some other way. The guidance states:

"At present, most browser settings are not sophisticated enough to allow you to assume that the user has given consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser.  They may, for example, have used an application on their mobile device.  So, for now we are advising organisations which use cookies or other means of storing information on a user's equipment that they have to gain consent some other way".

The guidance continues:

"You need to provide information about cookies and obtain consent before a cookie is set for the first time.  Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future".

The ICO will consider issuing more detailed advice if they deem it appropriate.  They have stated in their guidance that this may include further examples of how to gain consent for particular types of cookies as methods develop.

Fortunately for operators of web sites, the ICO has indicated that during the next twelve months it will not be taking any enforcement action against companies that can show that they are considering their use of cookies and working on solutions to the problem of obtaining consent.  The key message from the ICO is that inaction is not acceptable.

How to comply with the UK's current law on cookies

Under the UK Regulations you still need to provide information on how you use cookies on your website. Therefore we still recommend that if your website uses cookies, you should:

  • include a link to your privacy policy on all pages;
  • explain in that policy how and why you use cookies; and
  • include a link in your policy to so that your visitors can access instructions on deleting and controlling cookies.

Your privacy policy should explain, for example, that you use cookies to count visitors to your website. If you facilitate the delivery and reading of third party cookies on your website, that should also be addressed. The third parties should be identified. If you use Flash cookies, address that too.

The ICO guidance states that it is a starting point for businesses to achieve compliance. In the absence of definitive methods of compliance it is difficult to say for certain what steps need to be taken to comply with the UK Regulations. We suggest that businesses should at least:

  • audit how their sites operate, how they receive data from online partners and providers, and what they receive, to obtain a clear understanding of where cookies are used and for what purpose;
  • assess how intrusive their use of cookies is; and
  • whenever a new site is developed or an existing one upgraded, or a website-related commercial relationship started, ensure that there are clear details about the operation of cookies and tracking to be used.
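
An added example, not part of the original guide or of any ICO material: one way to begin the audit step above is to inventory the cookies set while a page loads, separating first party from third party cookies and flagging those delivered on tiny image responses, the web beacon pattern described earlier. The response records, host names and the 100-byte beacon threshold are assumptions made for illustration.

```javascript
// Added example; every host, cookie name and value below is constructed.
// Assumption: a short suffix list stands in for the Public Suffix List.
const TWO_PART_SUFFIXES = new Set(["co.uk", "org.uk", "gov.uk"]);

// Reduce a hostname to its registrable site, e.g. www.shop.co.uk -> shop.co.uk.
function siteOf(host) {
  const labels = host.toLowerCase().split(".");
  const keep = TWO_PART_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Parse one Set-Cookie header value; returns null if it has no name=value pair.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), persistent: false, domain: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "expires" || (key === "max-age" && Number(value) > 0)) cookie.persistent = true;
    if (key === "domain") cookie.domain = value.replace(/^\./, "");
  }
  return cookie;
}

// Classify each cookie by who set it, how long it lasts, and whether it
// arrived on a tiny image response (the web beacon pattern).
function auditPageLoad(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const res of responses) {
    const host = new URL(res.url).hostname;
    for (const header of res.setCookie || []) {
      const c = parseSetCookie(header);
      if (!c) continue;
      findings.push({
        name: c.name,
        setBy: host,
        party: siteOf(c.domain || host) === pageSite ? "first" : "third",
        persistent: c.persistent,
        beacon: (res.contentType || "").startsWith("image/") && res.bytes <= 100,
      });
    }
  }
  return findings;
}

const SAMPLE_PAGE = "https://www.news-publisher.example/article/1";
const SAMPLE_RESPONSES = [
  { url: SAMPLE_PAGE, contentType: "text/html", bytes: 48210,
    setCookie: ["basket=abc123; Path=/; HttpOnly"] },
  { url: "https://px.adnetwork.example/b.gif", contentType: "image/gif", bytes: 43,
    setCookie: ["uid=7f3c9a; Max-Age=31536000; Domain=adnetwork.example; Path=/"] },
  { url: "https://stats.news-publisher.example/hit", contentType: "image/gif", bytes: 43,
    setCookie: ["visits=1; Expires=Wed, 26 May 2032 00:00:00 GMT"] },
];
console.table(auditPageLoad(SAMPLE_PAGE, SAMPLE_RESPONSES));
```

The inventory records where each cookie comes from and how long it lasts; the purpose of each cookie still has to be established with the site's developers and partners.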

The ICO guidance (31 page / 508 KB) suggests a number of different methods that can be used for obtaining user consent but encourages businesses to find the solution that works best for them:

  • pop ups or similar techniques asking for consent can be used. Pop ups are discouraged by Web Content Accessibility Guidelines. They may also spoil the experience of using a website. Users can also block pop ups by default, making this impractical;
  • consent can be obtained by using terms of use or terms and conditions.  In using this option consent is given by the user when they first register or sign-up.  If this method is used it is essential that a user is made aware of any changes made to the terms to include consent for cookies and specifically that the changes relate to the use of cookies.  It would then be necessary to obtain a positive indication that the user understands and agrees to the changes;
  • preferences that users choose when visiting a website can also be used as a means of obtaining consent.  Consent could be gained as part of the process by which the user confirms what they want to do or how they want the website to work, provided sufficient information about the use of the cookies is provided.  This would apply to any feature where a user is told that a website can remember certain settings they have chosen;
  • website features, such as videos, that remember how users personalise their interaction can also determine user consent.  In this case, where the user is taking some action to tell the webpage what they want to happen – opening a link, clicking a button or agreeing to the functionality being 'switched on' – then their consent to set a cookie can be asked at this point;
  • for use of analytic cookies to gather information about how people access and use a website it may be possible to add a footer or header to a webpage containing text.  This text is highlighted or turned into a scrolling piece of text when a site wants to set a cookie on a user's device.  In turn this could direct the user to read additional information, possibly contained in a privacy policy, and make an appropriate choice;
  • where a website allows a third party to set cookies the process of getting consent is more difficult.  Initiatives that seek to ensure that users are given more and better information about the use of information, for example the use of the "i" symbol, referred to below, should be used.  Anyone whose website uses or allows third party cookies must ensure that the right information is delivered to users so they can make informed choices.

As an alternative, businesses may wish to consider using a non-cookie website. A simple brochure-style website with no way to login and no e-commerce functionality may not use cookies, meaning that the new law will not affect the website. This option may not be practical for many businesses as it could place them at a competitive disadvantage to competitors and sites outside the EU. A non-cookie site may lose revenues from advertising, meaning that it is not cost effective to run such a website. Organisations could charge for these sites but it is unlikely that users will pay to see such a website.

In the absence of definitive methods a hybrid of the above methods is likely to be the way forward for the time being at least.

You may want to have a look at what the ICO has done on their website.

Website owners/businesses should consider what would work for them by looking at their business and how they use their website.


For the avoidance of doubt, you do not have to link to to comply with the UK Regulations. It is a website run by Pinsent Masons, the law firm behind OUT-LAW.COM. If you do not link to it or a website like it, you should provide your own instructions to users on how they can delete and control cookies.

We created in August 2002 as a central repository of instructions on deleting and controlling cookies in various browsers. Many organisations choose to link there to minimise the length of their own privacy policies and to avoid having to revise their own instructions every time there is a new version of browser from developers like Microsoft, Mozilla, Google, Opera and Apple. Anyone can link to Pinsent Masons does not charge for the service.

Behavioural advertising

If your website uses behavioural advertising – i.e. when the choice of advert displayed to a particular visitor is based on that visitor's past browsing activity – consider going further than addressing this in your privacy policy. You could, for example, display a link on pages that display the adverts that says "How we choose the ads you see".

In May 2010, the Office of Fair Trading called for trade body the Interactive Advertising Bureau (IAB) to develop a standard label for such adverts. The IAB has developed the "Advertising Option Icon" at an EU level. This pan-European self-regulatory framework was launched on 14 April 2011 with a view to providing enhanced transparency and consumer control, without disrupting their online experience.  Trade bodies in the US have already created an icon – a stylised 'i' within a circle – that members use to identify ads that are the result of behavioural targeting. (See: OFT calls for labelling of behavioural advertising, OUT-LAW News, 26/05/2010)

Through the use of the icon web users will be able to manage information preferences or stop receiving behavioural advertising via a new pan-European website A user clicks on the icon to see the relevant information.

The initiative is supported by many leading content providers, including the BBC, Financial Times and Telegraph Media Group, as well as AOL, Microsoft and Yahoo!

Not all third party cookies are used for behavioural advertising. For example, OUT-LAW.COM uses Google Analytics to monitor traffic to the website. This involves Google setting cookies on visitors' computers, but neither we nor Google uses these cookies to deliver adverts.

Penalty for non-compliance

New powers have been introduced so that a serious breach of the UK Regulations can result in an ICO fine of up to £500,000. Before this the fine was £5,000, and companies may have been willing to run the risk, but with these increased powers the result of enforcement action is potentially more severe.

If a complaint about a website is received by the ICO they are likely to take a dim view of an organisation that cannot show that it is taking steps to change current practice to bring about compliance with the new laws. Only once enforcement action starts though will we really know which of these methods the ICO thinks are within the law.


Following the publication of the UK Regulations, the ICO guidance and a subsequent Government open letter, it is our view that for the time being at least businesses should not rely on current browser settings to obtain consent. Until such time as a technical fix is developed, consent should be obtained in some other way, based on the suggestions made by the ICO in its guidance. The provision of information on the use of cookies is also key, as is the ability to demonstrate you are reviewing the use of cookies and are developing a plan for compliance.

