In his recent half-term update, Christopher Graham, the Crown-appointed Information Commissioner, stated that UK businesses “must try harder” to comply with EU cookie regulations.

If you’re unfamiliar with these directives, they can be summed up in this one statement from the Information Commissioner’s Office (ICO):

“The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers.”

Protecting the privacy of web visitors is the key aim of the legislation and, despite my personal reservations about its suggested implementation, I agree that we need greater transparency about how visitor tracking is handled.

Being compliant

In its guidance document, the ICO advises that businesses follow these three starting steps:

1: Audit your use of cookies

Try using this cookie audit spreadsheet as a starting point to list what cookies your site uses. There are many free tools available to report on the cookies a website drops during a visit. Personally, I use Firefox with the Web Developer toolbar. The ICO’s advice recommends updating your Privacy or Cookie policy document to list the cookies you use and their purpose.

2: Assess how intrusive your use of cookies is against the provided guidance

For example, cookies that help store basket information are largely exempt. Cookies that profile a user for advertising purposes are considered intrusive.

3: Decide what consent is required for your cookies and begin designing a solution

Christopher Graham appears to be very pragmatic. He wants to see organisations moving towards compliance rather than achieving it overnight. Reading between the lines of his article, if your organisation were to be investigated, evidence that you understand the rulings, know what cookies you’re dropping and have plans to put a consent solution in place will be enough (for now)!
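As a sketch of the audit in step 1, the script below turns Set-Cookie headers captured during a visit into rows for a cookie audit sheet. It is an added example, not part of the ICO guidance or any tool mentioned here; the host names, sample headers and function names are constructed for illustration.

```javascript
// Added example: turn captured Set-Cookie headers into cookie-audit rows.
// SITE_HOST and the sample responses are constructed for illustration.
const SITE_HOST = "shop.example";
const SAMPLE_RESPONSES = [
  { host: "shop.example", header: "basket=abc123; Path=/; HttpOnly" },
  { host: "shop.example", header: "prefs=lang-en; Max-Age=31536000; Path=/; Secure" },
  { host: "ads.example", header: "adid=xyz789; Domain=.ads.example; Max-Age=63072000; Path=/" },
];

// Parse one Set-Cookie header into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : a.slice(i + 1); // flags get ""
  }
  return cookie;
}

// Build one audit row: who sets the cookie and how long it lives.
// The purpose column is left for a person to fill in (steps 1 and 2).
function auditRow({ host, header }, siteHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const domain = (attrs.domain || host).replace(/^\./, "").toLowerCase();
  // Simplification: compares host names only, without a public suffix list.
  const firstParty = domain === siteHost ||
    siteHost.endsWith("." + domain) || domain.endsWith("." + siteHost);
  let lifetimeDays = null; // null means a session cookie
  if (attrs["max-age"]) {
    lifetimeDays = Math.round(Number(attrs["max-age"]) / 86400);
  } else if (attrs.expires) {
    lifetimeDays = Math.round((Date.parse(attrs.expires) - now) / 86400000);
  }
  return {
    name, domain, lifetimeDays,
    party: firstParty ? "first" : "third",
    type: lifetimeDays === null ? "session" : "persistent",
    secure: "secure" in attrs,
    purpose: "TODO: describe in cookie policy",
  };
}

function auditCookies(responses, siteHost) {
  return responses.map((r) => auditRow(r, siteHost));
}

console.table(auditCookies(SAMPLE_RESPONSES, SITE_HOST));
```

Long-lived third-party rows are the ones to look at first when assessing intrusiveness in step 2.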


There is no need to panic and turn off all your cookies.

Whilst the guidance is strict, it is being enforced sensibly by the ICO. They’re unlikely to come banging on businesses’ doors yet with fines unless there are reports of serious violations. Even then, if you can prove that you’re doing something about it, you’re unlikely to be whacked with one of the £500,000 fines.

Start with a simple audit of your website’s cookies. Ensure that you understand why they’re used and what for. Also read and discuss the ICO’s guidance document with your web team. Work out what solutions would work for you and how major the technical challenges will be.
