How to
SEO advice
Categories: How to, Internet, Latest. Tags:

EU cookie law: 4 examples of sites already implementing it

June 2, 2011 16 Comments

Worried that implementing the EU cookie directive is like telling your website viewers to sod off? Here are some examples of sites who have implemented it.


EU cookie directive in action

Delia Online

Delia's got a pop-up box to tell you what she's up to ...

Delia's cookie warning

Delia on cookies. That's funny, right?

Information Commissioner's Office

They had to do it, right? Here's how (at the top of their site).

ICO cookie warning

Not all that understandable ...

This reads: "On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice." Here's an analysis of their approach.

All Things D

Here's the initial warning on AllthingsD (top of page again, after a short wait).

Allthings D cookie warning

Here's what says

It reads: "Some of the advertisers and Web analytics firms used on this site may place “tracking cookies” on your computer. We are telling you about them right upfront, and we want you to know how to get rid of these tracking cookies if you like. Read more »

This notice is intended to appear only the first time you visit the site on any computer."

It only appears on your first visit to the site (I presume they use a cookie to do that!). Here's what you see (full text) when you click to see more.

AllthingsD full cookie warning


Radio Times

The Radio Times used to have a pop up box, but it has removed it now. Here's a screenshot.

Radio Times cookie warning

Radio Times cookie warning

Company on the Isle of Man

Here is a blog post from a company that looked into implementing it- but is no longer doing so, presumably because of the year's grace we've been given (PDF) now to put it into practice (they also tell me they aren't sure if it applies in the Isle of Man). Here is how it would have worked (small bar along bottom that expands).

Small bar along the bottom

Step 1

Expanded warning

Step 2

Photo credit.

You might also like
  1. Delia Smith relaunch gets worse …
  2. Login designs: the 9 worst ones and where to find good examples
  3. Delia Online relaunch slices her traffic in half
  4. The SEO of 1 to 20
  5. Sites that drive the most USA traffic to UK newspaper sites

Share this post

Follow me on Facebook or Twitter


  • Gerry White says:

    This is a great post, on something I have been trying to find real information on - if the ICO example is true then it literally breaks Google Analytics and all other JS / Cookie based analytics tools out there... (it doesn't track referals)

    If the RadioTimes version is legal then this seems to be the best approach to go with, "we use cookies, here is some information". The DirectGov example is also pretty good.

    I am reluctant to produce advice for clients til I know confidentally what is legal, what isn't...

  • Very nice post! I've seen several different implementations of this directive lately, and some are not that user friendly.

    I still believe however that the main issue is that this will potentially kill off any anonymous web tracking (i.e. Google Analytics) - surely almost no one would ever click 'Accept' to a cookie request, even one that claims to be anonymous?

    Read our view on the subject here:

  • Ken Hall says:

    I have followed the ICO standard as I wish to remain complaint with the law. The irony is my site only ever used one cookie, which is set as a default installation of PHP in the way that PHP handles session information which is required for the running of any membership based site. In order to check for acceptance of that non-identifying, temporary cookie, which was a cookie which is always destroyed at the end of a session, I have had to place another permanent cookie on the user's browser to show that they have given permission for me to place a temporary cookie on their machine.

    The implementation of this EU cookie law is ridiculous.

  • Diane says:

    But how do you cookie a "no cookies please" response without driving the person mad?

  • Vicky Brock says:

    Well Andreas is right. I recently made an FOI request that shows that in the case of the ICO, no one does opt-in to accept an anonymous analytics cookie. As the graph here shows, "measured visits" to the ICO website fell by 90% after making cookies opt-in:

    This leaves the ICO's web analytics dead in the water. And why would they be measuring their site in the first place? To improve user experience, deliver on the e-accessibility EU directive and to prove they were delivering tax payer value by investing their budget wisely. Quite who gains from destroying those efforts I have no idea.

  • Chris says:

    This is great, would love more examples, I keep looking. Quite like the last one actually, very unitrusive, we were thinking of splitting it down to tracking and user preference seperately.

    Interesting that when you visit the ICO website, the messge does come up but even if you don't select anything to accept cookies, you still get two google analytics cookies set. As seen in Fiddler2. So I guess that means ICO have half implemented the solution.

  • Nick says:

    As I pointed out to ICO, their website is not compliant. The law clearly states that the user must have given consent, but there is no way of telling whether the same user is on the terminal equipment from one page to the next. For example I might be happy to give my consent, but my wife might then come on and use the site. She is not asked, but she might not want to give her consent. Since ICO have no way of telling if it is the same user from page to page then they (and all sites) should be asking the question every time on every single page they display.

    • Nick - what did they say in reply?!

      • Nick says:

        Still waiting for a reply from them. In actual fact what they have currently done, and presumably what everone else is going to do in following their example, actually makes the situation far worse that it is at the moment. I am completely in favour of people having more control over their privacy, but consider that in a family household - where privacy is important - a computer could be shared by children as well. A child could visit a site and give wide ranging authority that the adults never know about because the question has not been asked again - there is no attempt made to determine the valididy of the terminal user to enter the contract. So I will definately be waiting for further clarification and maybe browser changes before applying this stupid and dangerous fix to any websites.

  • Nick says:

    Also Google Analytics is a third party tool, and it is Google that is storing the information on the terminal (information that is not actually available to the site that deploys Analytics) - it is therefore possible to argue that it is Google that needs permission and Google that should be asking the question.

    Traditionally however it is the overall responsibility of the publisher to ensure that all the components of the communication channel meet the necessary criteria.

    So there we see another obvious point of non-compliance from the ICO. They use Twitter to publish information, and when I go to their Twitter pages I do not get asked anything about Cookies. So, going by their example on their own website (where they take responsibility for asking the question regarding Analytics) they either need to discontinue their use of Twitter or to ensure that their Twitter pages ask the question when I visit them.

    • Vicky Brock says:

      Google Analytics uses a 1st party, not a 3rd party cookie - meaning the cookie is issued from the website using GA, not by Google in a third party capacity.

      Therefore it is the business, not Google, that issues the cookie from its own domain, the data cannot be altered or retrieved by any service on another domain.

      No personally identifiable information is captured (to attempt to do so would be in breach of GA's terms of service). The information stored on the terminal is available to view by the business and the end user alike - a recent one I picked up looks like this:


      It tracks nothing about me personally, in this instance it just shows how I arrived at the ICO website - google, that it was organic (not paid) search and what specific search term I used to get there.

      My browser already lets me delete this or can even block my machine from accepting it in the first place, again at browser level.

      Google Analytics does not store information the business does not have access to - the only information it captures that it does not let the business see is the visitor's IP address. This provides a degree of regional context to the reporting, but is anonymised by Google. This is the only piece of "hidden" information and as a GA user, I have no desire or need to see it. IP can even be anonymised directly in markets or by businesses that require it, meaning Google doesn't hold the data either.

      I think there is a lot of fear about the wrong thing here - on a scale of cookies, GA is about as benign as you get. Given that this ruling came into to tackle suspect 3rd cookies exploited by behavioural targeters and cookie exchanges, I find it frustrating that the focus settles on an above board 1st party cookie that was never the target of the legislation - but simply got fudged into the guidelines.

      Most of the privacy controls Nick mentions already exist at a browser and user access control level. I am really not sure an individual online business should be expected to police a families web usage via cookies - surely this kind of control should be managed by the family at the device and browser level?

      • Gerry White says:

        Agreed - the risks of cookies etc.. is absolutely minimal compared with some of the other technologies such as Phorm, I actually don't mind a slightly personalised web and whilst I am pretty open about the fact I am straight (married), I know that some people do not want aspects of their politics, religion, medical searches and sexuality available to other people. I don't think that cookies really carry this information to the extent that others think it does - Yes, using some clever tracking and Atlas for example, I could see Mark who bought a mobile from "Mobile Store A" also visited these other websites, and there is a lot of information about people who visit website 1 also visit website 2 but not 3 etc... My point really is that this law is unworkable and a tad ridiculous but if it is law we can't pick and choose which laws, or can we ? I think it is still a written law that taxi drivers in london should still have a bail of straw in their boot ....

      • Nick says:

        "1st party", "3rd party", "cookie".

        We all get drawn into this.

        Storing information on the terminal has security issues. Hmm. Not particularly interested.

        I look at this and I see only a couple of things that are required by advertisers, businesses, etc, but might not be wanted by the end user:

        1) The ability to identify the session
        2) The ability to identify the computer (i.e. the returing session)

        These are the two core things that are important to GA I think.

        Anything other than this should be illegal as far as general browsing goes. I can't see why the lawmakers can't define it simple rather that waffling with rubbish about storing things on terminals.

        • Nick says:

          And someone will correct me to say that 3rd party cookies are used across multiple sites to give a higher level of information. This is the thing that should definately be blocked by the law in my mind.

          The trouble we are going to have now with privacy is that the browser vendors are simply going to put the stats into their browser id. You have already ticked the box to say that you don't mind this. They already have your unique product key. They already know who you are.

  • The poster child for implementation should be the Information Commissioner's website because they are the enforcers for the UK. They have actually reduced their message length and visitors are asked to tick a box.

    It is woefully confusing though because it doesn't tell you what happens if you don't tick the box and continue to use the website, the privacy policy explains all the cookies in detail, even giving you links to privacy policies of third parties, but it doesn't let you selectively block cookies - only accept the cookies.

    In other words, the website of the body that is supposed to be showing people how to make the use of cookies more transparent for users is actually proving how impossible it is to do that.

Leave a comment!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.