The Cookie Directive

(Also referred to as the Revised E-Privacy Directive or Directive 2009/136/EC – this is a Directive issued by the EU which is due to be adopted by all EU Member States by 25 May 2011.)


  • The Cookie Directive requires users to give “consent” for cookies to be placed in their browsers.
  • It’s possible to take a very literal interpretation from this Directive that would require users to give explicit consent before any cookie can be placed in their browsers HOWEVER it’s also possible to interpret the Directive in a more practical, common-sense way.
  • The UK has already signalled its intent to implement the provisions of this Directive in a practical manner by allowing “consent to the use of cookies to be given via browser settings”.
  • We are hopeful that other Member States will take a similar common-sense approach to the interpretation of this Directive.

NOTE: We’re not attorneys/solicitors/lawyers/legal experts. We are the Team behind StatCounter and we have prepared this post in response to a number of queries we have received recently. This post is for informational purposes only. This post is not, nor is it intended to be, legal advice and should not be considered as such.

EU Directives

  • Directives are binding on EU Member States NOT on EU citizens. (The related national legislation is binding on EU citizens.)
  • A Directive should be passed into law by each Member State (by a specified date) at which point it becomes binding on the citizens of the relevant Member State.
  • Each Member State must interpret each Directive so it’s possible for different Member States to have differing laws all based on the same Directive.

This means that it’s the legal interpretation of the Directive in each Member State that is relevant rather than the actual Directive itself. The Cookie Directive is supposed to be transposed into national law by all EU Member States by 25 May 2011. It’s not clear how many Member States will comply with this deadline.

The Cookie Directive – what does it mean?
The new Cookie Directive goes further than current legislative provisions, stating that “consent” must be given for cookies to be stored/accessed on users’ computers.

If the Cookie Directive is interpreted literally, it appears that an internet user could be required to give consent each time a cookie is placed on that user’s computer (e.g. via some sort of pop up consent form that asks visitors if they agree to the installation of specific cookies).

There are numerous potential problems with this Directive including:

  • The internet as we know it could not function without cookies. David Naylor has created an interesting (and worrying) example of the possible consequences of this Directive here. Not a pleasant prospect…
  • The scope and applicability of the new legislation is not clear but presents many potential problems. Will the new legislation apply to all EU citizens? If so, how will the EU force non-EU websites to comply? If non-EU websites are not subject to these draconian provisions, then will EU websites suffer a reduction in traffic as a result? Or will EU businesses consider relocating in order to avoid the penal legislation?
  • As Member States may all adopt different legislative provisions in relation to this Directive, a single entity operating in several EU countries may have to provide different website consent and privacy options in every jurisdiction. This could present administrative and technical difficulties and cause particular hardship for smaller businesses.
  • By placing severe restrictions on relatively harmless cookies, this law may encourage the use of more invasive technologies.
  • All cookies appear to be covered by this Directive regardless of how much (or how little) information they hold.
  • No account is taken of the value of advertising funded content and services nor the consumer support for interest-based advertising.

Reading the Directive, it appears to us that as each Member State adopts the relevant legislation, that interpretation of the legislation will apply to all citizens of that Member State. (We’re open to correction on this, so please feel free to comment below.) If that is the case, then theoretically every website in the world may have to apply a different set of regulations to their website for every set of visitors to their site from every Member State. In practice, it’s difficult to see US, Australian or Chinese sites tripping over themselves to comply with differing sets of EU legislation plus it’s not at all clear how an EU State could impose a sanction on such a website for non-compliance in any event. Will this lead to non-EU sites (without burdensome consent requirements) being favoured by EU citizens?

Alternatively, if the transposed legislation applies to EU websites – then what is the definition of such a site? As mentioned earlier, will EU businesses be encouraged to move their hosting out of the EU to avoid the penal legislation? And while we’re on the subject of definitions the lack of same in the Directive has resulted in huge uncertainty…for example no definition of “consent” is offered – but equally, this leaves the door open for Member States to adopt a flexible and common-sense approach to this seemingly archaic Directive.

Some commentators have also discussed the possibility that cookies necessary to the operation of a site may be excluded from the consent provisions… but again, no definition of “necessary” is provided. Perhaps unsurprisingly, we view our own StatCounter cookies which we use to track visitor activity as vital to allow us to maintain and improve our sites. (Our tracking cookies contain minimal information and are used to determine unique and returning visitors only.) We know many of our members share this view. Reflecting on this Directive, we feel that the restrictions on cookies may have been initially aimed at behavioural advertising only… but somewhere during the drafting process this important distinction became lost resulting in headaches for website owners and operators throughout the EU.

Solution to a Non-Existent Problem? Cookies
We’re just not sure why the EU has decided to target cookies in this Directive… Cookies are harmless text files which are placed in your browser to document your preferences, keep you logged into a site, store your shopping cart contents… Cookies are not viruses, cookies cannot scan your system or search your computer for private information.

Furthermore, control of the cookies in your browser is already in your hands – you can clear cookies at any time and you can opt to reject some/all cookies via your browser settings… which is why we are confused about the point of this new Directive. If you want to reject cookies – you can do so! (Learn how to adjust cookie settings for IE, Chrome, Firefox and Safari.)

It would appear that this Directive has been badly drafted and takes little or no account of how the internet actually works. Obtaining prior consent for every cookie would result in a severe diminution of the quality of the online user experience. Imagine… Every website in the EU would have to use a pop up form to obtain consent for every cookie… Users would be obliged to deal with these pop ups multiple times every day… Web browsing would become frustrating and cumbersome… And, somewhat ironically, the very people who reject cookies would suffer the worst experience; websites wouldn’t function correctly; shopping carts wouldn’t work and, as they don’t allow any cookies to remember their preferences, they would be prompted to opt in/out on potentially every page of every site they visit! In the end, most people would probably opt in to all cookies simply to eliminate all the pop ups… thereby defeating the purpose of this Directive in the first place!

The new Directive seems to be making a misguided attempt to “protect” some web users (who may not be aware of their browser settings) at the expense of everyone else… in our view, the money spent on developing this Directive would have been better spent educating people about the options that already exist, rather than implementing a whole new set of regulations and placing unnecessary burdens on websites and online businesses.

Solution to a Non-Existent Problem? Behavioural Ads
Behavioural advertising has a bad reputation – but in short it simply means that if you view or purchase furniture, for example, on a website, that same website may advertise their furniture to you on another site. Cookies are used to remember your previous browsing history and show you related ads. After all, if you have viewed or purchased a product on a site, you may be inclined to purchase from them (again) in the future.

We feel that this Directive may have been originally intended to target behavioural advertising cookies (but was widened somehow to cover all cookies)… but even restricting behavioural ads in this nonsensical manner seems OTT. “Traditional” advertising involves analysing trends and behaviour to allow advertising space to be sold based on demographics and preferences… this Directive appears to be punishing online advertisers who are effectively doing the same thing!

Behavioural advertising online is very similar to store loyalty cards – loyalty cards are used to track your purchases, spending habits and shopping behaviour in a particular store, that information is then used to offer you discounts and offers relevant to your interests. Online behavioural advertising works in a parallel fashion.

PLUS – if you don’t like targeted ads online – then you can just opt out! Using your browser settings you can disable all cookies, reject certain cookies or you can use the NAI opt-out tool to opt out of over 70 behavioural advertising programs (but remember that to opt out, you must accept a cookie to remember your opt-out preference!).

Practical Approach
Despite the possibility of taking a very strict (& restrictive) view of the Directive, we understand that the UK has decided to take a practical approach.

For example, the consultation & implementation documents drawn up by the Department for Business Innovation and Skills state:

The internet as we know it today would be impossible without the use of …cookies …so it is important that this provision [regarding cookies] is not implemented in a way which would damage the experience of UK web users or place a burden on UK or EU companies that use the web.

Further the DBIS goes on to explain its preferred option for obtaining consent:

“Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime.”

So – that appears to mean that if a user *allows* cookies via their browser, then that constitutes consent. The above would appear to be a reasonable approach and, in short… nothing will change!

So what will happen on May 25?
This is debatable. Until the Directive is passed into law it’s very difficult to anticipate the exact implications. In the future, guidelines on obtaining consent and information on enforcing the legislation will have to be released; however, for now, it looks like the 25 May deadline will have no impact whatsoever. Further, if all Member States follow the example of the UK (as outlined above), then nothing will change at all!

We are hopeful that practical, common-sense and commercial realities will take precedence over an overly-zealous and misguided piece of legislation, particularly given the fact that the power to reject cookies is already in the hands of the people this Directive seems to be trying to “protect”.

We welcome your comments below.

Related links:
Europe’s ad industry issues response to cookies opt-in
E-Privacy Directive on Cookies
Why the EU Privacy Directive is not a real threat

Access to European Union Law


  1. If you are bothered about cookies affecting your identity or personal data just use one of the many software programs out there that wipe your history, cookies and cache when you close your browser. Alternatively use C-Cleaner or similar – job done!

  2. May the increase of consumer price average help to improve the economic state of Jordan. Jordan deserves for this achievement, for they have a good service in terms of Transportation, rental, especially in Fuel and Lighting. I believe that if the people in Jordan will participate to maintain the peace in their country, there will be lots of achievements they will have in the future. Wish more luck to Jordan.

  3. This is such a great idea! Egypt and Tunisia really need it nowadays. This will help them improve and modernize their economies and generate more opportunities in their population. Also, this will help resolve the economical issue of poverty and hunger caused by the continuous war between the military and Hosni Mubarak in Egypt and Ben Ali in Tunisia.

  4. If this idea will help improve lives on the affected country then why not. Just consider the factor of what will be the effect and who will be affected.

  5. @ Walt.

    I don’t know if you realize; but there are a number of freeware programs that will delete all cookies on your system: “CCleaner” and “Window Washer” come readily to mind. I think they may be loaded at start-up too.

    End of problem.

  6. Pingback: Can we use analytics with the new UK cookie law? | Silktide blog
  7. Why doesn’t statcounter make the cookie optional? Something in the code like ‘var use_cookies=0;’ along with the other variables? Or a setting on the config page? I know this would switch off some of the functionality, but while everything is still unclear this would help a lot.

  8. It is frightening how much market research will be lost with the permission to put a cookie on a device. I believe in freedom of information however I wish that the end user did not have to opt in to allow it. This will be detrimental in any business from toys to the public library. I believe online retail will be the big loser here.

  9. Thank you so much for this blog subject. I’ve been suspicious of Cookies ever since they hit the scene. We must always be vigilant regarding internet security, even more-so today. This information is invaluable.

  10. I think this is hilarious also, there’s a huge need of controlling not only Internet but everything lately, anyway I don’t think this will happen …..
    Internet should be used at every user’s risk !

  11. That’s a new counter-productive decision, as many other done in Europe about a so-called Internet security measure. I think that many European websites will be penalized by this obligation and many webmasters will switch their current hosting to a non resident provider.

  12. This post was useful in the fact that it exposed the truth about internet cookies. Continue to shed light in these areas.

  13. Your site’s really great articles. Keep for sharing. Thanks so much

  14. Well written, I learned something...

  15. Pingback: Cookies – an EU and ICO Directive |
  16. There are actually a variety of details like that to take into consideration. That may be a great point to convey up. I provide the thoughts above as common inspiration however clearly there are questions like the one you convey up the place the most important thing will likely be working in trustworthy good faith. I don’t know if finest practices have emerged round issues like that, but I am positive that your job is clearly recognized as a good game. Both girls and boys really feel the impression of only a second’s pleasure, for the rest of their lives.

Comments are closed.
