That’s The Way The Cookie Crumbles

On 26th May 2011, the law in the UK governing how cookies and similar technologies for storing information on user equipment may be used changed. In its guidance notes for implementation, the Information Commissioner’s Office (ICO – an independent authority set up to uphold information rights in the public interest) advised that there would be a “lead in” period of 1 year, during which marketers would have an opportunity to move toward compliance. This period of grace is now close to ending, and enforcement of the revised legislation will commence in earnest at the end of May 2012. Marketers will be expected to be compliant or be on the way to compliance from this point.

What are the implications for online marketers? Basically, before cookies may be used to monitor and store data about the behaviour of their users, those users must have been provided with clear and comprehensive information about the use of cookies, and must have given their consent for this to take place.

The legislation is not prescriptive about the level of detail that needs to be provided to users, but as a minimum requirement, marketers should:

    • Tell users that the cookies are there.
    • Explain what function the cookies perform.
    • Obtain consent to store a cookie on their device.

You could consider doing all of the above by categorizing cookies according to what they are used for rather than trying to explain each separate cookie in detail.

Methods to achieve compliance with these requirements could include:

    • Overlays, banners, lightboxes and similar techniques
    • Email notifications
    • Terms and conditions
    • Settings-led consent
    • Features-led consent

For all approaches the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so. The ICO is attaching a lot of importance to the principle of “intrusiveness”. The level of detail and visibility that is applied to the notification should therefore be regarded as a function of how invasive the cookies are to the user. As a side note – upcoming EU data protection reforms are going to focus heavily on a requirement for explicit consent, and proactive marketers will already be considering how to make sure that their opt-in processes achieve maximum transparency.

There are two exemptions from a user’s right to refuse a cookie:

    • The cookie’s sole purpose is carrying out the transmission of a communication.
    • The cookie is strictly necessary to provide the information society service that is being requested.

However, “strictly necessary” is to be interpreted narrowly as meaning “essential” rather than “reasonably necessary.” The focus is also on the cookie being strictly necessary for the user rather than the service provider – cookies used for analytical purposes therefore remain subject to the legislation.

For email marketers, the headline story lies in the definition of cookies that appeared in the ICO’s guidance notes in December 2011:

“The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).”

This means that email broadcasting platforms that use single-pixel image open tracking (and that will be most of them) are subject to the new legislation. The technology that is used by tools such as Return Path’s Campaign Insight may also fall within this definition. Those who use such tools (e.g., email marketers) have the responsibility to determine the appropriate level of notice to and consent from end users. Note that Return Path requires users of Campaign Insight to adhere to the Network Advertising Initiative’s Guidance for Notice and Choice regarding web beacon usage. We recommend all email marketers, regardless of what platform they utilize for web beacon functionality, adhere to these sound practices.

The Information Commissioner, David Evans, has indicated that he will be pragmatic in the enforcement of these regulations. I was fortunate to meet recently with him. He made the point that good email marketing programs – those that apply best practices, provide real value to their members, and aren’t excessively intrusive – will have very little to worry about. Enforcement will be led by complaints (a principle that email marketers should understand well!) so programs that don’t antagonise their members will not be central on the ICO’s radar.

For marketers who have not yet taken steps to make their programs compliant with the new legislation, doing nothing is not an option. At the very least, you need to be able to show that you are taking demonstrable steps towards compliance. For those who have already done so, it is still worth benchmarking your approach against the most recent interpretations. There are some excellent resources on this subject, which are listed below, and I strongly urge all marketers to familiarise themselves with as many of these documents as they have the time to read. Given the importance of this subject, that should mean all of them.


    1. Information Commissioner’s Office:
    2. Direct Marketing Association:
    3. Internet Advertising Bureau:
    4. Econsultancy:
    5. International Chamber of Commerce:
    6. All About Cookies:

Legal Disclaimer
The information contained in the site is for general information purposes only and should not be construed as legal advice to be applied to any specific factual situation.  Users of this site should consult with their own attorney for legal advice.  The author of this blog post is not an attorney, and the views expressed herein are those of the author alone and do not necessarily represent the views of Return Path, Inc. (“Return Path”).  As the law changes rapidly, differs in each legal jurisdiction and may be interpreted or applied differently depending on the location or situation, the information on the site is not guaranteed to be correct, complete or up-to-date and is not a substitute for the advice of an attorney.  Those links to other resources are provided merely as citations and aids to help you identify and locate other Internet resources that may be of interest, and are not intended to state or imply that Return Path sponsors, is affiliated or associated with, or guarantees any information in such links.
