17 out of 20 tested web sites flouting European “cookie law”

I’ll say upfront that I hate the European “cookie law” and I don’t really care if web site owners ignore it. In fact, the more of them that ignore it, the better.

Without going in to too much detail, the so-called cookie law is one of a number of legal directives set down by the European Union in 2009 intended to protect people online. It’s the reason why, when you visit a web site for the first time, you get that annoying pop-up window telling you about the site’s cookie policy, and nagging you for consent. There are many aspects of technology that our elected (and un-elected) officials should be protecting us from, such as identity theft and phishing scams, but cookies are a non-issue. The cookie law “protects” us from something harmless, and in doing so makes the web a much more naggy place.

But having said that, I’d been wondering recently if the cookie law actually does what it’s meant to do, which is to stop cookies from being stored on our computers without our consent. So I came up with a simple test: I googled the word “cookie” (it’s as good as any other word) and checked the first 20 web sites that came up in the results, providing they had a “cookie policy” page. That was just to eliminate any possibility that the web site owner didn’t know about the cookie law.

The web sites that I checked were: Google, the BBC, the UK Government, Cookie Law (a web site about the cookie law!), Sky TV, The Guardian newspaper, Channel 4 (British TV channel), Ebay, British Gas, Microsoft, the Wellcome Trust (health charity), Virgin Media, Amazon, Natwest bank, EasyJet airline, the Daily Express newspaper, Santander bank, ITV (British TV channel), Cadbury (confectionary manufacturer), and Lloyds bank.

As soon as you visit any of those web sites, they store a number of cookies on your computer. Most of them are the site’s own cookies, or in a few cases they are third-party tracking cookies used by advertisers and other web sites. The sites that give you third-party cookies are: The Guardian, Microsoft, the Wellcome Trust, and the Daily Express newspaper.

There’s one notable exception: Ebay. Surprising, eh? No cookies from Ebay.

After visiting each site, I simply closed it without either giving or refusing consent. The cookie law requires the use of cookies to be on an “opt in” basis, and there’s no way any site owner could claim that leaving their site constitutes consent.

Having gone through all 20 sites I then checked to see which had left cookies behind on my computer. Here’s the list of shame…

Persistent cookies

So out of the 20 web sites I tested, none of which should have been storing any cookies at all, only three cleaned up after themselves: the UK Government, the BBC, and of course Ebay which hadn’t stored any in the first place. The rest were happy to leave cookies behind without my consent.

The shocking thing here isn’t that web site owners are flouting the law. It’s a stupid law and I don’t think anyone really gives a damn. What’s shocking is that thousands of companies and individuals have had to waste time and money implementing their cookie policies and annoying consent pop-ups, and for what? To avoid breaking a law that is clearly so stupid that it isn’t even being enforced.


2 thoughts on “17 out of 20 tested web sites flouting European “cookie law”

  1. Whilst it is true that many sites do not comply with the law – your interpretation of it is not quite right. In the UK the law operates on an opt-out basis. So sites are allowed to use cookies as long as they tell you about them, and enable you to refuse or block them. Some of the sites you list do offer that choice. However it is also true that many do not.
    This is all about privacy. Cookies enable sites to track you and gather information about your habits and interests. The point of the law is to give you a choice not to have that happen. I am not saying it is perfect – the idea of the law is good, but how it has been implemented on many sites is not.

    • Hi Richard. The directive requires consent, as set out in article 2h:


      The advice from the UK’s information commissioner advice is too long to quote fully here, but perhaps the pertinent bit is this:

      Consent must involve some form of communication where the individual knowingly indicates their acceptance … It is difficult to see that a good argument could be made that agreement to an action could be obtained after the activity the agreement is needed for has already occurred. This is not the generally accepted way in which consent works in other areas, and is not what users will expect. Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems.

      The full advice is a few pages long, starting on page 5:


      In summary, you could say that it is “arguably” opt-out, but someone else could say that it’s arguably opt-in. I think the average person would say that requiring consent to do something is opt-in, which seems to be the position that the ICO has taken.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s