17 out of 20 tested web sites flouting European “cookie law”

I’ll say upfront that I hate the European “cookie law” and I don’t really care if web site owners ignore it. In fact, the more of them that ignore it, the better.

Without going into too much detail, the so-called cookie law is one of a number of legal directives set down by the European Union in 2009 intended to protect people online. It’s the reason why, when you visit a web site for the first time, you get that annoying pop-up window telling you about the site’s cookie policy, and nagging you for consent. There are many aspects of technology that our elected (and un-elected) officials should be protecting us from, such as identity theft and phishing scams, but cookies are a non-issue. The cookie law “protects” us from something harmless, and in doing so makes the web a much more naggy place.

But having said that, I’d been wondering recently if the cookie law actually does what it’s meant to do, which is to stop cookies from being stored on our computers without our consent. So I came up with a simple test: I googled the word “cookie” (it’s as good as any other word) and checked the first 20 web sites that came up in the results, providing they had a “cookie policy” page. That was just to eliminate any possibility that the web site owner didn’t know about the cookie law.

The web sites that I checked were: Google, the BBC, the UK Government, Cookie Law (a web site about the cookie law!), Sky TV, The Guardian newspaper, Channel 4 (British TV channel), Ebay, British Gas, Microsoft, the Wellcome Trust (health charity), Virgin Media, Amazon, Natwest bank, EasyJet airline, the Daily Express newspaper, Santander bank, ITV (British TV channel), Cadbury (confectionery manufacturer), and Lloyds bank.

As soon as you visit any of those web sites, they store a number of cookies on your computer. Most of them are the site’s own cookies; in a few cases they are third-party tracking cookies used by advertisers and other web sites. The sites that give you third-party cookies are: The Guardian, Microsoft, the Wellcome Trust, and the Daily Express newspaper.

There’s one notable exception: Ebay. Surprising, eh? No cookies from Ebay.

After visiting each site, I simply closed it without either giving or refusing consent. The cookie law requires the use of cookies to be on an “opt in” basis, and there’s no way any site owner could claim that leaving their site constitutes consent.

Having gone through all 20 sites I then checked to see which had left cookies behind on my computer. Here’s the list of shame…

Persistent cookies

So out of the 20 web sites I tested, none of which should have been storing any cookies at all, only three cleaned up after themselves: the UK Government, the BBC, and of course Ebay which hadn’t stored any in the first place. The rest were happy to leave cookies behind without my consent.
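
The check described above, as an added example that is not part of the original post: given the Set-Cookie headers a browser receives on a first visit with no consent given, it reports which cookies would still be stored after the browser is closed and whether each is first- or third-party. The host names, cookie values and fixed clock are constructed sample data, and the site is identified by a registrable domain supplied by the caller (an assumption of this sketch).

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def expiry(header, now):
    """Return (cookie name, expiry time); expiry is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return name, now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # a malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, None  # unparseable date: treat as a session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return name, when
    return name, None


def left_behind(site, observed, now):
    """List (cookie, party) pairs still stored after the browser is closed."""
    result = []
    for host, header in observed:
        name, when = expiry(header, now)
        if when is None or when <= now:
            continue  # session cookie or already expired: gone on close
        first_party = host == site or host.endswith("." + site)
        result.append((name, "first-party" if first_party else "third-party"))
    return result


# Constructed sample: (responding host, Set-Cookie value) seen before any consent.
NOW = datetime(2015, 1, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("www.shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=777; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Domain=.tracker.example"),
    ("www.shop.example", "old=1; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Max-Age=0"),
]

if __name__ == "__main__":
    for cookie, party in left_behind("shop.example", OBSERVED, NOW):
        print(cookie, party)
```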

The shocking thing here isn’t that web site owners are flouting the law. It’s a stupid law and I don’t think anyone really gives a damn. What’s shocking is that thousands of companies and individuals have had to waste time and money implementing their cookie policies and annoying consent pop-ups, and for what? To avoid breaking a law that is clearly so stupid that it isn’t even being enforced.

2 thoughts on “17 out of 20 tested web sites flouting European “cookie law””

  1. Whilst it is true that many sites do not comply with the law – your interpretation of it is not quite right. In the UK the law operates on an opt-out basis. So sites are allowed to use cookies as long as they tell you about them, and enable you to refuse or block them. Some of the sites you list do offer that choice. However it is also true that many do not.
    This is all about privacy. Cookies enable sites to track you and gather information about your habits and interests. The point of the law is to give you a choice not to have that happen. I am not saying it is perfect – the idea of the law is good, but how it has been implemented on many sites is not.

    • Hi Richard. The directive requires consent, as set out in article 2h:

      http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

      The advice from the UK’s information commissioner is too long to quote fully here, but perhaps the pertinent bit is this:

      Consent must involve some form of communication where the individual knowingly indicates their acceptance … It is difficult to see that a good argument could be made that agreement to an action could be obtained after the activity the agreement is needed for has already occurred. This is not the generally accepted way in which consent works in other areas, and is not what users will expect. Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems.

      The full advice is a few pages long, starting on page 5:

      Click to access cookies_guidance.pdf

      In summary, you could say that it is “arguably” opt-out, but someone else could say that it’s arguably opt-in. I think the average person would say that requiring consent to do something is opt-in, which seems to be the position that the ICO has taken.
