Our evaluation, recommendations and examples for UK companies
With the new UK “cookie law” now in force, many UK companies will be wondering what they need to do to be within the law. Given the difficulties in interpreting the guidance on this law we thought it would be helpful to create a summary of what the largest companies have done to comply.
If you missed it, the ICO issued new, detailed guidance on Friday 25th May, which included a big change: more advice on implied consent. If you haven't read it, it's important to get your head around it. It's actually good news, since it means explicit opt-in, e.g. through a pop-up, isn't necessary as we thought it might be at one point.
The companies I evaluate here have the resources to implement the changes and to take the decisions that balance their interpretation of the legal requirements against the risk of a negative impact on user experience, brand and commercial results.
Evaluation of cookie compliance for large UK companies
We have done an evaluation based on the type and format of privacy message and the options offered for controlling the use of cookies. You can then see from the evaluation which companies have taken action to implement the law and may be the best models to follow (most have followed implied consent). We have mainly selected companies from the FTSE 100 covering a range of sectors.
Review of results
“Mixed” is the best way to describe the action taken. No company seems to have implemented full opt-in consent, where the user has to take a proactive action such as ticking a box in a pop-up before cookies are placed (as on the ICO site). This is positive, since it suggests we won’t see a rash of pop-ups on sites: after initial browsing the message will disappear. It also suggests that other companies can use implicit opt-in in line with the latest guidance mentioned at the top of this post.
Many companies have taken no or limited action, which is perhaps reassuring for smaller companies that have been unwilling or unable to act because of technological or resource limitations (at SmartInsights we’re in this category and would rate ourselves similar to the companies that score 1/4 on compliance).
Steps to get compliance
1. Minimum (quarter circle)
A. Review use of cookies through an audit, classifying them as Strictly necessary, Functional, Performance or Advertising (see the BBC or BT as examples)
B. Update privacy message
C. Provide a direct link to “cookie-use” policy from all pages
2. Sufficient? (half-circle)
We use this ambiguous label because, with the new guidance on “implicit opt-in”, we’re not sure that compliance requires building complex/expensive opt-out solutions such as those built by the BBC and BT.
At this level you have a prominent panel above the fold with a link to more details which disappears as users click forward (implicit consent - we do recommend this).
3. Compliant for implicit opt-in (three-quarter circle)
As above, but with selection of cookie categories possible; examples are the BBC, BT and Burberry.
4. Full opt-in compliance
We haven’t seen any examples of this, other than the ICO site. Have you?
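As an added example (not code from SmartInsights or from any of the companies reviewed here), the flow in steps 1 to 3 can be wired up in a few JavaScript functions: a first-party cookie records that the notice has been shown, so the panel disappears on the next page view (implicit consent), and non-essential scripts are only activated for categories the visitor hasn't opted out of. The cookie name cookie_consent, the element id cookie-notice and the data-cookie-category attribute are assumptions for the illustration, not anything from the post or the sites it reviews.

```javascript
// Added example: implied-consent model for the four audit categories.
// Assumed names (not from the post): cookie "cookie_consent", element id
// "cookie-notice", attribute data-cookie-category on deferred <script> tags.

const CATEGORIES = ["strictly-necessary", "functional", "performance", "advertising"];
const CONSENT_COOKIE = "cookie_consent";

// Parse a document.cookie-style "a=1; b=2" string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      // malformed percent-encoding: ignore that cookie rather than throw
    }
  }
  return out;
}

// Consent state shape: { implied: boolean, categories: { <category>: boolean } }.
// Returns null when the cookie is absent or fails validation, so a tampered or
// stale value is treated like a first visit instead of being trusted.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let state;
  try {
    state = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (!state || typeof state !== "object" || !state.categories || typeof state.categories !== "object") return null;
  const categories = {};
  for (const c of CATEGORIES) {
    // strictly necessary is never switchable, whatever the stored value says
    categories[c] = c === "strictly-necessary" ? true : state.categories[c] === true;
  }
  return { implied: state.implied === true, categories };
}

// State written when the notice is first shown: every category on, flagged as implied.
function defaultConsent(implied) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = true;
  return { implied, categories };
}

// Whether a script tagged with a category may run under the given state.
// Strictly necessary always may; nothing else runs until a state exists.
function allowed(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown cookie category: " + category);
  if (category === "strictly-necessary") return true;
  if (!state) return false;
  return state.categories[category] === true;
}

// Record an explicit choice from an opt-out panel; the result is no longer "implied".
function applyChoice(state, category, enabled) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown cookie category: " + category);
  if (category === "strictly-necessary" && !enabled) throw new Error("strictly necessary cookies cannot be disabled");
  const base = state || defaultConsent(true);
  return { implied: false, categories: { ...base.categories, [category]: enabled } };
}

// Value to assign to document.cookie. Path=/ so every page sees it; SameSite=Lax;
// HttpOnly is deliberately absent because this banner script must write the cookie.
function serializeConsent(state, maxAgeSeconds) {
  return CONSENT_COOKIE + "=" + encodeURIComponent(JSON.stringify(state)) +
    "; Max-Age=" + maxAgeSeconds + "; Path=/; SameSite=Lax";
}

// Page-load decision, kept free of DOM calls so it can be exercised outside a browser.
// First visit: show the panel and store an implied state so it is gone on the next page.
function onPageLoad(cookieString) {
  const state = readConsent(cookieString);
  if (state) return { showBanner: false, state };
  return { showBanner: true, state: defaultConsent(true) };
}

// Browser wiring (skipped when run under Node).
if (typeof document !== "undefined") {
  const result = onPageLoad(document.cookie);
  document.cookie = serializeConsent(result.state, 365 * 24 * 60 * 60);
  const panel = document.getElementById("cookie-notice");
  if (panel) panel.hidden = !result.showBanner;
  // Non-essential code ships as <script type="text/plain" data-cookie-category="...">
  // and is only turned into a live script when its category is allowed.
  for (const tag of document.querySelectorAll("script[data-cookie-category]")) {
    if (allowed(result.state, tag.dataset.cookieCategory)) {
      const live = document.createElement("script");
      live.text = tag.text;
      tag.replaceWith(live);
    }
  }
}
```

Two points worth noting: the consent cookie is itself a strictly necessary cookie (without it the notice could never disappear), and the stored value is validated rather than trusted, so a visitor cannot switch strictly necessary off or smuggle in an unknown category by editing the cookie.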
Examples of UK company compliance
Finally, let’s look at some examples of good practice to learn from, taken from those with more advanced implementations.
Fashion retail - Burberry
Burberry seems to be one of the few retailers to have implemented compliance, using a minimalist approach.
Financial services - Barclays
One of the best implementations in FS? This is a prominent message which disappears after the first page view. A good model for implicit consent, and better than the HSBC and First Direct version, which currently sits on the home page and is always present.
Media - publishing - The Guardian
A similar approach to Burberry.
Media / publishing - The BBC
Similar to the Guardian, again disappearing after the first page view with implicit consent.
If you do want to implement opt-out, this is a good model:
Telecoms - BT.com
BT has a less clear but more sophisticated widget offering opt-out by cookie category.