back to article 99% of UK gov websites are breaking the law

Most public sector organisations do not ask internet users' consent to cookie tracking, a survey has said. The UK's Privacy and Electronic Communications (Amendment) Regulations implement changes to EU law and were brought into effect in May. The new law requires website operators to make sure they have "informed consent" from …


This topic is closed for new posts.
  1. Neil Brown

    "By next May"

    "By next May" is, perhaps, the key phrase, which only appears quite a way down the article.

    ICO expects organisations to be taking steps to ensure that they are compliant by May 2012, but a lack of compliance is not necessarily an immediate problem:

    "Organisations have 12 months to make sure they comply with the new rules. In that time we expect websites to be looking at the cookies they use and where necessary putting in place steps to get your consent.

    If a website does not appear to be taking steps to comply with the new rules and we receive a complaint during this 12 month period we will provide advice to the organisation concerned on the requirements of the law and how they might comply. Where we think it is appropriate we will also ask organisations to explain the steps they are taking to ensure that they will be in a position to comply by May 2012."

    Source: ICO:

  2. Anonymous Coward

    The lunatics have taken over the asylum.

    A massive amount of time and money is being wasted on this utter crap.

    Meanwhile, services are being cut, children go without books and OAP's die in their homes through lack of heating in winter.

    Glad we got our priorities right then.

    1. Armando 123

      Dogs and cats, living together!

      Maybe if the government ignores the problems they'll get better. Then again, I'm so libertarian that I should drive a Conestoga wagon: if government does less, with rare exceptions, I'm all for it.

  3. Anonymous Coward
    Thumb Up

    Thats almost sensible...

    "Less obstructive methods, such as obtaining consent from websites' terms and conditions..."

    So to comply with this, all we have to do is add some legal bumf to the T's & C's and we're good?

    Careful, that almost sounds sensible!

    1. Anonymous Coward

      But in the real world

      How many times do people bother to search out, read and understand the Privacy or T's & C's sections before using a website?

      A tiny fraction of 1% I would imagine - that doesn't sound much like informed consent to me.

      1. Anonymous Coward

        But.... that your issue or theirs?

        Maybe should have a opt in / out box.

        Yes = to to site.

        No = goto

        This is one f***ked up law, made by dickheads that have no idea what bit of paper has been shoved in front of them and they have asked to sign.

        1. Anonymous Coward
          Anonymous Coward

          Blaming the wrong people

          If it wasn't for the marketing folks using increasingly devious ways of invading people's privacy the eurocrats wouldn't have felt the need to draw up a law like this, and it has to be drawn widely to stop them weaseling their way round it. For a couple of recent examples:

          There are loads of cases where an honest majority are inconvenienced by a law that's there to protect the public at large from a dishonest minority. It sucks to be one of the ones inconvenienced, but unless you can think of a better way to protect the public from the scum I suggest you deal with it.

      2. Yag

        even worse...

        "How many times do people bother to search out, read and understand the Privacy or T's & C's sections before using a website?"

        How many times would the cookies been set as soon as the user load the website, far before even finding the Privacy or Ts&Cs sections?

      3. Anonymous Coward
        Anonymous Coward

        "Informed Consent" is a bonkers standard in this context

        "Informed Consent" is a totally inappropriate standard to apply here anyway.

        It comes from the world of medicine, where the surgeon has to make sure you understand the implications of that vasectomy before relying on your signature as permission to apply the scalpel to your goolies.

        We don't apply anything like as high a standard in other walks of life: that mortgage you signed up for is a weight around your neck, whether or not you understood how compound interest works. With a few restrictions around 'unfair contract terms' etc., caveat emptor applies.

        Informed consent is just the wrong standard in this case (even 'click the box' consent is a bit strong, for the reasons others have pointed out).

    2. Anonymous Coward

      Unfortunately not...

      ... the regulations don't allow for a simple update to the T&C. It has to be a physical message right before the user starts their journey through your site. The regulations speciafically state that anyone using Google Analytics needs to ask permission from the users as well, so there goes my stats which help me shape the content for the customer and hopefully make their visit faster and more informed, thanks EU.

      1. Camilla Smythe

        Dear AC

        Please explain to another AC, it is not my real name, how the use of Google Analytics allows you to improve your users experience?

        I do assume you have access to website logs and a bit of foss that might allow you to do the analytics yourself..... or is your arse just to lazy?

        I'd be interested in the name of your website in order to do a bit of analytics myself.

        Well..... fuck me. You mean that you sell inco products to people with incontinence problems and Google is telling you that most of your visitors are 'of a certain age'?

        Might I ask how Google came by such information?


        You hosted their 'free' tool and gave it away. How do you think your customers might feel about that one?

        ITMT what the fuck are you doing operating a website whereby you have such a basic lack of clue about your target audience that you just have a basic lack of clue?

        Meeeeeeep Meeeeeeeeeeep Meeeeeeeeeeeeep

        My website will die if I am not allowed to host third party data scrapers and get 0.000000001C for every $1 they earn.

        Sympathy bucket is empty.

        Go get a proper business model.

        1. Mark 65

          Re:Dear AC

          "I do assume you have access to website logs and a bit of foss that might allow you to do the analytics yourself..... or is your arse just to lazy?"

          I am capable of crafting my own wheel but prefer to use ones I buy "off of the shelf". I am capable of disposing of my own refuse at the local council tip but instead prefer to stick the bins out for collection etc etc etc. Please think before accusing people of laziness rather than considering whether they believe their time is better spent elsewhere - it is the basis for productivity/value add whether you consider it to have been "added" or not.

          1. Camilla Smythe

            @Mark 65

            I would mention that you do not "buy Google Analytics off the shelf" all you do is host their scripts on your site for 'free'. Of course it is not 'free' because the analytics as delivered to you are generated by the same tools that you are hosting as a result of Google analysing the behaviour of people on your site and the content of the site itself and combining that with data gathered from sites elsewhere in order to generate the associated profiles. I would suggest that wealth of data is more immensely valuable to Google than anything you receive in return but you are quite happy to gift such information about your visitors without their explicit knowledge to Google because either you do not know, do not think or do not care.

            1. captain veg Silver badge


              Google analytics is in my browsers' block lists. I don't claim to be typical, but I'm certainly not alone. So performing your own logfile analysis is definitely more accurate.


  4. Pete 2 Silver badge

    Q: How can you break the law if you can't be punished?

    If you fine a local authority, it's the council-tax payers who have to pay it. Councils don't have any money of their own: only the money they forcibly extract from people in their region. If some of that is taken away from them in fines, the local people (who paid it) either have to pay more to make up the shortfall, or suffer from reduced services.

    The council itself is never made to suffer.

    So to say that a number of councils are breaking the law, and that they could be fined because they haven't done some stuff about cookies on their websites, is meaningless. They won't suffer, even if they are found to be doing something illegal. Councils are not people: you can't anthropomorphise them and apply "punishments" or "rewards" as you would to a naughty child. As an organisation, not a person, they are immune to punishment. Consequently trying to apply laws to non-people is ineffective.

    The best you can do is ask nicely, "if they oh-so wouldn't mind terribly if they might (when it's convenient) please, have a little look at doing something about all the cookies their websites push out - no pressure at all. Thank you all, very much indeed." The answer, as with everything a council is asked (nicely or not) to do is that it will cost money and need more people - in a time when they have to cut costs and staff. So again: just as with paying fines, it's the tax-payers who get stuffed with the compliance costs.

    1. Anonymous Coward

      Good point, but not quite...

      ... I see what your saying but I think the person in charge of the website will probably have a vested interest in keeping their job, so that might be a bigger motivator for complying by May 2012.

      Don't forget, Councils do actually employ normal human beings that have wives, kids, mortgages etc.

      1. Anonymous Coward
        Anonymous Coward

        Councils employ actual people.....

        Yeah verily. Just as with the many instances of laptops, sticks, cds "lost" with personal data on them it is not the council that should be fined (i.e. council tax payers who have to stump up the money) but the individual officers and their managers who allow the laxity.

        As I have said before on numerous posts, council tax payers are punished when a council is fined, but the responsible individual is really punished when a gaol sentence is applied, which cannot be passed on to the long-suffering public hypothetically "served" by the council.

  5. Anonymous Coward

    99% of UK gov websites are breaking the law...

    ...and so, I imagine, are 99% of all other websites.

    Is any self-respecting website developer going to make any effort to spoil the user experience with various popups asking the user something they probably don't understand anyway?

    Some EU initiatives are worthwhile. This is not one of them.

    1. Anonymous Coward

      Re: 99% of UK gov websites are breaking the law...

      "Is any self-respecting website developer going to make any effort to spoil the user experience with various popups asking the user something they probably don't understand anyway?"

      I seem to recall an article about this where it was stated that you can go ahead and use cookies for the essential mechanisms of a site, and that the law is really only targeting tracking cookies deployed by advertisers via sites whose administrators have either sold out and started using various third-party analytical tools or who want to make a few bucks on the side by showing adverts.

      1. Yag

        Don't you think...

        ... that showing ads and using analytical tools are essential mechanisms of a site?

        Most site owners will.

      2. RegGuy


        Does this apply to HTTP etags too? Or can we simply switch to using etags rather than cookies?

    2. Anonymous Coward


      goes in the same category as the one they had about regulating the shape of bananas/cucumbers ...

  6. My Alter Ego

    186 cookies?

    That's a WTF in itself, I can see the committee decision:

    PHB #1; We need to store as much information as possible on the visitors

    Tech: Why?

    PHB #1: just because

    Tech: We'll probably need a database to do that much information.

    PHB #2: I've heard about these things called cookies, why not use them

    Tech: You've got to be shitting me. **Gets out razor blade**

  7. Anonymous Coward

    If you want to talk about UK lawbreaking websites

    why not have a look to see if you can find any websites which comply with the Disability Discrimination Act and its successors.

    E.g. the kind of standards-compliant Flash-free website that is not just inherently multiplatform, bandwidth-efficient, indexable by search engines, etc, but also usable by (eg) people with impaired vision who use a screen reader.

    Cookies are for eating.

    1. Mark 65

      Lawbreaking websites

      Can I just ask what are the criteria for determining whether the site comes under UK Law?

      *.uk? Any site registered to a UK entity (rather than a proxy registration)?

  8. Anonymous Coward
    Anonymous Coward

    This is how the law comes into disrepute...

    ... through passing bushels of ridiculous, pointless, time-wasting, unenforceable laws.

    People naturally ignore them, and thus get comfortable with paying no heed to the law.

  9. Will Godfrey Silver badge

    These laws are rubbish

    Look how easily they break

  10. Scarborough Dave
    Black Helicopters

    T's & C's Change no problem!

    Anyone seem this in any T's & C's on a website?

    Just wondering on the wording, I am expecting lots of junk mail on this issue, and lots of discussion, so if we could recover this potential to loose time (and money) on this issue with a change to some T's & C's now, then I am up for it!

  11. Anonymous Coward

    what happens if the user says no?

    Where do you store that a user doesn't want cookies if you can't use cookies in order to record their disagreement?

    1. Anonymous Coward

      Then they can have the 'Frankie Boyle Vegetarian Option'.

      As in "There is a vegetarian option - you can f**k off".

    2. Anonymous Coward

      Then you FAIL

      because you'll have to ask them over and over and over - unless of course storing a cookie to remember that they don't want you to store cookies counts as an essential function?

      1. Just Thinking

        That's fine

        I'm probably not going to rewrite my websites to work without cookies, so yes at best I could ask permission and if they say no then they get asked again every time they open a new page.

        Problem with that is, people who currently have cookies turned off and put up with the minor inconvenience they might encounter will then find my website totally unusable. How does that benefit anybody?

        1. Will Godfrey Silver badge

          -1 (imaginary website)

          @Just Thinking

          If your site can't function at all without cookies then you are *definitely* doing it wrong!

          best get on with that rewrite.

          1. Just Thinking

            The crux of it

            My site (mostly) works fine if the user disables cookies. What I can't easily do is to configure things so that the site doesn't try to use cookies.

            So at the moment someone who has disabled cookies can use my site. In future they won't be able to use my site because I will have send them somewhere else if they decline cookies when I ask them.

            I'm not arrogant enough to think that being unable to visit my website is a great loss to anyone, but multiply that across lots of websites and it becomes a problem. Ironically, this law could harm people who are already dealing with their own privacy concerns by disabling cookies.

            ICO should just say - every website uses cookies, they are mostly harmless, but here is how to turn them off.

  12. Anonymous Coward

    Councils (and businesses) often have highly paid directors

    "As an organisation, not a person, they are immune to punishment. Consequently trying to apply laws to non-people is ineffective."

    You make a good point but miss the answer. Apply the laws to the people in charge. The people in charge pay themselves as individuals lots of money because "they are responsible". So if they are responsible and there are punishments to be dished out, why are the "responsible" people (who paid themselves a great deal) also not picking up the punishments.

    It would help focus these folks minds.

    I do realise it's not going to happen just yet, but I suspect if things were done this way there'd be noticeable differences.

    1. Anonymous Coward

      Re: Councils (and businesses) often have highly paid directors

      "You make a good point but miss the answer. Apply the laws to the people in charge. The people in charge pay themselves as individuals lots of money because "they are responsible"."

      They are only responsible for the good stuff - and consequently reward themselves handsomely. If anything bad happens, I think you will find that someone else is repsonsible for that.

      Applies to large corporations too.

      Esc key 'cos I would like to. Anyone know a good place to go?

  13. Derichleau

    Mute topic

    If the ICO have already deemed that organisations have 12 months grace then I fail to see how they can be contravening the law.

  14. xlq

    It sounds like websites control your computer.

    HTTP is a stateless protocol, which means between page loads, the web server normally has no way to know who's who. Cookies solve that, by letting each visitor identify itself every request. It works as follows:

    <visitor> I'd like to look at this web site.

    <server> Sure, here's the web site. Also, next time you visit, give me this cookie (a number), so I know who you are.

    ... time passes ...

    <visitor> I'd like to look at another page. Here's that cookie you gave me last time.


    With this absurd legislation, the server would have to ask permission for the visitor to return the cookie? It doesn't make sense! It's up to the visitor to return the cookie!

    Or maybe the exchange would be more absurd:

    <visitor> I'd like to look at this web page.

    <server> No, you didn't give me any cookies. You can't have accepted our cookie policy. Read this cookie policy instead, asking you to permit me to give you cookies.

    * visitor reads page

    <visitor> OK, I accept the policy.

    <server> Who are you?

    <visitor> I'd like to look at this web page now.

    <server> No, you didn't give me any cookies. You can't have accepted our cookie policy...

    The legislation is just a poor attempt at solving the problem that most users don't know how to control their software.

    1. Anonymous Coward

      Er no

      " the server would have to ask permission for the visitor to return the cookie? "

      The website would have to ask permission to set the cookie in the first place. The server doesn't do anything to get the cookie back - that's the browser and HTTP. The browser would ALWAYS return cookies, because they would (in theory) have been legitimately set in the first place.

      And it wouldn't mean the user couldn't view ANY page without accepting the cookie policy. That would be retarded. Do you require a session cookie before someone views your site(s)?

      The user doesn't need to know how to (fully) control their software, this legislation is another example of lawmakers not fully understanding (or bothering to) how modern tech works and that it's a lot more complicated than their stuffy old brains would like.

    2. M Gale


      This law is specifically about tracking cookies, not session cookies. That is, the cookies that Google et all like to set that have expiry dates of some time after 2030. Not a session cookie that helps your site maintain state while the viewer is watching it, and expires some sensible time later (say, 24 hours).

      Normal cookie usage is unaffected. You may feel free to POST a session ID instead though, if you want to make sure of your legality. Just don't use GET unless you want your users getting hacked by copy-pasting a URL to the wrong people.

      1. RegGuy

        Cookie type

        Wot, not big biscuits? Bummer...

  15. Just Thinking

    What privacy?

    The guy at the corner shop probably vaguely recognises me and knows which Sunday paper I read. He doesn't know anything else, eg my name. That isn't an invasion of my privacy. He doesn't need my permission to vaguely recognise me.

    Tesco, if I was daft enough to use a loyalty card, know my name and address, virtually everything I buy, hence a lot about my family and lifestyle, how much petrol I buy and where, even which theme park I take my kids to when I spend my points. That is an invasion of privacy and I deserve a choice (which I have, of course, I don't own a clubcard).

    That seems to be pretty much the same as most websites - most websites can't track you as you move around the web, they can only track you as you move around that website. To track people any further than that you would need your own code running on lots of other peoples' websites.

    So this law only really matters if you are Google, but we all have to comply, and it could be very difficult for CMS users who don't have detailed knowledge of exactly what their site is doing under the hood. Unless the major CMS projects address this, we are going to have millions of lawbreakers, or a hell of a lot of static HTML sites.

    1. Anonymous Coward
      Anonymous Coward

      Pretty good but

      I like your analogy, but I don't think the CMS projects need to address anything - as you say it's the ad networks that do the cross site tracking (Google esp, getting sick of expansys adverts everywhere just coz I work there and happen to go on the site a fair bit)

      The EU needs a kick in the teeth so that it legislates only against the ad groups, who should be the ones required to get permission to track between domains.

      1. Anonymous Coward

        RE: Pretty good but

        I agree the CMS Vendors shouldn't have to do anything it really should be targeted at the Ad Networks, unfortunately common sense and some technically minded people in central governement and EU Parliament are unfortunaetly absent from the process.

    2. Anonymous Coward
      Anonymous Coward

      my grocery store knows who I am, too.

      I'm the guy that buys:

      candybars and rope - lunch plus stabilizing furniture during a friends' move

      apples and razor blades - lunch plus i was cleaning windows after painting

      antifreeze and dogfood - car needed antifreeze and parents dog needed food

      cucumbers and condoms - ok, this was a joke because I only needed the cucumbers and just couldn't resist.

      If I'm bored and have a big list, I'll match up the items in creepy pairs and buy them, with cash, usually ones, wearing gloves, at the 4 stores in the chain closest to my house.

      If I'm really bored, I'll turn my phone off and go out for a drive. And start driving in circles, mall parking lots are best, and turn my phone on one corner and off at the opposite corner, over and over until I get bored.

      I wouldn't be surprised if my car had more than one tracking device attached...

  16. Anonymous Coward

    Socitm uses cookies without user consent

    I went to my local gov site and a socitm survey popped up. It left cookies on my computer despite my do not track setting. These people are retards.

    1. Anonymous Coward
      Anonymous Coward


      Just viewing the (not the saves a TestCookie and no sign of a tick box.

  17. Will 28

    Could someone clarify this for me

    Is this new law banning use of any cookies without consent, or just tracking cookies. The testing they've reported suggests to me that it's all cookies, but that's just stupid. They are a perfectly reasonable way of storing state (and this is coming from someone who whitelists cookies). It may be persisting a session id for authentication, the on screen location of a widget, or the page you're on in a survey. That's not tracking you, it's simply working around the stateless nature of http.

    I can see the reasoning behind the law, but please tell me it's only applying to cookies that uniquely identify you, and persist for a significant period of time.

  18. Old Handle

    It would have been so simple to make this simple

    But instead we (well, those of us in Europe) are stuck with something confusing ans unenforceable that people will just ignore, because there is no other viable option. As I understand it, the law does have an exemption for cookies that are "necessary", but doesn't provide any further clarification.

    But all they would have had to do is specify that first-party session cookies can be used without restriction. That would be a whole lot more helpful, and should cover the majority of what is truly necessary.

  19. Anonymous Coward

    FFS - Lies

    Balls - they've pinged sites checking for cookies being set - that's it. That's not an audit.

    Cookies being set != no consent.

    The updated directive (it's not new) is not specifically about cookies, it's about storing and persisting data on the local machine (by any means) without consent. The persistence is an important, as this differentiates between session and tracking cookies.

    Also any mechanism of local data critical to the function of service provided is exempt, such as cookies on an eCommerce site persisting your shopping cart.

    The wording is actually reasonable clever in ensuring that it targets tracking cookies without explicitly stating so. And for these cookies, providing clear information on your terms and conditions is actually enough to comply - this wouldn't be identified by this cocking "research".

    So if a LA site sets a session cookie, that's not breaking the law, it really isn't. And the idea that a site is setting 186 cookies - nonsense - that's their "auditing" software failing. And the 99% figure also nonsense - how do I know, I visited 30 sites this evening and checked, typically you're dealing with 3 (session + socitm survey + google analytics) - online payments might issue a 4th but as stated, this along with the session cookie, would be exempt.

    In any case, ICO aren't doing anything for year, and have already stated that the user agent vendors (Google, Microsoft, Mozilla, etc.) will be responsible for compliance. Leaving web site owners for all intents and purposes with nothing to do.

    Beyond the idiocy of SOCITM (in this statement), is that it hasn't been challenged by the journalist copy/pasting the press release. *sad / grumpy face*


  20. Anonymous Coward

    El Reg Glasshouse?

    Anyone remember seeing a pop-up requesting permission to store cookies from El Reg?

  21. sheep++;

    Losing track...

    Well I started reading all the posts on here, and did get slightly bored. Plus I'm surprised that no-one converted the word "Socitm" into "Scrotum". Yeah, I'm slightly mad, but hey, I've been up all night coding.

  22. Anonymous Coward
    Anonymous Coward

    Guts or stupidity to publish an article like this (check your own backyard first)

    Boy it really takes some courage to point out how everyone (including yourself) is in violation of an EU directive! I am not sure though, did you think you were compliant? Let's look at this one page.

    So throwing "consent" out the window, as I would certainly not make the case that I consented to the 10 cookies this single page issued, I would then ask the question of notice. Does this page even provide me with actual notice about its cookie use. I see in the privacy policy that you acknowledge use of cookies from DoubleClick and Atlas. What about the MediaMind cookie that is clearly on the page? Where is the notice for that one (again never mind consent)?

    Also let's look at the statements about what these folks are doing with their cookies : "They do not use information gathered through their cookies for their own use, and they do not collect personally identifiable information".

    I am not sure how this exactly jibes with e.g. DoubleClick's statements that the cookie data is controlled solely and exclusively by its clients who may make use of it (including mapping identity to the cookie) as they see fit. MediaMind also in its privacy policy allows for personal data to be tied to a cookie when that data is personally volunteered (volunteered on site XYZ and then recalled on Atlas too suggests that while data is anonymous to them, they do allow for clients to assign client specific customer identifiers to the cookies (so that the real controller of the data - the client - can identify the cookie). This is right in the 3rd party's privacy policy. Good job guys 0 for 3. Ohh wait 0 for 2 you didn't even know that one was there.

    I don't mean to be too hard on you here. This site is 1000% closer to meaningful notice than most other sites. The sad part is that being the best means you still don't give users accurate notice of who is collecting data or what they are doing with it (accurate notice being a presumed prerequisite for any definition of consent).

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022