There is a good deal of confusion about the recent changes in government legislation regarding the use of cookies on websites, and how best to comply with it. On this page we will attempt to clarify our understanding of the legislation and the steps we can help you take towards compliance.
*Please be aware that this is a response from concerned techies and not lawyers.
What is the legislation asking for?
The new EU Privacy Directive requires that end-users (website visitors) consent before cookies are set on their computers, unless the cookie is "strictly necessary" for the online service they are using (e.g. when someone logs into a site or adds an item to a shopping cart, the cookie is considered strictly necessary).
What is a cookie?
A cookie is a small piece of data left on a user's computer by a website they visit which lets the website track information about the visit.
Sounds fair enough - what's the big deal?
The problem is that, whilst the intention of the legislation is good (to stop the gathering of data about users and intrusive behavioural advertising), the effect is quite ridiculous. Many privacy experts see this update to the EU privacy directive as a misdirected approach to a genuine problem. By legislating against the normal use of all cookies (including, for example, the JavaScript cookie Drupal uses to optimise content according to your browser's settings), it's estimated that 90% of websites in Britain are now non-compliant with the law. We know that some cookies can be abused for commercial reasons, but the user's ability to delete and control local information makes cookies amongst the least intrusive ways of storing data from sessions. Unfortunately for all of us, Drupal is one of many CMSs that requires cookies as an integral part of how it works and makes pages interactive.
So what do we do now?
Strict compliance with the law requires that no information from your website is stored on your users' computers without their explicit prior consent. However, the Information Commissioner's Office (ICO) has said that if a website owner has taken reasonable steps towards compliance, prosecution is very unlikely.
Meaning what in practical terms?
For our Drupal websites, we can help with compliance by adding a banner when a user first visits your website, which highlights the cookies set by the site and requests explicit consent for them to be set. The banner also links to a page of generic information explaining the use of cookies and how to control them. In addition, we can take steps to prevent the use of a session cookie until and unless the user logs into the site. We can see that this is not a perfect solution, as the only option for the truly cookie-phobic user is to leave your site altogether, since it's practically impossible for us to meet accessibility standards on your website without the use of cookies. However, we think that this is as far as it's practical to go with Drupal. The conundrum for all web developers is how to disable cookies on request, when the only way for the site to record the user's request is by setting a cookie. Our monitoring of other sites suggests that the cookie banner and information page are sufficient to keep the commissioner satisfied.
So is that it on the cookie front?
Well, nearly. Regardless of the cookies which get set as part of Drupal's content management functionality (and which are therefore somewhat within our power to modify), it is likely that your site is also setting cookies by virtue of having third-party embedded objects such as Google Analytics monitoring, YouTube videos, Share This buttons etc. These will automatically set cookies on your users' computers, and as our information page explains, this cannot be prevented except by the user changing the settings on their computer. It's suggested you embed any YouTube videos using "privacy-enhanced mode", but the video still sets cookies.
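To make the two ideas above concrete (a banner that records consent in a single first-party cookie, and third-party embeds that are held back until that consent exists, with YouTube loaded via its privacy-enhanced host), here is an added, illustrative example. It is not GreenNet's banner or a Drupal module; the cookie name "cookie_consent", the "/cookies" information page path and the sample embed list are assumptions made for the example.

```javascript
// Added example: a minimal first-party cookie-consent gate for a page that
// also embeds third-party objects. Illustrative code written for this
// article, not GreenNet's banner or a Drupal module. The cookie name,
// the "/cookies" page path and the sample embed list are assumptions.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Consent exists only when the visitor has explicitly accepted.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'yes';
}

// The one cookie the banner itself writes, and only after the click:
// scoped to the whole site, not sent cross-site, Secure (assumes HTTPS).
function consentCookieValue(maxAgeDays = 365) {
  return `${CONSENT_COOKIE}=yes; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// YouTube's privacy-enhanced mode is the youtube-nocookie.com embed host.
function privacyEnhancedEmbedUrl(videoId) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) {
    throw new Error('unexpected YouTube video id');
  }
  return `https://www.youtube-nocookie.com/embed/${videoId}`;
}

// Given the visitor's cookies and a list of embeds, return those allowed to
// load now: strictly necessary ones always, cookie-setting third parties
// only after consent.
function embedsToLoad(cookieString, embeds) {
  const consented = hasConsent(cookieString);
  return embeds.filter((e) => e.strictlyNecessary || consented);
}

// Constructed sample of what a site like the one described might embed.
const SAMPLE_EMBEDS = [
  { id: 'analytics', kind: 'script', strictlyNecessary: false,
    src: 'https://www.google-analytics.com/analytics.js' },
  { id: 'video', kind: 'iframe', strictlyNecessary: false,
    src: privacyEnhancedEmbedUrl('abcdefghijk') }, // constructed video id
];

// Browser-only part: inject whatever the consent state currently permits.
function loadAllowedEmbeds() {
  for (const e of embedsToLoad(document.cookie, SAMPLE_EMBEDS)) {
    const el = document.createElement(e.kind);
    el.src = e.src;
    document.body.appendChild(el);
  }
}

if (typeof document !== 'undefined') {
  if (hasConsent(document.cookie)) {
    loadAllowedEmbeds();
  } else {
    // No cookie is written and no third party is loaded until "Accept".
    const banner = document.createElement('div');
    banner.textContent = 'This site uses cookies. ';
    const info = document.createElement('a');
    info.href = '/cookies'; // assumed path of the information page
    info.textContent = 'How cookies are used';
    const accept = document.createElement('button');
    accept.textContent = 'Accept cookies';
    accept.addEventListener('click', () => {
      document.cookie = consentCookieValue();
      banner.remove();
      loadAllowedEmbeds();
    });
    banner.append(info, ' ', accept);
    document.body.prepend(banner);
  }
}
```

The point the page makes about the "conundrum" is visible here: the consent decision can only be remembered by writing a cookie, so the design keeps that to one first-party cookie written after the click, and treats everything that is not strictly necessary as off until then. The privacy-enhanced host reduces, but as the page notes does not eliminate, what the video embed sets.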
What should I do next?
Read this message again, check what others are doing and get advice from anyone you know who is well-versed in EU Directives. If all of that leaves you thinking you'd like a cookie banner on your site like the one you may see at www.gn.apc.org, write back to us at webprojects@gn.apc.org and we'll set it up for you. The cost of a default implementation of the banner is £60 + VAT (or 2 support tickets if you'd rather do it that way). Costs for additional customisation will be given on request.
You may be interested in further reading at:
- Official ICO guidance
- A techie's look at practical problems caused by the law
- BBC news story from 26 May 2012, when the law came into force
And of course, if you'd like more information, do get in touch.