New “Cookie Law” comes in force 26th May

You may or may not have heard about the new cookie law that comes into effect on 26th May.

Under the new rules, any website that places cookies on the user's computer that aren't strictly necessary for the delivery of the information or services requested are required to gain permission beforehand.

Joomla, as with most content management or e-commerce systems, uses cookies to control user sessions; for example whether a user has the necessary permissions to access certain pages or to remember the contents of a shopping cart.

These are an essential part of managing a visitor's use of the site, and consequently should be seen as being included in the “strictly necessary” category of cookie, and therefore permission is not required; although if your installation uses othe 3rd party components, you might need to check if these set additional cookies and what these do.

However, if you are using an analytics program, such as Google Analytics, to monitor visitors to your site, you now have a problem, as the recently published guidelines from the Information Commissioner's Office indicate that the ICO's view is that analytics / tracking cookies do NOT fall into the category of “strictly necessary”, and consequently to comply with the law you need to gain consent before using cookies to track visitors. To see how the ICO sees this working in practice, visit the ICO site (

One assumes that the ICO would be a trusted organisation, yet they recently announced that less than 10% of visitors to their site opted in to accept cookies, which doesn't bode well for sticking to the letter of the law if you want to track the other 90% plus of your visitors.

And to further confuse things, the latest ICO guidelines include this:

"Whilst he does not consider they are exempt from the rules the Commissioner is therefore unlikely to prioritise, for example, first party cookies used for analytical purposes and cookies that support the accessibility of sites and services, in any consideration of regulatory action."

Or, in other words, we consider they are illegal but we probably won't prosecute.

Good law, this, you just can tell when the regulatory authority is ambivalent about if and how they might enforce it.

To track, or not to track, that is the question...

But this means that you, as a website owner, are now faced with a dilemma:

To go “strictly legal”, by adding an opt-in mechanism, or by removing your analytics program altogether, in which case you will not be able to track 90% or more (or any) of your site visitors with analytics; or to ignore the opt-in requirement and trust that the ICO really doesn't intend to do anything to enforce the rules on tracking cookies.

We should also point out that the EU directive itself allows for browser settings on cookies to constitute consent, but the ICO doesn't accept that current browsers meet the necessary requirements of “informed consent”. There is a coordinated move by all the major browser developers to add such a mechanism, but it is not clear when this is likely to be incorporated in new releases; furthermore, this won't solve the problem of consent from visitors using older browsers.

To find out more about the details of the new law, see the ICO guidelines:

the International chamber of Commerce has also produced a good guide that is considerably more digestible: