Complying or Not? 16 brands and their approaches to the EU cookie directive

2 days on from the beginning of the enforcement of the EU cookie law, and 4 days on from them being ‘watered down‘ (to include implied consent as a valid form of consent in some limited circumstances), how are some popular websites looking in terms of complying? (after all there is the small issue of a £500,000 fine if they arn’t…)

Strict Compliance

Sites that have applied the law, it would appear, to the letter…

ICO (Information Commissioners Office)

Starting with the website of the company charged with regulating everyone else on the new EU cookie law – setting the example surely?

  • Full opt-in approach
  • Banner stays at the top until you action it
  • Their privacy notice explains what cookies they use and their purpose
  • Cannot disable specific cookies on the ICO website – links to the individual links and explanations of how to do it.
  • However:
    • It’s a user experience nightmare
    • Does is really educate users?
    • Even they seem to have problems keeping up with their cookies as we saw a little Twitter cookie sneak in whilst surfing their site with our audit tool at one point

Labour Party

  • Full opt-in approach – We ran the Attacat cookie tool on it and there are in fact no cookies tracked until you accept the pop-up.
  • Cookie policy of the Labour website explains that users can restrict of block cookies through their own settings and also includes a link to for more information
  • There is also a list of the main cookies used on the site
  • But not a very user friendly explanation of cookies and really just the bare bones of what is required.
  • Their pop up information does however stay up for the duration of the time on the site until you click that you accept
  • All in all seems a pretty compliant!

Gordon’s Gin

  • Along with the age consent you are agreeing to cookies being stored – a wise way of doing things if you already have to have a pop-up.
  • They give you information about the types of cookies that they collect and an explanation of how to use your browser settings to disable cookies and a link to opt out of being tracked on Google Analytics.

Complying well but not super clean!

The following sites may not be strictly compliant but in our humble opinion have done enough that the ICO will not wish to force them to do more.


  • Mostly opt-in BUT during an Attacat test before getting consent the BBC website had already set the S1 “analytic” cookie on the main page – so maybe not as clean as they seem (but in lines with revised guidance)
  • Loads of info a really good site in terms of going above and beyond in terms of ensuring people understand what cookies are.
  • Using the word ‘continue’ unlike most other website where you must ‘accept’ their agreement – making cookies perhaps seems a more positive thing?
  • The provide comprehensive information about what cookies are and the types of cookies.
  • Gives you the choice to enable or disable functionality, performance and online behavioural advertising cookies
  • Also gives you the option to opt out of specific cookie set by the BBC and their supplier including SageMetric  cookies, double click cookies and Google Analytic cookies
  • Information for their international users


  • Delayed cookie setting approach – you have 12 seconds to back out!
  • Seems to have been held up as a great example of a company (broadly) following the new law
  • Already set to ‘allow all cookies’ it is up to the user to ‘opt out’ or change settings.
  • Stays up for 12 seconds before disappearing: settings can then be changed with the famous slider tool at the bottom of the page – means you can decide how cookies are tracked.
  • They record no cookies while the pop is there as soon as it disappears they assume you have consented to allow all cookies and recording begins.
  • Slider tool clear and easy to understand and lets you choose what type of cookies BT set, strictly necessary and performance, functional or targeting.

Great Ormond Street

  • An implied consent approach that sees cookies being set as you land but with only relatively un-invasive cookies, such an approach, whilst breaking the law is unlikely to be enforced according to the new guidance.
  • Message stays at the top of each page until it is accepted.
  • Good explanation of each type of cookie used by them.
  • No opt out on the website but links for each type of browser to an explanation of how to manage your cookies.
  • Same as the BBC – uses the word ‘continue’ and not ‘accept’
  • Their hospital site has the same banner and layout.
  • After running the Attacat Cookie Audit we can see that cookies are set before you click on anything – however the ‘opt in’ does say ‘continue to use cookies’ which does suggest they have already been in use…
  • They use Google Analytics


Spotify (landing site)

  • Another example of a site using Google Analytics going for an opt-out and prominent notice approach
  • Information in the privacy policy about what cookies are and the categories they group them in to – for essential purposes, performance, functional purposes and targeting or advertising.
  • But no explanation of how to delete cookie or how to disable them being stored – not much help especially when comparing them to other policies seen.
  • But an example of implied consent they are letting users know they use cookies and there is a link so people can find out more.

Complying but a bit dodgy!??

These are sites that have made effort but we suspect might be asked to do more by the ICO. Why? Because they carry adverts powered by third parties.

The Guardian

  • Pretty small unobtrusive easy to miss banner.
  • This is an implied consent example – the ICO state that this can only be done if your users understand that this means cookies will be set, and it must be informed consent.
  • The Guardian set 1st and 3rd party cookies unless you do something about it.
  • What the Guardian does have is a very good clear page (with a graphic well worth copying) as a link from their cookie info page on how cookies on their page are used by them and third parties.


Channel 4

  • After looking at the BBC cookie policy and information about cookies it seems much less user friendly with it seems most of the information on one very long page
  • There is information about the types of cookies they use and how to manage them however this is just in the form of a link to the partners website where you can then opt out, there is no way to opt out of specific tracking on their own website.
  • Unlike the BBC this banner stays at the top until you take action on it.
  • It does not seem to matter whether or not you click on this banner – other than to get rid of it from the top of your screen ‘accepting’ here does not matter – we ran an Attacat audit tool on this: we did not click accept and within 5 clicks into the site had a total of 59 cookies made available! Accept here is not to say ‘ok Channel 4 you CAN use cookies’ its ‘ok Channel 4 I understand you DO use cookies’.

Conservative Party

  • The conservative party website assumes that from doing nothing to the settings this means that you are accepting their use of cookies. They are using the implied consent option and track cookies from the word go!
  • You can choose for them to remember your preferences by setting a permanent cookie.
  • The cookie information page in the website has an in-depth amount of information about the cookies used
  • Is this the worst wording of any consent box out there?

Channel 5

  • Another media site not getting opt-in for advertising cookies
  • There is no choice to block cookies before they start being used on the Channel 5 site.
  • Through the ‘corporate information’ pages there are links to block certain cookies and change your settings.
  • Channel 5 description of Cookies in not overly user friendly but the information is easy to find and they are simply using implied consent.


  • Attacat Cookie Tool test showed that 73 cookies were set after just two pages without any consent having been given!
  • They are using the AdChoices (self regulatory program) icon to signify use of behavioural advertising
  • No banner to explain that the site uses cookies, just a very small box in the left hand corner saying ‘cookie consent’.
  • But….one of the nicest cookie controllers we’ve seen implemented.  Very easy to change by cookies by clicking on the cookie consent box to turn off certain cookies and it explains what they are used for in good clear detail.

At Risk?

Sites that are taking a high risk approach to the legislation?

John Lewis

  • Only “consent mechanism” appears to be a small link at the top of the page – whilst this may be OK if they just used analytics cookies…
  • They are using remarketing (you will start seeing John Lewis adverts on other sites once you have visited) which is considered to be highly invasive and therefore likely to require “meaningful consent”
  • Excellent cookie information pages but no control mechanism

the social networks

I include Facebook, Twitter etc in this category as an example of the many organisations offering functionality for third party websites (think share buttons and widgets) that place cookies and do little to help websites that use these functions to understand how their users may be impacted.

the ad networks

Doing their best to self-regulate with an easy opt-out out and increased notification, the industry continues to fall short of genuine consent IMHO. Personally we would like their approach to succeed in getting past the law makers but are worried that it won’t.

the affiliate networks

I’m not convinced the general public will be that thrilled to find out that the exchange of commissions is common practise on the internet. The networks may drop cookies with time but the law makers probably won’t drop the privacy concerns.

Local Sites

So moving on to what is going on with Cookies around Edinburgh websites!…

Edinburgh Castle

  • An interesting site because it crosses domains (from Edinburgh Castle and Historic Scotland)
  • Opt-out approach method with prominent pop-up.  Using a lot of third party cookies for functions including Google Maps and a lot of tracking cookies from advertising networks
  • Pop-up that disappears after around 12 seconds but reappears on each new page – Clicking “I am happy with this” really should say “OK, stop irritating me now” as all it does is prevent the pop-up reappearing (we think!).
  • Goes to Historic Scotland Privacy Policy which has a list of the name and use of cookies used
  • Users are advised they can disable the use of cookies on their own however there is no explanation of how to do this.
  • We put these sites in the category of “may be asked to do more”

Dynamic Earth

  • Very similar to Edinburgh Castle –  both using Civic Cookie consent tool
  • Seemingly no advertising network cookies but do have cookie setting YouTube videos.
  • No link on the consent tool to the privacy policy as Edinburgh castles did – and in fact could not find the privacy policy or information about the websites cookies use anywhere – even looking at the sitemap or searching gave no results.
  • Our verdict – could do more without impacting the visitor experience but likely to be low on the ICO’s priority list!

NHS Lothian


  • No cookies set before you have accepted – but able to do nothing until you have (and of course a cookie is set to say you’ve consented ;))
  • Very limited information about cookies – no information available about how to turn this off or a link to privacy policy or information about cookies – this was not available to find through search or the sitemap
  • Google Analytics is the most invasive cookie we found.
  • Have implemented a cookie free Twitter feed
  • Our verdict: strictly compliant but misses the spirit of the directive and adds nothing to the user.



There are many ways to ask users for consent, or in some cases tell users they must give consent before using the site; or in other cases just let people know that your site uses cookies unless they go off and do something about it themselves…

… but who is correct!??! Do you agree with our quick assessments?

Leave a Reply

Your email address will not be published. Required fields are marked *

5 thoughts on “Complying or Not? 16 brands and their approaches to the EU cookie directive”

  1. Attacat Tim says:

    We should have added Amazon to the “at risk” list. Adveritisng cookies all over and seemingly no notice what so ever.

  2. Mike says:

    Working on a lot of public sector websites I have always been aware of accessiiblity issues etc. Therefore we have always informed people that we use cookies on the website. But, to create a law after all these years for web developers to provide some intrusive banner/popup notifiying using of non-essential cookies being used on the site is absolutly ridiculous. It would be much better educating people as to what cookies are and how they can simply block cookies (e.g. 3rd party cookies etc etc) via their web browser.

    Like many users on the BBC website, one claimed it was a good law due to, and i quote “not liking websites storing information on them”. Such ignorance proves the lack of knowledge about cookies, if a user visits my site i can store all sorts of information about the user such as location, this will even be in my server logs! (lol), and if they buy anything i can store that too!

    5 reasons why the user should be educated:

    1. There is no guarantee that the website will block cookies on their website once you have asked them ‘not to’ putting the user in a false sense of security
    2. Law is not global so user could be put at risk when visiting other websites not in EU therefore thinking that cookies are not used
    3. Popups, intrusive Banners – No standard convention of presenting information to user, will leave users confused and disorientated.
    4. User will be met with the same banners everytime the cookie expires which registers their decision or when they clear their browser cache etc
    5. User will not be aware what a cookie is therefore simply not accept it and wonder why the website they are trying to use isn’t working correctly.

  3. Christopher says:

    Great article. It was well-written, informative and with lots of images to break up the text and highlight the points in question. It would have been nice to see links to Anti-Cookie tools that actually work, as that is how I ended up finding your article after doing a search on Google! I’m currently using the “Civic Cookie consent tool” on our business website ( and a client just brought what you mentioned to my attention: even though he clicks the “don’t remind me again” button, the box keeps popping up on each page… and it’s annoying as hell!
    I’ve just taken a course on the LSSICE law here in Spain so am looking for a decent tool that will make our Website compliant with the cookie laws. If you know of any, then please let me know Christie. Lang may yer lum reek!

  4. Rusty Fox says:

    Following Brexit, it’s just a matter of time before the dictatorial European Union falls apart. Who do they think they are, saying that they’ll impose fines on people who don’t live or operate in the EU, simply because people in the EU can access a site? Sorry, but the last time anybody European tried to take over the world … Well, you remember.

    If I had websites, I would NOT put these notices on them. If the EU gets themselves all worked up over it, let them send their police outside the EU where they are just civillians, and see what happens.

    The net is already teeming with pop-ups and spam – and this bunch of autocrats want more pollution? Wake up, Euroidiots.

Like the Brain? Sign up for the packed-full-of-tips monthly newsletter