The EU e-privacy directive, commonly known as "the cookie law" has come into   full effect after a year long lead-in period.

Market researchers doing online research in Europe or simply operating a website targeted at clients in Europe need to understand and implement new EU rules on cookies if they have not already done so.

The deadline for EU Member States to implement the EU e-privacy directive, notably known as ‘the cookie law’, passed one year ago and regulators around Europe are now beginning to loudly warn companies that active enforcement, including fines, will become effective very soon after the one year landmark (26 May). ESOMAR will also soon issue its own guidance to help get market researchers started.

The e-privacy directive regulates the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user. This therefore covers any research cookies or other device which store information for example about a user’s preferences on a particular website, or track a panel participant’s visits to different pages of a website using cookies. From now on, a user’s consent will be required to store or access this information on a user’s computer, laptop or mobile and this consent is valid only if the user has been provided with clear and comprehensive information about the purposes of the data processing.

The UK data protection regulator (the ICO) for example will start actively implementing from the end of May and it has been proactive in developing guidance as the regulatory carrot for companies. However, the regulatory stick will be applied to those companies who ignore the new rules or refuse to comply. It has encouraged the business sector such as the ICC’s UK chapter to develop guidance that helps companies to improve their communications about how they use cookies. While the ICC guidance cannot be considered full implementation of the new law’s requirements, it will allow companies more credit with the regulator than if they would have done nothing – the ICO has made itself plain: doing nothing is not an option.

The French data protection authority – the CNIL as well as the Spanish telecoms authority – CMT - have also issued new guidance in the past month. The implementation will vary from country to country. For example, web analytics companies will need to look carefully at differing guidance in France and the UK. E.g. in France, a link to cookie information should be provided on the main page of the website and further information about analytic cookies should be displayed, for instance in the T&Cs, but publishers cannot use analytic information to track users across multiple websites. 

ESOMAR will soon issue its own general guidance which has been drafted in consultation with experts from the top global companies in order to familiarise companies with some of the main terms and get them started on the road to compliance. While ESOMAR cannot provide a full guide to implementation at the international level due to differing national rules, it provides an introduction to the requirements of the new cookies law together with guidance on what would be acceptable to comply with ICC/ESOMAR Code and guidelines obligations and where to go to seek full compliance. It will also recommend that research companies conduct a full cookie audit with helpful tips on how to practically execute this. The ESOMAR guidance will be available in the next month.

For more details contact:


The UK data regulatory guidance can be found here:

The UK chapter ICC guidance can be found here:

The French CNIL guidance (26 April 2012) can be found here:

The Spanish data regulatory guidance can be found here: (published 31 March 2012 – law ‘Real Decreto-ley 13/2012, de 30 de marzo, por el que se transponen directivas en materia de mercados interiores de electricidad y gas y en materia de comunicaciones electrónicas’)





Share |


For press releases, media enquiries, media partnerships and interview requests:
+31 (20) 664 2141