Cookie law compliance - top London tech law firms' methods - table
(as at 15 June 2012)    

Now that the cookie law is to be enforced fully in the UK, how are websites complying?

On the not unreasonable assumption that law firms, especially firms reputed to be expert in IT law, ought to be aware of the cookie law and would want to be seen to be compliant, I took a look at the websites of the London firms most highly-rated in tech law to see what if anything they'd done to try to meet the law's requirements. I have not yet analysed the content of their cookie or privacy policies, just their chosen compliance mechanics, although the adequacy of the disclosure in those policies affects compliance.

The table below summarises the results of visiting their home or UK pages, as at 15 June 2012. Note that this is a moving target, as some of the firms involved seem still to be tweaking their sites - eg a week ago Herbert Smith didn't have "NEW:" by their cookie policy link, and Linklaters had no separate "Cookies Policy" link. Also, different webpages may include different scripts and therefore set different cookies (or not), eg some DLA Piper pages ran scripts from various related domains, while Herbert Smith used to host their knowhow blogs. I could not check all sub-sites, and I also didn't conduct searches on all sites, which might throw up other cookies eg if Google Custom Search was used (which may not work properly unless scripts from both and are allowed to run).

I've posted separately my detailed analysis and discussion of the top London IT law firms' methods of complying with the cookie law, and their practical implications. I've also looked at some other major (non-law firm) sites' cookie compliance, and again mean to post separately about those.

Law firms' sites - table and instructions

To sort certain columns up or down, click the links or arrows in the relevant table heading.
To restore the original table ordering, please reload the webpage.

For explanatory notes on the headings and content of the table, see below (after the table).

Firm Rank Method Location Notes
Baker & McKenzie LLP 1 Link Bottom "Privacy Statement" link (below the fold).
Several session cookies were set immediately eg language, server port; also session cookie.
Set several session cookies after allowing their own scripts to run.
Bird & Bird 1 Link Bottom "Privacy & Cookies" link (just on the fold; so not necessarily visible to those who use browsers zoomed).
Google Analytics script ran after allowing their own scripts to run.
Session cookies set on browsing around.
DLA Piper UK LLP 1 Link - specific Bottom "Cookie Policy" link, separate from Privacy Policy link but not highlighted. (Just on the fold; so may not be visible to users who set zoom)
Several session cookies were set immediately eg language, server port; also scripts from Google Analytics and AddThis (which set several cookies). A cookie was set immediately on the global site, but, on the UK site, only on allowing their scripts to run; there were other scripts on other pages or sub-sites, eg zmags script to view their online mags (which sets cookies), scripts and scripts (and session cookies) from domains related to DLA Piper.
On allowing their own scripts to run, further session cookies were set.
Field Fisher Waterhouse LLP 1 Lightbox Bottom, sticky The cookie notice only displayed on allowing scripts to run, ie they seem to use a proprietary compliance service from Evidon (the cookie compliance script's origin was, which redirected to Evidon).

Message (with i symbol):Information symbol
"Our site uses cookies so that we can remember you and understand how you and other visitors use our site. To see a complete list of these cookies and to tell us whether you want us to use them on your device or not, please access our Cookie Consent Tool.
By clicking elsewhere on the page we will use cookies on your device for the purposes set out in our Cookie Notice. You will see this message only once, but you will be able to find more information about our use of cookies and set your preferences at any time."

Note that clicking elsewhere on the page was said to be taken as consent. And indeed, Google Analytics script ran and set cookies upon clicking a link to elsewhere on the site.

Inexplicably there was no link to their "Cookie Consent Tool" within that message, but on looking further there was a grey box, bottom right hand corner of the webpage, with the text "Cookie Consent", leading to a page on Evidon's domain when clicked.

The grey "Cookie Consent" box didn't seem very obvious, but the resulting webpage was in my view helpful, cf the information overload with many  sites' info pages. It showed consent status per cookie, and direct opt-out links per cookie (ie Google Analytics). So it's not opt-in, but at least it gave people who click through the chance to opt out before going back to the site.

Session cookies were set automatically after allowing their scripts AND betrad's to run.
Herbert Smith LLP 1 Link - specific, highlighted by uppercase Top and bottom "NEW: COOKIE POLICY" link amongst 10 links at top, also (in lowercase) at the bottom (separated spatially from "privacy" link)
Session cookie set immediately.
No others, on some minor clicking around - although their knowhow blogs are hosted on, and several scripts were run there - the blog's scripts,, &,,,, setting analytics cookies (site origin blank), analytics cookies from the blog domain (ie Google Analytics) and other domain cookies,, and cookies. (The firm's cookie policy only mentioned the Google Analytics cookies.)
Olswang 1 Lightbox Bottom, sticky Message:
"This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy. OK, hide this message [different coloured button]"

Based on an open source script by Ollie Phillips, hosted on the firm's own servers. This script seems to be a modification of the original script (which implies consent and removes notification far more readily, increasingly so with each version - currently at 1.4)

Session cookie for currentLanguage was set immediately. Also Google Analytics, Vimeo/Vimeocdn and scripts ran immediately (even before clicking "OK, hide this message"); although only the Analytics script seemed to set cookies.

On clicking "OK, hide this message", a cookie was set to record consent.

The cookie notice remained even when clicking links to other pages on the site, ie still prompting the user to choose Yes or No.
Pinsent Masons LLP 1 Lightbox Bottom, sticky Message:
"We use cookies to make this site as useful as possible. They are small text files we put in your browser to track usage of our site but they don’t tell us who you are.
Learn More About Them. What happens if I say ’no’?
Is this OK? Yes No [buttons]"

NB offered both "Yes" and "No" options, and, interestingly, also, info on "What happens if I say no?"

Session cookie was set immediately, and also on allowing the firm's own script to run. A script also ran via the firm's own script, but appeared to set no cookies.

Their compliance script seemed to require (as it displayed the cookie message only after allowing both the firm's own script and to run). Possibly because their compliance script may use the jQuery library (hosted notably on

On clicking Yes, a further "permanentConsent" cookie was set and a Google Analytics script was run.
On clicking No, a cookie was set to record that, but the 2 existing cookies were not deleted. However no further cookies seemed to be set, as expected.

Whether clicking Yes (or No), a session "consent" cookie was set (value true or false), and also a further message appeared:
"Would you like us to save your preference permanently? We will remember this preference using a cookie on your machine.
Yes No"
- this set a further preference cookie.

The cookie notice remained even when clicking links to other pages on the site, ie still prompting the user to choose Yes or No.

AddThis scripts were run on some pages, setting cookies, even without clicking Yes or No, and indeed even after clicking No.
Berwin Leighton Paisner LLP 2 Lightbox Center, sticky Message (with i symbol):Information symbol
"This site uses cookies to help us make it more useful for visitors. Our privacy policy explains what they are and how we use them. Please can we have your consent to use them?
Yes No [buttons]"

Another one of the few to offer a "No" option, and a centered message

Used script hosted on the firm's own servers. Own scripts and script were immediately run, no cookies seem to be set by the latter.

Session cookies were immediately set even before running the firm's own scripts. On allowing the site's own scripts to run, the cookie notice appeared and a "cookiesenabled" cookie was set (presumably detecting that my browser is set to allow cookies).

On clicking No, a session cookie was set to record lack of consent, and no further cookies seemed to be set on the main site - however, some sub-sites eg still ran Google Analytics scripts which automatically set cookies, without any cookie notice.
On clicking Yes, a session cookie to record consent was set, and  Google Analytics script ran, as well as other scripts.

The cookie notice remained even when clicking links to other pages on the site, ie still prompting the user to choose Yes or No.
Bristows 2 Link - specific, highlighted Bottom "*NEW* Cookie Policy" link ie bold capitals (and pink!) for "NEW".
Session cookie immediately set. ShareThis script ran automatically (which set ShareThis and cookies).
On allowing their own scripts to run, Google Analytics script ran.
(Side issue: this website could be tweaked to accommodate different browsers, as the text at the bottom - including the Cookie Policy link - was completely invisible in Firefox & Chrome though OK in IE and Opera)
CMS Cameron McKenna LLP 2 Link - specific Top "Cookie Policy" link amongst 6 links. Separate "Privacy Statement" link at the bottom.
Session cookies eg Language were automatically set.
Google Analytics and AddThis scripts were automatically run (each setting cookies). Twitter scripts were also run ( script triggering a script), and set a cookie. On allowing the firm's own scripts, no further cookies seemed to be set.
Hogan Lovells International LLP 2 Link Bottom "PRIVACY POLICY" link only.
Session cookies were automatically set. Google AnalyticsAddThis, and scripts (suggesting they use Amazon Web Services IaaS) were automatically run.
When allowing their own script to run (in conjunction with the script), further session cookies were set plus and cookies. On further allowing amazonaws,  a script was run, setting a further cookie. The AddThis script also set several cookies.
Kemp Little LLP 2 - - None, not even privacy policy. No cookies were set by the site even after allowing their scripts to run.
But a Google Analytics script ran once their own scripts were allowed, setting cookies.
Latham & Watkins LLP 2 Link Bottom "Privacy" link only, just on fold.
Session cookie immediately set.
No further cookies on allowing their scripts to run, or clicking around.
Linklaters LLP 2 Link - specific Top "Cookies" link amongst 8 links. ("Privacy policy" link at the bottom.)
Session cookies immediately set, including WEBTRENDS_ID.
Google Analytics script automatically ran once their own scripts were allowed.
Mayer Brown International LLP 2 - - "Legal Notices" link at the bottom below the fold, which led to a page that itself linkd to the Privacy Policy, ie no direct privacy policy link on the website's home page itself.
No cookies seemed to be set either immediately or after their own scripts ran - not even session cookies. However, on another visit, a cookie appeared, even before allowing their own scripts. Although some pages embedded Google Maps, no scripts tried to run.
Morrison & Foerster (UK) LLP 2 Link Bottom "Privacy Policy" link only.
Several session cookies were set immediately, also cookie.
Further session cookies on allowing their scripts (sometimes the cookie was set only after this).
Google Analytics scripts ran once their own scripts ran.
Pages for individual offices also involved a script - presumably due to embedded Google Maps; once run, it ran scripts, whereupon cookies were set.
SNR Denton 2 Link Bottom "Privacy Policy" link only.
Session cookie and cookie set immediately. ShareThis script automatically ran, setting ShareThis and cookies.
On allowing their own scripts plus, further session cookies were set including "ns_cookietest", and the Google Analytics script ran.
Taylor Wessing LLP 2 Lightbox Bottom Message (with i symbol):Information symbol
"Our website is set to allow the use of cookies. For more information and to change settings click here. If you are happy with cookies please click 'Proceed'.
>  Proceed! [button]"

Clicking a link to elsewhere on the site, the message remained, and indeed slid up afresh.

Used script hosted on the firm's own servers - the cookie notice only appeared once their scripts were allowed to run.

Session cookie was automatically set. Google Analytics script ran automatically to set cookies on loading the firm's own script, even before clicking "Proceed", and similarly for AddThis scripts on some pages. So it seems the Proceed button does nothing except get rid of the cookie notice? It may be that more clicking around of pages and sub-sites is needed to test the true effect of clicking (or not clicking) the Proceed button.

On some pages, scripts ran - presumably again for Google Maps. Again these ran scripts, which set cookies.
Addleshaw Goddard LLP 3 Link - specific Bottom Message with link:
"For info on our use of cookies please read our Cookies policy.  To manage our use of cookies please click here disable cookies [button]"

A hybrid method - used a link permanently at the botoom of each page rather than lightbox, but with more info accompanying the link, plus a toggle button to disable/enable cookies. (Once "disable cookies" was clicked, a session cookie was set to record this, and the button then displayed "enable cookies" instead). This method therefore implied consent, as with most other sites here, but at least tried to provide an easy immediate way to disable cookies from being used by the site. However, clicking "disable cookies", apart from setting a session cookie, did not seem to stop eg the Google Analytics script, while conversely clicking "enable cookies" did not cause any further scripts to run or cookies to be set. Again, as with Taylor Wessing, perhaps more investigation is needed to check the effect of this button.

Session cookies were set immediately and a Google Analytics script ran automatically. After allowing their own scripts a script ran (analytics service) although the latter did not seem to set any cookies.

There were social media buttons on some pages, but no scripts from those services appeared.
Allen & Overy LLP 3 Link Bottom "LEGAL NOTICES AND PRIVACY POLICY" link, just on the fold.
Automatically set session cookie. On allowing their scripts, no further cookies were set. Session cookies were set on clicking around, although one had the value "30DayCookie" despite (according to the cookie inspection tool used) expiring at the end of the session.
(Side issue - the website doesn't center properly in Internet Explorer 9.)
Clifford Chance 3 Link - specific, highlighted Top and bottom "NEW: COOKIES AND PRIVACY" link in the top right hand corner, with only 2 other links.
Also, "New: Cookies & Privacy" at the bottom, just on the fold
Set session cookie and analytics session cookie automatically. No further cookies seemed to be set on clicking around.
When their scripts were allowed to run, Google Analytics script ran.
Freshfields Bruckhaus Deringer LLP 3 Link Bottom "Privacy Policy" link only.
Automatically set session cookies including on clicking around, eg EkAnalytics.
Google Analytics script ran on clicking more links.
Milbank, Tweed, Hadley & McCloy LLP 3 - - Not even a privacy policy or legal notices link, not even for the London office's page. At the bottom there was just a "Disclaimer" link
Session cookie automatically set.
On allowing scripts from, script and, further session cookie and cookie were set, and Google Analytics and scripts were run (the latter running and scripts). Presumably the google scripts were for Google custom search, as a session cookie was set after performing a search using their search box.
Slaughter and May 3 Link - specific, highlighted Top "Cookies" link, top center, in a different colour from other links, amongst 5 links.
Session cookie automatically set.
Google Analytics script ran on allowing their own scripts.  No other cookies seemed to be set on clicking around.
Technology Law Alliance 3 Link - specific Bottom "Cookies Statement" link.
Session cookies (with names like exp_last_visit, exp_last_activity and exp_tracker) automatically set.
Google Analytics script ran on allowing their script.  No other cookies seemed to be set on clicking around.
Hunton & Williams - Link Bottom "Privacy policy" link only, below fold.
Session cookies automatically set, also Also, AddThis scripts ran automatically, setting cookies.
Google Analytics script ran on allowing their own scripts.  No other cookies seemed to be set on clicking around.
Sidley Austin - Link Bottom "Privacy policy" link only.
Session cookies automatically set.
On allowing their own scripts, cookie set. No other cookies seemed to be set on clicking around.
Speechly Bircham - Lightbox Center, not sticky Message:
"Welcome to Speechly Bircham
We would like to place performance cookies on your computer to improve our website service.
To find out more about how we use cookies, please see our cookies statement.
I consent to cookies from the site   Continue [button]"

Tooltip text that appears when hovering over "performance cookies" (the only example of tooltip use here):
Performance cookies collect information in an anonymous form about how visitors use our website.  They allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it.

Used script hosted on the firm's own servers, the cookie notice appeared only on allowing their scripts.

It was impossible to click through to other pages on the site without clicking "Continue", ie positive opt-in consent was sought, and use of the site was in practice conditional on acceptance of cookies - the only practical options were to click Continue, or to leave the site eg by closing the tab/window or entering another site's URL. (Use of the site was possible if Javascript was disabled in the visitor's browser, but as most cookies are set by Javascript, disabling Javascript would generally also prevent cookies from being set.)

Session cookie was set automatically.
Google Analytics script ran once "Continue" was clicked; also, on clicking around, scripts from ran (no cookies set), and scripts also ran.  (data protection training experts) - - No cookie or privacy policy.
Session cookie automatically set.
Google Analytics script ran once the site's own scripts were allowed. No other cookies seemed to be set on clicking around.
Amberhawk blog  - - Automatically set cookies from (which hosts the blog), (analytics service), (market research), (an ad/analytics service).
No further cookies seemed to be set on allowing their own scripts or quantserve scripts to run. scripts ran scripts from which ran other scripts from eg, (which set session cookies), Google Analytics, and further and scripts, resulting in more cookies from, and (which seems to be an analytics service).

"Rank" is the ranking of the firm according to Legal 500's list of top IT and telecoms firms in London. I investigated the sites of firms in the top 3 only (several firms are ranked 1, several ranked 2 etc). Firms are listed in the order shown on the Legal 500 webpage but the list is sortable as mentioned above. I've added info on a few other firms not in that league table of general IT law firms, who nevertheless run respected data protection law or data protection training practices (no offence intended to any I've left out! Please let me know of any major omissions, any particularly good implementations etc). With international firms not headquartered in the UK, I checked the page or sub-site for their London office.
"Method" is the method which seems to be used by that firm to try to comply with the cookies law, eg link or lightbox.
"Lightbox" is a box containing text etc overlaying the webpage, rather like a popup except that it's constructed differently, is more flexible to use, and isn't blocked by browsers' popup blockers. Also known as "modal window" or "modal dialog". "Sticky" means the lightbox remains in place even when scrolling the webpage up or down. Lightbox messages are included in full for criticism/review purposes, but should any firm object to my including their message, please let me know and I'll remove it.
"Link - specific" means a specific link to cookies info or a specific cookie policy; otherwise, "Link" is simply a link to a general privacy policy or similar (such policies normally include information about cookies). I use "highlighted" to mean that something has been done to make a specific cookie link stand out from other links in its vicinity, eg with a "New" indicator, using a different colour for that link, etc.
"Location" is the location on the webpage of the lightbox or link, ie top or bottom of the web page, or centered. Obviously top is more prominent than bottom, centre even more so.
In "Notes" I've tried to indicate the origin of Javascript code used for a lightbox, eg whether a script seems to be hosted on the firm's own servers (although the script's code may have been produced by the firm or a third party), or by a third party source or service. Where the script's code states that it has been produced by a third party, even if hosted on the firm's servers, I've indicated that instead of "own" (this applies only to the script used by Olswang, as far as I can see).
"-" means none or N/A.
The "fold" indicates how immediately viewable certain content on a webpage is. If content is "below the fold", it is not immediately visible to visitors, who will need to scroll down the page in order to see the content. For some sites that displayed their cookie or privacy notice link at the bottom of the webpage, accessibility considerations could be an issue. Even where a link is meant to be on the fold or just above the fold, it may not be seen by visitors with poor vision who set their browsers to a higher zoom level (like me), ie it may effectively be below the fold in the case of some visitors. This is of course not an issue for sites that place those links at the top of their webpages.
"Session cookie" is shorthand for a session cookie set by the visited domain; cookies set by other domains all seemed to be session cookies also, ie should be deleted on closing the browser.
Google Analytics scripts set analytics cookies, so any reference to these scripts running means that they set cookies too; I've not always explictly mentioned the cookie setting in these cases. Google Analytics cookies are typically set when a site runs Google Analytics scripts either directly via code in the webpage or, for more sophisticated sites, through running the site's own scripts, which then incorporate the Google Analytics script. Google Analytics cookies will technically appear as originating from the domain of the site itself rather than Google, so in that sense are first party rather than third party cookies.
Red text indicates domains associated with cookies that were set, except that Google Analytics is highlighted in yellow instead, to give a visual impression of its prevalence of Google Analytics cookies, and similarly AddThis cookies are highlighted in pink. AddThis is a service that provides a single script that allows sites to easily add buttons for sharing to several different social media services. ShareThis is similar.

Only one tab, for the site being checked, was open. After loading the site's home or UK page, I checked for any cookies set. I then temporarily allowed the domain's own scripts to run, and checked for new cookies; similarly for eg scripts which might be needed by the firm's own scripts. (Note that I blocked scripts deliberately in order to check whether scripts, on being individually allowed to run, set cookies. For most normal visitors using standard browsers, all scripts would run automatically on their visiting the site without the visitor doing anything further, unless the site has taken active steps eg to pause certain scripts from running until the visitor clicks a button.)

I clicked a link or two to elsewhere on the same site, and checked again. I revoked all temporary permissions for scripts, deleted all cookies, closed the tab, and opened a new tab to check the next site. Cookies were viewed using Cookies Manager Plus, Scripts were detected using NoScriptin Firefox. I listed the domain of origin for scripts, as typically (although not always) cookies are set by scripts, but didn't check all cookies set by running all the scripts (not all scripts set cookies). I didn't do a long-term complete test of all pages on all these sites, which might have thrown up more scripts - and even on some of the pages I checked, because of timing etc issues sometimes scripts may run on one visit which were not run on a previous visit, so please note this limitation.

(For anyone wishing to repeat this exercise, note that in Firefox and Chrome (not tested Opera) but not Internet Explorer, Google will keep setting a PREF cookie. It's not the site you're visiting who's setting that, it's Google, and it will keep happening even if your browser is not viewing any webpages, as long as it's open.)

And a few other sites

The website of the UK's ICO had a privacy notice and, as is well known, their site used a banner cookie notice at the top; the site was designed not to set any cookies without positive tickbox action. Their own scripts did not set cookies without consent, and although the site used scripts, no cookies seemed to be set. (The site search didn't seem to work in Firefox: XML Parsing Error: no element found - and sometimes on trying to allow cookies! This could be a temporary server issue). On allowing cookies, a cookie was set to record that, and a Google Analytics script was run.
The European Data Protection Supervisor's site had a Legal notice link top left (amongst 2 others, though not as obvious as in a tab) with info on cookies,and automatically set session cookies; on allowing their own scripts, no further cookies were set.
The Article 29 Working Group's sub-site set no cookies even when the site's scripts were allowed to run (and unsurprisingly displayed no cookie notices). (This group comprises EU data protection regulators.)
The CNIL (France's data protection authority) uses Piwik, a self-hosted open source analytics tool to set 6-month cookies. Separate privacy policy and cookies links are at the bottom. They automatically set session cookies including "acceptPiwik". When allowing their scripts further session cookies were set.
Ireland's Data Protection Commissioner has a Privacy Statement high in the sidebar and set a session cookie only.
The Law Society's site has a Privacy Statement at the bottom whose page (more than halfway down and well below the fold) links to a Cookies page. The site set session cookies and automatically ran scripts (which didn't seem to set any cookies). Their scripts when run ran Google Analytics scripts. The Solicitors Regulation Authority site has a Legal, copyright and privacy notice at the bottom; the site set session cookies and ran Google Analytics scripts when their own scripts were allowed.
(I didn't click around all those sites, it could be that cookies are set only when navigating round rather than on the first visit.)

Some sites I control (ish) or am associated with

In the interests of fairness (and for my own compliance purposes!), I also checked some sites that I control or am associated with: (hosted on Google App Engine) - initially I had no privacy policy, as no cookies were automatically set; on running scripts from the site, no cookies were set. On allowing (whose script I use to display posts from my blog), no cookies were set (at least initially, I'm still checking whether on other occasions it sets cookies from, and similarly on clicking around. I therefore decided to join the gang and introduce Google Analytics code and a privacy policy. As analytics cookies seem to be considered relatively non-intrusive, and following in the footsteps of most of the firms listed above, I included a  link to the site's cookies and privacy policy at the top of the blog, in a different colour from other tabs to make it prominent. (hosted on Google's Blogger/ service) - PRIVACY & COOKIES link in first tab and (highlighted with yellow background) at top of sidebar as well as at the bottom. session cookies were automatically set (blogger_TID). On allowing to run, no further cookies were set, but on allowing the site's own scripts to run, and scripts ran, even though I haven't activated display of ads on the blog. On clicking around, (blogger_TID) and (S) session cookies appeared and Google Analytics scripts ran, setting analytics cookies. No further cookies seemed to appear on using the built-in Blogger search box. These cookies were all automatically set through; I had no control over them.
Queen Mary's Cloud Legal Project site, where I'm part-time consultant (but I obviously don't dictate their policies) - had a lightbox appearing at the bottom initially, but now has a "Privacy and cookies" link at the bottom. Google Analytics and scripts ran automatically on allowing their own scripts, as did and scripts, although only the analytics script set cookies immediately. The search box used Google Custom Search and searches worked only on allowing and scripts, which set Google PREF cookies on running a  search.

Cookie law tools

Listed at my cookie law links page are a few free tools to audit sites for cookies, insert notice and consent mechanisms, and provide privacy policies / cookie policies.

I'll soon be posting a review of these tools, including a modification of the one that I personally think is the best free solution.


I've previously worked at CMS Cameron McKenna, Sidley Austin, Slaughter and May and SNR Denton, and currently work with people who are associated with Baker & McKenzie or Bristows. I've spoken or been invited to speak at seminars/workshops held by Amberhawk, DLA Piper, ICO, Linklaters and Sidley Austin, and have been on panels with lawyers from other firms such as Bird & Bird, Slaughter and May. Rather inevitably, I also know or have met lawyers from many of the firms listed. But obviously, I'm not letting any of that influence the neutrality of my approach to this research.