Our Ultimate Guide to EU Cookie Laws
The EU cookie law is the nickname for the ePrivacy Directive. This directive is an EU legal act that all EU countries must implement in their own way to protect users’ personal data online: each country has to pass its own laws to accommodate and comply with it. In this article, we will discuss what this directive covers and how your organisation can ensure compliance with it.
The EU cookie law (also known as the ePrivacy Directive) is an overarching piece of privacy legislation implemented to ensure data privacy in the European Union. The purpose of the directive is to protect the personal information of users online from online tracking, personal profiling, unsolicited marketing tactics, and collection of personal data by third parties without the users’ consent.
In this article, we will cover some common questions asked around the use and implementation of the ePrivacy regulation online.
The EU cookie legislation began as a directive of the European Union intended to protect online privacy. Every EU country has adopted its own variation of the policy. The Directive was passed in 2002 and amended in 2009.
If an organisation provides services to, or collects personal data of, any user in the EU, it must comply with the EU cookie law and the GDPR. The EU cookie law sets out what websites, companies, and service providers are allowed to do with the personal information of their website visitors.
The EU cookie law focuses on the use of cookies on websites. Almost every website places small data files, known as cookies, that store information in the user’s browser and track the user’s actions while navigating the site. These cookies enable the site to remember information about the visit, such as each page visited and what was clicked on.
The idea is to personalise the website for the user. However, cookies that collect data across multiple websites build up a profile of the data subject that can be used for advertising purposes, and the problem arises where consent for this has not been given.
The EU cookie law is designed to help companies better understand their use of cookies, their responsibility to their visitors, and the rights of data subjects to their online privacy.
The ePrivacy regulation sets out:
- what websites, companies, and service providers can do with your data
- how they must handle your data
- how and for what purpose they might share it
The EU Cookie law (ePrivacy Directive) is a directive that is to be implemented by EU member states in their own way. This directive deals with how an organisation should protect the personal information of users online. It mainly details the use of cookies and their requirements, data retention, and the targeting of marketing and advertisements at the user.
On the other hand, the General Data Protection Regulation (GDPR) is a regulation that is directly binding in all European states. It has a much larger scope than the EU Privacy Law.
The GDPR relates to the collection, use, storage, and destruction of personal data regardless of its type (i.e. not only digital user information). It also covers the need for user consent, which applies to cookies.
The EU Cookie Law and GDPR sit alongside each other. The EU cookie law sets specific guidance in relation to privacy and electronic communications around the use of cookies, whereas the GDPR gives guidance on the general collection of personal data.
The EU cookie law takes into account the GDPR’s standards for consent. So when considering our own website compliance, it is important that we comply with both the EU cookie law and the GDPR!
The US does not have a federal cookie law; however, US organisations will have to comply with the EU cookie law if they are targeting individuals within the EU. The only state in the US to have any cookie law is California. The law is called the California Consumer Privacy Act (CCPA). If your website targets individuals within the US, you must also comply with the California Consumer Privacy Act (CCPA).
A cookie policy tells the visitor which cookies are active on your website, what data is being tracked, what you are using this information for, and how it is being stored. As a website owner, you are legally obligated under the GDPR to have a cookie policy that shows how your website uses cookies and gives the user the option to accept or reject cookies.
In addition, you need a cookie banner that allows the user to select and accept certain cookies. To comply with the GDPR you must have prior and explicit consent from the user, which is freely given and granular (the user must be able to activate some cookies and reject others).
The pop-up banner on the website must not have any pre-ticked boxes. Rather, it should enable the user to accept certain cookies and decline others by affirmative action.
How do I make sure my website complies?
The EU cookie law and the GDPR aim to give the user more transparency around the collection and processing of their personal data, and to give them the rights of access, insight, rectification, and erasure of their own personal data. The EU cookie legislation requires 4 actions from website owners who use cookies:
- When someone visits your website, you need to let them know that your site uses cookies. This can be done with a cookie banner that pops up when the user visits the site.
- You need to provide detailed information about how the data collected from the cookies will be used. This can be done by creating a cookie notice for your website.
- You must provide the user with the ability to accept or refuse the use of cookies on your site. This option must be made clear in the cookie banner, along with the option to read your cookie notice before choosing to accept or refuse cookies.
- If the user refuses cookies, you must not place those cookies on the user’s device.
There are different types of cookies, and not all require consent! Strictly necessary cookies, for example, are needed for the running of the website and do not require user consent. But where cookies are not essential for the general running of the site, you need consent from the user before you can place them on the user’s device, because these cookies track the user. Here are some examples of types of cookies that require cookie consent:
- Session Cookies – These are temporary cookies and are only stored on the user’s device for the duration of their visit. They are used for actions like keeping your items in a shopping cart while you navigate around the site.
- Persistent Cookies – These cookies linger in the browser for much longer than a session. They are usually preference, advertisement, analytics, or social media cookies, and they store user logins, language settings, targeted adverts, and personal profiling. These cookies can come from third parties rather than from the website operator.
Under the law, all website users have the right to decide their cookie preferences. This gives the user more control over their data privacy and over how the personal information collected from them will be used.
See our recent post – what is a Cookie Consent Manager?
Under cookie law, you are not required to manage consent for third-party cookies used on a site. You are required to inform users of your use of third-party cookies, their purpose, and link to reference the third-party privacy/cookies policy.
The law states that no cookies or trackers can be used on a user before you obtain consent, so your website must hold back the cookies until consent is given. If consent is not given, the cookies that are not essential for the general running of the website cannot be placed on the user’s device.
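As an added illustration of the gating behaviour described above and of the cookie categories listed earlier (example code written for this article, not part of the original post or of any consent product), the small consent gate below holds back every non-essential cookie until the visitor has made an explicit, granular choice; the category names and the `ConsentGate` class are assumptions for illustration, and the in-memory cookie jar stands in for the browser.

```javascript
// Added example: a consent gate that defers non-essential cookies until an
// affirmative, granular decision is recorded. Names are illustrative assumptions.
const CATEGORIES = ['necessary', 'preferences', 'analytics', 'advertising'];

class ConsentGate {
  constructor(cookieJar) {
    this.jar = cookieJar;   // anything exposing set(name, value)
    this.consent = null;    // null = no decision yet; nothing is pre-ticked
    this.pending = [];      // non-essential cookies held until the visitor decides
  }
  // Banner defaults: only the strictly necessary category is on.
  static defaultChoices() {
    return Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
  }
  // Record the visitor's choice. Only an explicit `true` counts as consent;
  // 'necessary' is always on. Deferred cookies are then replayed through the gate.
  record(choices) {
    const decision = ConsentGate.defaultChoices();
    for (const c of CATEGORIES) if (c !== 'necessary') decision[c] = choices[c] === true;
    this.consent = decision;
    const retry = this.pending;
    this.pending = [];
    for (const ck of retry) this.setCookie(ck.name, ck.value, ck.category);
    return decision;
  }
  // Returns 'set' (written), 'deferred' (held until a decision) or 'refused'.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    if (category === 'necessary') { this.jar.set(name, value); return 'set'; }
    if (this.consent === null) { this.pending.push({ name, value, category }); return 'deferred'; }
    if (this.consent[category]) { this.jar.set(name, value); return 'set'; }
    return 'refused';
  }
}

// Constructed walk-through with an in-memory jar (no browser needed).
function demo() {
  const jar = { cookies: {}, set(n, v) { this.cookies[n] = v; } };
  const gate = new ConsentGate(jar);
  const before = [
    gate.setCookie('session_id', 'abc', 'necessary'),   // 'set'
    gate.setCookie('_ga', '1.2', 'analytics'),          // 'deferred'
    gate.setCookie('ad_id', 'xyz', 'advertising'),      // 'deferred'
  ];
  gate.record({ analytics: true });  // visitor ticks analytics only
  return { before, cookies: Object.keys(jar.cookies).sort() };
}
```

After the decision, only the necessary cookie and the consented analytics cookie exist in the jar; the advertising cookie was refused and never written.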
How to report a site for non-compliance
Under cookie law, all individuals visiting a site should have the opportunity to refuse, accept and manage their cookie preferences before cookies are placed on their device.
If a user is not offered this choice when they visit a site, that site may not be complying with cookie law and the privacy of the user could be at risk. In this case, you can complain either to the site owners or to the legal authorities, who require organisations to comply or face fines.
Each country has its own legal body that is responsible for giving advice and guidance to organisations on data protection matters and concerns. In the UK this is the Information Commissioner’s Office (ICO); on its website you can register a cookie complaint about any site and find out more about the rights of data subjects with regard to cookies.
Since Brexit, the UK complies with 2 very similar data privacy laws that apply as of November 2020: the UK GDPR, the UK’s version of the General Data Protection Regulation (GDPR), and the Data Protection Act 2018 (as amended). Any business operating within the UK, or any business outside the UK targeting UK users’ personal data, will be affected by these changes.
In addition, the current ePrivacy directive is being updated and amended into an ePrivacy Regulation in 2021. The current directive is an EU legal act that every EU country must adopt in their own ways and pass laws in their own legislative bodies to comply with EU law. The benefit of making this into regulation is that it will be an EU law that applies automatically to all EU countries without the need for interpretation and implementation.
The ePrivacy Regulation aims to resolve open issues in, and to update, clarify and modernise, the ePrivacy Directive as a directly binding EU law. A draft text was agreed on February 10th 2021, and negotiations are taking place between the EU Parliament, Council and Commission for its implementation.
After reading this article you may be wondering “what platform can I use to ensure I am complying with current cookies laws?” Our platform, CookieScan will help you ensure your website cookie disclosure is in full compliance with ePrivacy and GDPR.
Our platform will complete a cookie scan of your website, our database will automatically categorise your cookies, and it will build your own compliant Cookie Notice and cookie banner for your website.
This platform will regularly update your cookies descriptions if they change and the use of our portal will help you easily manage your account.
If you want to see what Cookie Scan is like for yourself, try out our 30-day trial!