The ePD came to be better known as the ‘cookie law’ or EU cookie law since its most notable impact was seen in the emergence of the cookie consent banners on websites. Prior to its arrival, most websites dropped cookies on a user’s browser, often without their consent or knowledge.
What is the Cookie Law?
The EU cookie law, or simply cookie law, is the commonly used term for the ePrivacy Directive (ePD). It is a piece of legislation that requires websites to obtain consent from users before storing, using, or retrieving cookies from their devices, except for strictly necessary cookies. Article 5(3) of the Directive sets the rules for information stored in the terminal equipment of a subscriber or user, which is the provision that covers cookies. It says:
- Websites are allowed to set cookies after users are provided with clear and precise information about the purposes of cookies that are placed on the user’s device.
- Users should be offered the right to refuse before dropping the cookies and also at any later time.
- The method for giving information, requesting consent or offering the right to refuse should be made as user-friendly as possible.
The ePD specifies exemptions from cookie consent for cookies that fall under the following criteria:
- Cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network,
- Cookies that are strictly necessary in order to provide a service explicitly requested by the user.
Things to know: EU Cookie Law
- The EU cookie law came into effect in 2002 and was amended in 2009.
- Like other EU directives, it is not binding law, but rather a guideline to EU member states to create their own laws.
- The ePrivacy Regulation is set to replace the ePD in the near future. It will be binding on all member states.
- EU cookie law is enforced by the data protection authority (DPA) of each EU member state.
- The European Data Protection Board (EDPB) is responsible for the enforcement of the EU cookie law.
- The GDPR complements the ePrivacy Directive and expands on some of its requirements, but the directive is still applicable on its own.
How does GDPR affect EU cookie law?
Recital 30 of the General Data Protection Regulation considers cookies as part of personal data. It requires websites and web publishers to obtain valid consent when collecting personal data from users. Therefore, the GDPR and Cookie Law work in tandem in the European Union. For consent to be valid under the GDPR, it should be:
- Freely given: The user should have a choice to give/deny consent and should not be forced to consent.
- Specific: Consent should be asked for specific purposes separately. For instance, cookie consent cannot be bundled with terms and conditions.
- Unambiguous and affirmative: Consent should be given using a positive action, such as clicking on the ‘Agree’ button and cannot be implied.
The new draft ePrivacy Regulation also places consent requirements before processing any kind of data from users, including cookies. If you are a website owner or web publisher, here’s what you need to do to comply with the cookie law.
Checklist to comply with EU cookie law
- Display a cookie banner on a user’s first visit to your website.
- Inform users of the cookies you use, and their purposes.
- Collect users’ active consent to cookies.
- Provide users with the option to take affirmative action such as clicking on ‘accept’ or ‘reject’ cookies button.
- Give users the option to opt-in to specific cookie categories.
- Do not use pre-ticked or ‘on’ sliders for cookies other than strictly necessary cookies.
- Block third-party cookies until the user gives explicit consent for their use.
- Store cookie consents for proof of compliance in case you are subject to regulatory scrutiny.
- Give users a user-friendly and easily accessible option to revoke or withdraw consent.
- Do not use cookie walls that prevent access to the website unless the user accepts cookies.
- Do not set cookies if the user is scrolling or continuing to use a website without interacting with the cookie banner.
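The checklist items about blocking, pre-ticked defaults, proof of consent and withdrawal translate into a small amount of client-side logic. The following is an added illustration written for this article, not code from CookieYes or any other vendor; the category names (necessary, analytics, marketing), the action names and the shape of the consent record are assumptions made for the example. It keeps every non-essential category off until an explicit banner action, holds third-party tags back until consent covers their category, appends one log entry per user decision, and treats withdrawal as a new decision rather than a special case. Scrolling or continuing to browse never calls into it, so nothing is set implicitly.

```javascript
// Added example (not vendor code): a minimal consent gate for the checklist above.
// Category names, action names and the record layout are assumptions for illustration.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Default state: only strictly necessary cookies are allowed. Every other
// category starts as "not consented", which is the no-pre-ticked-toggle rule.
function createConsentState() {
  return {
    decided: false,
    choices: { necessary: true, analytics: false, marketing: false },
    log: [],          // proof-of-consent entries, one per explicit user action
    deferredTags: [], // third-party tags held back until consent covers them
  };
}

// Record an explicit action on the banner. "action" is the control the user
// clicked: "accept_all", "reject_all" or "save_preferences" (with "selected"
// holding the per-category toggles). Scrolling/continuing never calls this.
function recordConsent(state, action, selected = {}, now = new Date()) {
  const choices = { necessary: true, analytics: false, marketing: false };
  if (action === "accept_all") {
    for (const c of CATEGORIES) choices[c] = true;
  } else if (action === "save_preferences") {
    for (const c of CATEGORIES) {
      if (c !== "necessary") choices[c] = Boolean(selected[c]);
    }
  } else if (action !== "reject_all") {
    throw new Error(`unknown consent action: ${action}`);
  }
  state.decided = true;
  state.choices = choices;
  // Timestamped record of what was asked and what was chosen.
  state.log.push({ at: now.toISOString(), action, choices: { ...choices } });
  releaseDeferredTags(state);
  return state;
}

// Withdrawal is always available and is simply a fresh "reject everything"
// decision; it stops further non-essential cookies from being set.
function withdrawConsent(state, now = new Date()) {
  return recordConsent(state, "reject_all", {}, now);
}

// The gate: may a cookie in this category be set right now?
function mayUseCookie(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return category === "necessary" || (state.decided && state.choices[category] === true);
}

// Third-party tag loading: run immediately only if consent already covers the
// category; otherwise queue it so the page never drops the cookie early.
function loadTag(state, category, run) {
  if (mayUseCookie(state, category)) {
    run();
    return "run";
  }
  state.deferredTags.push({ category, run });
  return "deferred";
}

// After any decision, release the queued tags whose category is now allowed.
function releaseDeferredTags(state) {
  const remaining = [];
  for (const tag of state.deferredTags) {
    if (mayUseCookie(state, tag.category)) tag.run();
    else remaining.push(tag);
  }
  state.deferredTags = remaining;
}
```

In a browser the banner's buttons would call recordConsent, the "revisit consent" control would reopen the banner and call withdrawConsent or recordConsent again, and every third-party script tag would be wrapped in loadTag instead of being placed directly in the page. Withdrawal prevents new cookies from being set; cookies that a tag already placed still have to be deleted separately, which is why the log records the exact choices in force at each moment.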
How do you comply with EU cookie law?
1. Sign up on CookieYes for free
Enter your email and your website address to sign up. No credit card details are required.
2. Add a cookie banner to your website
Select and customize the cookie banner. Copy the code and add it to your website’s source code.
3. Complete your website scanning
After adding the code to your website, verify your email address to scan your entire website for cookies. Your new cookie list will be auto-updated on your live cookie banner.
Your cookie consent mechanism is all set up and you are ready to obtain active consent from your users. Once up and running, you can access the following features that help foolproof your cookie compliance.
Consent Log: Your user consents will also be automatically recorded in the Consent Log to maintain proof of consent.
Revisit Consent Button: You can customize the consent revisit widget that is enabled by default. It gives users the option to change consent at any time, after the banner is dismissed.
Cookie Manager: You can also manually edit cookie details – name, description and category or add new cookies to auto-block.
Cookie Law in the UK
Similar to the provision in the EU, cookie law in the UK also requires prior consent for setting cookies and follows the same guidelines as outlined in the GDPR.
Cookie laws in the US
California Consumer Privacy Act (CCPA)
California’s privacy law, the CCPA, does not explicitly require a cookie consent banner, but it does require notice before or during the collection of personal information. Since personal information may include cookies and other trackers, the CCPA requires a ‘Do not sell’ opt-out notice if a website drops third-party cookies on a user’s device.
Cookie laws around the world
As the GDPR became the blueprint for data privacy regulations across the world, consent is a key requirement in most of them.
While not all regulations mention cookies or have specific guidelines for cookies, the definition of personal data is broad, so identifiers like cookies, trackers and IP addresses etc. fall within the scope of the law.
General Personal Data Protection Law (LGPD), Brazil
Protection of Personal Information Act (POPIA), South Africa
Personal Data Protection Law (PDPL), Saudi Arabia
Saudi Arabia’s privacy law PDPL requires that consent is necessary to process personal data, with some exceptions. While the law does not specifically mention cookies it defines personal data as any information that identifies a person specifically or could lead to their identification. As cookies can be covered within this scope, cookie consent can be a requirement under the law.
What is ePrivacy Regulation?
The Regulation on Privacy and Electronic Communications or ePrivacy Regulation is the proposed regulation for protecting electronic communication within the EU. It will repeal and replace the ePrivacy Directive and would be lex specialis to the General Data Protection Regulation (GDPR) in the EU. It regulates the confidentiality of electronic communication, Internet of Things (IoT), metadata, cookie consent, and data collection for marketing purposes. The final draft of the ePrivacy Regulation was published in February 2021 and is expected to come into force in 2023.
FAQ on Cookie Law
What does the cookie law say?
The EU Cookie Law or ePrivacy Directive is a directive that requires websites to get consent before dropping cookies on a user’s device. Certain cookies are exempt from consent requirements, including:
- Cookies that are used to carry out the transmission of communication over an electronic communications network.
- Cookies that are strictly necessary to provide a service requested by the user.
As per the rules of the ePrivacy Directive and the GDPR, website owners should:
- Provide detailed information concerning (i) the information the cookie collects and (ii) the purposes and the provider that sets the cookie.
- Provide information in plain and clear language.
Does EU cookie law apply to US websites?
The ePrivacy Directive does not have extra-territorial scope and applies to activities within the European Union. If a US-based website does not conduct any business with EU residents, it may not be required to comply with EU cookie law.
However, if a US website does business with EU residents and collects and processes their personal data to provide its services, the EU cookie law will apply in conjunction with the GDPR. Unlike the ePD, the GDPR can apply to any organization, established in the EU or not, if it offers goods and services to people in the EU or monitors their behaviour taking place in the EU.
Is there a cookie law in the US?