Since the GDPR came into effect in 2018, web cookies have taken centre stage in discussions of online privacy. But even before the GDPR was codified, the European Union laid out rules to regulate the use of cookies in the ePrivacy Directive (ePD). The ePD came to be better known as the ‘cookie law’ or EU cookie law, since its most visible impact was the emergence of cookie consent banners on websites. Before it arrived, most websites dropped cookies on a user’s browser, often without the user’s consent or knowledge.

What is the EU Cookie Law?

The cookie law requires websites to obtain consent from users before storing, using, or retrieving cookies from their devices, except for strictly necessary cookies. Article 5(3) of the Directive sets the rules for information stored in the terminal equipment of a subscriber or user, which is the provision that covers cookies. It says:

  • Websites are allowed to set cookies only after users are provided with clear and precise information about the purposes of the cookies placed on the user’s device.
  • Users should be given the opportunity to refuse cookies on their device.
  • Users should be offered the right to refuse before the cookies are dropped and also at any later time.
  • The method for giving information, requesting consent or offering the right to refuse should be made as user-friendly as possible.

The ePD specifies exemptions from cookie consent for cookies that fall under the following criteria:

  • Cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
  • Cookies that are strictly necessary in order to provide a service explicitly requested by the user.

Cookie consent banner to comply with the cookie law.

How does GDPR affect EU cookie law?

Recital 30 of the General Data Protection Regulation considers cookies as part of personal data. It requires websites and web publishers to obtain valid consent when collecting personal data from users. Therefore, the GDPR and the cookie law work in tandem in the European Union. For consent to be valid under the GDPR, it should be:

  • Freely given: The user should have a choice to give/deny consent and should not be forced to consent.
  • Informed: The user should be informed of what they are consenting to such as the use of cookies, and the purposes for which they are used on your site.
  • Specific: Consent should be asked for specific purposes separately. For instance, cookie consent cannot be bundled with terms and conditions.
  • Unambiguous and affirmative: Consent should be given using a positive action, such as clicking on the ‘Agree’ button and cannot be implied.

The new draft ePrivacy Regulation also requires consent before processing any kind of users’ data, including cookies. If you are a website owner or web publisher, here’s what you need to do to comply with the cookie law.

Checklist to comply with EU cookie law

  • Display a cookie banner on a user’s first visit to your website.
  • Inform users, in the cookie banner, of the cookies you use and their purposes.
  • Collect users’ active consent to cookies.
  • Provide users the option to take affirmative action, such as clicking an ‘accept’ or ‘reject’ cookies button.
  • Give users the option to opt-in to specific cookie categories.
  • Do not use pre-ticked or ‘on’ sliders for cookies other than strictly necessary cookies.
  • Block third-party cookies until the user gives explicit consent for their use.
  • Store cookie consents for proof of compliance in case you are subject to regulatory scrutiny.
  • Provide detailed information in your cookie policy: the name of the provider that sets each cookie (first-party or third-party), its description and its duration.
  • Give users a user-friendly and easily accessible option to revoke or withdraw consent.
  • Do not use cookie walls that prevent access to the website unless the user accepts cookies.
  • Do not set cookies if the user is scrolling or continuing to use a website without interacting with the cookie banner.
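Implementing this checklist in the banner’s own script, as an added example that is not CookieYes code: the category names, the consent log entry shape and the script inventory are assumptions made for illustration.

```javascript
// Added example, not CookieYes code: consent gating that follows the checklist above.
// Category names, the log entry shape and the script list are assumptions.
const OPTIONAL = ["analytics", "advertisement"]; // everything except strictly necessary
// Default state: strictly necessary on, nothing else pre-ticked (opt-in only).
function defaultConsent() {
  return { necessary: true, analytics: false, advertisement: false };
}
// Consent is recorded only on an affirmative banner action. Scrolling or
// browsing on is not consent, so such events return null and leave the log alone.
function recordConsent(log, action, choices = {}, now = Date.now()) {
  const consent = defaultConsent();
  if (action === "accept_all") OPTIONAL.forEach((c) => { consent[c] = true; });
  else if (action === "save") OPTIONAL.forEach((c) => { consent[c] = choices[c] === true; });
  else if (action !== "reject_all") return null; // e.g. "scroll", "navigate"
  const entry = { consent, action, timestamp: now };
  log.push(entry); // kept as proof of consent
  return entry;
}
// Withdrawal is itself logged, so the audit trail shows the change of mind.
function withdrawConsent(log, now = Date.now()) {
  return recordConsent(log, "reject_all", {}, now);
}
// Latest entry wins; with no entry, only necessary cookies may run and the
// banner must be shown (first visit).
function currentConsent(log) {
  return log.length ? log[log.length - 1].consent : defaultConsent();
}
function needsBanner(log) {
  return log.length === 0;
}
// Third-party tags stay blocked until their category has been consented to.
function allowedScripts(log, scripts) {
  const consent = currentConsent(log);
  return scripts.filter((s) => consent[s.category] === true).map((s) => s.src);
}
// Constructed script inventory, as a cookie scan might list it.
const SCRIPTS = [
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertisement" },
];
// Browser side: create <script> tags only for allowed URLs (no-op outside a browser).
function injectAllowed(log, scripts = SCRIPTS, doc = globalThis.document) {
  const urls = allowedScripts(log, scripts);
  if (doc) urls.forEach((src) => { const el = doc.createElement("script"); el.src = src; doc.head.appendChild(el); });
  return urls;
}
```

The third-party tags must not be present as ordinary `<script>` elements in the page source at all; they are only created by `injectAllowed` once the matching category is consented to.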


How do you comply with EU cookie law?

1. Sign up on CookieYes for free

Enter your email and your website address to sign up. No credit card details are required.

2. Add a cookie banner to your website

Select and customize the cookie banner. Copy the code and add it to your website’s source code.

3. Complete your website scanning

After adding the code to your website, verify your email address to scan your entire website for cookies. Your new cookie list will be auto-updated on your live cookie banner.

Your cookie consent mechanism is all set up and you are ready to obtain active consent from your users. Once up and running, you can access the following features that help foolproof your cookie compliance.

Consent Log: Your users’ consents are automatically recorded in the Consent Log to maintain proof of consent.

Revisit Consent Button: You can customize the consent revisit widget, which is enabled by default. It gives users the option to change their consent at any time after the banner is dismissed.

Cookie Manager: You can also manually edit cookie details – name, description and category or add new cookies to auto-block.

Cookie Policy: You can generate a cookie policy for your website. Your complete cookie list will be embedded within your policy by default.

Notable facts about EU Cookie Law

  • EU cookie law came into effect in 2002 and was amended in 2009.
  • It regulates the personal data in the electronic communications sector including email marketing, data minimization and the use of cookies on websites.
  • Like other EU directives, it is not binding law, but rather a guideline to EU member states to create their own laws.
  • The ePrivacy Regulation is set to replace the ePD in the near future. It will be binding on all member states. 
  • EU cookie law is enforced by the data protection authority (DPA) of each EU member state.
  • The European Data Protection Board (EDPB), made up of representatives of the DPAs, is responsible for the enforcement of the EU cookie law.
  • The GDPR complements the ePrivacy Directive and expands on some of its requirements, but the directive is still applicable on its own.

Cookie Law in the UK

The Privacy and Electronic Communications Regulations (PECR) are the UK version of the ePrivacy Directive. Like the Directive, PECR regulates electronic communications in the UK, such as electronic marketing (including telephone calls, SMS messages, emails and faxes) and the use of cookies and trackers on websites. It works alongside the UK GDPR.

As in the EU, cookie law in the UK also requires prior consent for setting cookies and follows the same consent guidelines as outlined in the GDPR.

Cookie laws around the world

As the GDPR became the blueprint for data privacy regulations worldwide, consent is now a key requirement of data privacy laws across the world.

While not all regulations mention cookies or have specific guidelines for them, the definition of personal data is broad, so identifiers like cookies, trackers and IP addresses fall within the scope of the law.

California Consumer Privacy Act (CCPA), US

California’s privacy law, the CCPA, does not explicitly require a cookie consent banner, but it does require notice before or during the collection of personal information. Since personal information may include cookies and other trackers, the CCPA requires a ‘Do not sell’ opt-out notice if websites drop third-party cookies on a user’s device.

General Personal Data Protection Law (LGPD), Brazil

Brazil’s privacy regulation LGPD defines personal data as any information related to a natural person and can therefore cover the use of cookies and trackers. As per the LGPD, consent must be a free, informed, and unambiguous indication, given for specific purposes. As this closely resembles cookie law in the EU, a cookie banner is required to comply.

Protection of Personal Information Act (POPIA), South Africa

South Africa’s regulation POPIA does not explicitly regulate the use of cookies, but the definition of ‘unique identifier’ in POPIA can include cookies and trackers. As per POPIA, websites are required to obtain opt-in consent whenever users are asked for their personal information, and consent should be a voluntary, specific and informed action. Therefore, a cookie consent banner is required under this act.

Personal Data Protection Law (PDPL), Saudi Arabia

Saudi Arabia’s privacy law PDPL requires consent to process personal data, with some exceptions. While the law does not specifically mention cookies, it defines personal data as any information that identifies a person specifically or could lead to their identification. As cookies can fall within this scope, cookie consent can be a requirement under the law.

What is ePrivacy Regulation?

The Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, is the proposed regulation for protecting electronic communication within the EU. It will repeal and replace the ePrivacy Directive and would be lex specialis to the General Data Protection Regulation (GDPR) in the EU. It regulates the confidentiality of electronic communication, the Internet of Things (IoT), metadata, cookie consent, and data collection for marketing purposes. The final draft of the ePrivacy Regulation was published in February 2021 and is expected to come into force in 2023.

FAQ on Cookie Law

What does the cookie law say?

The EU Cookie Law or ePrivacy Directive is a directive that requires websites to get consent before dropping cookies on a user’s device. Certain cookies are exempt from consent requirements, including:

  • Cookies that are used to carry out the transmission of communication over an electronic communications network.
  • Cookies that are strictly necessary to provide a service requested by the user.

As per the rules of the ePrivacy Directive and the GDPR, website owners should:

  • Inform users that the website uses cookies (e.g. via a cookie banner).
  • Provide detailed information concerning (i) the information the cookie collects and (ii) the purposes of the cookie and the provider that sets it.
  • Provide this information in plain and clear language.

Does EU cookie law apply to US websites?

The ePrivacy Directive does not have extra-territorial scope and applies to activities within the European Union. If a US-based website does not conduct any business with EU residents, it may not be required to comply with EU cookie law.

However, if a US website does business with EU residents and collects and processes their personal data to provide its services, the EU cookie law will apply in conjunction with the GDPR. Unlike the ePD, the GDPR can apply to any organization, whether established in the EU or not, if it offers goods and services to people in the EU or monitors their behaviour taking place in the EU.

Is there a cookie law in the US?

No. There are no federal-level privacy laws in the US. However, state-level privacy regulations like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) have provisions that regulate the use of cookies. For instance, the CCPA requires websites to display an opt-out notice so users can opt out of the sale of their personal information (i.e. data sharing with third parties).