Europe’s data protection legislation, the General Data Protection Regulation (GDPR) and the ePrivacy Directive, took the digital world by storm. With their strict rules for collecting and handling the personal data of EU users, they became the blueprint for many other data privacy laws. In any discussion of digital privacy, the HTTP cookie has a prominent place. It may share its name with a delectable snack, but its use is not always as sweet, and it is largely thanks to the EU cookie law that most internet users are now aware of cookies and what they are for.
A website may use cookies to store or link to personal data such as a user’s name, age, gender, location, email address, IP address or telephone number. Because a cookie identifier can, on its own or combined with other data, single out an individual, the use of cookies on websites is strictly regulated in the EU.
This blog will look at the ePrivacy Directive and the GDPR that affect cookie usage in the EU and how to effectively comply with them.
Checklist to comply with EU cookie law
Here is a quick checklist to see if your website complies with EU cookie law:
- Inform users, via a cookie banner, of the cookies you use and their purposes.
- Collect users’ active consent to cookies.
- Let users express their choice through an affirmative action, such as clicking an accept or reject cookies button.
- Give users the option to opt-in to specific cookie categories.
- Do not use pre-ticked or ‘on’ sliders for cookies other than strictly necessary cookies.
- Block third-party cookies until the user gives explicit consent for their use.
- Store cookie consents for proof of compliance in case you are subject to regulatory scrutiny.
- Provide detailed information in a privacy or cookie policy, such as who sets each cookie (first party or third party) and how long it lasts.
- Give users a user-friendly and easily accessible option to revoke or withdraw consent.
- Do not use cookie walls that block access to the website unless the user consents to cookies.
- Do not treat scrolling or continued use of the website as consent.
How do you comply with EU cookie law?
Adhering to EU cookie law and the GDPR may not be quite as easy as it sounds. The quick and efficient way is to implement a consent management solution. CookieYes is one such cookie consent solution used by over 1 million websites for compliance with GDPR and data privacy laws around the world.
Display a cookie banner and provide information about cookie use
As a good rule of thumb, you should provide information about the types of cookies you use, their purpose, how long their data will be retained, and with whom the data will be shared.
Along with this information, you could also include a link to your legal documents such as your privacy policy or cookie policy where the users can find details about your cookie usage in depth.
CookieYes lets you customize the consent, layout, colors, and behavior of your cookie banner whenever required.
Let users give consent by a clear, affirmative action
You should give users real choice and control over how you use their personal data. Your cookie consent banner must obtain consent only through a clear, affirmative action, for example opt-in checkboxes or toggles that let users turn each cookie category on or off selectively.
CookieYes helps you implement a cookie banner that lets you receive freely given, informed, and unambiguous consent from your site visitors. CookieYes also sets consent banners with all the non-essential categories of cookies toggled off by default.
This banner layout helps users seamlessly enable or disable non-essential cookies, according to their preferences.
Allow refusal or withdrawal of consent anytime
Allow users to refuse (opt out of) your use of non-essential cookies. You must also let them withdraw their consent at any time without giving a reason. Adding a ‘Reject’ button lets users refuse consent to cookies in one click.
Enabling users to change their cookie settings or preferences after they give consent, is another requirement. CookieYes allows you to include a customizable Preferences button on your consent banner.
By clicking the ‘Preferences’ button, users can view each cookie category separately and enable or disable it individually.
When a user accepts or rejects your website’s use of cookies, the banner is dismissed automatically. If they change their mind later, you must still let them alter their cookie preferences. With CookieYes, you can display a ‘revisit’ widget on your website so that users can change their preferences at any time.
Keep a record of user consents
Under the GDPR, you must be able to demonstrate that you obtained consent, which in practice means recording and storing the consents your users give. This matters if you later need to prove to a regulator that consent was obtained, and a consent record is also what lets you honour a user’s later withdrawal.
With CookieYes, the cookie consent management process will be completely automated. You can easily maintain a consent log, where all your users’ consent will be retained securely.
Record all user consents in anonymized form for proof of compliance.
CookieYes also helps you to:
- Geo-target and auto-translate cookie banners in 30+ languages.
- Auto-block third-party cookies till the user gives consent.
- Scan your website for cookies and auto-update cookie lists.
- Support browser’s DNT settings.
- Provide free pre-filled templates for creating privacy and cookie policies.
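As an added example (not code from the original post or from CookieYes), here is a minimal consent manager in JavaScript that encodes the rules from the steps above: non-essential categories off by default, third-party scripts held back until their category is consented to, each consent recorded with a timestamp and no user identity, and withdrawal through the same one-click path as refusal. The category names, the storage key, the script URLs and the `demo` scenario are assumptions; the storage and script-loader hooks are injected so the example runs offline without a DOM.

```javascript
// Added example, not CookieYes code. Category names and storage key are assumed.
const CATEGORIES = ["necessary", "functional", "analytics", "advertisement"];
const STORAGE_KEY = "cookie_consent";

class ConsentManager {
  // storage: { get(key), set(key, value), remove(key) }, e.g. a localStorage wrapper
  // loadScript: function(src) that injects a third-party <script> tag
  // now: clock, injectable so the consent log is testable
  constructor({ storage, loadScript, now = () => Date.now() }) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.now = now;
    this.pending = []; // gated third-party scripts waiting for consent
    this.log = [];     // consent records: timestamp, action, choices (no identity)
  }

  // Strictly necessary cookies are always on; everything else is off until the
  // user opts in. This is what "no pre-ticked boxes" means in code.
  defaultConsent() {
    const consent = {};
    for (const cat of CATEGORIES) consent[cat] = cat === "necessary";
    return consent;
  }

  // Current choices; no stored record means no consent has been given yet.
  current() {
    const raw = this.storage.get(STORAGE_KEY);
    return raw ? JSON.parse(raw) : this.defaultConsent();
  }

  hasDecided() {
    return this.storage.get(STORAGE_KEY) !== null;
  }

  // Queue a third-party script behind its category; it loads only once allowed.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.pending.push({ category, src });
    this.flush();
  }

  // Load every pending script whose category is now consented to; keep the rest blocked.
  flush() {
    const consent = this.current();
    const blocked = [];
    for (const s of this.pending) {
      if (consent[s.category]) this.loadScript(s.src);
      else blocked.push(s);
    }
    this.pending = blocked;
  }

  // Record an affirmative action. `choices` maps categories to booleans; unknown
  // keys are ignored and "necessary" cannot be switched off.
  save(choices, action) {
    const consent = this.defaultConsent();
    for (const [cat, allowed] of Object.entries(choices)) {
      if (cat !== "necessary" && CATEGORIES.includes(cat)) consent[cat] = Boolean(allowed);
    }
    this.storage.set(STORAGE_KEY, JSON.stringify(consent));
    this.log.push({ ts: this.now(), action, consent: { ...consent } });
    this.flush();
    return consent;
  }

  acceptAll() {
    const all = {};
    for (const cat of CATEGORIES) all[cat] = true;
    return this.save(all, "accept_all");
  }

  rejectAll() { return this.save({}, "reject_all"); }

  // Withdrawal is as easy as rejecting. Scripts already loaded cannot be unloaded,
  // so the caller must also delete the cookies those scripts have set.
  withdraw() { return this.save({}, "withdraw"); }
}

// Constructed scenario: in-memory storage and a recording script loader, so the
// example runs without a browser. Returns the observable results.
function demo() {
  const mem = new Map();
  const storage = {
    get: (k) => (mem.has(k) ? mem.get(k) : null),
    set: (k, v) => mem.set(k, v),
    remove: (k) => mem.delete(k),
  };
  const loaded = [];
  let clock = 1700000000000; // fixed clock for a reproducible log
  const cm = new ConsentManager({ storage, loadScript: (src) => loaded.push(src), now: () => clock++ });

  cm.register("analytics", "https://analytics.example/tag.js"); // assumed URL
  cm.register("advertisement", "https://ads.example/pixel.js"); // assumed URL
  const beforeConsent = loaded.length;       // nothing may load before a choice

  cm.save({ analytics: true }, "preferences"); // user opts in to analytics only
  const afterPrefs = [...loaded];

  cm.withdraw();                               // user changes their mind later
  return { beforeConsent, afterPrefs, final: cm.current(), log: cm.log, decided: cm.hasDecided() };
}
```

In a real deployment the `storage` hook would wrap `localStorage` or a first-party consent cookie, and `loadScript` would append a `<script>` element; the point of the injection is that nothing in the third-party code path runs until `flush()` sees an allowed category.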
What is ePrivacy law?
The Privacy and Electronic Communications Directive 2002/58/EC, also known as the ePrivacy Directive (ePD), is an EU directive on data protection and privacy in electronic communications. It regulates the confidentiality of communications and traffic data, unsolicited marketing (spam), and cookies. Its 2009 amendment (Directive 2009/136/EC) made consent a requirement for storing or accessing information on a user’s device, which earned it the name ‘EU Cookie Law’.
The Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, is the proposed regulation for protecting the confidentiality of electronic communications within the EU. It would replace the Directive and be lex specialis to the General Data Protection Regulation (GDPR). After a series of delays, the Council agreed its draft text in February 2021. It covers the confidentiality of electronic communications, the Internet of Things (IoT), metadata, cookie consent, and data collection for marketing purposes.
The ePrivacy Regulation is still subject to negotiation and, at the time of writing, was expected to come into force in 2022.
What is EU cookie law?
As mentioned, EU cookie law is another name for the ePrivacy Directive, owing to its specific clause for cookies.
Article 5(3) of the Directive deals with storing information on, or accessing information already stored in, the terminal equipment of a subscriber or user, which is the provision that covers cookies.
- Websites should obtain a user’s consent before storing or retrieving information from a user’s device, except for strictly necessary cookies.
- The user must be provided with clear and comprehensive information about the purpose of processing the data.
- The exemptions to consent requirements are:
- Cookies used for the sole purpose of carrying out or facilitating the transmission of a communication or
- Cookies that are strictly necessary to provide a service explicitly requested by the user.
Recital 66 of the 2009 amending Directive (2009/136/EC) sets out how third parties that wish to store or access information on a user’s device should behave:
- Users should be provided with clear and comprehensive information if third-party cookies are used.
- The methods of providing information and offering the right to refuse should be as user-friendly as possible.
- The exception to the right to refuse cookies should be limited to those situations where the technical storage or access is strictly necessary for service explicitly requested by the user.
Note that the draft ePrivacy Regulation keeps rules for cookies that are almost the same as the Directive’s.
What is General Data Protection Regulation (GDPR)?
The GDPR is another piece of EU data protection legislation, enacted to protect the personal data of people in the EU. Applicable since May 2018, it strengthened the EU cookie law: the ePD takes its definition of consent from EU data protection law, which now means the GDPR. Today the ePD and the GDPR work together as the laws that regulate cookie usage in the EU.
The GDPR primarily deals with the personal data processing and data privacy rights of EU residents. While GDPR does not explicitly mention cookies (except once), since they can collect personal data, their use is subject to the GDPR.
Recital 30 of the GDPR states that online identifiers such as cookie IDs and IP addresses, on their own or combined with other identifiers, can be used to create profiles of individuals and identify them. Hence they can be personal data.
Article 6 of the GDPR lists consent as one of the six lawful bases for processing personal data. Where consent is the basis relied on, as it is for non-essential cookies under the ePD, the data may be processed only after consent has been obtained. Article 4(11) defines consent as freely given, specific, informed, and unambiguous, expressed by a clear affirmative action.
Article 7 adds additional conditions for consent.
- You should be able to demonstrate that users have consented to the use of cookies on your website.
- The consent mechanism should be made available in an intelligible and easily accessible form, using clear and plain language.
- Users should be able to withdraw consent and it should be as easy to withdraw consent as it was to give consent.
GDPR cookie consent is extremely crucial if you want to comply with the law.
There are a few significant differences between the ePrivacy law and the GDPR; their rules for cookies, however, remain more or less the same.
The main difference between the ePrivacy Directive and the GDPR is their territorial scope. The ePrivacy Directive applies to electronic communications services provided in the EU and, through Article 5(3), to anyone storing or accessing information on the devices of users in the EU. The GDPR is much broader: it applies to organizations, whether or not established in the EU, that offer goods or services to people in the EU or monitor their behaviour within the EU. A US-based website that does no business with EU residents may therefore not be required to comply with EU cookie law.
If a US website does business with EU residents and collects and processes their personal data to provide its services, the EU cookie law certainly applies. The proposed ePrivacy Regulation’s territorial scope is expected to mirror the GDPR’s, so we may see changes in that regard when the ePrivacy Regulation comes into effect.