EU Cookie Law: What You Need to Know

Last updated on July 29, 2021|Published on November 3, 2020

The cookie popups you keep running into on the internet are a result of privacy regulations such as the EU cookie law and the GDPR. Data such as a user’s name, age, gender, location, email address, IP address and telephone number can all be collected via cookies. Because that data can be used to identify a person, the use of cookies on a website is strictly regulated in the EU.

This post explains the main regulations that affect cookie usage and how to comply with them effectively.

ePrivacy Directive (ePD)

The ePrivacy Directive 2002/58/EC (aka the EU cookie law) came into effect in 2002 and was amended in 2009 by Directive 2009/136/EC. It is an EU directive on data protection and privacy in electronic communications, and it is the text that governs cookie usage.

Article 5(3) covers the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user. That wording is what brings cookies into scope.

  • Websites must obtain a user’s consent before storing information on, or accessing information already stored on, the user’s device, except for strictly necessary cookies.
  • The user must be given clear and comprehensive information about the purposes of the processing.
  • The exemptions from the consent requirement are:
    • Cookies used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
    • Cookies that are strictly necessary in order to provide an information society service explicitly requested by the user.

Recital 66 of the amending Directive 2009/136/EC sets out the ground rules for third parties who may wish to store or access information on a user’s device.

  • Users must be given clear and comprehensive information if third-party cookies are used.
  • The methods of providing information and of offering the right to refuse should be as user-friendly as possible.
  • The exception to the right to refuse cookies should be limited to situations where the technical storage or access is strictly necessary for a service explicitly requested by the user.

Note: The forthcoming ePrivacy Regulation is intended to replace the ePrivacy Directive, but the rules on the use of cookies are expected to remain broadly the same. Read more about the draft ePrivacy Regulation here.

Privacy and Electronic Communications Regulation (PECR)

The PECR is the UK’s implementation of the ePrivacy Directive. The official text does not use the term ‘cookie’ anywhere; instead it regulates the storing of, or gaining access to, information on a user’s terminal equipment, which is exactly what a cookie does. The PECR sets out the same consent requirements as Article 5(3) of the ePrivacy Directive.

The General Data Protection Regulation (GDPR)

The arrival of the GDPR in 2018 reinforced the ePrivacy Directive (the EU cookie law). Today the ePD and the GDPR work together as the laws that regulate cookie usage in the EU.

The GDPR primarily deals with the processing of personal data and the data privacy rights of EU residents. Although the GDPR mentions cookies only once, cookies can collect personal data, so their use is subject to it.

Recital 30 of the GDPR states that online identifiers such as cookies and IP addresses can be used directly, or combined with other identifiers, to create profiles of individuals and identify them. Hence they can be considered personal data.

Article 6 of the GDPR establishes consent as one of the six lawful bases for processing personal data. Because the ePD requires consent before non-essential cookies are set, consent is in practice the basis that applies to cookie-based processing. Article 4(11) defines consent as a freely given, specific, informed and unambiguous indication of the user’s wishes, given by a statement or by a clear affirmative action.

Article 7 adds additional conditions for consent.

  • You should be able to demonstrate that users have consented to the use of cookies on your website.
  • The consent mechanism should be made available in an intelligible and easily accessible form, using clear and plain language.
  • Users should be able to withdraw consent and it should be as easy to withdraw consent as it was to give consent.

Data Protection Act, UK

The UK Data Protection Act 2018 replaced the Data Protection Act 1998 and is the UK legislation that implements and supplements the GDPR (since the UK left the EU, the UK GDPR). When it comes to cookie usage, the DPA therefore mirrors the GDPR requirements. You can read about it in detail here.

Checklist to comply with EU cookie law

  • Inform users, via a cookie banner, of the cookies you use and their purposes.
  • Collect users’ active consent to cookies.
  • Give users a way to take affirmative action, such as clicking an accept or reject button.
  • Give users the option to opt in to specific cookie categories.
  • Cookie notices should not use pre-ticked boxes or ‘on’ sliders for cookies other than strictly necessary ones.
  • Block third-party cookies until the user gives explicit consent to their use.
  • Store consent records in case you are subject to regulatory scrutiny.
  • Provide detailed information in a cookie policy, such as who sets each cookie (first party or third party) and how long it lasts.
  • Give users the option to revoke or withdraw consent.
  • Cookie walls that block access to the website unless the user consents to cookies are not allowed.
  • Scrolling or continuing to use a website does not indicate consent.

Comply with EU cookie law

Adhering to the EU cookie law and the GDPR may not be as easy as it sounds. The quick and efficient way is to implement a consent management solution. CookieYes is one such cookie consent solution, used by over 1 million websites for compliance with the GDPR and data privacy laws around the world.

Display a cookie banner and provide information about cookie use

As a rule of thumb, you should provide information about the types of cookies you use, their purpose, how long their data will be retained, and with whom the data will be shared.

Along with this information, you should include a link to your legal documents, such as your privacy policy or cookie policy, where users can find details about your cookie usage in depth.

[Image: EU cookie law compliant cookie banner]
CookieYes lets you customize the consent text, layout, colours and behaviour of your cookie banner whenever required.

Let users give consent by a clear, affirmative action

You should give users real choice and control over how you use their personal data. Your cookie consent banner must obtain consent only through a clear, affirmative action, e.g. opt-in checkboxes or toggle buttons that let users turn cookie categories on or off selectively.

CookieYes helps you implement a cookie banner that collects freely given, informed and unambiguous consent from your site visitors. CookieYes also ships consent banners with all non-essential categories of cookies toggled off by default.

[Image: Granular consent to comply with the EU cookie law]
This banner layout lets users enable or disable non-essential cookie categories according to their preferences.

Allow refusal or withdrawal of consent anytime

Allow users to refuse your use of cookies. You must also give them the right to withdraw their consent at any time without asking for any justification. Adding a ‘Reject’ button lets users refuse consent to the use of cookies in one click.

Enabling users to change their cookie settings or preferences after they have given consent is another requirement. CookieYes allows you to include a customizable Preferences button on your consent banner.

[Image: EU cookie law compliant cookie banner with a Preferences button]
By clicking the ‘Preferences’ button, users can view the cookie categories separately and enable or disable each one.

When a user accepts or rejects your website’s use of cookies, the cookie banner is dismissed automatically. If they change their mind later, you must still allow them to alter their cookie preferences. With CookieYes, you can display a ‘revisit’ widget on your website so that users can change their preferences at any time.

Keep a record of user consents

Under Article 7(1) of the GDPR you must be able to demonstrate that a user has consented, which in practice means recording and storing the consents you obtain. This matters if you later need to prove to a regulatory authority that consent was obtained. A record of each user’s consent is also what lets you honour a later withdrawal.

With CookieYes, the cookie consent management process is automated. You can maintain a consent log in which all your users’ consents are retained securely.

[Image: Consent record to comply with the EU cookie law]
All user consents are recorded in anonymized form as proof of compliance.
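The following is an added example, not CookieYes code or anything from the original post, showing how the checklist above and the behaviour described in this section (nothing pre-ticked, per-category opt-in, a consent record with timestamp and policy version, one-step withdrawal, and third-party tags held back until consent) can be implemented in a small client-side consent manager. The category names, the storage key, the `data-cookie-category` markup and the policy version string are assumptions for the example; storage is injected so the logic can be exercised outside a browser.

```javascript
// Added example, not CookieYes code: a minimal consent manager that implements the
// checklist rules above. Storage is injected (anything with getItem/setItem, e.g.
// window.localStorage) so the same logic also runs under Node.
const STORAGE_KEY = "cookie_consent";   // assumed storage key
const POLICY_VERSION = "2021-07-29";    // assumed; bump whenever the cookie policy changes
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names

// Default state before any decision: only strictly necessary cookies are on.
function defaultChoices() {
  return { necessary: true, analytics: false, marketing: false };
}

// Opaque id for the consent log; deliberately not derived from IP or other user data.
function newRecordId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
}

class ConsentManager {
  constructor(storage, now = () => new Date(), idGen = newRecordId) {
    Object.assign(this, { storage, now, idGen });
  }

  // Read the stored record. Anything malformed, tampered with, or made under an
  // older policy version counts as "no decision", so the banner is shown again.
  load() {
    let rec;
    try { rec = JSON.parse(this.storage.getItem(STORAGE_KEY)); } catch { return null; }
    if (!rec || rec.version !== POLICY_VERSION || typeof rec.choices !== "object" || rec.choices === null) return null;
    for (const c of CATEGORIES) if (typeof rec.choices[c] !== "boolean") return null;
    return rec.choices.necessary === true ? rec : null;
  }

  // True only after an affirmative action under the current policy version.
  hasDecided() { return this.load() !== null; }

  // Scrolling or continued browsing never counts: with no record, only strictly
  // necessary cookies are allowed. Unknown categories are never allowed.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) return false;
    const rec = this.load();
    return (rec ? rec.choices : defaultChoices())[category];
  }

  // Persist an affirmative action: what was chosen, when, under which policy text, and how.
  record(action, choices) {
    const clean = defaultChoices();
    for (const c of CATEGORIES) {
      if (c !== "necessary" && (choices || {})[c] === true) clean[c] = true; // only an explicit true opts in
    }
    const rec = { id: this.idGen(), version: POLICY_VERSION,
                  timestamp: this.now().toISOString(), action, choices: clean };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  acceptAll() { return this.record("accept_all", Object.fromEntries(CATEGORIES.map((c) => [c, true]))); }
  rejectAll() { return this.record("reject_all", {}); }
  save(choices) { return this.record("custom", choices); }
  // Withdrawal is one call, needs no justification, and is logged like any other action.
  withdraw() { return this.record("withdraw", {}); }
}

// Third-party tags ship inert, e.g. (assumed markup)
//   <script type="text/plain" data-cookie-category="marketing" src="https://ads.example/tag.js"></script>
// This decides which may run now and which stay blocked; it has no DOM dependency.
function partitionScripts(manager, scripts) {
  const allowed = [], blocked = [];
  for (const s of scripts) (manager.isAllowed(s.category) ? allowed : blocked).push(s);
  return { allowed, blocked };
}

// Browser wiring for the assumed markup: replace each permitted inert tag with a live one.
function activateAllowedScripts(manager, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!manager.isAllowed(el.dataset.cookieCategory)) continue;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// In-memory stand-in for localStorage, used when running outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Stand-alone demo: a custom choice enables analytics only, so the marketing tag stays blocked.
const demo = new ConsentManager(new MemoryStorage());
const demoTags = [{ category: "analytics", src: "a.js" }, { category: "marketing", src: "m.js" }];
demo.save({ analytics: true });
console.log(partitionScripts(demo, demoTags));
```

Two caveats a practitioner should keep in mind. First, the value in browser storage is only the client’s own claim; the consent log that the page recommends keeping for regulators should be written server-side (post the record, with its policy version and timestamp, to your backend) rather than reconstructed from the browser. Second, withdrawal can only stop your page from loading third-party tags from that point on: your script cannot delete cookies that were already set on another domain, so those remain until they expire or the vendor removes them.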

CookieYes also helps you to:

  • Geo-target and auto-translate the cookie banner into 30+ languages.
  • Auto-block 93+ third-party cookies until the user gives consent.
  • Scan your website for cookies and auto-update the cookie list.
  • Honour the browser’s DNT setting.

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.