Our Ultimate Guide to EU Cookie Laws
The EU cookie law is the nickname for the ePrivacy Directive. This directive is an EU legal act that all EU countries must implement in their own ways to protect users’ personal data online. Each country has to pass laws to accommodate and comply with the ePrivacy Directive. In this article, we will discuss what this directive covers and how your organisation can ensure compliance with it.
The EU cookie law (also known as the ePrivacy Directive) is an overarching piece of privacy legislation implemented to ensure data privacy in the European Union. The purpose of the directive is to protect the personal information of online users from online tracking, personal profiling, unsolicited marketing tactics, and the collection of personal data by third parties without the users’ consent.
In this article, we will cover some common questions asked about the use and implementation of the ePrivacy Directive online.
The EU cookie legislation began as a directive of the European Union intended to protect online privacy. Each EU country has adopted its own variation of the policy. The Directive was passed in 2002 and amended in 2009.
If an organisation provides services to, or collects personal data from, any user in the EU, it must comply with the EU cookie law and GDPR. The EU cookie law sets out what websites, companies, and service providers are allowed to do with the personal information of their website visitors.
The ePrivacy Directive sets out:
- what websites, companies, and service providers can do with your data
- how they must handle your data
- how and for what purpose they might share it
On the other hand, the General Data Protection Regulation (GDPR) is a regulation that is binding in all European states. It has a much larger scope than the EU cookie law.
The GDPR relates to the collection, use, storage, and destruction of personal data regardless of its type (i.e. not only digital user information). It also covers the need for user consent, which applies to cookies.
The EU cookie law takes into account GDPR’s standards for consent. So when considering our own website compliance, it is important that we comply with both the EU cookie law and GDPR.
The US does not have a federal cookie law; however, US organisations will have to comply with the EU cookie law if they are targeting individuals within the EU. The only US state to have any cookie law is California. The law is called the California Consumer Privacy Act (CCPA). If your website targets individuals within the US, you must also comply with the CCPA.
You also need to have a cookie banner that allows the user to select and accept certain cookies. To comply with GDPR you must have prior and explicit consent from the user, which is freely given and granular (the user must be able to activate some cookies and reject others).
The pop-up banner on the website must not have any pre-ticked boxes. Rather, it should enable the user to accept certain cookies and decline others by affirmative action.
How do I make sure my website complies?
- You need to provide detailed information about how the data collected from the cookies will be used. This can be done by creating a Cookie Notice for your website.
- If the user refuses cookies, you must not place those cookies on the user’s device.
There are different types of cookies, and not all of them require consent. Strictly necessary cookies, for example, are needed for the running of the website and do not require user consent. But where cookies are not essential for the general running of the site, you need consent from the user before you place them on the user’s device, because these cookies track the user. Here are some examples of types of cookies that require cookie consent:
- Session Cookies – These are temporary cookies that are only stored on the user’s device for the duration of their visit. They are used for actions like keeping items in a shopping cart while you navigate around the site.
- Persistent Cookies – These cookies linger in the browser for much longer than a session. They are usually preference, advertising, analytics, or social media cookies, and they store user logins, language settings, targeted adverts, and personal profiles. These cookies can come from third parties rather than from the website operator.
Under the law, all website users have the right to decide their cookie preferences. This gives the user more control over their data privacy and over how the personal information collected from them will be used.
See our recent post – what is a Cookie Consent Manager?
Under cookie law, you are not required to manage consent for third-party cookies used on a site. You are required to inform users of your use of third-party cookies and their purpose, and to link to the third party’s privacy/cookie policy.
The law states that no cookies or trackers may be used on a user before you obtain consent, so your website must hold back the cookies until consent is given. If consent is not given, the cookies that are not essential for the general running of the website cannot be put onto the user’s device.
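The banner defaults described above (no pre-ticked boxes, strictly necessary cookies always on) and the rule that non-essential cookies are held back until the visitor opts in can be expressed as a small consent gate. The following is an added example written for this article, not code from the original post or from CookieScan; the category names, the `MemoryCookieJar` stand-in for `document.cookie`, and the cookie names in the demo are all constructed assumptions so that the example runs outside a browser.

```javascript
// Added example (not from the original article or CookieScan): a minimal consent gate.
// Non-essential cookies are queued until the visitor makes an affirmative, per-category
// choice; strictly necessary cookies are never blocked. Category names are assumptions.

const CATEGORIES = ["necessary", "preferences", "analytics", "advertising"];

// Banner defaults: nothing pre-ticked. Only the strictly necessary category is on.
function defaultConsent() {
  return { necessary: true, preferences: false, analytics: false, advertising: false };
}

// What the banner renders: one checkbox per category; "necessary" is shown as
// disabled because the visitor cannot opt out of it.
function bannerModel(consent) {
  return CATEGORIES.map((cat) => ({
    category: cat,
    checked: consent[cat],
    disabled: cat === "necessary",
  }));
}

// Stand-in for document.cookie so the example runs outside a browser (assumption).
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.consent = defaultConsent();
    this.pending = []; // non-essential cookies held back until a decision is made
  }

  // Record the visitor's affirmative choice. Absent or non-boolean entries count as
  // "not consented"; "necessary" stays true and cannot be switched off.
  grant(choices) {
    for (const cat of CATEGORIES) {
      if (cat === "necessary") continue;
      this.consent[cat] = choices[cat] === true;
    }
    this.flushPending();
    return { ...this.consent };
  }

  rejectAll() { return this.grant({}); }

  // Gate every cookie write through the current consent state.
  // Returns true if the cookie was written, false if it was held back.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (this.consent[category]) {
      this.jar.set(name, value);
      return true;
    }
    this.pending.push({ name, value, category });
    return false;
  }

  // Write any held-back cookies whose category has since been consented to;
  // the rest stay queued so a later change of preference can release them.
  flushPending() {
    const stillPending = [];
    for (const c of this.pending) {
      if (this.consent[c.category]) this.jar.set(c.name, c.value);
      else stillPending.push(c);
    }
    this.pending = stillPending;
  }
}

// Sample run with constructed cookie names: the visitor ticks analytics only.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar);
  cm.setCookie("session_id", "c0ffee", "necessary");  // written immediately
  cm.setCookie("site_analytics", "v1", "analytics");   // held back
  cm.setCookie("ad_profile", "p9", "advertising");     // held back
  cm.grant({ analytics: true });
  return { cookies: jar.names(), consent: { ...cm.consent }, pending: cm.pending.length };
}

console.log(JSON.stringify(demo()));
```

In a real site the `MemoryCookieJar` would be replaced by a wrapper around `document.cookie`, and third-party tags (analytics, advertising) would be loaded through the same gate rather than as plain `<script>` elements, so that nothing reaches the device before `grant` has been called with the visitor's choice.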
How to report a site for non-compliance
Under cookie law, all individuals visiting a site should have the opportunity to refuse, accept, and manage their cookie preferences before cookies are put onto their device.
If a user is not offered this choice when they visit a site, that site may not be complying with cookie law and the privacy of the user could be at risk. In this case, you can complain either to the site owners or to the legal authorities, which require organisations to comply or face fines.
Each country has its own legal body that is responsible for giving advice and guidance to organisations on data protection matters and concerns. In the UK this is the Information Commissioner’s Office (ICO). On its website you can register a cookie complaint about any site and find out more about the rights of data subjects with regard to cookies.
Since Brexit, the UK complies with two very similar data privacy laws that apply as of November 2020: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (amended). Any business operating within the UK, or any business outside the UK targeting UK users’ personal data, will be affected by these changes.
In addition, the current ePrivacy directive is being updated and amended into an ePrivacy Regulation in 2021. The current directive is an EU legal act that every EU country must adopt in their own ways and pass laws in their own legislative bodies to comply with EU law. The benefit of making this into regulation is that it will be an EU law that applies automatically to all EU countries without the need for interpretation and implementation.
The ePrivacy Regulation aims to amend, update, clarify, and modernise the ePrivacy Directive into a binding EU law. A draft text was agreed on February 10th 2021, and negotiations are taking place between the European Parliament, the Council, and the Commission for implementation.
After reading this article you may be wondering “what platform can I use to ensure I am complying with current cookies laws?” Our platform, CookieScan will help you ensure your website cookie disclosure is in full compliance with ePrivacy and GDPR.
Our platform will complete a cookie scan of your website, our database will automatically categorise your cookies, and it will build a compliant Cookie Notice and cookie banner for your website.
The platform will regularly update your cookie descriptions if they change, and our portal will help you easily manage your account.
If you want to see what Cookie Scan is like for yourself, try out our 30-day trial!