
We’ve all heard of the GDPR (General Data Protection Regulation), but did you know about the EU Cookie Law? It’s almost certainly impacted your internet browsing experience—in the EU, this law is responsible for the cookie consent banners that pop up when you visit websites.  

What Is the EU Cookie Law? 

The EU Cookie Law is the common name for the ePrivacy Directive, officially known as the Privacy and Electronic Communications Directive (PECD), which will soon be replaced by the ePrivacy Regulation.  

Does that sound confusing? Let’s start from the beginning. 

The EU has some of the most stringent consumer data protection laws, and it’s been this way since before the dawn of the digital era. Even during the times of traditional wired telecommunication, “listening, tapping, storage […] without the consent of the users concerned” (Article 5.1) was prohibited by the PECD. 

Service providers were also expected to “take appropriate technical and organisational measures to safeguard security of its services” (Article 4.1). 

In 2002, the PECD was updated to also cover digital communications and became known as the ePrivacy Directive (Directive 2002/58/EC). Like the GDPR, this regulation focused on data minimization, traffic data, spam, and—of course—cookies. 

When Did the PECD Become the EU Cookie Law? 

The Directive was updated in 2009 to include the reporting of personal data breaches. This amendment also introduced the requirement of user consent before businesses could store information on users' devices or access information already stored there.  

In short, if you want to install first- or third-party cookies on user devices, you need their permission before you can do so. This requirement is why the Directive began to be called the “cookie law.” 

However, despite its name, the EU cookie law is not a law yet; it’s a directive. So, just like the Data Protection Directive became the General Data Protection Regulation—known globally as the GDPR—the EU is moving to make the ePrivacy Directive into a regulation. It was supposed to come into force at the end of 2023 but has been delayed. 

Interestingly, while the GDPR does include cookie consent, the ePrivacy Directive is more specific about requirements. Lex specialis—or the specific law—overrides lex generalis—or a general law. Thus, when it comes into effect, the ePrivacy Regulation will override the GDPR in matters of cookie regulation.  

Who Needs to Comply with the EU Cookie Law? 

Where the PECD originally applied to traditional telecom operators only, the ePrivacy Regulation in its amended form will cover a wider range of electronic communications. Any business that collects and uses consumer data for online communication services, online tracking technologies, or online marketing would have to comply with it.  

Here’s a list of who must comply with the EU cookie law: 

  • Telecommunication companies; 
  • Anyone who owns and runs a website; 
  • Owners of apps that offer electronic communication as a feature; 
  • Messaging service providers (which include WhatsApp, Skype, and Facebook Messenger); 
  • Internet access providers; and, 
  • Natural or legal persons (individuals or businesses) sending direct marketing communications. 

In addition, the ePrivacy Regulation will also encompass machine-to-machine communication as in the case of Internet of Things (IoT) devices. As is the case with the GDPR, this regulation will apply to any business that collects the information of consumers within the EU, even if the business operates outside the area. 

So, if you’re a business in the US with a website that gets visitors from the EU, you need to comply with the EU cookie law. 

Requirements of the EU Cookie Law 

According to the ePrivacy Directive, websites are required to: 

  • Inform users about the purpose of the cookies—the data they are collecting and the purpose of collection—clearly and precisely before any cookies are installed on their device 
  • Allow the users to refuse cookies on their device 
  • Offer the means of refusing cookies before installation as well as at a later point 
  • Not install cookies without explicit permission, including not installing them if the user doesn’t interact with the cookie banner but continues browsing 

The cookie law does have some exemptions. You don’t need consent for: 

  • Strictly necessary cookies that are needed to provide the service requested by the user 
  • Cookies that are needed to carry out communication over the network 
  • Cookies that support security features 

The EU cookie policy is a combination of the GDPR and the ePrivacy Directive working together to protect consumer privacy. According to the GDPR, cookies are a method for processing personal data, which means they are subject to user consent. This consent has to be: 

  • Freely given: You can’t coerce or force the user to agree to have cookies installed. 
  • Informed: You must inform the user what you’re installing, what information you’re collecting, and how you intend to use it. 
  • Specific: You can’t bundle up consent, meaning every purpose should be listed separately, and the user should be able to allow or disallow each one individually. 
  • Unambiguous and affirmative: You cannot infer consent, so it must be delivered by clicking an “agree” button or a similar positive action. 

To get consent, you must have a visible cookie banner and a cookie policy that can be found and understood easily. Once you have consent, it must be retained for audit purposes. 

EU Cookie Law Compliance Checklist 

  • When visitors come to your website for the first time, they should be shown a cookie banner. 
  • They should be informed about the cookies you use and their purpose. 
  • They should be asked to provide explicit consent for the collection of their data by clicking an “Accept” button or deny permission by clicking a “Reject” button. 
  • Users should be asked to opt in for each specific cookie category, and nothing other than strictly necessary cookies should be switched on by default. 
  • All third-party cookies should be blocked until the user grants permission to install them. 
  • If you’re ever checked for compliance, you must have all cookie consent stored as proof. 
  • You need a detailed cookie policy that includes the names of cookie providers, their descriptions, and the duration of the cookies. 
  • The users should be provided with an easy and accessible way of withdrawing consent even if they did initially grant it. 
  • Don’t deny users access to the website if they choose not to give consent. 
  • Don’t assume consent and set cookies if the user continues to scroll through the website without interacting with the cookie banner. 
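The checklist above describes behaviour a site's consent layer has to implement: nothing but strictly necessary cookies set by default, non-essential and third-party cookies held back until an explicit choice, per-category opt-in, a stored record of that choice, and a withdrawal path that actually removes what was set. The following is an added example written for this page in plain JavaScript, not code from the original article or from any consent vendor. The class name ConsentManager, the category names, the register/decide/withdraw methods and the record layout are assumptions made for the illustration; the setter and remover callbacks stand in for whatever writes and deletes the real cookies (document.cookie or a tag loader) in a browser.

```javascript
// Added example (not from the article): a minimal consent-gated cookie
// loader following the checklist. ConsentManager, the category names and
// the record layout are assumptions made for this illustration.

const CATEGORIES = ["necessary", "analytics", "functional", "advertising"];

class ConsentManager {
  constructor(policyVersion, now = () => new Date()) {
    this.policyVersion = policyVersion; // version of the cookie policy shown
    this.now = now;                     // injectable clock, useful in tests
    // Default state: only strictly necessary cookies are switched on.
    this.choices = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
    this.record = null; // audit record of the user's last explicit action
    this.entries = [];  // registered cookies, including held-back ones
  }

  // Register a cookie under a category. `setter` sets it, `remover` deletes it
  // (in a browser these would write document.cookie or call a tag loader).
  // Necessary cookies fire at once; everything else waits for an explicit choice.
  register(category, name, setter, remover) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const entry = { category, name, setter, remover, fired: false };
    this.entries.push(entry);
    this.apply(entry);
    return entry;
  }

  // Record an explicit choice: "Accept" passes every category, "Reject" passes
  // none, a per-category dialog passes the ones the user ticked. Scrolling or
  // ignoring the banner never reaches this method, so nothing is inferred.
  decide(granted) {
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.choices[c] = granted.includes(c);
    }
    this.record = {
      policyVersion: this.policyVersion,
      timestamp: this.now().toISOString(),
      choices: { ...this.choices },
    };
    this.entries.forEach((e) => this.apply(e));
    return this.record;
  }

  // Withdrawal is a decision granting nothing; cookies already set under a
  // now-refused category are removed by their remover callback.
  withdraw() {
    return this.decide([]);
  }

  isAllowed(category) {
    return this.choices[category] === true;
  }

  // Bring one registered cookie in line with the current choices.
  apply(entry) {
    const allowed = this.isAllowed(entry.category);
    if (allowed && !entry.fired) {
      entry.setter();
      entry.fired = true;
    } else if (!allowed && entry.fired) {
      entry.remover();
      entry.fired = false;
    }
  }
}

// Walk through one visit: first load, a partial accept, then withdrawal.
// The events array records what would have been written to the browser.
function demo() {
  const events = [];
  const cm = new ConsentManager("policy-v3", () => new Date("2024-01-15T10:00:00Z"));
  cm.register("necessary", "session_id", () => events.push("set session_id"), () => events.push("del session_id"));
  cm.register("analytics", "_ga", () => events.push("set _ga"), () => events.push("del _ga"));
  cm.register("advertising", "ad_id", () => events.push("set ad_id"), () => events.push("del ad_id"));
  const beforeChoice = events.slice();       // user has only scrolled so far
  const record = cm.decide(["analytics"]);   // ticked analytics, left advertising off
  const afterAccept = events.slice();
  cm.withdraw();                             // later clicks "withdraw consent"
  return { beforeChoice, afterAccept, afterWithdraw: events.slice(), record, final: cm.record };
}

console.log(JSON.stringify(demo(), null, 2));
```

decide() is the only path that turns a non-essential category on, so scrolling past the banner or closing it without a click leaves the default state in place. The returned record, with its policy version and timestamp, is what you would persist server-side as the proof of consent the checklist asks for.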

Not sure how you can use cookies and not violate privacy laws? We can help you understand what you need to be cookie compliant.  


What Else Does the EU Cookie Law Cover? 

Despite its popular name, the ePrivacy Directive covers more than just cookies. Directive 2002/58/EC is responsible for the “protection of individuals with regard to the processing of personal data and on the free movement of such data.” 

Here are some of the important aspects of data privacy in communications that it talks about. 

Confidentiality of Communications 

According to the directive, confidentiality of communications is a human right. As such, the directive is strictly against any unlawful surveillance or interception of people’s communications within the member states.  

It does allow exceptions for “public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.” 

However, there are some strict conditions that must be met for legal interception in these situations. 

Traffic Data Processing 

Under Section 2(b) of the Directive, traffic data is defined as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof.”  

To be clear, this is the metadata created during the transmission, not the contents of the transmission. This can include: 

  • Routing information 
  • Timing and duration of the communication 
  • The amount of data transmitted during the communication 
  • Details of the protocol used for the transmission 
  • Physical locations of the sender and recipient 
  • Network identifiers 

According to the Directive, traffic data can only be processed: 

  • To ensure that the communication happens correctly 
  • For billing the user or handling the financial transactions between network providers 

Once these purposes are fulfilled, this data must be either erased or anonymized, unless the users give permission for it to be retained for other purposes, like value-added services or marketing. 

Location Data Other Than Traffic Data 

Tracking the location of users without their consent is a violation of their privacy. As such, if you’re collecting location data from consumers separately from traffic data (or information generated in the process of a transmission), it must be with the user’s consent. Additionally, it must be anonymized to protect their identity. 

This data may only be used for value-added services, such as providing traffic updates or navigation. It should only be accessed by people authorized to view it, whether that’s employees in your organization or third-party value-added service providers. As with consent for any personal data, consumers should be provided with the means to temporarily refuse the processing of their data simply and at no additional cost. They should also be allowed to revoke consent.  

Security Obligations 

If you provide electronic communications services—whether as an internet provider or mobile phone service provider—you must “take appropriate technical and organisational measures to safeguard security of [...] services, if necessary in conjunction with the provider of the public communications network with respect to network security.” 

The Directive also defines “adequate” security, stating it must be proportional to the risk faced by the network or service. It should also be state of the art, meaning it should be modern and effective. Finally, it should be cost-effective and reasonably priced. 

In case of a “particular risk of a breach of the security of the network,” you as the provider are also obligated to inform users of the nature of the risk, possible solutions they can implement if you can’t mitigate it completely, and any potential cost implications to them. 

Unsolicited Communications 

In order to prevent spam and unwanted marketing messages, businesses are required to get prior consent from consumers before they can send them automated messages, with exceptions for existing customer relationships.  

These include situations where a consumer provides their contact information when buying a product. That information can be used to send them promotional material for similar products or services. The caveat, of course, is the consumer should be informed of how their personal information will be used and they should have an easy way of opting out at the point of collection. 

Additionally, any marketing message sent should not hide or disguise the sender’s identity and should include a valid address where the recipient can send a request to stop receiving further communications. 

The Directive currently gives member states the freedom to decide whether the consent should be opt-in or opt-out. The former means they must agree explicitly to receiving marketing communications while the latter permits you to send such communications so long as the consumer hasn’t said no.  

However, this might change once the Directive becomes a regulation, and it’s likely that all member states would then follow an opt-in model to align with the GDPR. 

Risks and Penalties for Non-Compliance with the EU Cookie Law 

At the moment, since the ePrivacy Directive is not enforceable, companies cannot be penalized for not complying with the EU cookie law. However, these directives can be transposed into the member countries' laws, which then makes them enforceable. 

For example, in 2022, the data protection authority in France, the Commission Nationale de l'Informatique et des Libertés (CNIL), fined Google and Amazon a combined €210 million for cookie violations under the ePrivacy Directive. 

These companies didn’t provide an easy way for French users to decline tracking via cookies. 

Even when the ePrivacy Regulation comes into force, it is most likely to carry penalties similar to the GDPR. At the time of writing, the fines for GDPR non-compliance are to be “effective, proportionate and dissuasive for each individual case.”  

A business can face higher penalties for “intentional infringement, a failure to take measures to mitigate the damage which occurred, or lack of collaboration with authorities,” among other things. This means the penalty system is a tiered one, depending on the severity of the violation. 

Less serious violations can lead to a fine of €10 million or 2% of the global turnover, whichever is greater. This was how the fines for Google and Amazon were calculated. 

The fines for especially severe violations by a business, on the other hand, are €20 million or 4% of its total global turnover of the preceding fiscal year, whichever is greater.  

Cookie Laws in Other Parts of the World 

As more countries become concerned about their citizens’ data and its privacy, they are creating their own data privacy laws. Even though not all of them specifically mention cookies, the mere fact that these trackers can be considered to process personal data brings them under the scope of the law.  

The UK Cookie Law 

When the UK separated from the EU, it created its own UK GDPR and version of the ePrivacy Directive, the Privacy and Electronic Communications Regulations (PECR). Like the EU cookie law, this governs user data privacy across all forms of electronic communication. 

Also, like the EU cookie policy, this regulation requires businesses to get consent from consumers before they can collect or track their data. 

US Cookie Laws 

Although the US doesn’t have a federal cookie law, it does have state laws—like the California Consumer Privacy Act (CCPA)—that regulate cookies and their use.  

The CCPA doesn’t specifically ask for a cookie banner. However, it does require notice before or during the collection of data. It also requires websites to have a “Do Not Sell or Share” opt-out link for users who don’t want their personal information being sold to third parties. 

Brazil’s General Personal Data Protection Law (LGPD) 

Since Brazil’s LGPD defines personal data as anything related to a “natural person,” it does cover cookies and other such trackers. This law also requires consent to be free, informed, and affirmative, and given for a specific purpose.  

Like the GDPR, it applies to any business that processes the personal data of individuals located in Brazil, even if it’s based elsewhere. It also requires a cookie banner for a website to be compliant. 

South Africa’s Protection of Personal Information Act (POPIA) 

While it doesn’t specifically mention them, South Africa’s POPIA does define “personal identifiers,” and this definition can be interpreted to cover cookies. Again, this law requires consumers to opt in for data collection, and consent must be informed, specific and not forced, which means it requires a cookie banner for compliance. 

Learn about other cookie laws around the world in our ultimate guide. 


Types of Internet Cookies and What They’re Used For 

We’ve talked a lot about the EU cookie law and other laws that cover them, but what exactly are cookies? 

Cookies are small files responsible for certain functionalities of a website. They help the user enjoy certain features, personalize their experience, and yes, track their behavior. 

How do cookies help create a better user experience?  

They can keep you logged in while you navigate through the various pages. They can be used to “remember” any items you place in the shopping cart while you continue browsing. They can also customize the appearance of the site based on your preferences. 

However, they can also be used to monitor your activities and preferences to generate targeted ads or track your journey from website to website. This information is unique to you and is considered personal. 

Let’s look at the different types of cookies you might encounter on a website or use on your own. 

Cookies Classified by Their Source 

Cookies can be set by the website the consumer is visiting or the website’s partners. If the source of the cookies is the website, they’re called first-party cookies. On the other hand, if they were installed by someone other than the website, they’re called third-party cookies.  

If you’re wondering why a third party would set cookies on a website: common features such as live chat, social media buttons, or an embedded Google Maps widget are often provided by another company rather than the site owner, and those providers set their own cookies.  

Third parties may also set cookies to show users targeted ads. Such third-party cookies are also called tracking cookies because they monitor a user’s activity across the internet. 

Cookies Classified by Their Expiration Period 

Session cookies: A session is the duration of browsing that starts when you open a website or web app and ends when you navigate away from it. Such cookies help users get a better experience when browsing but expire when the user ends the session.  

Have you ever shopped on a site that saves your shopping cart as long as you’re browsing but deletes the contents as soon as you leave? That was enabled by session cookies. 

Persistent cookies: These are also called permanent cookies because they stay on the user’s device for a long time. However, they do have an expiration date, which can be a few minutes to a few years. At the end of the designated time, they get deleted from the browser. 

You might have seen these cookies in action on websites where you’ve asked to stay logged in for a certain period of time. 
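Whether a cookie is a session cookie or a persistent one is decided by the Set-Cookie header the server sends: no expiry attribute means a session cookie, while Max-Age or Expires makes it persistent for the stated time. Because the cookie policy has to list each cookie's duration, a site owner needs a way to read those attributes off the headers the site actually sets. The following is an added example written for this page, not code from the original article; the function names parseSetCookie, lifetime and auditCookies are assumptions, and the headers in SAMPLE_HEADERS are constructed samples rather than captured traffic.

```javascript
// Added example (not from the article): classify the cookies a server sets as
// session, persistent or expired by reading the Set-Cookie header, as an aid
// for writing the cookie policy. Function names are assumptions; the headers
// in SAMPLE_HEADERS are constructed for the example.

// Split "name=value; Attr; Attr=val" into a cookie object with lower-cased
// attribute names (attribute names are case-insensitive per RFC 6265).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("="); // first "=" only: the value itself may contain "="
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Decide the cookie's lifetime. Max-Age takes precedence over Expires; with
// neither attribute the browser keeps the cookie only for the session.
// A non-positive Max-Age (or an Expires in the past) tells the browser to
// delete the cookie, which is how a site clears cookies after consent is withdrawn.
function lifetime(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attributes;
  let seconds = null;
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge)) {
    seconds = Number(maxAge);
  } else if (expires !== undefined) {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) seconds = Math.round((t - now.getTime()) / 1000);
  }
  if (seconds === null) return { kind: "session", seconds: null };
  return { kind: seconds > 0 ? "persistent" : "expired", seconds };
}

// Constructed sample headers: a session cookie, a one-hour cart cookie, a
// "remember me" cookie with an absolute expiry, and a deletion.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "cart=item42; Max-Age=3600; Path=/",
  "remember_me=tok; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Secure",
  "_ad=xyz; Max-Age=0; Path=/",
];

// Produce the rows a cookie-policy table needs, plus the two attributes a
// security reviewer checks first. `now` is fixed so the Expires maths is stable.
function auditCookies(headers, now = new Date("2024-12-31T00:00:00Z")) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const l = lifetime(c, now);
    return {
      name: c.name,
      kind: l.kind,
      seconds: l.seconds,
      httpOnly: c.attributes.httponly === true,
      secure: c.attributes.secure === true,
    };
  });
}

console.table(auditCookies(SAMPLE_HEADERS));
```

Run against the headers your own site emits (for example, collected from a crawl of the site's responses) the table gives you the names and durations the cookie policy must list, and the HttpOnly and Secure columns show at a glance whether a login or session cookie is exposed to scripts or sent over plain HTTP.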

Cookies Classified by Their Purpose 

Strictly necessary cookies: These are also called essential cookies because they are essential for the proper functioning of the website. These cookies are exempt from cookie consent regulations because a business would not be able to deliver their service to the consumer if these cookies weren’t allowed. 

Performance/analytics cookies: If a website wants to deliver a better experience to users based on their browsing habits, it uses performance cookies to gather anonymous data. These cookies track consumers to see how they use the website, what types of pages they visit, and where they experience friction. This information can then be used to improve the website so the viewers can have a smoother and more enjoyable browsing experience. 

Functional/personalization cookies: Like essential cookies, functional cookies are used to deliver certain features and functionalities.  

These cookies might remember the login information of the user on their browser, so they are always logged in. They might also be used to remember their language preferences or region.  

However, these aren’t essential functions that might prevent the website from delivering its service if they weren’t present. 

Advertising cookies: You can guess the purpose of these cookies from their name. These targeting or tracking cookies record a user’s browsing behavior and interests to build a profile of that user. The profile can then be used to show them targeted ads when they visit other websites. These are usually persistent third-party cookies installed by advertising networks.  

Managing Cookie Consent to Comply with the EU Cookie Law 

Are you struggling to identify what you need to be compliant with the ePrivacy Directive and other cookie consent laws around the world? We’ve created a cookie consent FAQ document that answers any questions you may have about staying on the right side of the law while using cookies.
