Updated: February 7, 2025
Published: February 5, 2024
We’ve all heard of the GDPR (General Data Protection Regulation), but did you know about the EU Cookie Law? It’s almost certainly impacted your internet browsing experience—in the EU, this law is responsible for the cookie consent banners that pop up when you visit websites.
The EU Cookie Law is the common name for the ePrivacy Directive, officially known as the Privacy and Electronic Communications Directive (PECD), which will soon be replaced by the ePrivacy Regulation.
Does that sound confusing? Let’s start from the beginning.
The EU has some of the most stringent consumer data protection laws, and it’s been this way since before the dawn of the digital era. Even during the times of traditional wired telecommunication, “listening, tapping, storage […] without the consent of the users concerned” (Article 5.1) was prohibited by the PECD.
Service providers were also expected to “take appropriate technical and organisational measures to safeguard security of its services” (Article 4.1).
In 2002, the PECD was updated to also cover digital communications and became known as the ePrivacy Directive (Directive 2002/58/EC). Like the GDPR, this regulation focused on data minimization, traffic data, spam, and—of course—cookies.
The Directive was updated in 2009 to include the reporting of personal data breaches. This amendment also included the requirement of user consent before businesses could store information on their devices or access this information.
In short, if you want to install first- or third-party cookies on user devices, you need their permission before you can do so. This requirement is why the Directive began to be called the “cookie law.”
However, despite its name, the EU cookie law is not a law yet; it’s a directive. So, just like the Data Protection Directive became the General Data Protection Regulation—known globally as the GDPR—the EU is moving to make the ePrivacy Directive into a regulation. It was supposed to come into force at the end of 2023 but has been delayed.
Interestingly, while the GDPR does include cookie consent, the ePrivacy Directive is more specific about requirements. Lex specialis—or the specific law—overrides lex generalis—or a general law. Thus, when it comes into effect, the ePrivacy Regulation will override the GDPR in matters of cookie regulation.
Where the PECD originally applied to traditional telecom operators only, the ePrivacy Regulation in its amended form will cover a wider range of electronic communications. Any business that collects and uses consumer data for online communication services, online tracking technologies, or online marketing would have to comply with it.
Here’s a list of who must comply with the EU cookie law:
In addition, the ePrivacy Regulation will also encompass machine-to-machine communication as in the case of Internet of Things (IoT) devices. As is the case with the GDPR, this regulation will apply to any business that collects the information of consumers within the EU, even if the business operates outside the area.
So, if you’re a business in the US with a website that gets visitors from the EU, you need to comply with the EU cookie law.
According to the ePrivacy Directive, websites are required to:
The cookie law does have some exemptions. You don’t need consent for:
The EU cookie policy is a combination of the GDPR and the ePrivacy Directive working together to protect consumer privacy. According to the GDPR, cookies are a method for processing personal data, which means they are subject to user consent. This consent has to be:
To get consent, you must have a visible cookie banner and a cookie policy that can be found and understood easily. Once you have consent, it must be retained for audit purposes.
Despite its popular name, the ePrivacy Directive covers more than just cookies. Directive 2002/58/EC is responsible for the “protection of individuals with regard to the processing of personal data and on the free movement of such data.”
Here are some of the important aspects of data privacy in communications that it talks about.
According to the directive, confidentiality of communications is a human right. As such, the directive is strictly against any unlawful surveillance or interception of people’s communications within the member states.
It does allow exceptions for “public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.”
However, there are some strict conditions that must be met for legal interception in these situations.
Under Section 2(b) of the Directive, traffic data is defined as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof.”
To be clear, this is the metadata created during the transmission, not the contents of the transmission. This can include:
According to the Directive, traffic data can only be processed:
Once these purposes are fulfilled, this data must be either erased or anonymized, unless the users give permission for it to be retained for other purposes, like value-added services or marketing.
Tracking the location of users without their consent is a violation of their privacy. As such, if you’re collecting location data from consumers separately from traffic data (or information generated in the process of a transmission), it must be with the user’s consent. Additionally, it must be anonymized to protect their identity.
This data may only be used for value-added services, such as providing traffic updates or navigation. It should only be accessed by people authorized to view it, whether that’s employees in your organization or third-party value-added service providers. As with consent for any personal data, consumers should be provided with the means to temporarily refuse the processing of their data simply and at no additional cost. They should also be allowed to revoke consent.
If you provide electronic communications services—whether as an internet provider or mobile phone service provider—you must “take appropriate technical and organisational measures to safeguard security of [...] services, if necessary in conjunction with the provider of the public communications network with respect to network security.”
The Directive also defines “adequate” security, stating it must be proportional to the risk faced by the network or service. It should also be state of the art, meaning it should be modern and effective. Finally, it should be cost-effective and reasonably priced.
In case of a “particular risk of a breach of the security of the network,” you as the provider are also obligated to inform users of the nature of the risk, possible solutions they can implement if you can’t mitigate it completely, and any potential cost implications to them.
In order to prevent spam and unwanted marketing messages, businesses are required to get prior consent from consumers before they can send them automated messages, with exceptions for existing customer relationships.
These include situations where a consumer provides their contact information when buying a product. That information can be used to send them promotional material for similar products or services. The caveat, of course, is the consumer should be informed of how their personal information will be used and they should have an easy way of opting out at the point of collection.
Additionally, any marketing message sent should not hide or disguise the sender’s identity and should include a valid address where the recipient can send a request to stop receiving further communications.
The Directive currently gives member states the freedom to decide whether the consent should be opt-in or opt-out. The former means they must agree explicitly to receiving marketing communications while the latter permits you to send such communications so long as the consumer hasn’t said no.
However, this might change once the Directive becomes a regulation, and it’s likely that all member states would then follow an opt-in model to align with the GDPR.
At the moment, since the ePrivacy Directive is not enforceable, companies cannot be penalized for not complying with the EU cookie law. However, these directives can be transposed into the member countries' laws, which then makes them enforceable.
For example, in 2022, the data protection authority in France, the Commission Nationale de l'Informatique et des Libertés (CNIL), charged Google and Amazon a combined fine of €210 million for cookie violations under the ePrivacy Directive.
These companies didn’t provide an easy way for French users to decline tracking via cookies.
Even when the ePrivacy Regulation comes into force, it is most likely to carry penalties similar to the GDPR. At the time of writing, the fines for GDPR non-compliance are to be “effective, proportionate and dissuasive for each individual case.”
A business can face higher penalties for “intentional infringement, a failure to take measures to mitigate the damage which occurred, or lack of collaboration with authorities,” among other things. This means the penalty system is a tiered one, depending on the severity of the violation.
Less serious violations can lead to a fine of €10 million or 2% of the global turnover, whichever is greater. This was how the fines for Google and Amazon were calculated.
The fines for especially severe violations by a business, on the other hand, are €20 million or 4% of its total global turnover of the preceding fiscal year, whichever is greater.
As more countries become concerned about their citizens’ data and its privacy, they are creating their own data privacy laws. Even though not all of them specifically mention cookies, the mere fact that these trackers can be considered to process personal data brings them under the scope of the law.
When the UK separated from the EU, it created its own UK GDPR and version of the ePrivacy Directive, the Privacy and Electronic Communications Regulations (PECR). Like the EU cookie law, this governs user data privacy across all forms of electronic communication.
Also, like the EU cookie policy, this regulation requires businesses to get consent from consumers before they can collect or track their data.
Although the US doesn’t have a federal cookie law, it does have state laws—like the California Consumer Privacy Act (CCPA)—that regulate cookies and their use.
The CCPA doesn’t specifically ask for a cookie banner. However, it does require notice before or during the collection of data. It also requires websites to have a “Do Not Sell or Share” opt-out link for users who don’t want their personal information being sold to third parties.
Since Brazil’s LGPD defines personal data as anything related to a “natural person,” it does cover cookies and other such trackers. This law also requires consent to be free, informed, and affirmative, and given for a specific purpose.
Like the GDPR, it applies to any business that processes the personal data of individuals located in Brazil, even if it’s based elsewhere. It also requires a cookie banner for a website to be compliant.
While it doesn’t specifically mention them, South Africa’s POPIA does define “personal identifiers,” and this definition can be interpreted to cover cookies. Again, this law requires consumers to opt in for data collection, and consent must be informed, specific and not forced, which means it requires a cookie banner for compliance.
We’ve talked a lot about the EU cookie law and other laws that cover them, but what exactly are cookies?
Cookies are small files responsible for certain functionalities of a website. They help the user enjoy certain features, personalize their experience, and yes, track their behavior.
How do cookies help create a better user experience?
They can keep you logged in while you navigate through the various pages. They can be used to “remember” any items you place in the shopping cart while you continue browsing. They can also customize the appearance of the site based on your preferences.
However, they can also be used to monitor your activities and preferences to generate targeted ads or track your journey from website to website. This information is unique to you and is considered personal.
Let’s look at the different types of cookies you might encounter on a website or use on your own.
Cookies can be set by the website the consumer is visiting or the website’s partners. If the source of the cookies is the website, they’re called first-party cookies. On the other hand, if they were installed by someone other than the website, they’re called third-party cookies.
In case you were wondering why a third party might install cookies on a website: websites often embed features they don’t own, such as a live chat widget, social media buttons, or even Google Maps, and the providers of those features can set cookies.
Third parties may also set cookies to show users targeted ads. These third-party cookies are also called tracking cookies because they monitor a user’s activity across the internet.
Session cookies: A session is the duration of browsing that starts when you open a website or web app and ends when you navigate away from it. Such cookies help users get a better experience when browsing but expire when the user ends the session.
Have you ever shopped on a site that saves your shopping cart as long as you’re browsing but deletes the contents as soon as you leave? That was enabled by session cookies.
Persistent cookies: These are also called permanent cookies because they stay on the user’s device for a long time. However, they do have an expiration date, which can be a few minutes to a few years. At the end of the designated time, they get deleted from the browser.
You might have seen these cookies in action on websites where you’ve asked to stay logged in for a certain period of time.
Strictly necessary cookies: These are also called essential cookies because they are essential for the proper functioning of the website. These cookies are exempt from cookie consent regulations because a business would not be able to deliver their service to the consumer if these cookies weren’t allowed.
Performance/analytics cookies: If a website wants to deliver a better experience to users based on their browsing habits, it uses performance cookies to gather anonymous data. These cookies track consumers to see how they use the website, what types of pages they visit, and where they experience friction. This information can then be used to improve the website so the viewers can have a smoother and more enjoyable browsing experience.
Functional/personalization cookies: Like essential cookies, functional cookies are used to deliver certain features and functionalities.
These cookies might remember the login information of the user on their browser, so they are always logged in. They might also be used to remember their language preferences or region.
However, these aren’t essential functions that might prevent the website from delivering its service if they weren’t present.
Advertising cookies: You can guess the purpose of these cookies from their name. These targeting cookies or tracking cookies record a user’s browsing behavior and interests to build a profile of them. This information can then be used to show them targeted ads when they visit other websites. These are usually third-party cookies installed by advertising networks and are persistent.
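To make the cookie categories above concrete, here is an added JavaScript example (not code from the original article or from Osano). It parses `Set-Cookie` headers, classifies each cookie as session or persistent (by the presence of `Max-Age` or `Expires`) and as first- or third-party (by whether the host that set it belongs to the site being visited), and then applies a consent gate: strictly necessary cookies are always allowed, every other category only when the user opted in. The hostnames, cookie names, the `COOKIE_INVENTORY` category table and the consent record are all constructed for the example, and the site comparison uses a last-two-labels shortcut instead of the Public Suffix List that real browsers use.

```javascript
// Added example (not from the original article): parse Set-Cookie headers,
// classify each cookie as session vs persistent and first- vs third-party,
// and decide which may be set given the user's consent choices.
// Hostnames, cookie names and the category inventory below are constructed.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Session cookies carry neither Max-Age nor Expires; when both are present,
// Max-Age wins (RFC 6265, section 5.3).
function cookieLifetime(cookie, now = Date.now()) {
  if ('max-age' in cookie.attrs) {
    const secs = parseInt(cookie.attrs['max-age'], 10);
    if (Number.isFinite(secs)) {
      return { kind: 'persistent', expiresAt: now + secs * 1000 };
    }
  }
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    if (!Number.isNaN(t)) return { kind: 'persistent', expiresAt: t };
  }
  return { kind: 'session', expiresAt: null };
}

// Simplified site comparison: the last two labels of the host. Real browsers
// use the Public Suffix List (so "co.uk" is handled correctly); this shortcut
// is an assumption made for the example only.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// A cookie is first-party when the host that set it belongs to the same site
// the user is visiting; otherwise it is third-party.
function cookieParty(setByHost, pageHost) {
  return registrableDomain(setByHost) === registrableDomain(pageHost)
    ? 'first-party'
    : 'third-party';
}

// Constructed cookie inventory: cookie name -> consent category.
const COOKIE_INVENTORY = {
  sessionid: 'strictly-necessary',
  lang: 'functional',
  _metrics: 'analytics',
  ad_profile: 'advertising',
};

// Only strictly necessary cookies are exempt from consent; every other
// category is set only if the consent record shows an opt-in for it.
function consentGate(responses, pageHost, consent, now = Date.now()) {
  const allowed = [];
  const blocked = [];
  for (const { header, setByHost } of responses) {
    const cookie = parseSetCookie(header);
    const category = COOKIE_INVENTORY[cookie.name] || 'uncategorised';
    const record = {
      name: cookie.name,
      category,
      party: cookieParty(setByHost, pageHost),
      lifetime: cookieLifetime(cookie, now).kind,
    };
    const permitted =
      category === 'strictly-necessary' || consent[category] === true;
    (permitted ? allowed : blocked).push(record);
  }
  return { allowed, blocked };
}

// Constructed sample: four Set-Cookie headers seen while loading shop.example.com.
const SAMPLE_RESPONSES = [
  { header: 'sessionid=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax', setByHost: 'shop.example.com' },
  { header: 'lang=fr; Max-Age=2592000; Path=/', setByHost: 'shop.example.com' },
  { header: '_metrics=u7; Max-Age=63072000; Domain=.example.com', setByHost: 'stats.example.com' },
  { header: 'ad_profile=x1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure', setByHost: 'ads.adnetwork.example' },
];

// The visitor accepted functional cookies only.
const decision = consentGate(SAMPLE_RESPONSES, 'shop.example.com', { functional: true });
console.log(JSON.stringify(decision, null, 2));
```

With the constructed consent record, the session cookie and the persistent `lang` cookie are allowed, while the first-party analytics cookie and the third-party advertising cookie are blocked; recording the decision alongside the consent record is what gives you the audit trail the article says you must retain.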
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.