top of page

What You Should Know About the EU Cookie Law

Updated: May 19, 2023

What You Should Know About the EU Cookie Law

The ePrivacy Directive (also known as the EU cookie law) is a European Union regulation that controls how your website, through cookies and trackers, collects and processes the personal data of EU Citizens. 

After General Data Protection Regulation (GDPR), the EU cookie law is one of the most demanding and stringent data privacy regulations. It requires you, the business owner, to obtain explicit consent from end-users before loading cookies onto their websites. 

This article will dive deeper into EU cookie law why you need a consent management platform for your business websites & Apps in 2023.

Comply with the EU Cookie Law

The EU cookie law was the first legislation to regulate the use of cookies and trackers by businesses to obtain the user's data, the EU citizens, through their consent. Before that, companies only used cookie notices which only informed the user about the usage of cookies but didn't take their due consent for the same. 

According to the EU Cookie Law, if your website has visitors from within the EU, you must –  

  1. Withhold all cookies and trackers until users provide consent 

  2. Give end-users easy-to-understand information about all cookies and trackers on your domain 

  3. Gain end-user consent to all cookies and trackers in use in a friendly manner 

  4. Enable end-users to refuse or withdraw consent in a quick and easy manner  

Quick EU cookie law (ePrivacy Directive) breakdown

  1. The EU cookie law (ePrivacy Directive) was enacted in 2002 and amended effective in 2011.

  2. The EU cookie law (ePrivacy Directive) regulates the collection and processing of personal data through cookies on a website, which eventually comes into the electronic communications sector. 

  3. The EU cookie law (ePrivacy Directive) states that the business must obtain prior consent from the user to use cookies through a cookie banner. Users must get clear and specific information about the purposes of collecting and processing data to be able to share their consent by either accepting it or rejecting it. 

  4. The EU cookie law (ePrivacy Directive) covers all the technology that processes users' data using "cookies," an umbrella term. However, no explicit consent is required for deploying essential cookies (For example, cookies that manage the user's shopping cart content on a webshop). 

  5. The EU cookie law (ePrivacy Directive) covers the confidentiality security of networks and unsolicited commercial e-mails ("spam") and e-communications services, among other provisions. 

  6. The EU cookie law (ePrivacy Directive) is a directive and a not uniform binding regulation in the EU (as is the GDPR). Each member state implements cookie law concerning its national legislation but must follow the provisions of the directives compulsorily. 

  7. Each EU member state enforces the EU cookie law (ePrivacy Directive) with regard to its own national data privacy policy. The European Data Protection Board (EDPB), which consists of representatives of EU member states' national data protection authorities, is responsible for collecting, interpreting, and enforcing the EU cookie law. 

  8. The EU cookie law (ePrivacy Directive) can fine up to €20 million or 4% of annual global turnover, whichever is higher if your business is found to be non-compliant.  

Combined with the EU's GDPR, the EU cookie law forms an overarching data privacy umbrella in Europe. This includes any website with visitors from within the EU, regardless of where the business is located worldwide. 

One thing EU's cookie law is that it doesn't require you to ask for cookie consent for the essential cookies, which are, by default, necessary for the basic functioning of the website. It only asks to take consent for nonessential cookies such as analytical cookies, advertising cookies, and other social media cookies. 

Like Brazil's LGPD and South Africa's POPIA, many newer data privacy laws draw inspiration from the EU's data privacy regime, including the ePrivacy Directive's cookie requirements. 

In-Depth Look at the EU Cookie Law 

The EU cookie law (ePrivacy Directive) is a directive rather than a law. And that's why each respective State of the European Union can exercise this cookie law with regard to their national privacy laws. 

There is a special European data protection board, including each representative of the European Union states. This board is responsible for the Regulation, interpretation and implementation of the cookie law in respective countries of the EU.  

The requirements of every State can differ slightly, but they all must follow the provisions of the Directive strictly. This is a stark difference from GDPR, a uniform regulation enforced across the European Union. 

Under EU law, the use of cookies is only allowed on one condition: the user has given their consent and has been provided with clear and comprehensive information. 

How does it work? How do you obtain explicit user consent on your website, and what qualifies as valid, "explicit" user consent? 

Each member state's data protection authority oversees the enforcement of the EU cookie law at a national level. Still, it does so based on the vast guidelines issued by the European Data Protection Board (EDPB), which consists of representatives from each country. 

Under the EDPB, "valid" is defined to be:

  1. Freely given 

  2. Specific 

  3. Informed 

  4. Unambiguous 

Cookies are mentioned only once in the EU cookie law, but the rules are crystal clear. 

What does CPRA say about Cookies?

Under CPRA, businesses are not required to ask for consent from the user to use cookies unless those cookies are used to collect the personal information of minors, i.e., children between 13-16 years. 

However, as CPRA is based on an opt-out consent model, the business must comply with the user's request to opt out of the sharing or selling personal data to third parties.  

This includes not sharing data for cross-contextual behavioral advertising. Also, they can limit the use of sensitive personal data. 

CPRA: Cookie Compliance Checklist:

  1. Provide a clear and specific link saying, "Do not sell or share my personal data" and "Limit the use of my sensitive personal information." 

  2. Businesses can also rely on preference signals to comply with the above obligations. In such a case, companies must allow consumers to opt out through an opt-out preference signal sent with the consumer's consent. 

  3. Even though CPRA doesn't require opt-in consent, you must not load nonessential cookies without notifying the user with a cookie banner. 

  4. Under CPRA, businesses must wait for at least 12 months to request the consumer to authorize the sale or sharing of personal information and disclose sensitive personal information. 

What is GDPR Cookie Consent? 

Under GDPR, a website must take explicit consent from the user through a GDPR-compliant cookie consent banner that gives them the option to accept or reject the use of cookies on the website. 

The General Data Protection Regulation, or GDPR, is the European Union's and the world's first data privacy law enacted in May 2018 to give EU citizens more control over their data and limit businesses' unethical use of personal information for targeting behavioral adverts to EU citizens. 

The GDPR is very clear on what they want to provide to the citizens of the EU and the businesses. They want users to have more control over what they want to share and hold back their data. At the same time, they want to straighten up businesses on their use of the citizens' personal data. 

GDPR: Cookie Compliance Checklist:

Consent Wording: Consent must be informed

Businesses must fully inform the data subject or the individuals of the purpose of data collection and all the vendors or parties involved in processing personal data. 

  1. The name of the data processor collecting and processing personal data; 

  2. The purpose and the legal basis for personal data processing; 

  3. The Data types or categories that will be processed; 

  4. Their rights to access, change, or withdraw personal data. 

Consent Opt-Ins: Consent requires affirmative actions

Organizations cannot include consent by default into contracts or pre-ticked boxes on paper or electronic consent forms. Data subjects must be provided with an opt-in method that allows them to pick and choose the level of consent they want. 

GDPR discourages pre-ticked boxes on paper or electronic consent forms or embedding consent by default into contracts. Under GDPR, businesses must strictly provide opt-in consent where the user has the freedom to either accept, reject, change the data or change the preference of how their data is used. 

Consent Notice: Consent needs to be distinguishable.

Don't repeat the META mistake. Do not assume that you can include consent within your terms and conditions. GDPR has clarified that they want you to separate consent requests from all other matters. Also, make sure it is interactive, accessible, and simple to read and understand. Ensure that you make a systematic process of addressing all the consent requirements. 

Automated Cookie blocking:

Under GDPR, Websites shall not deploy or just block all nonessential cookies until the users give their consent through the cookie consent banner. As GDPR is based on an opt-in consent model, no unnecessary cookies can be deployed until the user has provided their due consent through a GDPR-compliant cookie consent banner. 

What About Third-Party Cookies?

In the ePrivacy Directive, the use of cookies is clearly defined in Article 66:  

"Third parties may store information on the user's devices or gain access to information already stored for several purposes, ranging from the legally allowed (essential cookies) to those involving unwanted interference into the private sphere (such as viruses or spyware).  

Therefore, it is paramount that users must be provided with comprehensive and precise information when engaging in any activity that could result in such storage or gaining access.  

The techniques of conveying information and offering the right to reject should be as user-friendly as possible." 

Cookies can come in multiple forms. Whether it's first-party cookies needed for the essential function of your site or third-party marketing cookies from ad services or social media integrations, cookies can be categorized in four ways: 

  1. Necessary cookies 

  2. Preference cookies 

  3. Statistics cookies 

  4. Marketing cookies 

The ePrivacy Directive's cookie consent requirements are precise. Any non-first-party cookies must be withheld until the end user consents.  

When will the ePrivacy Directive be replaced?

The ePrivacy Directive, with directives as far back as 2009, continues to lose its relevance. New tracking technology emerges, and online behavior changes with it. The switch from the ePrivacy Directive to the stronger ePrivacy Regulation is coming shortly. 

EU Commission legislative talks to replace the ePrivacy Directive with a stronger ePrivacy Regulation have been an ongoing battle for years and have yet to have a clear solution. 

However, in February 2021, the EU Council published a new draft of the ePrivacy Regulation.

It moved the process into a negotiation stage between the EU Parliament, Commission, and Council. 

Consent is still an essential part of the new ePrivacy Regulation 2021 draft. Cookies and tracking technologies are part of the scope. The need for end-user consent first won't be going anywhere. 

Until the new ePrivacy Regulation is live, the ePrivacy Directive and the GDPR still govern data privacy in the EU.  

What it Means for Business

As a website or an online business owner, ensure your business operations, like a website or a mobile app, comply with the cookie law, which will require you to make some changes.  

The risk of noncompliance is enormous and will undoubtedly result in heavy fines and irrecoverable brand damages. Once the user's trust is broken, it is hard for businesses to regain it, ultimately losing their overall brand value. 

If your business comes under the EU's GDPR or California's CPRA, the cost incurred, both monetary and non-monetary, can be devastating. 

Consent management platform - Your business's savior 

The ePrivacy Directive, combined with the General Data Protection Regulation (GDPR), regulates how your website can use cookies that process personal data from EU users. 

Within those, you're required to obtain explicit consent from end-users before cookies are deployed to be activated on your website. That requires you to: 

  1. Provide users with comprehensive, easy-to-understand information about all cookies in use 

  2. Give users the option to refuse or withdraw consent easily 

  3. Obtain user consent to use cookies and trackers that process personal data 

You can automatically gain consent with Adzapier's Consent Management Platform (CMP). Our top goal is to maintain confidence and complete transparency in privacy and compliance with our publisher partners and their advertisers. 

bottom of page