The European Union currently has the world's most comprehensive and expansive data protection framework to date, the General Data Protection Regulation (GDPR). Complementing this law is the e-Privacy Directive (also known as the EU Cookies Directive); together they firmly establish data protection and online privacy in the EU.
However, due to the complexities associated with these frameworks, cookie compliance may be easier said than done. As a result, most website owners are left puzzled, trying to figure out exactly what is required of them in their treatment of cookies and what isn't.
- What are cookies?
- Do the GDPR and the EU Cookies Directive require you to list individual cookies by name?
- What are the cookie compliance requirements of the GDPR and the EU Cookies Directive?
- What are the penalties for non-compliance?
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tablet and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copying and pasting the installation code into the <head> section of your website (before the closing </head> tag). Instructions on how to add the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
- 1. Cookies and EU Privacy Laws
- 1.1. What are Cookies?
- 1.2. Cookies and the GDPR
- 1.3. Cookies and the EU Cookies Directive
- 2. Does the GDPR or the EU Cookies Directive Require Individual Cookies to be Listed by Name?
- 3. Cookie Compliance Requirements of the GDPR and the EU Cookies Directive
- 3.1. Identify and Inform Users About Cookies
- 3.2. Obtain User Consent When Needed
- 3.3. Provide a Privacy or Cookies Policy
- 4. Penalties for Non-Compliance
- 5. Summary
Cookies and EU Privacy Laws
What are Cookies?
Cookies are small data files that web browsers create and store on a user's device (e.g., computers and phones) when visiting a website. They constitute an important part of the internet experience, as they perform some critical functions, including:
- Storing user information
- Identifying the geographic location of users
- Providing a more convenient browsing experience
- Tracking browsing habits and preferences to deliver personalized advertising
- Recalling information entered on online forms, login pages, shopping carts, etc.
Cookies help make the browsing experience more personal for users, which is generally perceived to be a good thing. Moreover, without certain cookies, you stand the risk of losing valuable and very detailed information about the behavior of site visitors, which may be used to improve your offerings.
Keep in mind, however, that while cookies are mostly harmless, not everybody wants to be tracked by them (as a matter of privacy). This has led to the proliferation of various privacy laws that give users more control where cookies are concerned.
As a result, it is now effectively illegal for any website to store certain cookies without the consent or approval of its users.
Now that we have a basic understanding of what cookies are and how they work, let's take a look at what the EU privacy laws have to say about cookies.
Cookies and the GDPR
The GDPR is the most robust legal framework in the world right now, and as such, has managed to cover all the bases necessary to address personal data protection and digital privacy in the world today.
The regulation also has a wide coverage as it applies to businesses and websites outside the EU so long as they collect personal data from or track users residing in the EU.
Here's the original text from the GDPR, in Recital 30:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
In the Recital above, the GDPR explains that while cookies may not be sufficient to distinguish individuals on their own, they could indirectly contribute to their identification. Consequently, this qualifies cookies as personal information in certain instances and therefore subjects them to the GDPR.
Generally, GDPR cookie compliance can be implemented on websites through cookie banners that give users an option to accept or reject certain cookies depending on their preferences.
Cookies and the EU Cookies Directive
The EU Cookies Directive, on the other hand, deals more directly not only with cookies but similar technologies that store or retrieve information on users' devices. Common examples include web beacons, pixel tags, advertising IDs, and so on.
Strictly speaking, the EU Cookies Directive is a more direct authority than the GDPR when it comes to cookie compliance. This is because the Directive addresses key aspects of the confidentiality of electronic communications and includes specific rules on cookies and similar technologies, hence its nickname, "The EU Cookie Law."
Upon its introduction, the Directive also triggered a widespread adoption of cookie consent pop-ups for websites to obtain initial consent from users before providing them with cookies.
Furthermore, the Cookies Directive requires website owners to inform users about the type, usage, and purpose of cookies they use. This applies to all websites that target EU users, regardless of their location.
Does the GDPR or the EU Cookies Directive Require Individual Cookies to be Listed by Name?
Simply put, no, neither the GDPR nor the EU Cookies Directive specifically requires that you list cookies individually on your website.
This decision is likely intentional, as listing individual cookies by name is both a major complication and a burden for websites trying to achieve cookie compliance.
Moreover, listing cookies individually would require you (as a website owner) to conduct endless audits of not only all the cookies you use, but also the cookies used by your third parties. This would be irrational, counterproductive, and most likely unhelpful to users.
Here's its original text on page 18, showing how to provide information about cookies:
"The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so. This is comparable with the transparency requirements of the first data protection principle. At present, levels of user understanding are likely to be low and so those using cookies will need to make a particular effort to explain the activities of cookies in a way that people will understand. Long tables or detailed lists of all the cookies operating on the site may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function."
Note how the text does not set out what information you must provide or require you to list cookies by name but requires only that your description of cookies be "sufficiently full and intelligible."
Here's a translated excerpt from a cookie guide of the Spanish national authority for data protection that also supports this sentiment:
In sum, the GDPR, the EU Cookies Directive and the European national authorities require you to clarify what categories of cookies you use, how they work, and why you need them on your website, rather than listing cookies individually by name.
If you have third-party platforms integrated into your website, you also need to disclose relevant information that addresses their Cookie Policies and Practices.
Cookie Compliance Requirements of the GDPR and the EU Cookies Directive
The cookie compliance requirements under the GDPR, the EU Cookies Directive, and other prominent authorities are fairly similar, give or take a few slight changes. That said, let's take a look at some common best practices for compliance under these regulations.
Identify and Inform Users About Cookies
The first step you as a website owner must take to comply is to identify the categories of cookies your website uses. This is necessary to help demonstrate transparency as well as to discover which cookies need user consent before they can be implemented and which don't.
Generally, cookies used by most websites fall under (but aren't restricted to) the following categories:
Once you've identified the purpose and categories of cookies used by your website, you need to explicitly inform your users.
Additionally, your description of cookies should not be overly complex but presented in plain and simple language so users can make an informed decision to either accept or reject them.
Here's a good example from Bain & Company that concisely summarizes the categories and purposes of its cookies in simple language. Note how it also includes a link to its Policies:
Obtain User Consent When Needed
Consent is perhaps the most important and deeply regulated requirement in every cookie compliance regulation out there.
Briefly, here are some best practices to help your website comply with the consent requirements of the GDPR and the EU Cookies Directive:
- Obtain informed consent before implementing all cookies, with the only exception being strictly necessary cookies.
- Give users the option to opt-in or opt-out of receiving cookies by having them click a button or tick an unchecked box. Implied consent and pre-ticked boxes do not satisfy the opt-in and opt-out requirements of the law.
- Allow users to customize their cookie preferences, i.e., to accept the desired cookies while blocking others.
- Give users the ability to easily withdraw their consent whenever they wish.
- Finally, retain evidence of consent obtained from users.
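As an added example (it is neither the page's own code nor the Privacy Consent product's), here is a small browser-side consent manager in JavaScript that applies the five rules above: no category other than strictly necessary cookies is allowed by default, a choice counts only when it is an explicit opt-in, third-party scripts registered against a category are held back until that category has been consented to, consent is stored as an evidence record (timestamp, policy version, choices), and withdrawal is a single call. The category names, the `cookie_consent` storage key, the `storage` and `loadScript` callbacks and the script URLs in the demo are all assumptions made for illustration; the storage is an in-memory stand-in so the example also runs outside a browser.

```javascript
// Added example, not the page's or Privacy Consent's code: a consent manager that
// applies the opt-in rules above. Category labels, the storage key 'cookie_consent',
// the callbacks and the demo script URLs are hypothetical.

const CATEGORIES = ['strictly_necessary', 'preferences', 'analytics', 'marketing'];
// Only strictly necessary cookies are exempt from consent; everything else is opt-in.
const EXEMPT = new Set(['strictly_necessary']);

// In-memory stand-in for localStorage / a first-party cookie so this runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    get: (key) => (data.has(key) ? data.get(key) : null),
    set: (key, value) => { data.set(key, String(value)); },
    remove: (key) => { data.delete(key); },
  };
}

function createConsentManager({ storage, loadScript, now = () => Date.now(), policyVersion = 'v1' }) {
  const pending = new Map(CATEGORIES.map((c) => [c, []])); // scripts waiting for consent
  const loaded = new Set();

  function currentRecord() {
    const raw = storage.get('cookie_consent');
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt record = no consent
  }

  // Default is "no": a missing, outdated or unparseable record grants nothing (no pre-ticked boxes).
  function isAllowed(category) {
    if (EXEMPT.has(category)) return true;
    const rec = currentRecord();
    return !!(rec && rec.policyVersion === policyVersion && rec.choices[category] === true);
  }

  function load(src) {
    if (loaded.has(src)) return;
    loaded.add(src);
    loadScript(src); // in a browser this would append a <script src=...> element
  }

  // Third-party scripts are registered with the category they need and only load once that
  // category has been consented to: consent comes before the script, not after.
  function registerScript(category, src) {
    if (!pending.has(category)) throw new Error('unknown cookie category: ' + category);
    if (isAllowed(category)) load(src);
    else pending.get(category).push(src);
  }

  // Record an explicit choice and keep evidence of it (when, which policy text, what was chosen).
  // Anything that is not literally `true` is treated as refused, so implied consent cannot slip in.
  function recordConsent(choices) {
    const rec = { timestamp: new Date(now()).toISOString(), policyVersion, choices: {} };
    for (const c of CATEGORIES) {
      if (!EXEMPT.has(c)) rec.choices[c] = choices[c] === true;
    }
    storage.set('cookie_consent', JSON.stringify(rec));
    for (const [c, queue] of pending) {
      if (rec.choices[c]) queue.splice(0).forEach(load); // release scripts the user just allowed
    }
    return rec;
  }

  const all = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  const acceptAll = () => recordConsent(all);
  const rejectAll = () => recordConsent({});
  // Withdrawal takes the same single action as giving consent. Caveat: scripts that already ran
  // and cookies third parties already set are not undone here; the site must also expire its own
  // cookies and simply not load those scripts on the next page load.
  const withdraw = () => recordConsent({});

  return { isAllowed, registerScript, recordConsent, acceptAll, rejectAll, withdraw, currentRecord };
}

// Demo with constructed values: nothing loads before a choice, only the chosen category loads after.
function demo() {
  const loadedScripts = [];
  const cm = createConsentManager({ storage: memoryStorage(), loadScript: (s) => loadedScripts.push(s) });
  cm.registerScript('analytics', 'https://analytics.example/tag.js'); // hypothetical URL
  cm.registerScript('marketing', 'https://ads.example/pixel.js');     // hypothetical URL
  const before = loadedScripts.length;      // 0
  cm.recordConsent({ analytics: true });    // user ticked analytics only
  const after = loadedScripts.slice();      // ['https://analytics.example/tag.js']
  cm.withdraw();
  return { before, after, allowedAfterWithdraw: cm.isAllowed('analytics') };
}

console.log(demo());
```

The `policyVersion` check is what ties the stored evidence to the policy text the user actually saw: when the cookie policy changes, bumping the version invalidates old records and the banner is shown again instead of silently reusing stale consent.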
Here's a good example from EY that complies accordingly with these stipulations:
Provide a Privacy or Cookies Policy
A legally-compliant Cookies Policy typically includes the following:
- The categories of cookies you use
- Their various uses and purposes
- How users can control their information
- Third-party cookies and a link to their Privacy or Cookies Policy
Here's one such example from Amazon:
Additionally, both your Privacy and Cookies Policy must be conspicuously displayed on your website, usually on sign-up forms, website footers, and checkout pages. Finally, your Policies must be clear, transparent, and easy to understand.
Penalties for Non-Compliance
The penalties for violating the GDPR and the EU Cookies Directive are among the highest in the world right now, easily running into millions of dollars.
Although the EU Cookies Directive is not explicit about the penalties for violating its provisions (primarily because it is a directive rather than a regulation), the potential fines for non-compliance may be significant for websites that fail to comply. Moreover, the rules on what qualifies for punishment vary depending on the country, as does the maximum fine you may receive.
Under the GDPR, however, penalties for violating cookie compliance obligations are pretty substantial. In most cases, cookies are subject to the GDPR when they (in conjunction with other unique identifiers) can potentially identify an individual.
For lower-level cases, breaching the GDPR can result in fines of up to €10 million or 2% of the company's annual worldwide revenue, whichever is greater. The more serious cases can result in a fine of up to €20 million or 4% of the company's annual worldwide revenue, whichever is greater.
For tips and strategies on avoiding violating other aspects of the GDPR and receiving fines, check out our feature article: How to Avoid GDPR Fines.
Summary
Understanding your cookie compliance requirements is an essential obligation of every website owner. It's important to get a good grasp of the specific cookie requirements under the EU privacy laws so you don't end up non-compliant, or undertaking burdensome and unnecessary tasks in an effort to be compliant.
Here's a quick recap of key things to note when trying to comply with the cookies regulations under the GDPR and the EU Cookies Directive:
- Listing cookies individually by name is not required under either regulation, as long as you properly explain the categories of cookies used, as well as their uses and purposes.
- Providing detailed and specific information about cookies is good practice and helps you be compliant.
- Documenting proof of consent can help protect you from legal liabilities.
- Withdrawing consent should be as easy for users as giving it was in the first place.