Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
The European Union currently boasts the world's most comprehensive and expansive data protection framework, the General Data Protection Regulation (GDPR). Complementing this law is the e-Privacy Directive (also known as the EU Cookies Directive), which together firmly establish data protection and online privacy in the EU.
However, due to the complexities associated with these frameworks, cookie compliance may be easier said than done. As a result, most website owners are left puzzled, trying to figure out exactly what is required of them in their treatment of cookies and what isn't.
Cookies are small data files created by web browsers and stored on a user's device (e.g., a computer or phone) when visiting a website. They constitute an important part of the internet experience, as they perform some critical functions, including:
Cookies help make the browsing experience more personal for users, which is generally perceived to be a good thing. Moreover, without certain cookies, you stand the risk of losing valuable and very detailed information about the behavior of site visitors, which may be used to improve your offerings.
Keep in mind, however, that while cookies are mostly harmless, not everybody wants to be tracked by them (as a matter of privacy). This has led to the proliferation of various privacy laws that give users more control where cookies are concerned.
As a result, it is now effectively illegal for any website to store certain cookies without the consent or approval of its users.
Now that we have a basic understanding of what cookies are and how they work, let's take a look at what the EU privacy laws have to say about cookies.
The GDPR is the most robust legal framework in the world right now, and as such, has managed to cover all the bases necessary to address personal data protection and digital privacy in the world today.
The regulation also has a wide coverage as it applies to businesses and websites outside the EU so long as they collect personal data from or track users residing in the EU.
Here's the original text from the GDPR, in Recital 30:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
In the Recital above, the GDPR explains that while cookies may not be sufficient to distinguish individuals on their own, they could indirectly contribute to their identification. Consequently, this qualifies cookies as personal information in certain instances and therefore subjects them to the GDPR.
Generally, GDPR cookie compliance can be implemented on websites through cookie banners that give users an option to accept or reject certain cookies depending on their preferences.
The EU Cookies Directive, on the other hand, deals more directly not only with cookies but similar technologies that store or retrieve information on users' devices. Common examples include web beacons, pixel tags, advertising IDs, and so on.
Strictly speaking, the EU Cookies Directive is a greater authority than the GDPR when it comes to cookie compliance. This is because the Directive addresses key aspects of the confidentiality of electronic communications and includes specific rules on cookies and similar technologies, hence its nickname, "The EU Cookie Law."
Upon its introduction, the Directive also triggered a widespread adoption of cookie consent pop-ups for websites to obtain initial consent from users before providing them with cookies.
Furthermore, the Cookies Directive requires website owners to inform users about the type, usage, and purpose of cookies they use. This applies to all websites that target EU users, regardless of their location.
Simply put, no, neither the GDPR nor the EU Cookies Directive specifically requires that you list cookies individually on your website.
This decision is likely intentional, as listing individual cookies by name is both a major complication and a burden for websites trying to achieve cookie compliance.
Moreover, listing cookies individually would require you (as a website owner) to conduct endless audits of not only all the cookies you use, but also the cookies used by your third parties. This would be irrational, counterproductive, and most likely unhelpful to users.
Here's its original text on page 18, showing how to provide information about cookies:
"The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so. This is comparable with the transparency requirements of the first data protection principle. At present, levels of user understanding are likely to be low and so those using cookies will need to make a particular effort to explain the activities of cookies in a way that people will understand. Long tables or detailed lists of all the cookies operating on the site may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function."
Note how the text does not set out what information you must provide or require you to list cookies by name but requires only that your description of cookies be "sufficiently full and intelligible."
Here's a translated excerpt from a cookie guide of the Spanish national authority for data protection that also supports this sentiment:
In sum, the GDPR, the EU Cookies Directive and other European national authorities require you to clarify what categories of cookies you use, how they work, and why you need them on your website, rather than listing cookies individually by name.
If you have third-party platforms integrated into your website, you also need to disclose relevant information that addresses their Cookie Policies and Practices.
The cookie compliance requirements under the GDPR, the EU Cookies Directive, and other prominent authorities are fairly similar, give or take a few slight changes. That said, let's take a look at some common best practices for compliance under these regulations.
The first step you as a website owner must take to comply is to identify the categories of cookies your website uses. This is necessary to help demonstrate transparency as well as to discover which cookies need user consent before they can be implemented and which don't.
Generally, cookies used by most websites fall under (but aren't restricted to) the following categories:
Once you've identified the purpose and categories of cookies used by your website, you need to explicitly inform your users.
Additionally, your description of cookies should not be overly complex but presented in plain and simple language so users can make an informed decision to either accept or reject them.
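The category-based approach described above (identify the categories your site uses, inform the user, then honor their accept/reject choice) is usually enforced in code by gating every non-essential cookie on a recorded consent decision. The following is an added example and not code from the TermsFeed article or from any of the companies it mentions; the category names ("necessary", "analytics", "marketing"), the `cookie_consent` cookie name and the in-memory cookie jar are assumptions chosen so the example runs outside a browser. Cookies in categories that require consent are denied by default until the user opts in, and withdrawing consent removes cookies that were set under it.

```javascript
// Added example, not the article's own code. Category definitions are
// assumptions; a real site would populate them from its cookie audit.
const CATEGORIES = {
  necessary: { requiresConsent: false }, // always allowed (e.g. session, consent record)
  analytics: { requiresConsent: true },
  marketing: { requiresConsent: true },
};
// Assumed name for the cookie holding the user's decision; it is itself
// strictly necessary, so it can be set without prior consent.
const CONSENT_COOKIE = "cookie_consent";

// In-memory cookie jar so the example runs without a browser. A browser
// implementation would expose the same methods over document.cookie.
function memoryJar() {
  const store = new Map();
  return {
    set(name, value, attrs) { store.set(name, { value, attrs }); },
    get(name) { return store.has(name) ? store.get(name).value : undefined; },
    remove(name) { store.delete(name); },
    names() { return [...store.keys()]; },
  };
}

function createConsentManager(jar) {
  const registry = new Map(); // cookie name -> category, so consent can be withdrawn later
  const defaults = { path: "/", secure: true, sameSite: "Lax" };

  function readConsent() {
    const raw = jar.get(CONSENT_COOKIE);
    if (raw === undefined) return null; // user has not decided yet
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Default deny: a category needing consent is allowed only after an explicit opt-in.
  function isAllowed(category) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    if (!def.requiresConsent) return true;
    const consent = readConsent();
    return consent !== null && consent[category] === true;
  }

  // Store the decision per category; anything not explicitly accepted is refused.
  function recordConsent(choices) {
    const decision = {};
    for (const [cat, def] of Object.entries(CATEGORIES)) {
      decision[cat] = def.requiresConsent ? choices[cat] === true : true;
    }
    jar.set(CONSENT_COOKIE, JSON.stringify(decision), { ...defaults, maxAge: 15552000 });
    // Remove cookies already set in categories the user has now refused.
    const refused = [...registry].filter(([, cat]) => !decision[cat]);
    for (const [name] of refused) { jar.remove(name); registry.delete(name); }
    return decision;
  }

  // Returns true if the cookie was set, false if it is blocked pending consent.
  function setCookie(name, value, category, attrs = {}) {
    if (!isAllowed(category)) return false;
    jar.set(name, value, { ...defaults, ...attrs });
    registry.set(name, category);
    return true;
  }

  function withdrawConsent() { return recordConsent({}); }

  return { isAllowed, recordConsent, setCookie, withdrawConsent, readConsent };
}

// Walk-through with constructed cookie names and values.
function demo() {
  const jar = memoryJar();
  const cm = createConsentManager(jar);
  const before = cm.setCookie("_analytics_id", "GA1.2.1", "analytics"); // blocked: no consent yet
  cm.setCookie("session", "abc123", "necessary");                       // allowed: strictly necessary
  cm.recordConsent({ analytics: true, marketing: false });              // user accepts analytics only
  const after = cm.setCookie("_analytics_id", "GA1.2.1", "analytics");  // now allowed
  const ad = cm.setCookie("ad_id", "xyz", "marketing");                 // still refused
  cm.withdrawConsent();                                                 // analytics cookie is removed
  return { before, after, ad, remaining: jar.names().sort() };
}
```

The consent record is written per category rather than as a single yes/no, which is what lets the site honor a partial choice such as "analytics but not marketing". Keeping a registry of which cookie belongs to which category is what makes withdrawal meaningful: without it, a site can stop setting new cookies but cannot clean up the ones already placed.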
Here's a good example from Bain & Company that concisely summarizes the categories and purposes of its cookies in simple language. Note how it also includes a link to its Policies:
Consent is perhaps the most important and deeply regulated requirement in every cookie compliance regulation out there.
Briefly, here are some best practices to help your website comply with the consent requirements of the GDPR and the EU Cookies Directive:
Here's a good example from EY that complies accordingly with these stipulations:
A legally-compliant Cookies Policy typically includes the following:
Here's one such example from Amazon:
Additionally, both your Privacy and Cookies Policy must be conspicuously displayed on your website, usually on sign-up forms, website footers, and checkout pages. Finally, your Policies must be clear, transparent, and easy to understand.
The penalties for violating the GDPR and the EU Cookies Directive are among the highest in the world right now, easily running into millions of dollars.
Although the EU Cookies Directive is not explicit about the penalties for violating its provisions (primarily because it's not yet a regulation), the potential fines for non-compliance may be significant for websites that fail to comply. Moreover, the policies regarding what qualifies for punishment may vary depending on where you live, as does the maximum amount of the fine you may receive.
Under the GDPR, however, penalties for violating cookie compliance obligations are pretty substantial. In most cases, cookies are subject to the GDPR when they (in conjunction with other unique identifiers) can potentially identify an individual.
For lower-level cases, breaching the GDPR can result in fines of up to €10 million or 2% of the company's annual worldwide revenue, whichever is greater. The more serious cases can result in a fine of up to €20 million or 4% of the company's annual worldwide revenue, whichever is greater.
For tips and strategies on avoiding violations of other aspects of the GDPR and the fines they carry, check out our feature article: How to Avoid GDPR Fines.
Understanding your cookie compliance requirement is an essential obligation of every website owner. It's important to get a good grasp of the specific cookie requirements under the EU privacy laws so you don't end up non-compliant or undertaking burdensome and unnecessary tasks in an effort to be compliant.
Here's a quick recap of key things to note when trying to comply with the cookies regulations under the GDPR and the EU Cookies Directive:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.