The EU Cookie Law sets rules on how websites and apps set cookies and other trackers. It's part of an important EU law called the ePrivacy Directive.
The law requires website and app operators to get consent for certain types of cookies. The law also states that website and app operators must provide certain information about cookies to their users.
It's particularly important for developers and marketing teams to understand the EU's cookie rules, not just lawyers or compliance departments. This article will explain what the EU Cookie Law says, who it covers, and what you need to do to comply.
- 1. What is the EU Cookie Law?
- 2. Who Does the EU Cookie Law Apply to?
- 3. What Does the EU Cookie Law Require?
- 3.1. Which Cookies Require Consent?
- 3.2. Which Cookies Do Not Require Consent?
- 4. How to Get Consent for Cookies
- 5. What Information to Provide About Cookies
- 6. Country-Specific Differences
- 7. Enforcement and Penalties Under the EU Cookie Law
- 8. Cookie Consent Examples
- 9. Conclusion
What is the EU Cookie Law?
The "EU Cookie Law" is part of the EU's ePrivacy Directive.
The ePrivacy Directive covers more than just cookies. It sets rules on email and telephone marketing, spyware and more. When we refer to the "EU Cookie Law," we mean the parts of the ePrivacy Directive concerning cookies.
The ePrivacy Directive is not to be confused with the EU General Data Protection Regulation (GDPR). However, the two laws interact in some important ways.
Every EU country, together with the UK, Iceland, Liechtenstein and Norway (we'll refer to these countries as "Europe" as a shorthand), has implemented the ePrivacy Directive in its national law.
In the UK, for example, there's the Privacy and Electronic Communications Regulations (PECR). France puts the EU Cookie Law in Article 82 of its Data Protection Law (the Loi Informatique et Libertés). And in Ireland, the law is implemented via the country's ePrivacy Regulations.
While there is some variation between these national laws, the rules on cookies are essentially the same.
Recital 25 of the ePrivacy Directive gives the gist of what the law has to say about cookies:
- Cookies aren't necessarily bad. They can be helpful and legitimate.
- You should offer people a user-friendly way to consent to cookies.
These are the essential rules under the EU Cookie Law. But as we'll see, things get a little more complicated when it comes to applying the law in practice.
The ePrivacy Directive is due to be repealed by a new law called the ePrivacy Regulation. That proposal has been subject to major delays and had not been adopted at the time of writing, so the Directive and its national implementations remain the rules you have to follow.
Who Does the EU Cookie Law Apply to?
The EU Cookie Law applies to website and app operators. If you run a website or app, you're responsible for ensuring your cookies comply with the rules.
The law applies to companies of all sizes in all sectors, regardless of revenues or number of employees. But does the EU Cookie Law apply to companies based outside of Europe?
If your company has any European presence, it's covered by the EU Cookie Law. If you don't have any European presence, the answer is a little more complicated.
Most European countries have given their data protection regulators the power to investigate non-European companies under the EU Cookie Law. So if someone in France complains about your cookies, you might hear from the French regulator.
Plus, if you're targeting customers in Europe, you're likely covered by the GDPR. As mentioned, the GDPR interacts with the EU Cookie Law in some important ways.
To be safe, you should consider complying with the EU Cookie Law in respect of European users, whether or not you have any presence in Europe.
What Does the EU Cookie Law Require?
The EU Cookie Law requires website and app operators to:
- Get consent for certain types of cookies (and other trackers)
- Provide certain information about their cookies
The relevant part of the law is Article 5(3) of the ePrivacy Directive, in the form introduced by the 2009 amendment (Directive 2009/136/EC). It requires consent for storing information on, or accessing information already stored in, a user's device, with two exemptions that we'll look at below.
The ePrivacy Directive as a whole requires much more than this, but we're focusing on the cookie-related parts.
Which Cookies Require Consent?
As a general rule, the EU Cookie Law requires consent for cookies that are used for the following purposes:
- Social media tracking
It's also important to note that the law also requires consent for some things other than cookies.
The EU Cookie Law requires website and app operators to obtain consent for "the storing of information" and the "gaining of access to information already stored" in a user's "terminal equipment" (device).
There are plenty of things that can access or store information on a user's device besides cookies, such as:
The law applies to these technologies, too (but we'll use "cookies" as a catch-all).
Which Cookies Do Not Require Consent?
As mentioned, not all cookies require consent. Article 5(3) of the ePrivacy Directive exempts two categories from the consent requirement:
- Cookies used "for the sole purpose of carrying out the transmission of a communication..."
- Cookies that are "strictly necessary (for providing a) service explicitly requested by the user..."
The Article 29 Working Party (the predecessor of the European Data Protection Board, EDPB) adopted an opinion in 2012 (Opinion 04/2012 on Cookie Consent Exemption) which lists cookies that might fall into these two exempt categories. Such cookies include:
- User input cookies
- Authentication cookies
- Multimedia player cookies
- Load-balancing cookies
- User interface customisation cookies
- Certain security cookies, if they are used to authenticate users for a service they have requested
You can normally set the above types of cookies without consent, but they should generally only persist for a single session (except security cookies, which might last longer than a session but should not persist for longer than needed).
Some regulators and national laws interpret the exemptions slightly more permissively, allowing website operators to set certain first-party analytics cookies without consent if they are used only for "aggregate statistical purposes". But this varies from country to country, so check the position of the regulator in each country you target.
How to Get Consent for Cookies
The ePrivacy Directive does not define "consent" itself; it borrows the definition from EU data protection law, which today means the GDPR. So to get consent for cookies, you must follow the GDPR.
The GDPR doesn't provide a set of steps or methods for obtaining cookie consent, but it does define "consent." Your cookie consent solution must meet this definition.
So let's take a look at the GDPR's main definition of consent, at Article 4(11). It defines consent as any freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action.
Article 7 of the GDPR is also relevant: it gives users the right to withdraw consent at any time, and requires that withdrawing consent be as easy as giving it.
So to summarize these provisions, GDPR-valid "consent" has the following six characteristics:
- Freely given
- Specific
- Informed
- Unambiguous
- Given via a clear, affirmative action
- Easy to withdraw
You can clearly apply this consent definition to a cookie consent solution, such as a cookie banner:
- Freely given: Users must be able to refuse without losing access to your site or being nagged until they give in.
- Specific: Don't "bundle" cookie consent with consent for other activities.
- Informed: Give users the right information about cookies.
- Unambiguous: Make it clear what you're asking consent for.
- Given via a clear, affirmative action: Don't use pre-ticked boxes or assume that inaction (such as scrolling or continuing to browse) means consent.
- Easy to withdraw: Provide a way for your users to easily withdraw their consent if they change their minds.
In practice, this means your cookie banner must, for example:
- Provide "accept" and "refuse" options that are both accessible with one click
- Offer the "refuse" option up front, not buried in a menu
- Use buttons of the same size and color for "accept" and "refuse"
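To make the consent characteristics above, the session-only rule for exempt cookies (see "Which Cookies Do Not Require Consent?") and the six-month cap on consent records concrete, here is an added example in JavaScript. It is not code from the original article or from any consent product. It is written as plain logic with no DOM so it can be exercised under Node; the class name ConsentGate, the setCookie callback, the category names and the cookie_consent record format are assumptions chosen for illustration. Third-party loaders registered under a non-essential category are held back until an explicit accept, essential cookies are issued without Max-Age so they end with the browsing session, and a stored consent record older than six months is treated as no consent.

```javascript
// Added example (not from the original article): a minimal consent gate as plain
// logic, with no DOM, so it runs under Node. ConsentGate, the setCookie callback,
// the category names and the cookie_consent record format are all assumptions.

const SIX_MONTHS = 6 * 30 * 24 * 60 * 60;  // retention cap for the consent record (seconds)
const ESSENTIAL = new Set(['auth', 'load-balancing', 'csrf', 'user-input']); // exempt categories

// Read a prior consent record out of a Cookie request header. Returns the accepted
// categories, or [] if the record is absent, malformed, or older than six months.
function loadStoredConsent(cookieHeader, nowSeconds) {
  const pair = (cookieHeader || '').split(';').map(s => s.trim())
    .find(s => s.startsWith('cookie_consent='));
  if (!pair) return [];
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice('cookie_consent='.length)));
    if (rec.v !== 1 || typeof rec.ts !== 'number' || !Array.isArray(rec.accepted)) return [];
    if (nowSeconds - rec.ts > SIX_MONTHS) return [];   // stale record: ask the user again
    return rec.accepted.filter(c => typeof c === 'string');
  } catch (e) {
    return [];                                         // malformed record counts as no consent
  }
}

class ConsentGate {
  // setCookie receives a Set-Cookie string; inject document.cookie or a response header
  // writer. nowSeconds is injectable so the expiry logic can be tested deterministically.
  constructor(setCookie, nowSeconds = () => Math.floor(Date.now() / 1000), restored = []) {
    this.setCookie = setCookie;
    this.now = nowSeconds;
    this.consented = new Set(restored);  // starts empty: nothing is pre-ticked
    this.pending = new Map();            // category -> loaders held back until consent
    this.loaded = [];                    // audit trail of categories that actually ran
  }

  // Strictly necessary cookies need no consent but are session-only:
  // no Max-Age or Expires, so they do not outlive the browsing session.
  setEssentialCookie(name, value) {
    this.setCookie(`${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`);
  }

  // Queue a third-party loader (analytics tag, social widget) under a category.
  // It runs now only if the user has already consented to that category.
  register(category, loader) {
    if (ESSENTIAL.has(category)) throw new Error(`'${category}' is exempt; use setEssentialCookie`);
    if (this.consented.has(category)) return this.runLoader(category, loader);
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
  }

  runLoader(category, loader) { loader(); this.loaded.push(category); }

  // Wire this to the "accept" button only, never to scrolling, a timer or page load.
  accept(categories) {
    for (const c of categories) {
      this.consented.add(c);
      for (const loader of this.pending.get(c) || []) this.runLoader(c, loader);
      this.pending.delete(c);
    }
    this.persistChoice();
  }

  // "Refuse" costs one call, like "accept": it records the refusal (so the banner is not
  // re-shown on every page) and releases nothing.
  refuseAll() {
    this.consented.clear();
    this.persistChoice();
  }

  // Withdrawal drops the record so no category is treated as consented from now on.
  // Scripts already executed cannot be un-run; cookies they set must be expired separately.
  withdraw() {
    this.consented.clear();
    this.setCookie('cookie_consent=; Path=/; Max-Age=0; Secure; SameSite=Lax');
  }

  persistChoice() {
    const record = { v: 1, ts: this.now(), accepted: [...this.consented].sort() };
    this.setCookie(`cookie_consent=${encodeURIComponent(JSON.stringify(record))}; Path=/; Max-Age=${SIX_MONTHS}; Secure; SameSite=Lax`);
  }
}

// First visit: the session cookie is set at once, the analytics tag waits for "accept".
function demoFirstVisit() {
  const headers = [];                                  // constructed: captured Set-Cookie strings
  const gate = new ConsentGate(h => headers.push(h), () => 1700000000);
  gate.setEssentialCookie('sid', 'abc123');
  let analyticsRan = false;
  gate.register('analytics', () => { analyticsRan = true; });
  const beforeAccept = analyticsRan;
  gate.accept(['analytics']);
  return { headers, beforeAccept, afterAccept: analyticsRan, loaded: gate.loaded };
}
```

In a browser you would pass `h => { document.cookie = h; }` as the setCookie callback and wire `accept()` and `refuseAll()` to two equally prominent buttons; on a server you would pass a wrapper around the response's Set-Cookie header. Note that HttpOnly cannot be set from document.cookie, so the essential session cookie in this example is meant to be issued by the server. The point of the `loaded` audit trail is that you can prove, per category, that nothing ran before the user's affirmative action.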
We'll look at some real-world cookie consent examples later in the article.
What Information to Provide About Cookies
Again, when providing information about cookies, you should follow the GDPR.
Bear in mind that you should provide cookies information before you set any cookies on your user's device. But you also need to provide "comprehensive" information. Getting the balance right can be tricky.
The UK's data regulator, the Information Commissioner's Office (ICO), summarizes the information you have to provide about your cookies. According to the ICO, you should tell users:
- What cookies you use
- Why you use those cookies
- Any other companies with whom you share cookie data
- How long cookies will remain on your users' devices
(A reminder that this applies to all types of trackers, not just cookies).
While your cookie information has to be "comprehensive," try not to overwhelm your users.
There are two places you can provide cookie information:
- On your cookie consent solution (e.g. cookie banner)
- In a Cookies Policy (or the cookies section of your Privacy Policy)
We'll look at some real-world examples of how to provide cookies information in the "Cookie Consent Examples" section below.
Country-Specific Differences
The requirements above are the minimum that every EU member state must implement, but a number of countries have adopted additional measures to ensure and enhance online privacy.
Here's a list of EU countries with their specific requirements:
Additional requirements and instructions:
Users must be informed of:
The following must be provided:
Website operators are allowed to rely on implied consent when the notice about cookies is clearly visible, clearly states that further browsing constitutes consent, and that the notice remains visible until the user continues to browse the site.
The first time a visitor visits a website, they must be given notice that includes:
Consent may be obtained via browser or other app settings. A 2-step process is required.
Step 1: Place a Cookie Banner
Step 2: Cookie Notice
A website must have a separate page that contains information on:
This page must be linked to in the cookie banner.
Cookies can only be placed if clear, comprehensive notice and information has been provided to the user, and clear consent obtained.
If consent is obtained electronically, the operator of the website must ensure the following:
Within your Cookies Policy and/or cookie banner, state the expiration time of any cookies that collect personal information, such as 1 year, 5 years, etc.
Get consent by affirmative action such as checking a box.
Informed consent must be obtained before placing non-essential cookies.
Consent must be obtained for third party cookies.
First party cookies can be placed subject to either consent or legitimate interests where appropriate.
Consent must be obtained before placing cookies aside from strictly necessary ones or communication ones. Consent must be to the GDPR standard of "freely given, specific, informed and unambiguous."
Consent cookies should have a maximum retention period of 6 months.
When a user accesses a website, a banner must immediately appear that contains cookies notice, including:
Consent is not required for technical cookies, but consent is the only way to legally use profiling cookies.
Consent can only be obtained by a strict opt-in method. No implied consent is allowed.
The State Data Protection Inspectorate has provided the following ways for consent to be obtained:
Information about cookies, consent, and the offering of the right to refuse consent to cookies being used must be provided in a way that is as user-friendly as possible.
Consent must be obtained before placing any cookies aside from strictly necessary cookies.
GDPR-compliant levels of informed consent must be obtained.
Cookie walls, pre-ticked checkboxes and assuming consent by scrolling are not allowed as valid consent-obtaining methods.
GDPR-compliant consent must be obtained for non-essential cookies.
Allow users to access your site even if they decline consent for cookies.
Consent may be obtained via browser or other app settings as long as somewhere on the website there is clear and user-friendly information about:
A GDPR-compliant level of consent should be obtained for non-essential cookies.
Users must be given clear, comprehensive information about cookies usage. This information must satisfy Romanian data protection rules that require transparency information about how individual personal data is processed by a website.
Consent should be GDPR compliant for non-essential cookies.
Freely-given, informed opt-in consent must be obtained for non-essential cookies.
GDPR-compliant consent must be obtained before non-essential cookies are used.
Before giving consent, users must be presented with information about who will be processing the data obtained from the cookies, and what the purpose of the processing is.
This can be obtained by providing an informative cookie consent notice, and/or with a Cookies Policy.
A user must take a conscious and positive action in order for consent to be obtained or implied, and a user must be informed of what action/s will amount to appropriate consent.
Common and preferred methods include standard "click to accept" boxes in agreements.
Users must be given access to transparent information such as what cookies are used, who will use them, and why. Having a Cookies Policy will satisfy this requirement.
Active, informed consent must be obtained, and records of this stored for 5 years. Users must be able to easily withdraw consent at any time.
You must obtain active and clearly given consent for all non-essential cookies.
You must also inform people about what cookies do and why you are using the ones you use.
Enforcement and Penalties Under the EU Cookie Law
The EU Cookie Law is enforced by Europe's Data Protection Authorities (DPAs). DPAs can take action under the EU Cookie Law (or the broader ePrivacy Directive) proactively or in response to a complaint from someone in their jurisdiction.
The EDPB, which consists of all EU DPAs, even set up a "Cookie Banner Taskforce" in response to the hundreds of complaints about non-compliant cookie consent solutions.
And unlike under the GDPR, most DPAs can directly investigate cookies complaints, even when the non-compliant company has its "main establishment" (main base of EU operations) outside of their jurisdiction.
This is why we see the French DPA, the CNIL, regularly enforcing EU cookie rules against companies whose main establishment is in Ireland, such as Google, Meta and TikTok. In GDPR cases, France would have to refer these complaints to the Irish DPA as lead authority.
Fines under the EU Cookie Law vary from country to country.
For example, France enforces cookie violations under the French Data Protection Law. Under this law, violations of the EU Cookie Law are punished at the same level as violations of the GDPR.
The maximum fine is the higher of either:
- €20 million (approximately $22 million), or
- 4% of worldwide annual turnover for the previous financial year
Other countries have different systems. In the UK, for example, the maximum fine is £500,000 (around $616,000). However, the UK is considering changing its rules soon, to bring these penalties up to GDPR level.
And remember that cookie data can count as personal data under the GDPR, so violating the rules on cookies can also mean violating the GDPR.
Cookie Consent Examples
Now let's look at some real-life examples of cookie consent.
Here's a good example of a simple cookie consent banner to get us started, from the European Central Bank:
Here's another example, from Lego:
This example offers two main choices, "Just Necessary" and "Accept All." If you want to customize which cookies Lego sets, you can choose "Cookie Settings." The cookie banner provides more detailed information than our first example.
There are a few things worth noting about this cookie banner.
First, the "Just Necessary" option might be a little unclear to some users. However, it reflects the fact that Lego will still set some "necessary" (or "essential") cookies regardless of whether the user consents.
Second, the cookie banner is relatively large. Users can't actually view the page behind the banner unless they choose an option. This might not meet the "freely given" element of consent as the user may click without thinking just to get rid of the banner.
Let's look at one more example, from law firm DWF:
This example would appear to meet the GDPR's consent standards.
For more examples of how to implement a cookie banner, see our article Cookie Consent Examples.
Conclusion
The EU Cookie Law is part of the EU's ePrivacy Directive. Each EU country (plus the UK, Iceland, Liechtenstein, and Norway) implements the law slightly differently.
The EU Cookie Law applies to website and app operators.
To comply, you must get consent for non-essential cookies, for example via a cookie banner. Your consent request must meet the standards set out in the GDPR.
Enforcement of the EU Cookie Law works differently in different countries, but penalties can be as high as €20 million or 4% of annual worldwide turnover.