EU Cookies Directive

EU Cookies Directive

The EU e-Privacy Directive is a part of the European Union's strive to enhance online privacy for its citizens.

The Cookies Directive was adopted as an amendment to the e-Privacy Directive in May of 2011 by all countries in the EU.

Websites that are either owned by EU businesses or directed towards EU citizens must inform visitors that cookies are in use, how these cookies are used, and obtain consent before cookies can be used.

You can do that through a Cookies Policy or a Privacy Policy.

You must give users of your website/mobile app the right to refuse the use of cookies. This can mean that users can't use your website/mobile app to its full functionality, but users must be able to refuse.

Websites are able to satisfy this requirement by using pop-up windows or notifications in the top headers that either included information about cookies or provided a link to where this information was located on the website (i.e. to a separate Cookies Policy or to the website's existing Privacy Policy with a Cookies-specific section.)

Check out our free tools for website owners:

  • Cookie Consent - a free cookie consent solution to comply with GDPR + ePrivacy Directive.
  • CCPA Opt-Out - a free CCPA opt-out solution to allow visitors to opt-out from personalized ads and comply with GDPR.
  • I Agree Checkbox - a free solution to enforce your legal agreements.

Generate legal agreements for your website or app in minutes with TermsFeed: Privacy Policy, Terms & Conditions, Cookies Policy and more.

Below are two examples of ways that websites could satisfy the EU Cookies Directive with informative pop-ups and header banners.

Here's how the BBC notifies users about cookies:

BBC Notification: Cookies on website

Here's how the ICO website does it:

ICO Notification: Cookies are in use on website

Methods of opting out of cookie usage must also be put in place and made known to your website visitors.

Requirements by the EU Cookies law

The following are minimum requirements that all businesses within the EU must follow.

Country-specific differences in requirements above and beyond these minimums are discussed after this section, at Country-specific differences.

1. Users must be informed that cookies are being used on your website, including:

  • What cookies are used
  • Why they are used
  • How they are used

You can provide a notice, such as a banner, that makes it clear to users that your website or mobile app is using cookies.

This notice:

  • Must be written in clear language that's easy to understand and placed somewhere easy to notice on the website or mobile app, and
  • Must provide a link where the detailed Cookies Policy is located on your website or a link to your Privacy Policy where a "Cookies" section is added, if you don't use a separate Cookies Policy agreement for this purpose.

Below is an example from the Thomas Cook website with a huge banner that provides adequate notice, links to its Cookie Policy and has a clear button for accepting cookies.

Thomas Cook Cookies Notification in the Header

2. Prior informed, specific, and voluntary consent must be obtained before cookies are placed on a user's computer equipment and before information about a user's computer equipment is accessed.When obtaining consent, there are two methods that are allowable here:

  • Affirmative action/explicit consent

    Clear and explicit affirmative consent can be obtained by placing a check box or a clickable button in the notice and requiring a user to click in order to consent.

    The example below shows a button that is labeled with "I Agree" and will work to obtain affirmative consent.

  • WeTransfer: I agree button

  • Further browsing/implied consent

    Implied consent will qualify as enough consent to make cookies placement valid so long as the following conditions are met:

    1. There must be a notice that cookies are being used, and it must be displayed in a clearly visible and unmissable way on the homepage so that upon first visiting the site or using the mobile app, a user will see it
    2. This notice must make it very clear to the user that by continuing to browse the website, consent to place cookies on their device will be implied
    3. This notice must remain visible until the user actually continues browsing the website

    Below is an example of how implied consent can be obtained by using banner ads that make it known that continuing to browse will be taken as consent.

  • Notification box: By continuing with website, you agree to

The following types of cookies can be used without first obtaining consent from the user:

  1. Cookies that are used solely for the purpose of transmitting a communication, and
  2. Cookies that are absolutely necessary for a website to provide the service that the user is requesting.

Examples of cookies under these exceptions include:

  1. Authentication Cookies that identify a user for the duration of the session once that user logs in to a website and uses the site.

    Below is an example of a user login box that would place an authentication cookie on a user's computer when the "Remember Me" box is checked so that the user will actually be remembered the next time he reaches this page and this login box:

  2. SalesForce Login with Remember Me

  3. Multimedia Content Player Cookies that store technical data for the duration of a session where video or audio content is played on a website.

    Here's how SoundCloud always links to its Cookies Policy from all embeds:

  4. Cookies Policy from SoundCloud Embed

  5. User Input Cookies that help keep track of data a user puts in to a website during a session, including information for filling out forms, or for items added to an e-commerce site shopping cart.

Country-specific differences

While the above requirements are the minimum requirements that all EU member countries must follow, a number of countries have adopted custom measurements to ensure and enhance online privacy.

Here's the full list of EU countries with additional requirements:

Country Additional Requirements and Instructions
Austria

Users must be informed of:

  • The legal basis for processing data, and
  • The duration of the storage

Implied consent to use cookies is allowed under amendments to the Telecommunications Act when browser or app settings infer consent.

Belgium Website operators are allowed to rely on implied consent when that implied consent is "freely given, unambiguous, specific and informed."
Bulgaria
  • A mechanism for refusing consent must be provided to users.
  • All collected data must be destroyed after the expiration of a specified period of time.
Denmark

The first time a visitor visits a website, he must be given notice that includes:

  • Information on cookies usage by that website and potentially by any third parties,
  • A consent request message that provides a link to a detailed cookie policy and information on how to decline the website's use of cookies.This message can contain language that instructs a user that by continuing to use the site and not actively declining the use of cookies, implied consent will be obtained.

The Cookie Policy must be easily accessible and visible, such as by placing a link at the top or bottom of a website alongside the Terms and Conditions or Privacy Policy links.

Finland Consent may be obtained via browser or other app settings.
France

Consent may be obtained via browser or other app settings. A 2-step process is required.

Step 1: Place a Cookie Banner

  • The cookie banner must remain on the web page until a user clicks elsewhere on a site and must provide the following information:
  • The purpose of the cookies that the website seeks to place,
  • A way for a user to decline or object to the use of cookies,
  • A link provided to where these settings can be modified to reflect a decline or objection, and
  • Information that states that if the user continues to navigate the site without actively declining or objecting the use of cookies, consent will be implied.

Step 2: Cookie Notice

A website must have a separate page that contains information on:

  • The use of cookies on the website and the purpose the cookies serve, and
  • A way for a user to reject these cookies.

This page must be linked to in the cookie banner.

Germany

If consent is obtained electronically, the operator of the website must ensure the following:

  • That consent was clearly and actively given after being informed of the right to revoke consent at any time,
  • That a record of this consent is kept,
  • That users are able to access and view their consent status at any time, and
  • That users can revoke consent at any time.
Greece Consent may be obtained via browser or other app settings.
Hungary

Consent may be obtained via browser or other app settings.

Consent is allowed to be obtained after cookies have been placed on a user's device.

Iceland Consent may be obtained via browser or other app settings.
Ireland

Regulations are rather vague here when it comes to how information about cookies is shared with visitors to a website, and how consent should be obtained and say that this should all be as user-friendly as possible.

While consent may be obtained via browser or other app settings, a Guidance Note by the Data Protection Office states that settings that are currently available as standard on website browsers are not sufficient to be used to obtain consent.

Italy

When a user accesses a website, a banner must immediately appear that contains cookies notice, including:

  • A link to the full text of the Cookies Policy that includes:

    • information on specific types of cookies used, and
    • whether the site uses third-party cookies,
  • A link to an area where a user is able to select which specific cookies he or she wishes to allow or disallow.
  • Notice that if the user continues to use the website, consent to the use of cookies will be adequately implied.

If any technologies that allow profiling, such as analyzing purchase behavior or user choices to identify the unique personality traits of a user are used, notification must be given to the Italian Data Protection Authority.

Latvia Consent can only be obtained by a strict opt-in method. No implied consent is allowed.
Lithuania

The State Data Protection Inspectorate has provided the following ways for consent to be obtained:

  • Pop-ups
  • Information at the top of the main webpage/homepage
  • Individual cookie consent in a registration section of the webpage.
Luxembourg

Information about cookies, consent, and the offering of the right to refuse consent to cookies being used must be provided in a way that is as user-friendly as possible.

Consent may be obtained via browser or other app settings.

Malta While consent may be obtained via browser or other app settings, the local DPA recommends against relying on this method as the method of establishing consent.
Netherlands

Identities of any and all third-party ad networks on a website must be disclosed to users of the site. Clicking on a link to obtain more information about the cookies in use on a site does not count as obtaining consent.

Cookie policies must be site-specific and not generic.

Norway

Consent may be obtained via browser or other app settings as long as somewhere on the website there is clear and user-friendly information about:

  • What kinds of cookies are being used,
  • What other similar technologies, if any, are being used,
  • What user information will be processed,
  • Who is processing this information, and
  • Why this information is being processed.
Poland Consent may be obtained via browser or other app settings.
Romania

Users must be given clear, comprehensive information about cookies usage. This information must satisfy Romanian data protection rules that require transparency information about how individual personal data is processed by a website.

Consent may be obtained via browser or other app settings.

Slovakia Consent may be obtained via browser or other app settings.
Slovenia Consent may be obtained via browser or other app settings.
Spain

A user must take a conscious and positive action in order for consent to be obtained or implied, and a user must be informed of what action/s will amount to appropriate consent.

Common and preferred methods include standard "click to accept" boxes in agreements.

Separate Cookies policies are suggested, separating this information from Terms and Conditions and Privacy Policies.

Sweden Consent may be obtained via browser or other app settings, but this may change in the future.
United Kingdom

Consent may be obtained via browser or other app settings, however the ICO has indicated that current standard browser settings options are not sufficient for obtaining this consent.

Explicit and active consent are highly favored and recommended.

Website owners and operators are expected to conduct cookie audits on their websites and determine appropriate cookie consent strategies meant to protect privacy of users.

Sara P.

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.