There is a lot of confusion about cookies and what is required of a business that hopes to use them. In this FAQ, we'll answer some common questions about the use of cookies to help clarify the nuances of the law, best practice and compliance.

We'll be considering topics like the legal status of cookies, the treatment of cookies in the European Union (EU), methods for obtaining consent to place cookies and standards for creating a Cookie Policy.

Are cookies necessary?

Not all cookies are necessary. Some are used for the benefit of the company operating the website, or for the benefit of third parties. These cookies include those involved in advertising, tracking and analytics.

While advertising and analytics cookies might be "necessary" from a business perspective, this does not mean they are necessary under the law. Remember that there are many ways to advertise online. Not all types of advertising involve cookies or the processing of personal data.

Even some cookies that are used to improve the functioning of a website are not necessary from a legal perspective. These sort of cookies might feel necessary to the operator of a website. But they aren't necessary from the point of view of the user, whose personal data is being processed via the use of such cookies.

Cookies can be necessary either for maintaining a website's functioning or providing a service to the user.

The Article 29 Working Party, the group of EU data protection authorities that was set up to provide guidance on EU data protection law (since replaced by the European Data Protection Board), considered the following types of cookies to be "necessary" under the EU's ePrivacy Directive in its 2012 opinion on the cookie consent exemption:

  • User input cookies that keep track of form inputs, the contents of a shopping cart, etc.
  • Authentication cookies to keep people logged in for the duration of their session
  • Multimedia player session cookies, e.g. to remember a user's position within a Flash video
  • Load-balancing session cookies
  • Interface customization cookies to maintain display preferences, etc.
  • Third-party cookies used for sharing content over social media (for logged-in users)

Consent is not required for these sorts of "necessary" cookies.

Are cookies illegal in Europe?

No, cookies aren't illegal in Europe. But the use of cookies in the EU is heavily regulated compared to most other jurisdictions.

The main EU law regulating the use of cookies is known as the ePrivacy Directive or "Cookies Directive." It requires that website and app operators obtain consent before setting certain cookies.

Not all cookies require consent. You don't need to ask for consent to set cookies which are:

  • Used only for the "transmission of a communication"
  • Strictly necessary (from the user's point of view) to deliver a service

Where a cookie doesn't meet the criteria above, it will require consent. This includes where a cookie is used for analytics.

What is the ePrivacy Directive?

The ePrivacy Directive is an EU law originating from 2002. It's sometimes known as the "Cookies Directive" due to a 2009 amendment that clarified the rules around cookies.

One reason that the ePrivacy Directive is important for online advertising is that it requires website and app operators to obtain consent whenever they wish to:

  • Store information on a person's device, or
  • Access information already stored on that device

This is what cookies are used for, and so as a result, they require consent (with a few exceptions, as discussed above).

The ePrivacy Directive also regulates direct marketing via email, phone, fax, and SMS. It fulfills some of the same functions as anti-spam legislation like CAN-SPAM in the United States. Therefore, it's a very important law for businesses operating in the EU.

The EU is currently (as of September 2019) in the process of creating the ePrivacy Regulation, which will replace the ePrivacy Directive. This will provide new rules on cookies.

What is the Privacy and Electronic Communications Regulations 2003?

The Privacy and Electronic Communications Regulations 2003 (PECR) is the implementing legislation for the ePrivacy Directive in the United Kingdom (UK).

What do we mean by "implementing legislation?"

The ePrivacy Directive is, as the name suggests, a directive, rather than a regulation. The difference is as follows:

  • A regulation takes "direct effect" in the national law of EU countries, without the need to pass further legislation.
  • A directive requires each individual EU country to pass national "implementing legislation" before it becomes law in that country.

This means that the ePrivacy Directive might be interpreted quite differently from one EU country to another. The PECR is the UK's version of the ePrivacy Directive.

For all intents and purposes, the PECR is not all that different from the ePrivacy Directive. But it is amended regularly, and the latest version took effect in January 2019.

This latest PECR amendment banned "cold calling" from certain types of companies and introduced legal liability for directors of companies that breach the rules on marketing.

It's important for any company engaged in electronic marketing in the UK to be familiar with the PECR.

Somewhat confusingly, an important EU regulation called the General Data Protection Regulation (GDPR) also has national legislation alongside it, despite being a regulation. This is because the final version of the GDPR left EU countries some discretion over how to apply certain parts of the law (for example, the age of consent for children's data). The UK legislation that supplements and tailors the GDPR is called the Data Protection Act 2018.

Does the GDPR apply to cookies?

Yes, the GDPR applies to cookies. The ePrivacy Directive sets the "ground rules" when it comes to cookies, i.e. that certain cookies require consent. The GDPR sets the standard of consent. It regulates how you must ask for consent.

The standard of consent under the GDPR is very high - higher than under any other major privacy or data protection law, and higher than under the EU's previous data protection law, the Data Protection Directive.

Article 4 of the GDPR defines consent as:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

So, to be valid under the GDPR, consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Made via a clear affirmative action

This adds up to a requirement that consent for cookies can't be assumed ("opt-out"). Consent must be obtained via a mechanism that informs the user about the implications of giving consent and requires them to take affirmative action to indicate that they consent. Pre-ticked boxes, continued browsing or silence do not count.

A "cookie banner," when correctly executed, can achieve this.

Are cookies considered personal data under the GDPR?

Yes, cookies (or at least, some cookies) are considered personal data under the GDPR.

The GDPR only actually mentions cookies once, in Recital 30, which lists cookie identifiers among the "online identifiers" that can be used to identify natural persons. So any cookie that could be used, alone or combined with other data, to identify a person should be treated as personal data.

It might sound a little tenuous to say that cookies could be used to identify a specific person. But cookies can be used to track a person's internet activity, including their purchases, searches, and certain social media activity.

This is highly personal information, and if combined with other data it could easily reveal a person's identity.

What is a Cookie Policy?

A Cookie Policy is a notice providing information about how a website or app uses cookies.

If you're using cookies that track user behavior or collect personal data, you'll need a Cookie Policy, or a Privacy Policy that explains your use of cookies. This rule applies in many countries, even outside of the EU.

For example, under the California Online Privacy Protection Act (CalOPPA), commercial websites accessible in California require a Privacy Policy if they collect "personally identifiable information" (personal data).

Your Cookie Policy (or the "cookies" section of your Privacy Policy) should provide information about:

  • What cookies are
  • How you use cookies
  • Any third-parties whose cookies are set by your website
  • Analytics or remarketing (if you engage in these practices)
  • Any other tracking technologies you use, e.g. web beacons
  • Which types of cookies are used on your website
  • How to give or withdraw consent for cookies

Do I need a separate Cookie Policy?

You don't necessarily need a separate Cookie Policy if your website or app uses cookies, but you must let your users know how you use them.

You can either explain your use of cookies in a section of your Privacy Policy, or create a separate Cookie Policy alongside it. A separate policy is the approach that works for many companies, because it is easier to link to from a cookie banner.

The GDPR gives a clear requirement to provide transparent information about the use of cookies. Failure to comply with this requirement can lead to an investigation by a Data Protection Authority such as the Information Commissioner's Office (ICO).

What is cookie consent?

Cookie consent is the expression of a person's permission for a website or app to place cookies on their device.

Cookies can be used to collect information about a person's internet activity. This information can be used to deliver personalized advertising. These are known as "tracking" or "behavioral advertising" cookies.

Such cookies can interfere with a person's privacy. This is why in certain places, such as the European Union (EU), it is necessary to ask for consent before your website places them. But even beyond the EU, this can be necessary.

What is a cookie banner?

A cookie banner is a method that many websites use to request a user's consent for cookies.

Typically, a cookie banner will appear as a small strip of text at the top or bottom of a website. The text informs a website's user that the website uses cookies, and requests consent to store cookies on the user's device.

Cookie banners get rather bad press as, when poorly executed, they can be irritating. A cookie banner can get in a user's way as they attempt to use the website. A cookie banner might inform the user that the website uses cookies, but offer no alternative to accepting cookies.

Here's an example from Fonetti:

[Image: Fonetti cookie banner]

A good cookie banner will not be too intrusive. It will allow the user to comfortably navigate the website even if they choose to ignore the cookie banner. It will give a brief explanation of how the website uses cookies and will provide a link to the website's Privacy Policy. It will offer the option to either accept or reject cookies.

Here's a good example of a cookie banner from the BBC:

[Image: BBC small cookie banner]

When opting to reject cookies on the BBC's website, users are taken to a page offering the following options:

[Image: BBC cookies personalisation settings page]

The backend function of a cookie banner is also important.

A cookie banner that appears to request consent is functionally pointless for the user if the cookies have already been set by default when the page loaded. Part of the purpose of a cookie banner is therefore to act as a gate: non-essential cookies (and the third-party scripts that set them) are only set once the user's consent has been confirmed, and are not set at all if the user rejects them or makes no choice.

A cookie banner should be a means by which to facilitate a user's genuine consent to the use of cookies, not a retrospective notification that cookies have already been set.
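The following is an added example of the gating logic described above; it is not code from the original page or from any of the websites mentioned. It assumes a cookie registry that classifies each cookie as "necessary", "analytics" or "advertising" (the "necessary" entries follow the Article 29 Working Party exemptions listed earlier), and a first-party cookie named cookie_consent that records the user's choice. The cookie jar is an in-memory stand-in so the logic can run outside a browser; on a real page it would read and write document.cookie, and the same gate would decide whether to inject third-party script tags.

```javascript
// Added example (not the original page's code): consent-gated cookie setting.
// Category names, cookie names and the consent cookie name are assumptions.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Constructed registry mapping each cookie to its category. "necessary" covers
// the Article 29 Working Party exemptions (session, shopping cart, login).
const COOKIE_REGISTRY = {
  sessionid: "necessary",
  cart: "necessary",
  _ga: "analytics",
  ad_uid: "advertising",
};

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the first-party consent record

// Minimal cookie jar so the logic runs without a browser. In a page, back this
// with document.cookie instead of a Map.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    names: () => [...store.keys()],
  };
}

// Read the stored choice. A missing or malformed record means "no decision yet",
// which must be treated exactly like a rejection, never like consent.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    if (typeof parsed !== "object" || parsed === null) return null;
    const consent = {};
    for (const c of CATEGORIES) consent[c] = c === "necessary" ? true : parsed[c] === true;
    return consent;
  } catch (e) {
    return null;
  }
}

// Record the explicit choice made in the banner. Anything not affirmatively
// opted in is stored as false (no defaults, no pre-ticked boxes).
function recordConsent(jar, choice) {
  const decision = {};
  for (const c of CATEGORIES) decision[c] = c === "necessary" ? true : choice[c] === true;
  jar.set(CONSENT_COOKIE, JSON.stringify(decision));
  return decision;
}

// The gate: a cookie may be stored only if it is necessary, or if its category
// has been opted in. Unregistered cookies are never stored.
function mayStore(jar, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false;
  if (category === "necessary") return true;
  const consent = readConsent(jar);
  return consent !== null && consent[category] === true;
}

// Every cookie write goes through the gate; returns whether it was stored.
function setCookie(jar, name, value) {
  if (!mayStore(jar, name)) return false;
  jar.set(name, value);
  return true;
}

// Walk through one visit to show that the banner is a gate, not a notice.
function simulateVisit() {
  const jar = memoryJar();
  const log = [];
  // Page load, no decision yet: session cookie is fine, analytics is blocked.
  log.push(["sessionid on load", setCookie(jar, "sessionid", "abc")]);
  log.push(["_ga on load", setCookie(jar, "_ga", "GA1.1")]);
  // User clicks "Reject": the decision is recorded, tracking stays blocked.
  recordConsent(jar, { analytics: false, advertising: false });
  log.push(["_ga after reject", setCookie(jar, "_ga", "GA1.1")]);
  // User later opens the settings page and allows analytics only.
  recordConsent(jar, { analytics: true });
  log.push(["_ga after analytics opt-in", setCookie(jar, "_ga", "GA1.1")]);
  log.push(["ad_uid after analytics opt-in", setCookie(jar, "ad_uid", "xyz")]);
  return { log, cookies: jar.names().sort() };
}
```

Note that the consent record itself is a necessary first-party cookie: without it the site could not remember the user's refusal, and would have to show the banner on every page.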

What is the ICO?

The ICO is the Information Commissioner's Office, which is the UK's Data Protection Authority (DPA). Other DPAs exist in each EU country.

The ICO is responsible for enforcing data protection and privacy law in the UK. This includes the Data Protection Act 2018 (the UK's implementation of the GDPR) and the Privacy and Electronic Communications Regulations 2003 (the UK's implementation of the ePrivacy Directive).

Part of the ICO's job is to regulate the use of cookies. The ICO receives hundreds of complaints per year relating to the use of cookies.

If a person believes that a business (or any other organization or person) has violated data protection or privacy law, they can report that organization to the ICO. The ICO can then investigate the alleged violation and enforce penalties where appropriate.

These penalties vary depending on which law has been violated. For a breach of the GDPR (as applied in the UK through the Data Protection Act 2018), the maximum penalty is a fine of €20 million or 4 percent of the company's annual worldwide turnover, whichever is greater. Breaches of the PECR carry a lower maximum fine under the older penalty regime.
