The ePrivacy Directive (also known as the EU cookie law) is a European Union regulation that controls how your website, through cookies and trackers, collects and processes the personal data of EU Citizens.
After General Data Protection Regulation (GDPR), the EU cookie law is one of the most demanding and stringent data privacy regulations. It requires you, the business owner, to obtain explicit consent from end-users before loading cookies onto their websites.
This article will dive deeper into EU cookie law why you need a consent management platform for your business websites & Apps in 2023.
According to the EU Cookie Law, if your website has visitors from within the EU, you must –
Withhold all cookies and trackers until users provide consent
Give end-users easy-to-understand information about all cookies and trackers on your domain
Gain end-user consent to all cookies and trackers in use in a friendly manner
Enable end-users to refuse or withdraw consent in a quick and easy manner
Quick EU cookie law (ePrivacy Directive) breakdown
The EU cookie law (ePrivacy Directive) was enacted in 2002 and amended effective in 2011.
The EU cookie law (ePrivacy Directive) regulates the collection and processing of personal data through cookies on a website, which eventually comes into the electronic communications sector.
The EU cookie law (ePrivacy Directive) covers all the technology that processes users' data using "cookies," an umbrella term. However, no explicit consent is required for deploying essential cookies (For example, cookies that manage the user's shopping cart content on a webshop).
The EU cookie law (ePrivacy Directive) covers the confidentiality security of networks and unsolicited commercial e-mails ("spam") and e-communications services, among other provisions.
The EU cookie law (ePrivacy Directive) is a directive and a not uniform binding regulation in the EU (as is the GDPR). Each member state implements cookie law concerning its national legislation but must follow the provisions of the directives compulsorily.
The EU cookie law (ePrivacy Directive) can fine up to €20 million or 4% of annual global turnover, whichever is higher if your business is found to be non-compliant.
Combined with the EU's GDPR, the EU cookie law forms an overarching data privacy umbrella in Europe. This includes any website with visitors from within the EU, regardless of where the business is located worldwide.
One thing EU's cookie law is that it doesn't require you to ask for cookie consent for the essential cookies, which are, by default, necessary for the basic functioning of the website. It only asks to take consent for nonessential cookies such as analytical cookies, advertising cookies, and other social media cookies.
Like Brazil's LGPD and South Africa's POPIA, many newer data privacy laws draw inspiration from the EU's data privacy regime, including the ePrivacy Directive's cookie requirements.
The EU cookie law (ePrivacy Directive) is a directive rather than a law. And that's why each respective State of the European Union can exercise this cookie law with regard to their national privacy laws.
There is a special European data protection board, including each representative of the European Union states. This board is responsible for the Regulation, interpretation and implementation of the cookie law in respective countries of the EU.
The requirements of every State can differ slightly, but they all must follow the provisions of the Directive strictly. This is a stark difference from GDPR, a uniform regulation enforced across the European Union.
How does it work? How do you obtain explicit user consent on your website, and what qualifies as valid, "explicit" user consent?
Each member state's data protection authority oversees the enforcement of the EU cookie law at a national level. Still, it does so based on the vast guidelines issued by the European Data Protection Board (EDPB), which consists of representatives from each country.
Under the EDPB, "valid" is defined to be:
Cookies are mentioned only once in the EU cookie law, but the rules are crystal clear.
However, as CPRA is based on an opt-out consent model, the business must comply with the user's request to opt out of the sharing or selling personal data to third parties.
This includes not sharing data for cross-contextual behavioral advertising. Also, they can limit the use of sensitive personal data.
Provide a clear and specific link saying, "Do not sell or share my personal data" and "Limit the use of my sensitive personal information."
Businesses can also rely on preference signals to comply with the above obligations. In such a case, companies must allow consumers to opt out through an opt-out preference signal sent with the consumer's consent.
Even though CPRA doesn't require opt-in consent, you must not load nonessential cookies without notifying the user with a cookie banner.
Under CPRA, businesses must wait for at least 12 months to request the consumer to authorize the sale or sharing of personal information and disclose sensitive personal information.
The General Data Protection Regulation, or GDPR, is the European Union's and the world's first data privacy law enacted in May 2018 to give EU citizens more control over their data and limit businesses' unethical use of personal information for targeting behavioral adverts to EU citizens.
The GDPR is very clear on what they want to provide to the citizens of the EU and the businesses. They want users to have more control over what they want to share and hold back their data. At the same time, they want to straighten up businesses on their use of the citizens' personal data.
Consent Wording: Consent must be informed
Businesses must fully inform the data subject or the individuals of the purpose of data collection and all the vendors or parties involved in processing personal data.
The name of the data processor collecting and processing personal data;
The purpose and the legal basis for personal data processing;
The Data types or categories that will be processed;
Their rights to access, change, or withdraw personal data.
Organizations cannot include consent by default into contracts or pre-ticked boxes on paper or electronic consent forms. Data subjects must be provided with an opt-in method that allows them to pick and choose the level of consent they want.
GDPR discourages pre-ticked boxes on paper or electronic consent forms or embedding consent by default into contracts. Under GDPR, businesses must strictly provide opt-in consent where the user has the freedom to either accept, reject, change the data or change the preference of how their data is used.
Don't repeat the META mistake. Do not assume that you can include consent within your terms and conditions. GDPR has clarified that they want you to separate consent requests from all other matters. Also, make sure it is interactive, accessible, and simple to read and understand. Ensure that you make a systematic process of addressing all the consent requirements.
Under GDPR, Websites shall not deploy or just block all nonessential cookies until the users give their consent through the cookie consent banner. As GDPR is based on an opt-in consent model, no unnecessary cookies can be deployed until the user has provided their due consent through a GDPR-compliant cookie consent banner.
"Third parties may store information on the user's devices or gain access to information already stored for several purposes, ranging from the legally allowed (essential cookies) to those involving unwanted interference into the private sphere (such as viruses or spyware).
Therefore, it is paramount that users must be provided with comprehensive and precise information when engaging in any activity that could result in such storage or gaining access.
The techniques of conveying information and offering the right to reject should be as user-friendly as possible."
Cookies can come in multiple forms. Whether it's first-party cookies needed for the essential function of your site or third-party marketing cookies from ad services or social media integrations, cookies can be categorized in four ways:
The ePrivacy Directive's cookie consent requirements are precise. Any non-first-party cookies must be withheld until the end user consents.
The ePrivacy Directive, with directives as far back as 2009, continues to lose its relevance. New tracking technology emerges, and online behavior changes with it. The switch from the ePrivacy Directive to the stronger ePrivacy Regulation is coming shortly.
EU Commission legislative talks to replace the ePrivacy Directive with a stronger ePrivacy Regulation have been an ongoing battle for years and have yet to have a clear solution.
However, in February 2021, the EU Council published a new draft of the ePrivacy Regulation. It moved the process into a negotiation stage between the EU Parliament, Commission, and Council.
Consent is still an essential part of the new ePrivacy Regulation 2021 draft. Cookies and tracking technologies are part of the scope. The need for end-user consent first won't be going anywhere.
Until the new ePrivacy Regulation is live, the ePrivacy Directive and the GDPR still govern data privacy in the EU.
As a website or an online business owner, ensure your business operations, like a website or a mobile app, comply with the cookie law, which will require you to make some changes.
The risk of noncompliance is enormous and will undoubtedly result in heavy fines and irrecoverable brand damages. Once the user's trust is broken, it is hard for businesses to regain it, ultimately losing their overall brand value.
If your business comes under the EU's GDPR or California's CPRA, the cost incurred, both monetary and non-monetary, can be devastating.
Within those, you're required to obtain explicit consent from end-users before cookies are deployed to be activated on your website. That requires you to:
Provide users with comprehensive, easy-to-understand information about all cookies in use
Give users the option to refuse or withdraw consent easily
You can automatically gain consent with Adzapier's Consent Management Platform (CMP). Our top goal is to maintain confidence and complete transparency in privacy and compliance with our publisher partners and their advertisers.
Any information obtained from the Adzapier website, services, platform, tools, or comments, whether oral or written, does not constitute legal or regulatory advice. If legal assistance is required, users should seek legal advice from an attorney, a lawyer, or a law firm.