What You Should Know About the EU Cookie Law

The ePrivacy Directive (also known as the EU cookie law) is an EU regulation that controls how your website can process and use the personal data of European Union visitors.

Next to the General Data Protection Regulation (GDPR), the EU cookie law is one of the most demanding data privacy regulations: it requires explicit consent from end-users before you can use cookies on your website.

In this article, we’ll dive a bit deeper into the EU cookie law and how the Adzapier consent management platform (CMP) can make your website compliant with the new regulations. 

Cookies and the EU Cookie Law 

The EU cookie law was the first piece of legislation to regulate the use of cookies and trackers. It requires sites to obtain consent from EU users before using cookies and processing their personal data.

According to the EU Cookie Law, if your website has visitors from within the EU, you must – 

  • Withhold all cookies and trackers until users provide consent 
  • Give end-users easy-to-understand information about all cookies and trackers on your domain 
  • Gain end-user consent to all cookies and trackers in use in a friendly manner 
  • Enable end-users to refuse or withdraw consent in a quick and easy manner 

Combined with the EU’s GDPR, the EU cookie law forms an overarching data privacy umbrella in Europe. This includes any website that has visitors from within the EU, regardless of where the business is located in the world. 

Like Brazil’s LGPD and South Africa’s POPIA, many newer data privacy laws draw inspiration from the EU’s data privacy regime, including the ePrivacy Directive’s requirements for cookies. 

The EU cookie law (ePrivacy Directive) is actually a directive rather than a law, one that each EU member has enforced through national laws. This is a stark difference from the GDPR, a uniform regulation enforced across the entire European Union.

Under EU law, the use of cookies is only allowed on one condition: the user has given their consent, having been provided with clear and comprehensive information. 

How does it work? How do you obtain explicit user consent on your website, and what qualifies as valid, “explicit” user consent? 

Each member state’s data protection authority oversees the enforcement of the EU cookie law at a national level. Still, it does so based on the broader guidelines issued by the European Data Protection Board (EDPB), consisting of representatives from each country. 

Under the EDPB guidelines, “valid” consent is defined as:

  • Freely given 
  • Specific 
  • Informed 
  • Unambiguous 

Cookies are mentioned only once in the EU cookie law, but the rules stated are crystal clear.

What About Cookies? 

In the ePrivacy Directive, the use of cookies is clearly defined in Article 66: 

“Third parties may wish to store information on the equipment of a user or gain access to information already stored for several purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses).  

Therefore, it is paramount that users be provided with clear and comprehensive information when engaging in any activity that could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible.” 

Cookies can come in multiple forms. Whether it’s first-party cookies required for the essential function of your site or third-party marketing cookies from ad services or social media integrations, cookies can be categorized in four ways: 

  • Necessary cookies 
  • Preference cookies 
  • Statistics cookies 
  • Marketing cookies 

The ePrivacy Directive’s cookie consent requirements are clear. Any non-first-party cookies must be withheld until the end-user consents.  

When will the ePrivacy Directive be replaced? 

The ePrivacy Directive, with directives as far back as 2009, continues to lose its relevance. New tracking technology emerges, and online behavior changes with it. The switch from the ePrivacy Directive to the stronger ePrivacy Regulation is coming shortly. 

EU Commission legislative talks to replace the ePrivacy Directive with an updated and stronger ePrivacy Regulation have been an ongoing battle for years without a clear solution in sight yet. 

However, in February 2021, the EU Council published a new draft for the ePrivacy Regulation. It moved the process into a negotiation stage between the EU Parliament, Commission, and Council. 

Consent is still an essential part of the new ePrivacy Regulation 2021 draft. Cookies and tracking technologies are part of the scope. The need to obtain end-user consent first won’t be going anywhere.

Until the new ePrivacy Regulation is live, the ePrivacy Directive and the GDPR still govern data privacy in the EU. 

Final Words 

The ePrivacy Directive, combined with the General Data Protection Regulation (GDPR), regulates how your website can use cookies that process personal data from EU users. 

Within those, you’re required to obtain explicit consent from end-users before cookies are allowed to be activated on your website. That requires you to: 

  • Provide users with comprehensive, easy-to-understand information about all cookies in use 
  • Give users the option to refuse or withdraw consent easily 
  • Obtain user consent to use cookies and trackers that process personal data 

With Adzapier’s Consent Management Platform (CMP), you can automatically gain consent. Our top goal is to maintain confidence and full transparency in privacy and compliance with our publisher partners and their advertisers. 
