
The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

The EU cookie law - a fundamental right to privacy in the 21st century

Updated February 15, 2020.

Europe is the leading tech watchdog in the world. The EU cookie law, the GDPR and the coming ePrivacy Regulation are groundbreaking defenses in the right to online privacy.

In this article, we look at the ePrivacy Directive - also known by the name "EU cookie law".

What is the EU cookie law?

The EU cookie law, known also by its official name the ePrivacy Directive, is a vital piece of legislation to ensure data privacy in the European union, an effort to secure EU citizens' privacy online.

It was passed in 2002 by the EU, amended in 2009, and has had ambiguous effects on the user experience of managing cookies and tracking, with different and sometimes inadequate legal implementation on the national level.

One of the main reasons for this is that a directive is not a law, although the 2002 directive has obtained that nickname.

We will get into the details of this in a minute.

In doubt whether your website is GDPR compliant? Test for free with Cookiebot consent management platform (CMP).

Try Cookiebot CMP free for 30 days... or forever if you have a small website.

The origins of the EU cookie law

The EU cookie law’s main purpose is to enforce and secure the right to privacy through data protection, as pronounced in the EU Charter of Fundamental Rights (Article 8), which states that:

“Everyone has the right to the protection of personal data”, and that “such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned”.

It further specifies that "everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified."

In other, shorter words: the EU cookie law is a cookie consent directive. It protects data privacy in the EU.

Take a minute to inform yourself of your fundamental rights in the European Union.

Intent and purpose

It was intended as the user’s defense against the world wild web of online tracking, personal profiling, unsolicited marketing tactics, and nonconsensual harvesting of data by third parties.

Its main objective was to protect "the right to private life, the confidentiality of communications and the protection of personal data in the electronic communications sector", as the directive reads.

According to the New York Times, Europe is now the leading tech watchdog in the world. This is undoubtedly a result of both the EU cookie law in place, and the newer and broader General Data Protection Regulation (GDPR).

The coming ePrivacy Regulation, which we’ll look at in a minute, will be sure to strengthen this position.

What does the EU cookie law mean?

The EU cookie law is, basically, all about what other people (i.e. websites, companies and service providers) are allowed to do with your digital data: what they can do with it, what they can't do without your consent, for what purposes, and in what ways.

Read the 2009 ePrivacy Directive here.

Cookie law info and cookie consent

All the cookie consent banners and cookie pop-up windows that you encounter, as you make your way through the web today, are reflections of those fundamental European rights to privacy.

Unfortunately, a lot of them are inadequate reflections, and even misleading.

The ePrivacy Directive states that no cookies or trackers may be placed before the user has given prior consent, except those strictly necessary for the basic function of a website. In other words, a website has to hold back all cookies, regardless of whether they contain personal data or not, until the user consents.

Yet a lot of the banners and notices that most people are familiar with simply state that the website “uses cookies to enhance user experience” and leave users with the sole option of clicking “o.k.”

Find out how to get a great, compliant cookie notice here.

This has resulted in the aptly named condition known as consent fatigue. Users' data is still being harvested and sold in the trillion-dollar economy beneath the visible internet, but now they have to click “o.k.” every time they visit a website, with no real choice of consent.

What the EU cookie law deals with

To be frank, the EU cookie law doesn’t just deal with cookies, but also with how user privacy is enforced on a larger scale on the Internet. An example of this is the prohibition of the use of e-mail addresses for marketing purposes without prior consent.

Nonetheless, the EU cookie law, and now also the GDPR, intend to give users transparency and control: they are able to demand access to, insight into, rectification of, and erasure of the data already collected about them.

The coming ePrivacy Regulation is meant to solve these issues.

EU cookie law (ePrivacy Directive)

Important to note is that the nicknamed EU cookie law is not a law – it’s a directive.

The European Union can make legal decisions in a number of ways, but most notably, in this context of online user privacy, it can act legally in the form of so-called regulations and directives.

Regulations are EU laws that apply automatically and uniformly to all EU countries without the need for interpretation and implementation on a national level. Whatever is passed into law under a regulation will be binding and immediately enforceable in the whole of Europe.

Directives, on the other hand, are EU legal acts that every country must adopt and implement in their own ways on a national level. In the case of the EU cookie law, each member state has had to implement into national law the articles of data protection and right to privacy that the directive mandates. In short, each EU country has since 2002 had to pass laws in their own legislative bodies so as to accommodate and comply with the EU cookie law.

Europe is the leading tech watchdog with the GDPR and ePR

The ePrivacy Regulation will expand and elaborate on the previous 2002 directive.

The ePrivacy Directive has existed for more than a decade (it’s old) and might now be somewhat outdated. There are new technological advances that it doesn’t fully cover; the cookie consent provisions have been criticized for being inadequately interpreted; and concerns have been raised that the national implementations have created an unlevel playing field with overlapping and fragmented legal realities.

The ePrivacy Regulation seeks to mend these issues and take European privacy protection to a technologically updated, as well as internationally uniform, place, as it lifts the ePrivacy Directive to a higher level of European law. In other words: to update, clarify and modernize the 2002 directive into a version that would, like the GDPR, be binding, uniform law in all EU countries.

On February 10, 2021, the EU Council agreed on a draft text, and the ePrivacy Regulation will now go into trilogue negotiations between the EU Parliament, the EU Council and the EU Commission.

Learn more about the new draft ePrivacy Regulation 2021

EU cookie law vs GDPR

If you’re confused about the difference between the EU cookie law and the newer GDPR, it’s no wonder. Perhaps you thought that the EU cookie law was the GDPR. Here are the differences:

The EU cookie law, or ePrivacy Directive, is an older legal act, passed in 2002 and updated in 2009, which deals mainly with cookies, data retention, and unsolicited e-mailing. It is, as mentioned before, a directive, not a regulation.

The GDPR, or General Data Protection Regulation, is much newer and is a regulation, meaning it is binding in all EU member states as of May 2018. It has a much larger scope than the ePrivacy Directive, since it focuses on data protection regardless of the type of data (i.e. not only digital user information), and how companies and organizations have to secure transparency and document user consent. In fact, the GDPR only mentions the word “cookie” once.

Inform yourself on the GDPR and read the GDPR law text.

The many flavors of cookies - the varieties of online tracking

The ePrivacy Directive has been nicknamed the EU cookie law because it deals with, among other things… cookies. Why? Because cookies are everywhere online. If you have a website, you have cookies. If you’ve visited a website, you’ve dealt with cookies – whether you know it or not.

A cookie sits between a website and its users, so to speak. It’s a small data file that a website places on its users’ devices (computer, phone or tablet), which enables it to recognize them and know things about them.

There are many types of cookies and tracking online

First or third, session or persistent, necessary or marketing?

Different cookies

But it’s not as simple as that. In fact, there is a wide variety of cookies that operate differently for different purposes, and it’s important to know which ones to look out for:

First-party cookies are those placed on a user’s computer by the website that he or she has visited.

Third-party cookies are those cookies belonging to a third party with access to the first-party site.

The latter could, for example, be cookies belonging to a social media platform, which track and monitor users’ behavior on a website, their access enabled e.g. by the implementation of a “share button” or a comment section on the first-party website.

In other words, if you have a Facebook share-button on your website, Facebook will also have cookies on your website.

What complicates privacy matters here is the fact that a website owner is legally responsible for what happens on their website, including the protection of all user data from its potential harvest by third parties for nonconsensual use in profiling and targeted advertisement.

Cookie management through cookie banners

Cookiebot CMP is a tool for transparency – prior consent is enabled as an on/off switch on all cookies and tracking, first- or third-party, and gives full control to the website owner and the end user through a cookie banner that manages their cookie consent.

Session cookies are temporary cookies that are only stored on a user’s device for the duration of their stay on a given website, their session. The minute they click away, these cookies expire. These are typically used for functions like keeping the items in your shopping cart, while you click around on a website’s subpages.

Persistent cookies, on the contrary, are cookies that linger on the user’s browser for much longer than merely a session, sometimes even for years. These are often “necessary cookies” and “preference cookies”, that handle stuff like user log-in or language settings on a website, but they might also be “analytics cookies”, “advertisement cookies”, and “social media cookies” that enable actions such as personal profiling and targeted online marketing.
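The four categories above (first- or third-party, session or persistent) can be read straight off the Set-Cookie headers a site and its embedded third parties send. The following is an added example for this article, not Cookiebot's scanner or any code from the page: it classifies constructed Set-Cookie headers against the site being audited. It assumes a simplified "last two labels" notion of registrable domain (a real audit would use the Public Suffix List), and treats a cookie with Max-Age=0 or an Expires date in the past as a deletion rather than as persistent.

```python
"""Classify Set-Cookie headers: first- vs third-party, session vs persistent.

Added example, not Cookiebot's code. The headers in SAMPLE_RESPONSES are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass(frozen=True)
class CookieInfo:
    name: str
    party: str      # "first" or "third"
    lifetime: str   # "session", "persistent" or "expired" (deletion instruction)
    domain: str     # domain the cookie is scoped to


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host.
    Assumption: no multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr=val; Flag' into name, value and attributes.
    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def classify(site_host: str, response_host: str, header: str,
             now: datetime | None = None) -> CookieInfo:
    """Classify one Set-Cookie header received from response_host while
    auditing site_host."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    # A Domain attribute widens the cookie to that domain and its subdomains;
    # without one the cookie is host-only for the responding host.
    domain = (attrs.get("domain") or response_host).lstrip(".").lower()
    party = "first" if registrable_domain(domain) == registrable_domain(site_host) else "third"

    # Max-Age takes precedence over Expires (RFC 6265 section 5.3).
    max_age = attrs.get("max-age")
    expires = attrs.get("expires")
    if max_age is not None:
        lifetime = "persistent" if int(max_age) > 0 else "expired"
    elif expires is not None:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            lifetime = "persistent" if when > now else "expired"
        except (TypeError, ValueError):
            lifetime = "persistent"  # unparseable date: still a non-session cookie
    else:
        lifetime = "session"
    return CookieInfo(name, party, lifetime, domain)


def audit(site_host: str, responses: list[tuple[str, str]]) -> list[CookieInfo]:
    """responses: (responding host, Set-Cookie header) pairs captured while
    loading the site. Returns one CookieInfo per header."""
    return [classify(site_host, host, header) for host, header in responses]


# Constructed sample: what a page load of shop.example might hand back.
SAMPLE_RESPONSES = [
    ("shop.example", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "lang=en; Max-Age=31536000; Path=/"),
    ("px.adnetwork-example.net",
     "_tr=xyz; Domain=.adnetwork-example.net; Expires=Wed, 21 Oct 2030 07:28:00 GMT; SameSite=None; Secure"),
    ("shop.example", "promo=1; Max-Age=0; Path=/"),
]

if __name__ == "__main__":
    for info in audit("shop.example", SAMPLE_RESPONSES):
        print(f"{info.name:<6} {info.party}-party {info.lifetime:<10} ({info.domain})")
```

Run as a script, the sample yields a first-party session cookie (sid), a first-party persistent cookie (lang), a third-party persistent cookie scoped to the ad network's domain (_tr), and a deletion instruction (promo). The third-party persistent one is the case the directive's prior-consent rule is aimed at; a session cookie that only carries the shopping cart is the kind of strictly necessary cookie the text says is exempt.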

Other ways of tracking

Web beacons

Another type of online tracking altogether is a so-called web beacon.

These are one of several tracking technologies besides cookies that also include browser fingerprinting (the uniqueness of your device, such as settings and configurations) and ultrasound beacons (high-pitched sounds emitted from a device in use with the purpose of mapping out connected devices, such as phones and tablets).

Learn more about the different tracking technologies besides cookies here.

A web beacon (also known as a “pixel tag” or “clear GIF”) is a transparent pixel – yes, that’s right, one pixel, i.e. tiny and invisible to the naked eye. Web beacons are markers on the virtual gates you pass through, as you click your way through the Internet.

It tells its operators about your journey to the site and how you got there, for instance whether it was through a link in a newsletter or a social media commercial.

Ultrasound beacons track in different ways than cookies

Hidden in a pixel, a tracking beacon

This tracking is used by websites to understand the impact of their marketing strategies. But this data can also be combined with users’ personal account information to build comprehensive profiles on individuals.

It might be benign in nature but offers the possibility of third-party tracking for comprehensive profiling that might violate privacy laws, such as the EU cookie law.
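Because a beacon is just an image request, a site owner can find them in their own page source: a 1x1 or hidden <img> whose src points at another organisation's host, with the campaign information riding in the query string. Below is an added example for this article, not Cookiebot's scanner, that does exactly that over a constructed HTML snippet using only the standard library. It assumes the same simplified "last two labels" registrable-domain rule as before and treats width/height of 1 or an inline display:none / visibility:hidden as the pixel signature.

```python
"""Find web beacons (1x1 or hidden tracking images) in a page's HTML.

Added example, not Cookiebot's code. SAMPLE_HTML is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Beacon:
    src: str
    host: str
    third_party: bool
    params: dict          # query parameters the beacon reports back


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels); assumption, not Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site = registrable_domain(site_host)
        self.beacons: list[Beacon] = []

    @staticmethod
    def _looks_like_pixel(attrs: dict[str, str]) -> bool:
        width = attrs.get("width", "").strip().rstrip("px")
        height = attrs.get("height", "").strip().rstrip("px")
        style = attrs.get("style", "").replace(" ", "").lower()
        return (width == "1" and height == "1") \
            or "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; valueless attrs are None.
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src")
        if not src or not self._looks_like_pixel(a):
            return
        parts = urlsplit(src)
        host = parts.hostname or ""
        third = bool(host) and registrable_domain(host) != self.site
        self.beacons.append(Beacon(src, host, third, parse_qs(parts.query)))


def find_beacons(site_host: str, html: str) -> list[Beacon]:
    finder = BeaconFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.beacons


# Constructed page: one real image, one ad-network pixel, one first-party
# newsletter-open pixel hidden with CSS.
SAMPLE_HTML = """
<html><body>
<img src="https://shop.example/static/logo.png" width="200" height="60" alt="logo">
<img src="https://track.adnetwork-example.net/px.gif?cid=spring_newsletter&uid=7f3a" width="1" height="1" alt="">
<img src="https://shop.example/i/open.gif?nl=42" style="display: none">
<p>Welcome back.</p>
</body></html>
"""

if __name__ == "__main__":
    for b in find_beacons("shop.example", SAMPLE_HTML):
        kind = "third-party" if b.third_party else "first-party"
        print(f"{kind:<12} {b.host:<28} {b.params}")
```

On the sample page the logo is ignored, the ad-network pixel is reported as third-party together with the campaign and user identifiers it carries, and the first-party open pixel is reported without being flagged as third-party. The third-party hit is the one that needs to sit behind prior consent under the directive; the parameters it carries are what gets joined to account data for profiling.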

For a knowledgeable and stimulating in-depth read, check out The Privacy Project, a New York Times interactive essay collection on data privacy.

Summary: how to comply with the EU cookie law

So... a lot of rules, directives, regulations and different cookies. It can get complicated.

The main things to keep in mind as a website owner are these:

If you choose Cookiebot CMP as a solution, all of the above is made available to you in a simple software implementation. Click here to try for free.


What is the EU cookie law?

The ePrivacy Directive (nicknamed the EU cookie law) is a European directive that governs the use of data in the electronic communications sector in the EU. The EU cookie law regulates the use of data by websites, companies and service providers, how they are allowed to handle it, use it and for what purpose they are allowed to share it.

Test for free to see if your website is compliant with the GDPR and ePrivacy Directive

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU law governing the processing of personal data in all EU member states. The GDPR requires websites, companies and organizations to ask for and obtain explicit consent from users before processing any personal data, such as through cookies and trackers on a website.

Learn more about GDPR and cookie consent

What is valid cookie consent on websites?

A valid consent from end users to have their personal data processed by cookies and trackers on a website has to be an informed, clear, affirmative and unambiguous indication of their wishes. This means that websites are not allowed to activate non-necessary cookies that process personal data until after users have given their explicit consent.

Learn more about valid consent on websites in the EU

How can my website become compliant?

Using a consent management platform that scans your website to detect all cookies and trackers, and then hands real control to the end user by letting them give explicit consent through a granular cookie banner, ensures full GDPR and ePrivacy compliance for your website.

Try Cookiebot CMP free for 30 days for full GDPR compliance


The ePrivacy Directive

The General Data Protection Regulation (GDPR)

The proposal for the ePrivacy Regulation 2021

The European Commission on EU data protection rules

The European Commission on the different types of EU law

The NY Times on the existing EU cookie laws

European Data Protection Supervisor

Charter of Fundamental Rights of the European Union

Review of the ePrivacy Directive by the European Parliament Think Tank

The Privacy Project, a NY Times interactive essay collection on data privacy
