Updated July 15, 2020.
Europe is the leading tech watchdog in the world. The EU cookie law, the GDPR and the coming ePrivacy Regulation are groundbreaking defenses in the right to online privacy.
In this article, we look at the ePrivacy Directive - also known by the name "EU cookie law".
The EU cookie law, known also by its official name the ePrivacy Directive, is a vital piece of legislation to ensure data privacy in the European Union, an effort to secure EU citizens' privacy online.
It was passed in 2002 by the EU, amended in 2009, and has had ambiguous effects on the user experience of managing cookies and tracking, with different and sometimes inadequate legal implementation on the national level.
One of the main reasons for this is that a directive is not a law, although the 2002 directive has acquired that nickname.
We will get into the details of this in a minute.
The EU cookie law’s main purpose is to enforce and secure the right to privacy through data protection, as pronounced in the EU Charter of Fundamental Rights (Article 8), which states that:
“Everyone has the right to the protection of personal data”, and that “such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned”.
It further specifies that “everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
In other, shorter words: the EU cookie law is a cookie consent directive. It protects data privacy in the EU.
Take a minute to inform yourself of your fundamental rights in the European Union.
It was intended as the user’s defense against the world wild web of online tracking, personal profiling, unsolicited marketing tactics, and nonconsensual harvesting of data by third parties.
Its main objective was to protect “the right to private life, the confidentiality of communications and the protection of personal data in the electronic communications sector”, as the directive reads.
According to the New York Times, Europe is now the leading tech watchdog in the world. This is undoubtedly a result of both the EU cookie law in place, and the newer and broader General Data Protection Regulation (GDPR).
The coming ePrivacy Regulation, which we’ll look at in a minute, will be sure to strengthen this position.
The EU cookie law is, basically, all about what other people (i.e. websites, companies and service providers) are allowed to do with your digital data: what they can do with your consent, what they can’t do without it, for what purposes, and in what ways.
Read the 2009 ePrivacy Directive here.
All the cookie consent banners and cookie pop-up windows that you encounter, as you make your way through the web today, are reflections of those fundamental European rights to privacy.
Unfortunately, a lot of them are inadequate reflections, and even misleading.
The ePrivacy Directive states that no cookies or trackers may be placed before the user has given prior consent, apart from those strictly necessary for the basic function of a website. In other words, a website has to hold back all cookies, regardless of whether they contain personal data or not, until the user consents.
This has resulted in the aptly named condition known as consent fatigue. Users’ data is still being harvested and sold in the trillion-dollar economy beneath the visible internet, but now they have to click “o.k.” every time they visit a website, with no real choice of consent.
The EU cookie law deals with:
To be frank, the EU cookie law doesn’t just deal with cookies, but also with how user privacy is enforced on a larger scale on the Internet. An example of this is the prohibition of the use of e-mail addresses for marketing purposes without prior consent.
Nonetheless, the EU cookie law, and now also the GDPR, intend to give users the power of transparency: users can demand access to, insight into, rectification of, and erasure of the data already collected on them.
The coming ePrivacy Regulation is meant to solve these issues.
It is important to note that the so-called EU cookie law is not a law – it’s a directive.
The European Union can make legal decisions in a number of ways, but most notably, in this context of online user privacy, it can act legally in the form of so-called regulations and directives.
Regulations are EU laws that apply automatically and uniformly to all EU countries without the need for interpretation and implementation on a national level. Whatever is passed into law under a regulation will be binding and immediately enforceable in the whole of Europe.
Directives, on the other hand, are EU legal acts that every country must adopt and implement in their own ways on a national level. In the case of the EU cookie law, each member state has had to implement into national law the articles of data protection and right to privacy that the directive mandates. In short, each EU country has since 2002 had to pass laws in their own legislative bodies so as to accommodate and comply with the EU cookie law.
The ePrivacy Regulation will expand and elaborate on the previous 2002 directive.
The ePrivacy Directive has existed for more than a decade (it’s old) and might now be somewhat outdated. There are new technological advances that it doesn’t fully cover; the cookie consent provisions have been criticized for being inadequately interpreted; and concerns have been raised that the national implementations have created an unlevel playing field with overlapping and fragmented legal realities.
The ePrivacy Regulation seeks to mend these issues and to bring European privacy protection to a technologically updated and internationally uniform state, as it lifts the ePrivacy Directive to a higher level of European law. In other words: to update, clarify and modernize the 2002 directive into a version that, like the GDPR, would be binding, uniform law in all EU countries.
It is difficult to say exactly when the ePrivacy Regulation will be finalized, but there is a chance it will happen in 2020.
If you’re confused about the difference between the EU cookie law and the newer GDPR, it’s no wonder. Perhaps you thought that the EU cookie law was the GDPR. Here are the differences:
The EU cookie law, or ePrivacy Directive, is an older legal act, passed in 2002 and updated in 2009, which deals mainly with cookies, data retention, and unsolicited e-mailing. It is, as mentioned before, a directive, not a regulation.
The GDPR, or General Data Protection Regulation, is much newer and is a regulation, meaning it is binding in all EU member states as of May 2018. It has a much larger scope than the ePrivacy Directive, since it focuses on data protection regardless of the type of data (i.e. not only digital user information), and how companies and organizations have to secure transparency and document user consent. In fact, the GDPR only mentions the word “cookie” once.
A cookie is between a website and its users, so to speak. It’s a small data file that a website places on its users’ devices (computer, phone and tablet), which enables it to recognize them and know things about them.
First or third, session or persistent, necessary or marketing?
But it’s not as simple as that. In fact, there is a wide variety of cookies that operate differently for different purposes, and it’s important to know which ones to look out for:
First-party cookies are those placed on a user’s computer by the website that he or she has visited.
Third-party cookies are those cookies belonging to a third party with access to the first-party site.
The latter could, for example, be cookies belonging to a social media platform, which track and monitor users’ behavior on a website, their access enabled e.g. by the implementation of a “share button” or a “commentary” on the first-party website.
In other words, if you have a Facebook share-button on your website, Facebook will also have cookies on your website.
What complicates privacy matters here is the fact that a website owner is legally responsible for what happens on their website, including the protection of all user data from potential harvesting by third parties for nonconsensual use in profiling and targeted advertisement.
Cookiebot is a tool for transparency – prior consent is enabled as an on/off switch on all cookies and tracking, first or third-party, and gives full control to the website owner and the end user through a cookie banner that manages their cookie consent.
Session cookies are temporary cookies that are only stored on a user’s device for the duration of their stay on a given website, their session. The minute they click away, these cookies expire. These are typically used for functions like keeping the items in your shopping cart, while you click around on a website’s subpages.
Persistent cookies, on the contrary, are cookies that linger on the user’s browser for much longer than merely a session, sometimes even for years. These are often “necessary cookies” and “preference cookies” that handle stuff like user log-in or language settings on a website, but they might also be “analytics cookies”, “advertisement cookies”, and “social media cookies” that enable actions such as personal profiling and targeted online marketing.
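To make the first/third-party and session/persistent distinctions concrete, here is an added example (not Cookiebot's code) that classifies the Set-Cookie headers a scanner might observe while loading a page. The sample headers and hostnames are constructed, and the registrable-domain check is a crude last-two-labels approximation rather than a Public Suffix List lookup.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: (response URL, raw Set-Cookie header) pairs observed
# while loading https://www.example.com/. Not taken from any real site.
OBSERVED = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example.com/", "lang=en; Max-Age=31536000; Path=/"),
    ("https://cdn.example.com/app.js",
     "cache_pref=1; Domain=example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("https://ads.tracker-example.net/pixel.gif",
     "uid=xyz; Domain=.tracker-example.net; Max-Age=63072000; SameSite=None; Secure"),
    ("https://social-example.org/share-button",
     "sb=1; Expires=Thu, 01 Jan 2030 00:00:00 GMT"),
]

def site_of(host):
    # Assumption: registrable domain = last two labels. A real scanner
    # would consult the Public Suffix List (e.g. for co.uk-style suffixes).
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class CookieInfo:
    name: str
    party: str     # "first" or "third"
    lifetime: str  # "session", "persistent" or "expired"

def classify(page_url, response_url, set_cookie):
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    # Party: which site the response came from, relative to the page's site.
    same_site = site_of(urlsplit(response_url).hostname) == site_of(urlsplit(page_url).hostname)
    party = "first" if same_site else "third"
    # Lifetime per RFC 6265: Max-Age wins over Expires; neither means a session cookie.
    if "max-age" in attrs:
        try:
            secs = int(attrs["max-age"])
        except ValueError:
            secs = 0
        lifetime = "persistent" if secs > 0 else "expired"
    elif "expires" in attrs:
        lifetime = "persistent"
    else:
        lifetime = "session"
    return CookieInfo(name, party, lifetime)

def classify_all(page_url, observed):
    return [classify(page_url, url, hdr) for url, hdr in observed]
```

Cookies reported as third-party or persistent by this check are the ones a consent banner must keep switched off until the user opts in.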
Another type of online tracking altogether is a so-called web beacon.
These are one of several tracking technologies besides cookies that also include browser fingerprinting (the uniqueness of your device, such as settings and configurations) and ultrasound beacons (high-pitched sounds emitted from a device in use with the purpose of mapping out connected devices, such as phones and tablets).
A web beacon (known also as “pixel tags” or “clear GIFs”) is a transparent pixel – yes that’s right, one pixel, i.e. tiny and invisible to the naked eye. Web beacons are markers on the virtual gates you pass through, as you click your way through the Internet.
It tells its operators about your journey to the site, how you got there, and whether it was through a link in a newsletter or a social media commercial.
Hidden in a pixel, a tracking beacon
This tracking is used by websites to understand the impact of their marketing strategies. But this data can also be combined with users’ personal account information to build comprehensive profiles on individuals.
It might be benign in nature but offers the possibility of third-party tracking for comprehensive profiling that might violate privacy laws, such as the EU cookie law.
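As an added illustration (not part of the original article or any vendor's product), the following scan flags the kind of beacon described above: image tags that are one pixel or zero pixels in size, or hidden, and reports whether they load from a third-party host and which campaign parameters they carry. The HTML fragment and hostnames are constructed, and the site check is the same last-two-labels approximation of a registrable domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page fragment; not taken from any real site.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="60" alt="logo">
<img src="https://metrics.tracker-example.net/p.gif?utm_source=newsletter&amp;cid=42" width="1" height="1" alt="">
<img src="https://www.example.com/px.gif" style="display: none">
<img src="https://social-example.org/i.gif?ref=share" width="0" height="0">
</body></html>
"""

def site_of(host):
    # Assumption: registrable domain = last two labels (no Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels."""
    def __init__(self, page_url):
        super().__init__()
        self.page_site = site_of(urlsplit(page_url).hostname)
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        tiny = (a.get("width") or "").strip() in ("0", "1") and \
               (a.get("height") or "").strip() in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        if not (tiny or hidden):
            return
        parts = urlsplit(src)
        # A relative src (no host) is served by the page's own site.
        first = parts.hostname is None or site_of(parts.hostname) == self.page_site
        self.found.append({
            "src": src,
            "party": "first" if first else "third",
            "params": parse_qs(parts.query),  # e.g. utm_source tells them how you arrived
        })

def find_beacons(page_url, html):
    finder = BeaconFinder(page_url)
    finder.feed(html)
    return finder.found
```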
For a knowledgeable and stimulating in-depth read, check out The Privacy Project, a New York Times interactive essay collection on data privacy.
So... a lot of rules, directives, regulations and different cookies. It can get complicated.
The main things to keep in mind as a website owner are these:
If you choose Cookiebot as a solution, all of the above is made available to you in a simple software implementation.
The ePrivacy Directive (nicknamed the EU cookie law) is a European directive that governs the use of data in the electronic communications sector in the EU. The EU cookie law regulates the use of data by websites, companies and service providers, how they are allowed to handle it, use it and for what purpose they are allowed to share it.
The General Data Protection Regulation (GDPR) is an EU law governing the processing of personal data in all EU member states. The GDPR requires websites, companies and organizations to ask for and obtain explicit consent from users before processing any personal data, such as through cookies and trackers on a website.
A valid consent from end-users to have their personal data processed by cookies and trackers on a website has to be an informed, clear, affirmative and unambiguous indication of their wishes. This means that websites are not allowed to activate non-necessary cookies that process personal data until after users have given their explicit consent.
Using a consent management platform that can scan your website to detect all cookies and trackers, and then hand over real control to the end-user, enabling them to give their explicit consent through a granular cookie banner ensures full GDPR and ePrivacy compliance for your website.