EU Cookie Law

The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

Updated December 21, 2021.

The ePrivacy Directive (known often as just the “EU cookie law”) is a piece of EU legislation that regulates how your website is allowed to use cookies and process personal data from visitors inside the European Union.

Along with the General Data Protection Regulation (GDPR), the EU cookie law makes up the world’s strictest data privacy regime, which requires you to obtain the explicit consent from end-users before cookies are allowed to be activated on your website.

In this blog post, learn more about the EU cookie law (ePrivacy Directive), and how the Cookiebot consent management platform (CMP) can make your website meet all its requirements automatically.

What does the EU’s ePrivacy Directive say about cookies?

The ePrivacy Directive is often known as the EU cookie law because it was the first piece of legislation to regulate the use of cookies and trackers, as well as to require websites to obtain prior consent from users when employing cookies to process personal data from individuals inside the European Union.

If your website has visitors from inside the EU, the ePrivacy Directive requires you to –

  • Withhold all cookies and trackers until users have given explicit consent to their activation,
  • Give end-users clear and comprehensive information about all cookies and trackers embedded on your domain in plain and easy-to-understand language,
  • Ask end-users for consent to all cookies and trackers in use on your domain in as user-friendly a way as possible,
  • Enable end-users to refuse or withdraw consent as easily as they can give it.

Scan your website for free to see all cookies in use

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

The European cookie law (ePrivacy Directive), with its requirements for obtaining end-user consent, is the reason why you’re required to feature a consent banner on your website that EU visitors can use to either give or refuse consent to the non-necessary cookies that process personal data on your domain (such as search and browser history, IP addresses, etc.).

A GDPR/EU cookie law compliant consent banner from Cookiebot CMP.

Together with the EU’s General Data Protection Regulation (GDPR) that came into effect in 2018, the EU cookie law forms the overall data privacy regime in Europe, which has extraterritorial scope, meaning that any website, regardless of where in the world it is located, must comply if it has visitors from within the EU.

Many newer data privacy laws, like Brazil’s LGPD and South Africa’s POPIA, are heavily inspired by the EU’s data privacy regime, particularly the ePrivacy Directive’s cookie requirements.

However, featuring a consent banner on your website, designed to empower users with control over your website’s cookies and the personal data they process, is not only a global legal requirement, but has become a consumer demand with 79% of consumers saying that data privacy is a buying factor for them, according to a 2021 study by Cisco.

That’s why ensuring compliance with the EU’s GDPR and ePrivacy Directive’s cookie consent requirements is today a necessity for any online business that wishes to avoid heavy fines and establish long-lasting customer relations.

Under the EU cookie law (ePrivacy Directive), cookies can only be used if your website’s visitors give their consent.

The EU cookie law (ePrivacy Directive), quick breakdown

  • The EU cookie law (ePrivacy Directive) came into effect in 2002 and was amended in 2009 (amendment effective since 2011).
  • The EU cookie law (ePrivacy Directive) regulates the processing of personal data in the electronic communications sector and, more specifically, the use of cookies on websites.
  • The EU cookie law (ePrivacy Directive) states that the use of cookies on websites is conditioned upon the prior consent of users: users must first be given clear and comprehensive information about the purposes of processing data (as well as information about storage, retention and access) to be able to give their consent, and they must also be provided with an easy way to refuse.
  • The EU cookie law (ePrivacy Directive) covers any kind of technology that processes personal data from users online and uses “cookies” as an umbrella term. However, it also clearly states that the cookies deemed to be strictly necessary for the most basic functions of a website are exempt from the prior consent requirement (such as cookies that manage the contents of a user’s shopping cart on a web shop).
  • The EU cookie law (ePrivacy Directive) also covers the security and confidentiality of networks, e-communications services and unsolicited commercial e-mails (“spam”), among other provisions.
  • The EU cookie law (ePrivacy Directive) is not uniform binding law in the EU (as the GDPR is), but rather a directive that each member state implements through its own national legislation, which must, however, follow the directive’s provisions.
  • The EU cookie law (ePrivacy Directive) is enforced by each EU member state’s data protection authority according to national implementation. The European Data Protection Board (EDPB), consisting of representatives from all national data protection authorities, is responsible for issuing overall guidelines for interpretation and enforcement of the EU cookie law.
  • Non-compliance with the EU cookie law (ePrivacy Directive) can lead to fines issued by national data protection authorities, the highest of which – under the GDPR – can reach €20 million or 4% of annual global turnover.

Cookiebot CMP by Usercentrics is a plug-and-play solution for websites that automatically manages end-user consents in full compliance with global data privacy laws (like the EU’s GDPR/ePrivacy Directive, California’s CCPA/CPRA, Canada’s PIPEDA and many others).

Built around an industry-leading scanning technology that – automatically and regularly – scans and detects all cookies and trackers in use on your website, Cookiebot CMP ensures full transparency and control for end-users, allowing them to make a quick and easy choice of consent.

Cookiebot CMP helps balance data privacy and data-driven business on your website by managing end-user consents while ensuring high consent rates to build trust with your customers, e.g. offering highly customizable consent interfaces, automatically generated cookie policies and regular renewal of end-user consents.

Additionally, the geotargeting feature of Cookiebot CMP automatically determines where in the world a user is visiting your website from and automatically presents the correct compliance solution, e.g. consent banner for users inside the EU in compliance with the EU’s GDPR/ePrivacy Directive.


The EU cookie law (ePrivacy Directive) empowers users with choice and control over their personal data.

Let’s take a closer look at the EU cookie law (ePrivacy Directive) and its requirements when it comes to your website’s use of cookies and trackers.

We’ll be looking at what constitutes valid end-user consent and how your website is allowed to use cookies under EU law.

Fact – despite its nickname, the EU cookie law (ePrivacy Directive) is not a law, but a directive that each EU member state has implemented through national laws (contrary to the EU’s GDPR, which is a regulation and automatically uniform law across all of the EU).

The use of cookies, under EU law, is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information (Article 3 of the ePrivacy Directive).

In other words, to ensure full EU cookie compliance you are required to inform users about all cookies on your website and to ask for and obtain the explicit consent from users before using cookies to process their personal data.

But in practice, how does this work? How do you obtain explicit user consents on your website, and what is a valid “explicit” user consent?

The EU cookie law (ePrivacy Directive) states clearly that consent is needed before using cookies and processing personal data – but what amounts to a valid consent on your website?

How the EU cookie law’s cookie consent requirements (and the GDPR’s) are interpreted and enforced is defined by the European Data Protection Board (EDPB), and subsequently by each EU member state’s data protection authority (often known as a “DPA”).

Each member state’s data protection authority is in charge of enforcing the ePrivacy Directive nationally, e.g. by issuing guidelines for businesses to follow – but they do so based on the broader guidelines issued by the European Data Protection Board (EDPB), consisting of representatives from each national data protection authority.

The EDPB has defined valid consent under the EU cookie law and GDPR to be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

A valid explicit consent is therefore an action on the part of the user that is clear and unmistakable – e.g. using the automatic cookie banners from Cookiebot CMP that enable your website’s visitors to easily and quickly choose which categories of cookies they wish to activate and give their personal data to.

A Cookiebot CMP consent banner that makes your website compliant with the EU’s GDPR/ePrivacy Directive’s cookie requirements.

This also means that user actions such as scrolling on a website do not meet the requirements for explicit consent, nor are you allowed to have pre-ticked opt-in boxes on your cookie consent banner, under the GDPR/ePrivacy Directive.

Signing up to Cookiebot CMP can automate the entire process of achieving EU cookie compliance on your website.

In the EU cookie law (ePrivacy Directive), cookies are mentioned only once. However, clear rules apply to their use.

In the ePrivacy Directive, cookies are mentioned in Article 66 in a clear and decisive way –

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible – (Article 66 of the ePrivacy Directive).

Cookies on your website come in many different variations – from first-party cookies, necessary for the basic function of your website (and therefore exempt from the ePrivacy Directive’s cookie consent requirements), to third-party marketing cookies, embedded on your domain by external companies through the use of advertisement services or social media integrations.

Cookies can be categorized in four ways –

  • Necessary cookies
  • Preference cookies
  • Statistics cookies
  • Marketing cookies

The EU cookie directive’s cookie consent requirements make it clear that any cookies that are not strictly necessary for the core services and functions of your domain must be withheld prior to end-user consent.
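The two mechanical requirements this page keeps returning to are that non-necessary cookies stay withheld until an explicit choice is recorded (the requirement list near the top of the post and the four-category breakdown just above) and that withdrawing consent is as easy as giving it. The following is an added example, not Cookiebot’s own code and not an API of Cookiebot CMP: a small consent gate written in plain JavaScript that models exactly those rules. The four category names come from the page; the tracker list, the `givenAt` audit field and the function names are constructed for the illustration.

```javascript
// Added example (not Cookiebot's code): a minimal consent gate that models the
// ePrivacy Directive requirements described on this page. The four category
// names come from the page; the tracker list and data shapes are constructed.
const CATEGORIES = ['necessary', 'preference', 'statistics', 'marketing'];

// State before any user action: only strictly necessary cookies may run.
// Every other category defaults to false, so nothing is "pre-ticked".
function initialConsent() {
  return { necessary: true, preference: false, statistics: false, marketing: false, givenAt: null };
}

// Record an explicit choice taken from an affirmative action (e.g. a button
// click). Each value must be an explicit boolean; anything the user did not
// choose stays withheld. Unknown categories are rejected so a tracker cannot
// be activated under a label the banner never presented to the user.
function recordConsent(choices, now = Date.now()) {
  const consent = initialConsent();
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (typeof value !== 'boolean') {
      throw new Error(`consent for ${category} must be an explicit true/false`);
    }
    if (category !== 'necessary') consent[category] = value; // necessary needs no consent
  }
  consent.givenAt = now; // constructed audit field: when the choice was recorded
  return consent;
}

// Withdrawal is as easy as giving consent: one call returns to the no-consent state.
function withdrawConsent() {
  return initialConsent();
}

// May a tracker in `category` set cookies / process data under this consent?
function isAllowed(consent, category) {
  if (!CATEGORIES.includes(category)) return false; // unclassified trackers stay blocked
  return consent[category] === true;
}

// Split a list of trackers into those that may load and those that must be
// withheld. On a real page the "allowed" set would be the script tags that get
// switched from an inert type to executable JavaScript; here the function only
// returns the names so the decision can be inspected and tested.
function gateTrackers(trackers, consent) {
  const allowed = [];
  const withheld = [];
  for (const tracker of trackers) {
    (isAllowed(consent, tracker.category) ? allowed : withheld).push(tracker.name);
  }
  return { allowed, withheld };
}

// Constructed sample trackers: one per category plus one that was never classified.
const SAMPLE_TRACKERS = [
  { name: 'session_id', category: 'necessary' },
  { name: 'lang_pref', category: 'preference' },
  { name: 'analytics_pageview', category: 'statistics' },
  { name: 'ad_pixel', category: 'marketing' },
  { name: 'mystery_beacon', category: 'unknown' },
];

// Walk through the lifecycle: no choice yet, an explicit choice, then withdrawal.
let consent = initialConsent();
console.log('before any choice:', gateTrackers(SAMPLE_TRACKERS, consent));
consent = recordConsent({ preference: true, statistics: true, marketing: false });
console.log('after explicit choice:', gateTrackers(SAMPLE_TRACKERS, consent));
consent = withdrawConsent();
console.log('after withdrawal:', gateTrackers(SAMPLE_TRACKERS, consent));
```

Two design choices carry the legal points: the initial state is the same object that withdrawal returns, so scrolling or closing the banner without clicking leaves every non-necessary tracker blocked, and a tracker without a known category is treated as blocked rather than allowed, which is the safe default when a scan finds something the banner does not describe.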

Maybe you’ve heard that Google is phasing out third-party cookies from their Chrome browser in 2022?

Well, “cookies” is actually an umbrella term for a wide range of tracking technologies that keep developing, so even though third-party cookies might soon be a thing of the past, new tracking technologies (such as FLoC) will still be processing personal data from end-users visiting your website in the future – and consent will still be required.

Cookiebot CMP helps your website automate all EU cookie consent requirements by deep-scanning your website to detect all tracking technologies, and then withholding any personal data processing until the end-user has given their choice of consent through highly customizable cookie banners that ensure the right balance between data privacy and data-driven business.

When will the ePrivacy Regulation replace the ePrivacy Directive?

The ePrivacy Directive is getting older every day, as its latest amendment dates back to 2009. Tracking technologies keep developing, and so do new ways in which end-users communicate and spend their time online.

The ePrivacy Directive is scheduled to be updated with a stronger ePrivacy Regulation in the near future.

Legislative talks in the EU Commission to replace the ePrivacy Directive with an updated and stronger ePrivacy Regulation have been ongoing for years without a clear result yet.

In February 2021, however, the EU Council published a finalized text for the new ePrivacy Regulation and moved the process into so-called trilogue negotiations between the EU Parliament, the EU Commission, and the EU Council.

In short, consent is still a key part of the new draft ePrivacy Regulation 2021, and cookies and tracking technologies are also still in the legislative scope – i.e. consent will be needed from end-users to process any kind of personal data via electronic communication systems.

Until the new ePrivacy Regulation has been passed and taken effect, the ePrivacy Directive and the GDPR still make up the current data privacy regime in the EU.

So, the ePrivacy Directive (or just “EU cookie law”) – together with the General Data Protection Regulation (GDPR) – determines the rules for how your website is allowed to use cookies that process personal data from end-users inside the EU.

The rules require that you must obtain the explicit consent from end-users before cookies are allowed to be activated on your website.

This means that you must –

  • Provide end-users with clear and comprehensive information about all cookies in use,
  • Obtain end-user consent to use cookies and trackers that process personal data,
  • Give end-users the option of refusing or withdrawing consent as easily as giving consent.

Cookiebot CMP is a plug-and-play cookie solution that is implemented on your website with just a few lines of JavaScript.

Once up and running, Cookiebot CMP automatically scans, detects, and controls all cookies and trackers in full compliance with the EU’s GDPR and ePrivacy Directive’s cookie consent requirements.

Cookiebot CMP is a leading e-privacy market solution by Usercentrics that helps balance data privacy and data-driven business on your website by managing end-user consents while ensuring high consent rates to build trust with your customers.

FAQ

What is the EU cookie law?

The EU cookie law (or ePrivacy Directive) is a piece of European legislation that regulates the use of personal data in the electronic communications sector, specifically the use of cookies and trackers on websites. Together with the GDPR, the European cookie law forms the EU’s data privacy regime, one of the strictest in the world, which requires explicit consent from end-users before websites are allowed to use cookies that process personal data.

What are the requirements of the EU cookie law?

If you have visitors from inside the European Union, the EU cookie law (ePrivacy Directive) requires you to only use cookies and trackers on your website if EU visitors have given their explicit consent for you to do so. You must inform EU visitors of all cookies on your website and enable them to refuse or withdraw their consent as easily as they can give it.

Is cookie consent always required in the EU?

In the EU, cookie consent is the core provision of the EU’s GDPR and the EU cookie law (ePrivacy Directive). To process personal data from individuals inside the EU – whether through the use of cookies or other means – you need to first obtain explicit consent from your end-users.

Is a cookie policy required by law in the EU?

Yes, the EU’s GDPR and the EU cookie law (ePrivacy Directive) require your website to feature a cookie policy that informs end-users of all the different types and categories of cookies in use on your domain, including their purpose, provider, duration, and other technical specifications. In the EU, a cookie policy can be integrated as part of your website’s larger privacy policy.

Are cookies allowed under the EU’s GDPR?

Yes, cookies and trackers that process personal data from users inside the EU are allowed upon obtaining the explicit consent from end-users. However, cookies are not allowed to be activated and used without such consent from the end-user (except cookies that are strictly necessary for the most basic functions of your website).

Does the EU cookie law apply to US websites?

If US websites have visitors from inside the European Union, the EU’s GDPR/ePrivacy Directive data privacy regime requires the websites to ask for and obtain the explicit consent of these users before processing any of their personal data, and to inform them of all cookies and trackers in use on their domains. This is also known as the GDPR’s “extraterritorial scope”, i.e. it applies to websites that process personal data from EU visitors, regardless of where in the world the websites themselves are located.

Resources

The ePrivacy Directive, official law text

Learn more about the EU’s cookie consent requirements

Learn more about the EU’s GDPR and cookies

Learn more about the cookie policy requirements for your website

Learn more about the upcoming ePrivacy Regulation and cookies

Get started with Google Consent Mode

Learn more about Shopify and cookies on your website

Visit the European Data Protection Supervisor

Visit the European Data Protection Board (EDPB)

See the EU Parliament’s review of the ePrivacy Directive

Learn more about compliant website tracking

Visit the New York Times Privacy Project
