The EU e-Privacy Directive is part of the European Union's effort to enhance online privacy for its citizens.
The Cookies Directive was adopted as an amendment to the e-Privacy Directive in May of 2011 by all countries in the EU.
Websites that are either owned by EU businesses or directed towards EU citizens must inform visitors that cookies are in use and how these cookies are used, and must obtain consent before cookies can be used.
Below are two examples of ways that websites could satisfy the EU Cookies Directive with informative pop-ups and header banners.
Here's how the BBC notifies users about cookies:
Here's how the ICO website does it:
Methods of opting out of cookie usage must also be put in place and made known to your website visitors.
The following are minimum requirements that all businesses within the EU must follow.
Country-specific differences in requirements above and beyond these minimums are discussed after this section, at Country-specific differences.
1. Users must be informed that cookies are being used on your website, including:
You can provide a notice, such as a banner, that makes it clear to users that your website or mobile app is using cookies.
2. Prior informed, specific, and voluntary consent must be obtained before cookies are placed on a user's computer equipment and before information about a user's computer equipment is accessed. Two methods of obtaining consent are allowable:
Affirmative action/explicit consent
Clear and explicit affirmative consent can be obtained by placing a check box or a clickable button in the notice and requiring a user to click in order to consent.
The example below shows a button that is labeled with "I Agree" and will work to obtain affirmative consent.
Further browsing/implied consent
Implied consent will qualify as enough consent to make cookie placement valid so long as the following conditions are met:
Below is an example of how implied consent can be obtained by using banner ads that make it known that continuing to browse will be taken as consent.
The following types of cookies can be used without first obtaining consent from the user:
Examples of cookies under these exceptions include:
Authentication Cookies that identify a user for the duration of the session once that user logs in to a website and uses the site.
Below is an example of a user login box that would place an authentication cookie on a user's computer when the "Remember Me" box is checked so that the user will actually be remembered the next time he reaches this page and this login box:
Multimedia Content Player Cookies that store technical data for the duration of a session where video or audio content is played on a website.
Here's how SoundCloud always links to its Cookies Policy from all embeds:
While the above requirements are the minimum requirements that all EU member countries must follow, a number of countries have adopted custom measures to ensure and enhance online privacy.
Here's the full list of EU countries with additional requirements:
|Country||Additional Requirements and Instructions|
|Austria||Users must be informed of:
|Belgium||Website operators are allowed to rely on implied consent when that implied consent is "freely given, unambiguous, specific and informed."|
|Denmark||The first time a visitor visits a website, he must be given notice that includes:
|Finland||Consent may be obtained via browser or other app settings.|
|France||Consent may be obtained via browser or other app settings. A 2-step process is required.
Step 1: Place a Cookie Banner
Step 2: Cookie Notice
A website must have a separate page that contains information on:
This page must be linked to in the cookie banner.
|Germany||If consent is obtained electronically, the operator of the website must ensure the following:
|Greece||Consent may be obtained via browser or other app settings.|
|Hungary||Consent may be obtained via browser or other app settings.
Consent is allowed to be obtained after cookies have been placed on a user's device.
|Iceland||Consent may be obtained via browser or other app settings.|
|Ireland||Regulations are rather vague about how information about cookies is shared with visitors to a website and how consent should be obtained; they say that this should all be as user-friendly as possible.
While consent may be obtained via browser or other app settings, a Guidance Note by the Data Protection Office states that settings that are currently available as standard on website browsers are not sufficient to be used to obtain consent.
|Italy||When a user accesses a website, a banner must immediately appear that contains a cookie notice, including:
If any technologies that allow profiling, such as analyzing purchase behavior or user choices to identify the unique personality traits of a user, are used, notification must be given to the Italian Data Protection Authority.
|Latvia||Consent can only be obtained by a strict opt-in method. No implied consent is allowed.|
|Lithuania||The State Data Protection Inspectorate has provided the following ways for consent to be obtained:
|Luxembourg||Information about cookies, consent, and the offering of the right to refuse consent to cookies being used must be provided in a way that is as user-friendly as possible.
Consent may be obtained via browser or other app settings.
|Malta||While consent may be obtained via browser or other app settings, the local DPA recommends against relying on this method as the method of establishing consent.|
|Netherlands||Identities of any and all third-party ad networks on a website must be disclosed to users of the site. Clicking on a link to obtain more information about the cookies in use on a site does not count as obtaining consent.
Cookie policies must be site-specific and not generic.
|Norway||Consent may be obtained via browser or other app settings as long as somewhere on the website there is clear and user-friendly information about:
|Poland||Consent may be obtained via browser or other app settings.|
|Romania||Users must be given clear, comprehensive information about cookie usage. This information must satisfy Romanian data protection rules that require transparent information about how individual personal data is processed by a website.
Consent may be obtained via browser or other app settings.
|Slovakia||Consent may be obtained via browser or other app settings.|
|Slovenia||Consent may be obtained via browser or other app settings.|
|Spain||A user must take a conscious and positive action in order for consent to be obtained or implied, and a user must be informed of what action/s will amount to appropriate consent.
Common and preferred methods include standard "click to accept" boxes in agreements.
Separate Cookies policies are suggested, separating this information from Terms and Conditions and Privacy Policies.
|Sweden||Consent may be obtained via browser or other app settings, but this may change in the future.|
|United Kingdom||Consent may be obtained via browser or other app settings; however, the ICO has indicated that current standard browser settings options are not sufficient for obtaining this consent.
Explicit and active consent are highly favored and recommended.
Website owners and operators are expected to conduct cookie audits on their websites and determine appropriate cookie consent strategies meant to protect the privacy of users.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
24 June 2019