The EU e-Privacy Directive is a part of the European Union's strive to enhance online privacy for its citizens.
The Cookies Directive was adopted as an amendment to the e-Privacy Directive in May of 2011 by all countries in the EU.
Websites that are either owned by EU businesses or directed towards EU citizens must inform visitors that cookies are in use, how these cookies are used, and obtain consent before cookies can be used.
You can do that through a Cookies Policy or a Privacy Policy.
You must give users of your website/mobile app the right to refuse the use of cookies. This can mean that users can't use your website/mobile app to its full functionality, but users must be able to refuse.
Websites are able to satisfy this requirement by using pop-up windows or notifications in the top headers that either included information about cookies or provided a link to where this information was located on the website (i.e. to a separate Cookies Policy or to the website's existing Privacy Policy with a Cookies-specific section.)
Below are two examples of ways that websites could satisfy the EU Cookies Directive with informative pop-ups and header banners.
Here's how the BBC notifies users about cookies:
Here's how the ICO website does it:
Methods of opting out of cookie usage must also be put in place and made known to your website visitors.
Requirements by the EU Cookies law
The following are minimum requirements that all businesses within the EU must follow.
Country-specific differences in requirements above and beyond these minimums are discussed after this section, at Country-specific differences.
1. Users must be informed that cookies are being used on your website, including:
- What cookies are used
- Why they are used
- How they are used
You can provide a notice, such as a banner, that makes it clear to users that your website or mobile app is using cookies.
This notice:
- Must be written in clear language that's easy to understand and placed somewhere easy to notice on the website or mobile app, and
- Must provide a link where the detailed Cookies Policy is located on your website or a link to your Privacy Policy where a "Cookies" section is added, if you don't use a separate Cookies Policy agreement for this purpose.
Below is an example from the Thomas Cook website with a huge banner that provides adequate notice, links to its Cookie Policy and has a clear button for accepting cookies.
2. Prior informed, specific, and voluntary consent must be obtained before cookies are placed on a user's computer equipment and before information about a user's computer equipment is accessed.When obtaining consent, there are two methods that are allowable here:
-
Affirmative action/explicit consent
Clear and explicit affirmative consent can be obtained by placing a check box or a clickable button in the notice and requiring a user to click in order to consent.
The example below shows a button that is labeled with "I Agree" and will work to obtain affirmative consent.
-
Further browsing/implied consent
Implied consent will qualify as enough consent to make cookies placement valid so long as the following conditions are met:
- There must be a notice that cookies are being used, and it must be displayed in a clearly visible and unmissable way on the homepage so that upon first visiting the site or using the mobile app, a user will see it
- This notice must make it very clear to the user that by continuing to browse the website, consent to place cookies on their device will be implied
- This notice must remain visible until the user actually continues browsing the website
Below is an example of how implied consent can be obtained by using banner ads that make it known that continuing to browse will be taken as consent.
Exceptions to the consent requirement
The following types of cookies can be used without first obtaining consent from the user:
- Cookies that are used solely for the purpose of transmitting a communication, and
- Cookies that are absolutely necessary for a website to provide the service that the user is requesting.
Examples of cookies under these exceptions include:
-
Authentication Cookies that identify a user for the duration of the session once that user logs in to a website and uses the site.
Below is an example of a user login box that would place an authentication cookie on a user's computer when the "Remember Me" box is checked so that the user will actually be remembered the next time he reaches this page and this login box:
-
Multimedia Content Player Cookies that store technical data for the duration of a session where video or audio content is played on a website.
Here's how SoundCloud always links to its Cookies Policy from all embeds:
- User Input Cookies that help keep track of data a user puts in to a website during a session, including information for filling out forms, or for items added to an e-commerce site shopping cart.
Country-specific differences
While the above requirements are the minimum requirements that all EU member countries must follow, a number of countries have adopted custom measurements to ensure and enhance online privacy.
Here's the full list of EU countries with additional requirements:
| Country | Additional Requirements and Instructions |
| Austria | Users must be informed of:
Implied consent to use cookies is allowed under amendments to the Telecommunications Act when browser or app settings infer consent. |
| Belgium | Website operators are allowed to rely on implied consent when that implied consent is "freely given, unambiguous, specific and informed." |
| Bulgaria |
|
| Denmark | The first time a visitor visits a website, he must be given notice that includes:
The Cookie Policy must be easily accessible and visible, such as by placing a link at the top or bottom of a website alongside the Terms and Conditions or Privacy Policy links. |
| Finland | Consent may be obtained via browser or other app settings. |
| France | Consent may be obtained via browser or other app settings. A 2-step process is required.
Step 1: Place a Cookie Banner
Step 2: Cookie Notice A website must have a separate page that contains information on:
This page must be linked to in the cookie banner. |
| Germany | If consent is obtained electronically, the operator of the website must ensure the following:
|
| Greece | Consent may be obtained via browser or other app settings. |
| Hungary | Consent may be obtained via browser or other app settings.
Consent is allowed to be obtained after cookies have been placed on a user's device. |
| Iceland | Consent may be obtained via browser or other app settings. |
| Ireland | Regulations are rather vague here when it comes to how information about cookies is shared with visitors to a website, and how consent should be obtained and say that this should all be as user-friendly as possible.
While consent may be obtained via browser or other app settings, a Guidance Note by the Data Protection Office states that settings that are currently available as standard on website browsers are not sufficient to be used to obtain consent. |
| Italy | When a user accesses a website, a banner must immediately appear that contains cookies notice, including:
If any technologies that allow profiling, such as analyzing purchase behavior or user choices to identify the unique personality traits of a user are used, notification must be given to the Italian Data Protection Authority. |
| Latvia | Consent can only be obtained by a strict opt-in method. No implied consent is allowed. |
| Lithuania | The State Data Protection Inspectorate has provided the following ways for consent to be obtained:
|
| Luxembourg | Information about cookies, consent, and the offering of the right to refuse consent to cookies being used must be provided in a way that is as user-friendly as possible.
Consent may be obtained via browser or other app settings. |
| Malta | While consent may be obtained via browser or other app settings, the local DPA recommends against relying on this method as the method of establishing consent. |
| Netherlands | Identities of any and all third-party ad networks on a website must be disclosed to users of the site. Clicking on a link to obtain more information about the cookies in use on a site does not count as obtaining consent.
Cookie policies must be site-specific and not generic. |
| Norway | Consent may be obtained via browser or other app settings as long as somewhere on the website there is clear and user-friendly information about:
|
| Poland | Consent may be obtained via browser or other app settings. |
| Romania | Users must be given clear, comprehensive information about cookies usage. This information must satisfy Romanian data protection rules that require transparency information about how individual personal data is processed by a website.
Consent may be obtained via browser or other app settings. |
| Slovakia | Consent may be obtained via browser or other app settings. |
| Slovenia | Consent may be obtained via browser or other app settings. |
| Spain | A user must take a conscious and positive action in order for consent to be obtained or implied, and a user must be informed of what action/s will amount to appropriate consent.
Common and preferred methods include standard "click to accept" boxes in agreements. Separate Cookies policies are suggested, separating this information from Terms and Conditions and Privacy Policies. |
| Sweden | Consent may be obtained via browser or other app settings, but this may change in the future. |
| United Kingdom | Consent may be obtained via browser or other app settings, however the ICO has indicated that current standard browser settings options are not sufficient for obtaining this consent.
Explicit and active consent are highly favored and recommended. Website owners and operators are expected to conduct cookie audits on their websites and determine appropriate cookie consent strategies meant to protect privacy of users. |
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.
