Cookies are small pieces of text (a name, a value and attributes such as expiry and domain) that a website asks your browser to store and to send back with later requests to that site. They are widely used to make websites work, or work more efficiently, and to report information to the site owner. For example, if you allow a site to keep you signed in, it sets a cookie carrying a session identifier, and your browser presents that cookie when you return.
Cookies do not harm your computer by themselves, but the cookie that keeps you signed in is exactly what an attacker needs to impersonate you, and third-party cookies let advertisers recognise you across unrelated sites. Some people dislike them because they have little visibility into which cookies a site stores or what they are used for, even though every major browser lets you view, block and delete them.
What is a cookie law?
These laws were introduced to protect users' privacy and to prevent misuse of the information collected through cookies. Most of the time companies use that information for marketing, which can mean users receive unsolicited, targeted advertising.
What is the EU cookie law?
The ePrivacy Directive (Directive 2002/58/EC), adopted in 2002 and amended in 2009, protects the confidentiality of electronic communications within the European Union (EU). It applies to all electronic means of communication, including but not limited to e-mail, instant messaging, SMS messages and phone calls, and regulates how advertisers and other third parties may use them. It restricts monitoring and interception of communications and requires consent before information is stored on, or read from, a user's device. Being a directive rather than a regulation, it does not apply directly: it gives member states a framework, and each has transposed it into its own national law (the deadline for transposing the 2009 amendment was May 2011).
The 2009 revision added rules on cookies and similar online tracking techniques, which earned it the name "the EU Cookie Law". It requires websites to obtain prior consent from visitors before storing information on, or retrieving it from, their devices, and to tell users which cookies they use and what they are used for. It applies to any website that serves users in the EU, wherever the site is hosted.
Cookies that are strictly necessary to provide a service the user has explicitly requested (for example the session cookie that keeps a shopping basket together) are exempt from the consent requirement. The law recognises cookies as a useful technology, but also one that can affect user privacy, so it mandates that a website must:
- Provide clear and precise information about the cookies (including strictly necessary ones) and their purpose when users visit a website.
- Get prior consent from users to store the cookies on their devices.
- Make available an option for users to deny consent to use the cookies.
- Make the means of providing cookie information, opt-out option, and requesting consent as user-friendly as possible.
- Access to the specific website content may be conditional on the informed user consent if it is used for a legitimate purpose.
In 2017 the EU proposed the ePrivacy Regulation (ePR), which would repeal the Directive. As a regulation it would apply directly and uniformly in every member state instead of through national transposition. The draft was expected to address several concerns about cookie consent; one notable difference is that websites would no longer be able to rely on 'legitimate interest' as a basis for using cookies.
At the time of writing the final effective date remained unknown; with the planned 24-month transition period it was not expected to apply before 2023. (The European Commission has since, in its 2025 work programme, announced the withdrawal of the proposal, so the Directive and the national laws based on it remain the applicable rules.)
The GDPR (General Data Protection Regulation), which has applied since May 2018, overlaps with the ePrivacy rules wherever cookies hold personal data, and apart from a few differences the two have similar requirements. Like the Directive, the GDPR requires websites to obtain well-informed consent (all necessary details about the cookies and their purpose) before storing cookies on users' devices, and to let users opt out and withdraw consent. Unlike the Directive, however, the GDPR is not lenient about conditional access: consent is not treated as freely given when access to a site is made conditional on it (Article 7(4)).
What are other major cookie laws outside the EU?
The ePrivacy Directive may have formed the blueprint for cookie laws, but other laws also regulate cookies and shape the privacy landscape worldwide. Below we look at the laws of the UK, a former EU member, and of the US, which form the basis for cookie rules in their respective regions.
Cookie law in the UK
Before Brexit, the UK data privacy landscape included the EU GDPR, ePrivacy Directive and the UK Data Protection Act 2018.
After Brexit, the UK is no longer bound by the EU cookie law or the EU GDPR, except that a UK business which offers goods or services to individuals in the EU, or monitors their behaviour, still falls within the EU GDPR's scope.
Organisations that process the personal data of UK individuals must comply with the UK GDPR, the UK's retained version of the regulation. Apart from its provisions on national intelligence and security, its text is essentially identical to the EU version, so its requirements for cookie usage are the same as the EU GDPR's.
To protect the personal data collected via electronic communication networks or services, the UK adopted the Privacy and Electronic Communications Regulations (PECR) derived from the EU ePrivacy Directive.
The Data Protection Act, along with UK GDPR and PECR, form the data privacy and protection landscape of the UK.
Like its EU counterpart, PECR has clauses on cookies. It requires websites to inform users about the cookies they use and to explain clearly what the cookies do and why. Like the ePrivacy Directive, PECR requires prior consent before storing cookies on a user's device, and since 2018 that consent is judged by the GDPR standard: it is valid only if freely given, specific, informed and unambiguous (a clear affirmative action), and it must be as easy to withdraw as it was to give.
Cookie law in the US
The United States has no single federal cookie law, but federal consumer-protection rules and a growing number of state privacy laws govern how cookies may be used. The most significant is the California Consumer Privacy Act (CCPA), which applies to a for-profit business that does business in California, collects Californians' personal information and meets at least one of the following thresholds:
- Earns over $25 million in annual gross revenue.
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- Derives at least 50% of its annual revenue from selling personal information.
The CCPA's definition of personal information expressly includes unique identifiers such as cookies. Businesses must tell users which cookies the site sets, where they come from, what they are used for and with whom the information is shared. They must also offer an easy-to-find, user-friendly way for users to opt out of the sale or sharing of their personal information (the "Do Not Sell or Share My Personal Information" link).
How to comply with the cookie law?
As we've seen, these laws share most of their requirements and differ in only a few clauses. If you want your website to comply with them, there are some common best practices you can adopt.
#1 Identify cookies
To know which cookies you must regulate, first take an inventory of every cookie your website sets, including those set by third-party scripts such as analytics and advertising tags. Classify each one by purpose so you know which cookies are strictly necessary and which need consent, and must therefore be blocked until that consent is received.
#2 Publish a cookie policy
Document the cookies identified in step 1, what each one does and how long it persists, in a cookie policy (or a cookie section of your privacy policy). The policy pages must be readily accessible and easily understandable.
#3 Inform users
The website must inform users about the cookies used by your website and its purposes. Usually, this should be done before the point of collection of data, i.e. the first time the users visit the site. The information should be given in plain and simple language so that the users can make an informed decision about proceeding with the data collection or monitoring by cookies.
The cookie notification is usually implemented via a cookie banner.
#4 Cookie consent
Additionally, the website must offer a consent choice: users can opt in or opt out, and the site must honour whichever they select. If users opt in, the site may set the cookies; if they opt out, it must not.
The banner must also provide a preferences option through which users consent to some categories of cookies and refuse others. Make sure the website sets non-essential cookies only after users explicitly give consent, for example by clicking a button or link. Implied consent does not count: scrolling the page, continuing to browse or closing the banner is not opt-in consent. Finally, no option may be pre-ticked or pre-approved.
#5 Allow users to withdraw consent
Users may change their minds and want to withdraw their cookie consent, and the website must let them do so at any time, as easily as they gave it. This gives them control over the privacy of their data. Once consent is withdrawn, the website must immediately stop collecting or tracking personal data through those cookies and should delete or expire them.
#6 Record cookie consent
Laws like the GDPR require you to be able to demonstrate that consent was obtained (Article 7(1)). So keep a record of every consent your site receives: what was consented to, when, how it was given and which version of the notice was shown, so you can produce it if a user or a regulator asks.
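How the six steps above fit together in code, as an added example that is not part of the original article: a consent gate in JavaScript that classifies cookies by category (step 1), refuses to set a non-essential cookie until the user has explicitly opted in (step 4), purges cookies when consent is withdrawn (step 5) and keeps a dated, versioned record of every consent event (step 6). The cookie names, the category list and the policy version are assumptions made up for the example, and the in-memory jar stands in for document.cookie so that the code runs outside a browser.

```javascript
// Added example (not from the original article). Cookie names, categories
// and POLICY_VERSION are assumptions; replace them with your own audit results.

const POLICY_VERSION = '2024-01-v1'; // bump whenever the notice or cookie list changes

// Step 1: the cookie inventory grouped by category. Only "necessary" is exempt.
const CATEGORIES = {
  necessary: { required: true,  cookies: ['session_id', 'csrf_token', 'cookie_consent'] },
  analytics: { required: false, cookies: ['_ga', '_gid'] },
  marketing: { required: false, cookies: ['_fbp', 'ad_uid'] },
};

function categoryOf(name) {
  for (const [cat, def] of Object.entries(CATEGORIES)) {
    if (def.cookies.includes(name)) return cat;
  }
  return null; // unknown cookie: fail closed, it is never set
}

// Minimal cookie jar so the example runs outside a browser. In a page you
// would wrap document.cookie behind the same four methods.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;
    this.now = now;
    this.record = null; // nothing is pre-ticked: no record means "not consented"
    this.log = [];      // step 6: append-only audit trail of consent events
  }

  // Step 4: required categories are always allowed; optional ones only after opt-in.
  allowed(category) {
    const def = CATEGORIES[category];
    if (!def) return false;
    if (def.required) return true;
    return this.record !== null && this.record.choices[category] === true;
  }

  // Every cookie write goes through here, so no tag can bypass the gate.
  setCookie(name, value) {
    const cat = categoryOf(name);
    if (cat === null || !this.allowed(cat)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Steps 4 and 5: call this only from an explicit user action (a button click).
  // Scrolling or dismissing the banner must never reach this method.
  save(choices, source) {
    const sanitized = {};
    for (const [cat, def] of Object.entries(CATEGORIES)) {
      sanitized[cat] = def.required ? true : choices[cat] === true; // absent = refused
    }
    this.record = { version: POLICY_VERSION, timestamp: this.now(), choices: sanitized, source };
    this.log.push({ ...this.record });
    this.enforce();
    return this.record;
  }

  acceptAll() {
    const all = {};
    for (const cat of Object.keys(CATEGORIES)) all[cat] = true;
    return this.save(all, 'accept_all');
  }
  rejectAll() { return this.save({}, 'reject_all'); }
  withdraw()  { return this.save({}, 'withdraw'); }

  // Step 5: after any change, purge cookies the user no longer allows and
  // persist the record in a strictly necessary cookie.
  enforce() {
    for (const name of this.jar.names()) {
      const cat = categoryOf(name);
      if (cat === null || !this.allowed(cat)) this.jar.remove(name);
    }
    this.jar.set('cookie_consent', JSON.stringify(this.record));
  }

  // Steps 3 and 6: re-prompt when there is no record or the notice has changed.
  needsPrompt() {
    return this.record === null || this.record.version !== POLICY_VERSION;
  }
}

// Demo on a constructed in-memory jar.
const demoJar = new MemoryJar();
const demo = new ConsentManager(demoJar);
demo.setCookie('session_id', 'abc123');          // allowed: strictly necessary
demo.setCookie('_ga', 'GA1.2.1');                 // refused: no opt-in yet
demo.save({ analytics: true }, 'preferences_dialog');
demo.setCookie('_ga', 'GA1.2.1');                 // allowed now
demo.withdraw();                                  // _ga purged, session_id survives
console.log(demoJar.names(), demo.log.length);
```

In a real page the jar would be a thin wrapper around document.cookie, and every script that wants to set a cookie, including third-party tags (which you would load only once their category is allowed), would go through setCookie rather than writing document.cookie directly. Storing the consent record in a strictly necessary cookie together with the policy version means the user is re-prompted when the notice changes, which also covers the "inform" step on later visits.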
Frequently asked questions
What does the cookie law require?
The cookie law requires websites to obtain prior consent from users before storing cookies on their devices. Websites may set non-essential cookies only after receiving opt-in consent and must otherwise not set them. The request for consent must be preceded by a notice explaining which cookies are used and why, so that users can make a well-informed decision.
What is the cookie law and why is it important?
Cookie laws are the rules, originating in the EU ePrivacy Directive, that govern storing information on a user's device and reading it back. They matter because they give users control over how they are tracked online. In practice they require websites to:
- Provide information about the cookies and their purpose when users visit a website.
- Get user consent to store cookies on their devices.
- Let users opt out of cookies
- Make cookie opt-in and opt-out options as easy as possible.
- Condition access to site content on consent only where the cookies serve a legitimate purpose.
Should I accept cookies?
Whether to accept cookies depends on what the website uses them for. Strictly necessary (technical) cookies are required for the service you asked for, such as staying signed in, so there is little point in refusing them. Other cookies use personal data to track your activity across sites and may pass it to third parties; you can choose not to accept those.
How does cookie consent work?
Cookie consent works by letting website users opt in, opt out, or consent to specific cookie categories. It gives them control over whether the website sets cookies on their devices. It is usually implemented with a cookie banner or pop-up shown on a user's first visit, which blocks non-essential cookies until a choice is made and records that choice.