25th Nov 2022 
21 Min Read
You must comply with all the relevant cookie laws in your country or wherever the website operates if your website uses cookies to collect or track personal data. The cookie law means that the cookies on your website must be accepted by the visitor and the visitor must be informed about the usage of cookies. This article discusses cookie law and its implications for websites. It also provides steps to comply with the cookie laws in six easy steps.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site. E.g., if you allow your browser to remember your login details, this cookie will be stored and then used when you return to the site.
Cookies work by assigning your computer a unique identification number (an ID) that allows the website to remember things about you as you move around the Internet. When you visit a site that uses cookies, your browser will tell the site which cookie (if any) it has stored for that site. The site can then use that cookie to determine whether you have visited before and what information you may need to complete a task or access certain services. For example, a cookie can contain your user name and password, so you do not have to re-enter them each time you visit the site.
Cookies do not harm your computer, but some people find them annoying because they cannot control what type of cookies the website stores on their device or how their browser uses them.
Read more about internet cookies.
What is a cookie law?
A cookie law is a set of guidelines governing the use of cookies on websites. When you visit a website, some cookies are used to track you and your browsing habits to provide a better experience for you. However, not everybody wants to be tracked by cookies. So, certain laws were created which make it illegal for websites to store cookies without the user’s knowledge or consent.
The reason why these laws have been introduced is to protect the users’ privacy and prevent the misuse of information collected by cookies. Most of the time, companies use the user information for marketing purposes, which could mean that the users get unsolicited advertising.
What is the EU cookie law?
ePrivacy Directive, introduced in 2002 and later amended in 2009, is an EU regulation that protects the confidentiality of electronic communications within the European Union (EU). It applies to all electronic means of communication, including but not limited to e-mail, instant messaging, SMS messages, and phone calls. The Directive regulates how advertisers and other third parties may use electronic communications. It includes provisions that restrict monitoring and blocking of communications, as well as requirements for consent before storing and collecting personal data. It gave the EU member states a framework to make their own laws to implement the Directive. All EU member states have since adopted the Directive in 2011 and implemented their laws.
It was revised to include rules on cookies, tracking, and other similar forms of online tracking, which gave its name “the EU Cookie Law.” The Directive introduced new requirements for websites to gain prior consent from visitors to store or retrieve information on their devices. Additionally, the law dictates that website owners must inform users of the cookies they use and how they will be used. This applies to all websites, no matter where they are hosted.
The law exempts strictly necessary cookies from this. It agrees that cookies are a useful technology; however, it can also affect user privacy. It mandates that a website must:
- Provide clear and precise information about the cookies (including strictly necessary ones) and their purpose when users visit a website.
- Get prior consent from users to store the cookies on their devices.
- Make available an option for users to deny consent to use the cookies.
- Make the means of providing cookie information, opt-out option, and requesting consent as user-friendly as possible.
- Access to the specific website content may be conditional on the informed user consent if it is used for a legitimate purpose.
In 2017, the EU proposed a regulation known as ePrivacy Regulation (ePR), which will repeal ePD. Unlike the Directive, it will become a mandatory law across all member states once it comes into effect. The final draft is expected to address some concerns regarding cookie consent. One main difference from the Directive is that its websites can longer use ‘legitimate interest’ as the basis for using cookies under the ePrivacy Regulation.
As per the recent developments, the final effective date still remains unknown, and with the 24-month transition period, it is unlikely to be before 2023.
Another law from the EU that regulates the use of cookies is the General Data Protection Regulation (GDPR). Compared to the cookie law, the GDPR has broader applicability. The Directive targets personal data collected over an electronic communication service or network and that are publicly available; whereas the Regulation seeks to implement rules for personal data that are not publicly available.
Read more ePrivacy vs. GDPR.
With the exceptions of these and a few other differences, they both have similar clauses, particularly in the case of cookies. Like the ePrivacy law, the Regulation requires websites to get well-informed (all necessary details about cookies and their purpose) GDPR cookie consent from users before storing cookies on their devices, and give them the choice to opt out and withdraw consent. However, unlike The Directive, the GDPR is not lenient about conditional access to websites upon user consent.
What are other major cookie laws outside the EU?
The ePrivacy Directive may have formed the blueprint for the cookie law. However, other laws also regulate cookies and play an important role in shaping the privacy landscape in the world. We will discuss the former EU member, UK’s laws as well as the US laws that form the basis for cookie laws in their respective regions.
Cookie law in the UK
Before Brexit, the UK data privacy landscape included the EU GDPR, ePrivacy Directive and the UK Data Protection Act 2018.
After Brexit, the UK is no longer conformed to the EU cookie law or GDPR unless any business there uses EU individuals’ personal data for offering goods and services or to monitor their behavior.
Organizations that deal with the personal data of UK individuals must comply with the UK-made version of the GDPR. Other than its regime about national intelligence and security, the UK GDPR is borrowed word-to-word from its EU version. So its requirements for cookie usage are the same as the EU GDPR.
To protect the personal data collected via electronic communication networks or services, the UK adopted the Privacy and Electronic Communications Regulations (PECR) derived from the EU ePrivacy Directive.
The Data Protection Act, along with UK GDPR and PECR, form the data privacy and protection landscape of the UK.
The PECR like its EU counterpart has some clauses for cookies. The law advises websites to inform users about cookies, and clearly explains what the cookies do and their purpose. Like the ePrivacy Directive, the PECR also requires websites to get prior consent to store cookies on user devices and the consent is only valid if it is freely given, informed, explicit, specific, and withdrawable.
Cookie law in the US
The United States does not have a cookie law. However, there are federal laws and some state laws that deal with cookie usage.
Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the use of cookies on a website that caters to children under 13 years of age
State laws like the California Consumer Privacy Act (CCPA) also regulated the use of cookies. The CCPA applies to business that caters to California consumers and meets one of the following thresholds:
- Earns over $25 million in annual gross revenue.
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- Derives at least 50% of its annual revenue from selling personal information.
The definition of personal information under CCPA also expands to digital identifiers, such as cookies. It requires websites to inform users about cookies set by the site, its source, purposes, and whom you share the information with. The website must also provide an opt-out choice for users to deny the site from selling or sharing their personal information. This option must be easily accessible and user-friendly.
How to comply with the cookie law?
As we’ve seen many laws have almost the same requirements save for a few clauses. So, if you want your website to comply with these laws, there are some common best practices that you can adapt for it.
#1 Identify cookies
To understand which type of cookies you want to regulate, you must first identify the type of cookies your website uses. You need to understand which cookies need consent to move forward and to block until you receive them.
You can either do manual checking using your browser settings or use a free online cookie scanner.
Check cookies for FREE
CookieServe scans your websites for cookies and generates a detailed report in seconds!
FREE COOKIE CHECKER
*No email required
#2 Update your privacy/cookie policy
A privacy policy tells the website users all about the site’s data collection, use, or disclosure practices. They let the users know about what type of personal data the site collects, from where and why. It tells them how they can manage it, what they can do to exercise their data rights, like the right to access, correct, or delete. The privacy policy also discloses where the website shares the data for its services and how users can contact the site admin to register their complaints or for further queries.
A cookie policy is part of a privacy policy and sometimes, a separate page. You can add details about cookies, and all the other relevant details mentioned above in the privacy policy itself. Or you can add a separate page to share details about cookies.
The policy pages must be readily accessible and easily understandable.
#3 Inform users
The website must inform users about the cookies used by your website and its purposes. Usually, this should be done before the point of collection of data, i.e. the first time the users visit the site. The information should be given in plain and simple language so that the users can make an informed decision about proceeding with the data collection or monitoring by cookies.
The cookie notification is usually implemented via a cookie banner.
#4 Cookie consent
Additionally, the website must also give the option for cookie consent. It must give users the choice to opt in or opt out of cookies. They can select either of these and the website must implement it. That is, if the users choose to opt in, the site can load the cookies. However, if they opt out, the site should not load the cookies.
There is also one more option that the banner must provide for setting user preferences. It will be used by users to give consent to the type of cookies that they want the site to load and block others. You must ensure that the website loads cookies only when the users explicitly give their consent. E.g., by clicking a button or link. Implied consent, i.e. scrolling the website without taking any action or closing the cookie banner is not an indication of opt-in consent. Finally, there should not be any pre-ticked or pre-approved option.
#5 Allow users to withdraw consent
There are times when the users may change their minds and want to withdraw their cookie consent. The website must allow users to do that any time they wish. This allows for a user-friendly system and gives them more control over the privacy of their data. Once they withdraw consent, the website must immediately cease collecting or tracking any personal data using those cookies.
#6 Record cookie consent
Laws like GDPR require websites to be able to prove that they received consent. To do that you must document all the consents users give to your site in case the users ask for it.
Complying with cookie law is easier than before!
Use CookieYes cookie consent manager to comply with major cookie laws on the world.
TRY IT FREE
*No credit card required. Upgrade any time.
Frequently asked questions
What does the cookie law require?
The cookie law requires websites to get prior consent from users for storing cookies on their devices. It mandates that websites should only store cookies upon receiving the opt-in consent from them and otherwise block the cookies from loading. The request for consent should be preceded by a notification about cookies and why they are used so that the users can make a well-informed decision.
What is the cookie law and why is it important?
The cookies law is a part of the privacy legislation that regulates the use of cookies on websites. The EU cookie law mandates websites to:
- Provide information about the cookies and their purpose when users visit a website.
- Get user consent to store cookies on their devices.
- Let users opt out of cookies
- Make cookie opt-in and opt-out options as easy as possible.
- Allow conditional access to the website upon user consent.
Who needs a cookie policy?
A website needs a cookie policy if it uses cookies that collect, use, or disclose the personal data of its users. They need the cookie policy to inform users about the same and give detailed overviews of the cookies that will be stored on user devices. The website must explain how users can opt out of it and block such cookies.
Should I accept cookies?
Accepting cookies depends upon the type of cookies the website is using. In case the cookies use technical cookies that are required for any service that the user may require, there is no point in denying consent to them. However, some cookies will use the personal data to track users’ online activities and might disclose such information to third parties, you can choose to not accept them.
How does cookie consent work?
Cookie consent works by allowing website users to opt in, opt out or consent to specific cookie types. It gives them the control to decide if they want the website to load the cookies on their devices. It is implemented via cookie banners or popups that show up when users visit the website for the first time.
4 Comments
Stephen Panting
My concern is the language. You say only “plain and simple language”, but even within the EU many languages are used. Is it required to detect the language of the user and display in that language? Doing that infringes their privacy ! My website is aimed at many if not all countries, though most is written in English. Should I use English for all pages ? That fails to provide “plain and simple language” for non-English speakers.
Regards Steve in Shanghai
2 years ago
Shreya
Hi Stephen,
This is a great question. I can answer this by quoting the Art. 7.2 of GDPR: “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
The article says that you have to make sure the language is understandable and easy to read. You have to use language that’s clear and simple so that people don’t get confused about what they’re agreeing or not agreeing to.
“intelligible”, “accessible”, & “clear and plain” do have a lot of significance here. The GDPR wants you to ask for permission in a way that meets all these requirements; regardless of the language, you use. English is obviously the first and safe choice for worldwide communication. However, since many countries have separate regulations, it would mean you’ll have to look at each law to decide if you should provide translated copies specific to the jurisdiction. You can have a look at your most visited by regions and use tools that can automatically translate the content into those languages.
I don’t think you need to translate all the pages, but those that ask for user consent and legal pages like privacy policy, cookie policy and terms & conditions.
2 years ago
Penny
You say it is for our Privacy BUT that our information and online use can be disclosed and tracked, how can that be “for our Privacy” you say there are different kinds of cookies, how do we tell one from another? Lastly, why do only SOME sites offer a “reject all” option as opposed to a complex “choose which cookies” when most public are not experienced enough to distinguish? If i am not offered a reject all i just reject them and find another website. I always do.
10 months ago
Shreya
Cookies serve different purposes, and not all of them invade privacy. While some cookies may track personal information, others are necessary for website functionality or improving the user experience. The availability of a “reject all” option versus a more detailed “choose which cookies” option depends on the website. Granular options help users understand and decide which cookies to accept. Checking a website’s privacy policies can provide further details in this regard. Ideally, it is recommended that all websites offer both a “reject all” and a granular option, allowing users to have greater control. However, the inclusion of such options ultimately depends on the privacy laws applicable to the website. If you feel uncomfortable with a website’s cookie settings, it is reasonable to look for an alternative.
10 months ago