Ultimate Guide to EU Cookie Laws

If you run a website, it’s a safe bet you use cookies. If you live in Europe and your site uses cookies, you may be breaking the law.

Cookies have become an essential part of our web browsing experience. They make it possible for the websites we visit most to keep track of our preferences without forcing us to log in each time. They allow sites to remember our user names. They enable online stores to keep track of items we’ve put in our shopping carts. They provide the necessary data for some of the most popular website analytic tools. In a lot of ways, they make the Internet act the way we expect it to.

So why did the EU feel it needed to regulate cookies?

Unfortunately, the use of cookies also raises a number of privacy concerns. Tracking cookies, 3rd party cookies placed on sites for advertising purposes, can collect your browsing habits, see what type of products you view, and what you purchase. They use that information to feed you targeted ads, both on the original site you visited and any other sites that have the same 3rd party cookies installed. So if you’re browsing SSD drives on Amazon, you may start seeing advertisements for SSD deals while you’re browsing Facebook or visiting your favorite tech store.

For some internet users, this is extremely useful. If you’re trying to find the best price for a product, that 3rd party add might have exactly what you’re looking for. And for site owners, tracking cookies can be very lucrative. The more targeted your ads, the better chance users will click on them. Most internet users have largely accepted that tracking cookies are a necessary evil to keep our favorite sites free. But for many, cookies make it far too easy for websites to track our every online move and use our browsing histories for their own personal gain.

In 2011, the European Union agreed. They felt internet users had to right to understand what and how cookies were being used by the websites they visit and the ability to opt-out of those cookies when necessary.

With the passing of Directive 2009/136/EC, which has come to be known as the Cookie Law, the European Parliament mandated that all countries within the EU must setup laws requiring websites to obtain informed consent before they can store or retrieve information on a visitor’s computer or web-enabled device.

In other words, if you’re in Europe and host a website that uses cookies, you are required to tell your visitors that you’re using cookies, let them know what those cookies are being used for, and get their consent before you can place cookies on their device.

What is the EU Cookie Legislation?

The EU Cookie Legislation began as a directive from the European Union, which was intended to protect online privacy. Some variation on the policy has since been adopted by all countries within the EU.

The EU Cookie Legislation requires 4 actions from website owners who use cookies:

  1. When someone visits your website, you need to let them know that your site uses cookies.
  2. You need to provide detailed information regarding how that cookie data will be utilized.
  3. You need to provide visitors with some means of accepting or refusing the use of cookies in your site.
  4. If they refuse, you need to ensure that cookies will not be place on their machine.

How you handle these requirements is entirely up to you, and we’ll discuss some of your options later. The important part is that you handle them.

Some Cookies Don’t Need Consent

Of course, not all cookies are evil. In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are “strictly necessary” to fulfill the services requested by your site visitors.

This exception is particularly important for online retailers. When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.

The exact scope of what is “strictly necessary” is not clearly defined. In the case above, anyone coming to your site to shop expects that the shopping cart will function. These cookies are necessary. On the other hand, providing your customers with a customized user experience or tailored product suggestions is not a requirement for an online store, and cookies that enable these features do not fall under the “strictly necessary” category. You’ll need to get consent before you use them.

Cookies that provide security features for websites where high levels of security are expected, such as online banking sites, are also deemed strictly necessary.

The exact EU guidelines regarding the “strictly necessary” exception read as follows:

“This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

If you are uncertain whether your cookies are strictly necessary, it’s best to consult your local regulators. They can provide additional insight and specific guidelines for your country. In general, it is best to err on the side of caution. Unless you absolutely know your cookies are strictly necessary, assume they are not.

Any cookie that does not fall under the “strictly necessary” definition needs consent before you can store it on a visitor’s device.

This is Not Just for Cookies

The Cookie Legislation is not restricted to cookies. In fact, cookies are never mentioned in the regulation itself. There are plenty of ways to store user information, and many of those involve pushing files to the user’s computer, phone, or tablet. The regulation purposely avoids naming any technology explicitly, in order to include all such technologies, as well as yet-to-be-created technologies.

So what does that mean? Cookies are the most common technology used to store user information on their personal device, which is why the regulation is commonly known as the Cookie Legislation or Cookie Law. However, any other technology that stores information within a user’s web browser or anywhere else on their device, must be disclosed and receive approval. This includes tools such as Flash and HTML5 Local Storage, both of which store information locally in a similar fashion as cookies.

Does This Affect Me?

That depends on whether or not your website uses cookies. Chances are, it does, even if you don’t realize it.

Most modern content management systems, such as WordPress or Drupal, use cookies in order to verify who you are, log you in, or track your comments. Blogging software, forums, and many other web applications utilize cookies for many of the same reasons. Online stores utilize cookies for everything from the shopping cart to user logins to tailored product suggestions. If you use Google Analytics, Google AdSense or AdWords, or social media plugins such as “like” buttons, your website uses cookies. If you have any embedded YouTube videos or other media content, these may also contain cookies.

If you are still unsure, you can view the cookies on your site using Google Chrome. Just open the Developer Tools and click on the Resources tab. There you can view any cookies on the current page. Make sure to visit every page, and test every possible interaction point: leave a comment, login, like the page on Facebook, etc. If you don’t find any cookies, you probably don’t have to worry. But if there are cookies, it’s time to consider your options.

How Do I Comply With EU Cookie Law?

The EU regulations do not set out specific compliance requirements. They simply establish high-level requirements. How you comply with those, is largely up to you. Here are a few options:

Option 1 – Get rid of your cookies

This seems pretty obvious, but it may not be as easy as you think. If you just have a simple, static website, getting rid of your cookies should be easy. Use the Google Chrome method above to figure out where cookies exist, and get rid of that code. It may be as simple as removing a comments field or that rarely-used “like” button.

However, if your website has anything more complicated than static HTML, getting rid of your cookies will be a lot harder, and you have to consider what you will be sacrificing in the process. If you post a daily blog to your site, cookies are essential for comments. Do you want to lose comments just to avoid telling your visitors about cookies? Probably not.

Option 2 – Add a Pop-Up or Similar Technology

There are no specific instructions regarding how users need to be informed, or precisely what information you need to provide them with. However, there are some generally accepted approaches.

First, you need to let users know that cookies are being used. This can be done through a pop up, header bar, or similar technology. The wording does not need to be complex or even detailed at this point. Details can be provided elsewhere. The important thing is that the warning exists, and that it includes the option to opt-out of cookies.

If you’re not sure what that would look like, there’s a great example from ICO, the UK’s regulation body responsible for enforcing the Cookie Legislation. When you first access their website, the follow pop-up appears:

We have placed cookies on your device to help make this website better.

You can use this tool to change your cookie settings. Otherwise, we’ll assume you’re OK to continue.

The pop up/header bar you use must have a place for users to consent or opt-out of cookies. If users ignore the warning, you can generally assume consent.

Option 3 – Get Implied Consent

Depending on your country’s interpretation of the law, you may only need to get a user’s “implied consent.” Rather than forcing every user to click “accept” before they can access your site, you can instead display a short message informing them that cookies are being used, typically through a header bar or some other non-obstructive method. After a predefined period of time, which may be as short as a few seconds, the announcement can disappear. If the user remains on your site, consent is implied.

This is the method the UK government uses; however, before you decide to take this route, you should check with your local regulator to ensure it meets your country’s requirements.

Option 4 – Add It to Your Terms and Conditions

Including a pop up may not provide the best user experience, so some companies have opted for including the cookie disclosure within their terms and conditions. This can be a very effective and non-intrusive method, but there are a couple of caveats.

First, users have to agree to the use of cookies, so if you include the information in your T&Cs, you need a way for users to approve your T&Cs. This is usually done as part of a sign-up or registration process. If your website does not require users to sign up, this option probably won’t work for you.

Second, you cannot simply add the cookie language to your existing terms and conditions, because you need to gain consent specifically for the use of cookies. This means, if you already have users who have agreed to your T&Cs, after adding the cookie language you will need to prompt them to review and agree to the new T&Cs.

Option 5 – Get a program to do it for you

There are plenty of applications and plugins available that can help you comply with cookie laws. Depending on the program, they may be able to assist you with such tasks as identifying cookies on your website, creating a detailed list of how your cookies are used, informing users about cookie use, and obtaining their consent. Some programs will even adjust settings and information as cookies change.

Programs like Cookie Consent and Cookie Control can help you automate the consent process. If you’re running WordPress, there are a number of plugins available, such as Cookie Law Info. Many of these programs are available for free or low cost, and can make the entire process much simpler.

When to obtain consent?

Consent should be obtained the first time a user visits your site. It does not need to be obtained upon return visits (you should be able to identify return visitors, thanks to cookies). Once consent is received, you can assume the user consents to those same cookies each time they return. You also do not need to obtain consent every time you change cookies. Provided you have already explained the purposes of the cookies on your website, changes to those cookies do not represent a violation of the original agreement, unless you have made significant changes to the way cookie information is being used. In that case, you will need to prompt users for consent once again.

Providing Cookie Information

Regardless of the method you use to obtain consent, you still need to provide detailed information regarding the types of cookies you use, and how they are used. This can be done on a separate “Cookie” disclosure page, or as part of your site’s Privacy Policy or Terms and Conditions. Wherever you store this information, it must be accessible through a link located on every page of your site.

As with everything else about this legislation, there are no specifics available regarding what information needs to be provided. However, the best course of action is to detail the types of cookies you use and how the information from each of those types of cookies is being used. You do not need to detail every single cookie on your website, as many of them are doing essentially the same thing. It is, however, particularly important to call attention to any third party cookies that may be present, as this is where you are likely to get in the most trouble for non-compliance.

It may also be a good idea to provide some information regarding what cookies are, though this is not a requirement. The more information you provide you site visitors, the more comfortable those concerned with cookies will feel. There is plenty of information available regarding all types of cookies, so take the opportunity to educate your users.

Once you have your cookie disclosure process implemented, make sure you regularly audit your site for changes and update any relevant cookie information to match.

Understanding Cookies

What is a cookie?

A cookie is nothing more than a very small text file. When you visit a website, the server that hosts that site places this file on your computer, typically somewhere within your browser settings files. Once it’s on your computer, the cookie acts a lot a rewards card you might have for your local grocery store. You won’t get free coffee with it, but the next time you visit that website, the cookie will let the site know who you are and any other relevant information necessary for personalizing your user experience.

The exact information stored on the cookie will vary from site to site, depending on what information is necessary for that particular viewing experience. In most cases, it will identify you in some way. For example, if the site requires a login, the cookie may allow you to remain logged in, or at least let the site remember your username. If you always use the same weather site to get your local forecast, cookies allow that website to remember your location, so you won’t have to re-enter it every time.

Sites that use advertising cookies may place information about items you’ve viewed or purchased, which can then be used to customize the ads you see in the future. Going back to our store card analogy, this is a lot like your grocery store giving you coupons for their special Starbucks coffee beans, because last time you were in you purchased a can of Folgers.

Types of Cookies

There are three primary types of cookies.

Session cookies are temporary cookies. They store information about your current session, and then are erased when your browser is closed. These types of cookies are often used to track things like the items you put in your shopping cart, or to store temporary security information, such as may be necessary when accessing your bank’s website. This is why, when you log off from your bank’s site, it will usually advise you to close your browser window. Doing so will remove any session cookies. Session cookies are the least likely to raise privacy concerns, and many of them fall into that “strictly necessary” category.

Permanent cookies, sometimes call persistent or stored cookies, are placed on your device’s hard drive and not deleted when your browser is closed. These cookies can be used to recognize users when they return to your site, track their viewing patterns within your site in order to improve the user experience, and provide data for your analytics programs. Permanent cookies can store information for an indefinite amount of time, so they are very useful when trying to create a customized user experience or analyze return visitor behavior. They can also be used for advertising purposes and, when third party ads are present, can cause your user information or computer information to be shared with other websites. This is where much of the privacy concern over cookies comes into play.

Browser independent cookies, such as Flash or Silverlight cookies, act a lot like permanent cookies, except they aren’t stored by your browser. Instead, they are stored in their respective program files. This makes them a bit trickier to delete, as you may need to install a separate program, such as Adobe’s Flash Cookie Remover. For website owners, they can provide a valuable tool, since they can be used to back up traditional cookie data. That way, even if a user deletes their cookie files, your website can still recognize them and provide the same custom experience by retrieving their information from the Flash cookie. Of course, if you are utilizing browser independent cookies on your site, you will need to disclose this.

Blocking Cookies

All modern browsers provide users with some method for blocking cookies. This is typically part of the security or privacy settings. In some cases, it is simply a “Do Not Track” option, which is meant to tell websites you do not wish to receive 3rd party tracking cookies. There is no guarantee that this setting will be honored, but since you’re reviewing this page, it’s a good idea to make sure your website does. In some cases, browsers can be set up to automatically block different types of cookies. Chrome, for example, allows users to dump local data when your browser is shut down, block sites from placing any data on your computer, or block all third party cookies. The EU Legislation allows for these settings to be used in determining consent; however, not all browsers allow users to set such specific settings, so you shouldn’t rely on this for compliance purposes.

What Happens if a User Opts Out?

If your users decide to opt out of the cookies on your site, you have a few different options available for handling their request.

The easiest option is to do nothing. Simply let the user know that cookies are being used, and they have to make the next move. If they don’t want to accept your cookies, they can leave your site or update their browser settings. This option means less work for you, but it won’t provide the best experience for users.

A step above this is to provide users with information regarding how to update their browser settings. Many sites provide detailed information for most browsers. You could either link to one of these sites, or create a similar guide of your own. Your guide can either appear in a pop up after a user declines consent, or it can be part of your Privacy Policy, Cookie Information page, or its own separate page.

If you want to streamline the user experience, you can also set your website up to shut off cookies when the user declines consent. Or, better yet, allow the user to select what type of cookies they are okay with, and shut off all the others. This can get a bit tricky, particularly if you’re not very tech savvy. Thankfully, many of the cookie compliance applications can accomplish this for you. This approach will provide the best overall user experience, and the least chance of users simply abandoning your site. However, it will likely also result in higher opt-out or partial opt-out rates. If you rely heavily on cookies for analytics or third party advertising profits, it may not be the best option for your site.

What Penalties Can Website Owners Face if They Don’t Comply?

Since the EU Cookie Legislation is not a law, it does not set any specific penalties. Instead, it requires local governments to establish their own laws and associated penalties. This means the potential penalties you face for non-compliance will vary depending on where you live.

But, in most cases, if you are not in compliance, local regulators will likely take one of the following actions:

Request Information – Before your local regulator starts making requests for changes, they may ask you to provide some additional information. This may involve specifics on the types of cookies your site uses, links to your cookie information section, or anything else that can help them determine whether your site is in compliance, or if further efforts need to be made.

Request for Changes – If your local regulator determine your site is not compliant, they will likely request that you take some course of action to make it compliant. Consider this your friendly warning. If you haven’t added that consent pop-up yet, now’s the time to do it.

Enforcement – This is the not-so-nice change request. At this point, the local regulator will give you specific actions that must be completed within a set amount of time. If you still haven’t mentioned those Google Ads on your cookie information page, now you absolutely have to. If you don’t comply, you could face criminal charges.

Fines – The guidelines involving what qualifies for a fine vary from country to country, as does the maximum amount of the fine you may receive. For specific details, you should consult your local regulator. Or, better yet, make sure your site is compliant, so you don’t have to worry about fines.

There is one last penalty that you won’t ever personally face, but it is worth mentioning. If your local regulating body fails to enforce the Cookie Legislation, they may also face fines or other penalties. So before you head down to the ICO to give them a piece of your mind, remember that they have to enforce these regulations, whether they want to or not.

Reporting a Site for Non-Compliance

Depending on how you feel about the Cookie Legislation, you may be wondering why anyone would report a site for non-compliance. Whether you support the regulations or not, there are privacy concerns involved with the use of cookies, particularly third party cookies, and any website that intentionally hides their use of cookies from their visitors deserves some scrutiny. Maybe they’re simply lazy. Maybe they’re protesting the regulations. Or maybe they really do have something to hide.

So if you come across a site that is non-compliant, you have a couple of options.

You can do nothing. If you don’t support cookie laws, or you don’t care, you’re well within your right to ignore the offence.

Or you can report them to your local regulator. Depending on where you are, you may have to do this in person or over the phone. If you’re in the UK, the ICO has an online complaint tool you can use. Keep in mind that simply filing a complaint is no guarantee that actions will be taken against the non-compliant organization, but the regulatory body will review the complaint. It’s also important to note that organizations located outside of your own country fall under different legal requirements, but in this case your local regulator should be able to advise you on the best course of action.

Resources