EU Cookies Directive

The EU e-Privacy Directive is part of the European Union's effort to enhance online privacy for its citizens.

The Cookies Directive was adopted as an amendment to the e-Privacy Directive in May of 2011 by all countries in the EU.

Websites that are either owned by EU businesses or directed towards EU citizens must inform visitors that cookies are in use, how these cookies are used, and obtain consent before cookies can be used.

You can do that through a Cookies Policy or a Privacy Policy.

You must give users of your website/mobile app the right to refuse the use of cookies. This can mean that users can't use your website/mobile app to its full functionality, but users must be able to refuse.

Websites can satisfy this requirement with pop-up windows or notifications in the top header that either include information about cookies or provide a link to where this information is located on the website (i.e. a separate Cookies Policy, or the website's existing Privacy Policy with a cookies-specific section).

Below are two examples of ways that websites could satisfy the EU Cookies Directive with informative pop-ups and header banners.

Here's how the BBC notifies users about cookies:

BBC Notification: Cookies on website

Here's how the ICO website does it:

ICO Notification: Cookies are in use on website

Methods of opting out of cookie usage must also be put in place and made known to your website visitors.

Requirements of the EU Cookies law

The following are minimum requirements that all businesses within the EU must follow.

1. Users must be informed that cookies are being used on your website, including:

  • What cookies are used
  • Why they are used
  • How they are used

You can provide a notice, such as a banner, that makes it clear to users that your website or mobile app is using cookies.

This notice:

  • Must be written in clear language that's easy to understand and placed somewhere easy to notice on the website or mobile app, and
  • Must provide a link where the detailed Cookies Policy is located on your website or a link to your Privacy Policy where a "Cookies" section is added, if you don't use a separate Cookies Policy agreement for this purpose.

Below is an example from the Thomas Cook website with a huge banner that provides adequate notice, links to its Cookie Policy and has a clear button for accepting cookies.

Thomas Cook Cookies Notification in the Header

2. Prior informed, specific, and voluntary consent must be obtained before cookies are placed on a user's computer equipment and before information stored on a user's computer equipment is accessed. Two methods of obtaining consent are allowed:

  • Affirmative action/explicit consent

    Clear and explicit affirmative consent can be obtained by placing a check box or a clickable button in the notice and requiring the user to click in order to consent.

    The example below shows a button labeled "I Agree" that obtains affirmative consent.

    WeTransfer: "I agree" button

  • Further browsing/implied consent

    Implied consent qualifies as sufficient consent to make cookie placement valid so long as the following conditions are met:

    1. There must be a notice that cookies are being used, and it must be displayed in a clearly visible and unmissable way on the homepage so that a user will see it upon first visiting the site or using the mobile app
    2. This notice must make it very clear to the user that by continuing to browse the website, consent to place cookies on their device will be implied
    3. This notice must remain visible until the user actually continues browsing the website

    Below is an example of how implied consent can be obtained with a banner that makes it known that continuing to browse will be taken as consent.

    Notification box: By continuing with website, you agree to

Exceptions to the consent requirement

The following types of cookies can be used without first obtaining consent from the user:

  1. Cookies that are used solely for the purpose of transmitting a communication, and
  2. Cookies that are absolutely necessary for a website to provide the service that the user is requesting.

Examples of cookies under these exceptions include:

  1. Authentication cookies that identify a user for the duration of the session once that user logs in to a website and uses the site.

    Below is an example of a user login box that places an authentication cookie on the user's computer when the "Remember Me" box is checked, so that the user is remembered the next time they reach this page and this login box:

    Salesforce login with "Remember Me"

  2. Multimedia content player cookies that store technical data for the duration of a session in which video or audio content is played on a website.

    Here's how SoundCloud links to its Cookies Policy from all of its embeds:

    Cookies Policy link from a SoundCloud embed

  3. User input cookies that help keep track of data a user enters into a website during a session, such as information typed into forms or items added to an e-commerce shopping cart.
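As an added example (not code from the original article or from any of the sites pictured), the following JavaScript gate ties the two consent methods described under requirement 2 to the exemption categories listed above: exempt cookies are set immediately, every other cookie is held back until explicit or valid implied consent is recorded, and a refusal discards them. The `jar` store, the category names and the `cookie_consent` record cookie are assumptions of the example, not terms from the directive.

```javascript
// Added example, not from the original article: a consent gate that sets
// exempt cookies at once and holds all others back until the user consents.
// `jar` is an assumed store with set(name, value) and get(name), e.g. a Map.
const EXEMPT_CATEGORIES = new Set([
  "authentication", // "Remember Me" / session login cookies
  "media_player",   // technical data while audio or video plays
  "user_input",     // form fields, shopping cart contents
]);

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consent = null; // null, "explicit", "implied" or "refused"
    this.pending = [];   // non-exempt cookies requested before consent
  }
  // Affirmative action: the user clicked an "I Agree" button or checkbox.
  recordExplicitConsent() {
    this.consent = "explicit";
    this.flushPending();
  }
  // Implied consent only counts when the notice was shown AND the user then
  // continued browsing; otherwise nothing changes and false is returned.
  recordImpliedConsent(noticeShown, continuedBrowsing) {
    if (!noticeShown || !continuedBrowsing) return false;
    this.consent = "implied";
    this.flushPending();
    return true;
  }
  // The user must be able to refuse: discard held-back cookies, stay refused.
  recordRefusal() {
    this.consent = "refused";
    this.pending = [];
  }
  // Returns true if the cookie was set now, false if held back or dropped.
  setCookie(name, value, category) {
    const consented = this.consent === "explicit" || this.consent === "implied";
    if (EXEMPT_CATEGORIES.has(category) || consented) {
      this.jar.set(name, value);
      return true;
    }
    if (this.consent !== "refused") this.pending.push({ name, value });
    return false;
  }
  flushPending() {
    // Record the decision itself so the notice need not reappear on every page.
    this.jar.set("cookie_consent", this.consent);
    for (const c of this.pending) this.jar.set(c.name, c.value);
    this.pending = [];
  }
}
```

In a real page the `jar` would write `document.cookie` (with `Secure` and `SameSite` attributes) and the banner's "I Agree" button would call `recordExplicitConsent()`; the in-memory `Map` used here only lets the logic run outside a browser.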