The EU e-Privacy Directive is part of the European Union's effort to enhance online privacy for its citizens.
The Cookies Directive was adopted as an amendment to the e-Privacy Directive in May of 2011 by all countries in the EU.
Websites that are either owned by EU businesses or directed towards EU citizens must inform visitors that cookies are in use and how these cookies are used, and must obtain consent before cookies can be used.
Below are two examples of ways that websites could satisfy the EU Cookies Directive with informative pop-ups and header banners.
Here's how the BBC notifies users about cookies:
Here's how the ICO website does it:
Methods of opting out of cookie usage must also be put in place and made known to your website visitors.
The following are minimum requirements that all businesses within the EU must follow.
1. Users must be informed that cookies are being used on your website, including:
You can provide a notice, such as a banner, that makes it clear to users that your website or mobile app is using cookies.
2. Prior informed, specific, and voluntary consent must be obtained before cookies are placed on a user's computer equipment and before information about a user's computer equipment is accessed. When obtaining consent, two methods are allowable:
Affirmative action/explicit consent
Clear and explicit affirmative consent can be obtained by placing a check box or a clickable button in the notice and requiring a user to click in order to consent.
The example below shows a button that is labeled with "I Agree" and will work to obtain affirmative consent.
Further browsing/implied consent
Implied consent will qualify as enough consent to make cookie placement valid so long as the following conditions are met:
Below is an example of how implied consent can be obtained by using banner ads that make it known that continuing to browse will be taken as consent.
The following types of cookies can be used without first obtaining consent from the user:
Examples of cookies under these exceptions include:
Authentication Cookies that identify a user for the duration of the session once that user logs in to a website and uses the site.
Below is an example of a user login box that would place an authentication cookie on a user's computer when the "Remember Me" box is checked, so that the user is remembered the next time they reach this page and login box:
Multimedia Content Player Cookies that store technical data for the duration of a session where video or audio content is played on a website.
Here's how SoundCloud always links to its Cookies Policy from all embeds: