The EU e-Privacy Directive is part of the European Union's effort to enhance online privacy for its citizens.
The Cookies Directive was adopted as an amendment to the e-Privacy Directive in May of 2011 by all countries in the EU.
Websites that are either owned by EU businesses or directed towards EU citizens must inform visitors that cookies are in use, how these cookies are used, and obtain consent before cookies can be used.
You can do that through a Cookies Policy or a Privacy Policy.
You must give users of your website/mobile app the right to refuse the use of cookies. Refusal may mean that users cannot use your website/mobile app to its full functionality, but the option to refuse must exist.
Websites can satisfy this requirement by using pop-up windows or notifications in the top header that either include information about cookies or provide a link to where this information is located on the website (i.e. to a separate Cookies Policy, or to the website's existing Privacy Policy with a cookies-specific section).
Below are two examples of ways that websites could satisfy the EU Cookies Directive with informative pop-ups and header banners.
Here's how the BBC notifies users about cookies:
Here's how the ICO website does it:
Methods of opting out of cookie usage must also be put in place and made known to your website visitors.
The following are minimum requirements that all businesses within the EU must follow.
1. Users must be informed that cookies are being used on your website, including:
You can provide a notice, such as a banner, that makes it clear to users that your website or mobile app is using cookies.
This notice:
Below is an example from the Thomas Cook website with a huge banner that provides adequate notice, links to its Cookie Policy and has a clear button for accepting cookies.
2. Prior informed, specific, and voluntary consent must be obtained before cookies are placed on a user's computer equipment and before information about a user's computer equipment is accessed. When obtaining consent, two methods are allowable here:
Affirmative action/explicit consent
Clear and explicit affirmative consent can be obtained by placing a check box or a clickable button in the notice and requiring a user to click in order to consent.
The example below shows a button labeled "I Agree" that serves to obtain affirmative consent.
Further browsing/implied consent
Implied consent will qualify as sufficient consent to make cookie placement valid so long as the following conditions are met:
Below is an example of how implied consent can be obtained by using banners that make it known that continuing to browse will be taken as consent.
The following types of cookies can be used without first obtaining consent from the user:
Examples of cookies under these exceptions include:
Authentication Cookies that identify a user for the duration of the session once that user logs in to a website and uses the site.
Below is an example of a user login box that would place an authentication cookie on a user's computer when the "Remember Me" box is checked, so that the user is remembered the next time they reach this page and this login box:
Multimedia Content Player Cookies that store technical data for the duration of a session where video or audio content is played on a website.
Here's how SoundCloud always links to its Cookies Policy from all embeds:
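The consent rules described above (prior notice, affirmative consent before non-essential cookies, and the exemption for strictly necessary cookies such as an authentication "Remember Me" cookie) can be enforced in client-side code with a consent gate that sits between the application and the cookie store. The following is an added example, not code from the article or from any of the sites it shows; the cookie names, categories and values are constructed for the demo, and the in-memory "jar" stands in for document.cookie so the logic runs without a browser.

```javascript
// Added example: a consent gate that withholds non-essential cookies until the
// user has been shown the notice and has given affirmative consent.
// Categories and cookie names below are constructed for illustration.

// Cookies in these categories are exempt from consent (e.g. session/auth,
// multimedia player state). Everything else requires consent first.
const EXEMPT_CATEGORIES = new Set(['strictly-necessary']);

function createConsentGate() {
  const jar = new Map();      // name -> { value, category }; stands in for document.cookie
  let noticeShown = false;    // "prior informed": consent is only valid after the notice
  let consent = 'pending';    // 'pending' | 'granted' | 'refused'
  const blocked = [];         // audit trail of writes that were withheld

  return {
    showNotice() { noticeShown = true; },
    // Affirmative consent: call only from a deliberate user action (e.g. "I Agree").
    // Returns false if the user has not been informed yet, so consent is not recorded.
    grant() { if (!noticeShown) return false; consent = 'granted'; return true; },
    refuse() { consent = 'refused'; return true; },
    status() { return consent; },
    // Returns true if the cookie was written, false if it was withheld.
    setCookie(name, value, category) {
      const allowed = EXEMPT_CATEGORIES.has(category) || consent === 'granted';
      if (!allowed) { blocked.push({ name, category, consent }); return false; }
      jar.set(name, { value, category });
      return true;
    },
    getCookie(name) { const c = jar.get(name); return c ? c.value : undefined; },
    blockedWrites() { return blocked.slice(); },
  };
}

// Walks through the article's cases: an exempt auth cookie set before consent,
// an analytics cookie withheld until the user clicks "I Agree", then written.
function demo() {
  const gate = createConsentGate();
  gate.setCookie('remember_me', 'constructed-session-token', 'strictly-necessary'); // exempt
  gate.setCookie('_analytics_id', 'constructed-id', 'analytics'); // withheld: no consent yet
  gate.grant();                      // ignored: notice not shown yet
  gate.showNotice();
  gate.grant();                      // user clicks "I Agree"
  gate.setCookie('_analytics_id', 'constructed-id', 'analytics'); // now written
  return gate;
}
```

A refusal leaves strictly necessary cookies working while every non-essential write is logged in `blockedWrites()`, which is the evidence a reviewer would want when checking that the site honours the user's choice.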