The European Union has one of the most comprehensive data protection frameworks in the world, the General Data Protection Regulation (GDPR). It is complemented by the ePrivacy Directive (Directive 2002/58/EC, commonly called the EU Cookies Directive or the EU Cookie Law), which addresses the confidentiality of electronic communications and the storing of information on users' devices.

A critical area covered by these laws is the use of cookies. EU privacy law not only requires websites to seek user consent before setting most cookies, it also demands transparency about which cookies you use and why.

However, because the two frameworks overlap and are enforced by national authorities, cookie compliance is easier said than done. Many website owners are left puzzled, trying to figure out exactly what is required of them in their treatment of cookies and what isn't.

In this article, we will help clarify what the GDPR and the EU Cookies Directive say about your use of cookies, as well as answer key questions like:

  • What are cookies?
  • Do the GDPR and the EU Cookies Directive require you to list individual cookies by name?
  • What are the cookie compliance requirements of the GDPR and the EU Cookies Directive?
  • What are the penalties for non-compliance?


Cookies and EU Privacy Laws

Before exploring what the GDPR and the e-Privacy Directive have to say about your use of cookies, let's briefly examine what cookies are and how they work.

What are Cookies?

Cookies are small pieces of data that a website sends to a user's browser (through the HTTP Set-Cookie response header or from script), which the browser stores on the user's device (e.g., computer or phone) and sends back with later requests to that site. They are an important part of the web as they perform some critical functions, including:

  • Storing user information
  • Remembering a user's region or location preference
  • Providing a more convenient browsing experience
  • Tracking browsing habits and preferences to deliver personalized advertising
  • Recalling information entered on online forms, login pages, shopping carts, etc.

Cookies help make the browsing experience more personal for users, which is generally perceived to be a good thing. Moreover, without certain cookies, you lose valuable and very detailed information about the behavior of site visitors, which may be used to improve your offerings.

Keep in mind, however, that while most cookies are harmless in themselves, the same mechanism allows users to be tracked across visits and across sites, and not everybody wants that. This has led to privacy laws that give users more control where cookies are concerned.

As a result, it is now unlawful in the EU for a website to store non-essential cookies on a user's device without that user's consent.

Now that we have a basic understanding of what cookies are and how they work, let's take a look at what the EU privacy laws have to say about cookies.

Cookies and the GDPR

The GDPR is a comprehensive legal framework for the protection of personal data and, by extension, digital privacy.

The regulation also has a wide territorial reach: under Article 3(2), it applies to businesses and websites outside the EU as long as they offer goods or services to, or monitor the behaviour of, individuals in the EU.

Although cookies are mentioned only once throughout the GDPR's 99 Articles and its 173 Recitals, the implications are significant for websites that employ them to observe users' browsing activity.

Here's the original text from the GDPR, in Recital 30:

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

In the Recital above, the GDPR explains that while a cookie identifier may not be sufficient to distinguish an individual on its own, it can contribute to identification when combined with other data. Consequently, cookie identifiers can be personal data, and where they are, the processing they enable is subject to the GDPR.

Generally, GDPR cookie compliance can be implemented on websites through cookie banners that give users an option to accept or reject certain cookies depending on their preferences.

Cookies and the EU Cookies Directive

The EU Cookies Directive, on the other hand, deals more directly not only with cookies but similar technologies that store or retrieve information on users' devices. Common examples include web beacons, pixel tags, advertising IDs, and so on.

Strictly speaking, the EU Cookies Directive is the more specific authority when it comes to cookie compliance. Its Article 5(3) governs storing information on, or accessing information already stored on, a user's device, which is exactly what setting and reading a cookie does, while the GDPR governs whatever processing of personal data follows. The Directive's specific rules on cookies and similar technologies are why it is commonly called "The EU Cookie Law."

The 2009 amendment that introduced the consent rule also triggered the widespread adoption of cookie consent pop-ups, through which websites obtain consent from users before setting cookies.

Furthermore, the Cookies Directive requires website owners to inform users about the type, usage, and purpose of cookies they use. This applies to all websites that target EU users, regardless of their location.

Does the GDPR or the EU Cookies Directive Require Individual Cookies to be Listed by Name?

Simply put, no, neither the GDPR nor the EU Cookies Directive specifically requires that you list cookies individually on your website.

This is probably deliberate, as listing individual cookies by name is both a major complication and a burden for websites trying to achieve cookie compliance.

Moreover, listing cookies individually would require you (as a website owner) to continually audit not only the cookies you set, but also those set by your third parties, and such a list goes stale as soon as a vendor renames or adds a cookie. A name-by-name table is rarely what helps users decide. (Knowing which cookies your site actually sets is still good practice, even if you do not have to publish the list.)

Supporting this notion is the UK's Information Commissioner's Office (ICO). The body released a document titled "Guidance on the rules on use of cookies and similar technologies" to address specific compliance issues relating to cookies and similar technologies.

Here's its original text on page 18, showing how to provide information about cookies:

"The Regulations are not prescriptive about the sort of information that should be provided, but the text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so. This is comparable with the transparency requirements of the first data protection principle. At present, levels of user understanding are likely to be low and so those using cookies will need to make a particular effort to explain the activities of cookies in a way that people will understand. Long tables or detailed lists of all the cookies operating on the site may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function."

Note how the text does not set out what information you must provide or require you to list cookies by name but requires only that your description of cookies be "sufficiently full and intelligible."

Here's a translated excerpt from a cookie guide of the Spanish national authority for data protection that also supports this sentiment:

"We will begin by indicating that in the opinion of this Agency the regulations studied intend that the user is sufficiently informed about the use of data storage and retrieval devices in their terminal equipment, being essential that this information be about the purposes of said devices. However, the regulations do not require that the information detail the name of the devices, since the essential thing is to inform about the points indicated above, and particularly about the use of cookies, who uses them and for what. Therefore, it is not necessary to display the second layer of information in a table or otherwise specify the names of each and every cookie."

In sum, the GDPR and the EU Cookies Directive, as interpreted by national authorities such as the ICO and the Spanish AEPD, require you to explain what categories of cookies you use, how they work, who sets them and why you need them on your website, rather than to list cookies individually by name.

If you have third-party platforms integrated into your website, you also need to disclose relevant information that addresses their Cookie Policies and Practices.

Cookie Compliance Requirements of the GDPR and the EU Cookies Directive

The cookie compliance requirements under the GDPR, the EU Cookies Directive, and the guidance of national authorities are broadly similar, give or take a few details. That said, let's take a look at some common best practices for compliance under these rules.

Identify and Inform Users About Cookies

The first step you as a website owner must take to comply is to identify the categories of cookies your website uses. This is necessary to help demonstrate transparency as well as to discover which cookies need user consent before they can be implemented and which don't.

Generally, cookies used by most websites fall under (but aren't restricted to) the following categories:

  1. Origin
  • First-party cookies: These refer to cookies set by your own website (the domain the user is visiting).
  • Third-party cookies: These, on the other hand, refer to cookies set by a third-party service integrated into your website (e.g., analytics or ad platforms) from that service's own domain.
  2. Duration
  • Session cookies: These are temporary cookies with no expiry date; the browser discards them when the session ends or the browser is closed.
  • Persistent cookies: These carry an Expires or Max-Age attribute and remain on the user's device until that date passes or the user deletes them.
  3. Purpose
  • Strictly necessary cookies: These cookies are essential for a service the user has explicitly asked for (e.g., a session cookie for account login or a shopping cart). Consent is not needed to set them, but you are still required to explain what they do and why they are needed. Analytics and advertising cookies do not qualify as strictly necessary.
  • Functionality cookies: These cookies are primarily used to remember a user's previous choices (e.g., login information, language preferences, location, etc.).
  • Performance cookies: These cookies collect information about how visitors use the site for the purpose of improving website functions and the browsing experience. They are typically set by third-party services such as Google Analytics.
  • Marketing cookies: These are typically third-party cookies that observe users' browsing activities to help deliver personalized content and targeted ads (e.g., Google Ads).
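The origin and duration categories above can be determined mechanically from the Set-Cookie headers a site and its third parties return, which is the first step of the audit the article describes. The following is an added example (not code from the original article): it parses Set-Cookie headers, classifies each cookie as first- or third-party by comparing the responding host with the visited site, and as session or persistent from the Max-Age/Expires attributes. The site name, hosts and headers are constructed sample data, not captured from any real site.

```javascript
// Added example: classify cookies from Set-Cookie response headers into the
// origin and duration categories discussed in the article. The site name and
// headers below are constructed sample data, not captured from a real site.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (!nameValue) throw new Error("empty Set-Cookie header");
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Duration: no Max-Age and no Expires means a session cookie (discarded when
// the browser closes); otherwise the cookie is persistent. Max-Age takes
// precedence over Expires, and a Max-Age of zero or less deletes the cookie.
function durationCategory(attrs) {
  if ("max-age" in attrs) {
    return Number(attrs["max-age"]) <= 0 ? "deleted" : "persistent";
  }
  if ("expires" in attrs) return "persistent";
  return "session";
}

// Origin: first-party if the responding host is the visited site or one of
// its subdomains; anything else is a third party.
function originCategory(settingHost, siteHost) {
  return settingHost === siteHost || settingHost.endsWith("." + siteHost)
    ? "first-party"
    : "third-party";
}

// responses: [{ host, setCookie: [headerValue, ...] }] as observed while
// loading the site. Returns one record per cookie, including the security
// attributes a reviewer will also want to check (Secure, HttpOnly, SameSite).
function classifyCookies(siteHost, responses) {
  const out = [];
  for (const r of responses) {
    for (const h of r.setCookie) {
      const c = parseSetCookie(h);
      out.push({
        name: c.name,
        host: r.host,
        origin: originCategory(r.host, siteHost),
        duration: durationCategory(c.attrs),
        secure: c.attrs.secure === true,
        httpOnly: c.attrs.httponly === true,
        sameSite: typeof c.attrs.samesite === "string" ? c.attrs.samesite : "(unset)",
      });
    }
  }
  return out;
}

// Constructed sample: a first-party login session cookie, a first-party
// persistent language preference, and a persistent third-party tracking cookie.
const SAMPLE_SITE = "shop.example";
const SAMPLE_RESPONSES = [
  { host: "shop.example", setCookie: ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"] },
  { host: "shop.example", setCookie: ["lang=en; Path=/; Max-Age=31536000; SameSite=Lax"] },
  {
    host: "analytics.tracker.example",
    setCookie: ["_trk=GA1.2.555; Domain=.tracker.example; Expires=Wed, 01 Jan 2027 00:00:00 GMT; SameSite=None; Secure"],
  },
];

console.table(classifyCookies(SAMPLE_SITE, SAMPLE_RESPONSES));
```

In practice the `SAMPLE_RESPONSES` input would come from a crawl of your own site (browser devtools, a HAR export, or a headless browser) after accepting every category, so that consent-gated third-party cookies are included. The purpose category cannot be derived from the header alone; it has to be assigned from what each cookie is used for. The same pass is a cheap hardening check: a first-party session cookie without `Secure` and `HttpOnly`, or a third-party cookie without `SameSite=None; Secure`, is worth a ticket regardless of the compliance question.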

Once you've identified the purpose and categories of cookies used by your website, you need to explicitly inform your users.

This information should be prominently displayed upon a user's first visit to your website as well as in your Privacy/Cookie Policy.

Additionally, your description of cookies should not be overly complex but presented in plain and simple language so users can make an informed decision to either accept or reject them.

Here's a good example from Bain & Company that concisely summarizes the categories and purposes of its cookies in simple language. Note how it also includes a link to its Policies:

Bain and Company cookie consent notice

Obtain Valid Consent

Consent is the most important and most heavily regulated requirement in cookie compliance, and the GDPR's standard for it (freely given, specific, informed and unambiguous, by a clear affirmative action) applies to cookie consent under the Directive.

Briefly, here are some best practices to help your website comply with the consent requirements of the GDPR and the EU Cookies Directive:

  • Obtain informed consent before setting any cookie, with the only exception being strictly necessary cookies. Consent-gated scripts (analytics, ad tags) must not load until consent is given.
  • Have users opt in by clicking a button or ticking an unchecked box. Implied consent, pre-ticked boxes and "by continuing to browse you agree" banners do not satisfy the law, and rejecting must be as easy as accepting.
  • Allow users to customize their cookie preferences, i.e., to accept the desired categories while blocking others.
  • Give users the ability to easily withdraw their consent whenever they wish, and stop setting the affected cookies when they do.
  • Finally, retain evidence of consent: what the user was shown, which version of your cookie policy applied, which categories were chosen, and when.

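The five practices above are straightforward to implement in a small consent manager, and getting the defaults right is where most banners fail. The following is an added example (not code from the original article or from any vendor's consent tool): nothing optional is granted by default, third-party scripts are gated on the recorded choice, consent given under an older policy version is not reused, withdrawal writes a fresh record, and each record carries the evidence the article says to retain. The cookie name, policy version string, category names and the in-memory store are assumptions for this example; storage and script loading are injected so the logic runs outside a browser.

```javascript
// Added example: a minimal consent manager implementing the practices listed
// above. Names below (CONSENT_COOKIE, POLICY_VERSION, categories) are
// assumptions for this example, not from any real site or library.

const CONSENT_COOKIE = "cookie_consent";
const POLICY_VERSION = "2024-01"; // bump when the cookie policy changes
const OPTIONAL_CATEGORIES = ["functionality", "performance", "marketing"];

class ConsentManager {
  // store: { get(name) -> string|null, set(name, value, maxAgeSeconds) }
  // loadScript: (category, url) => void, e.g. appending a <script> tag in a page
  constructor({ store, loadScript, now = () => new Date() }) {
    this.store = store;
    this.loadScript = loadScript;
    this.now = now;
    this.loaded = new Set();
  }

  // Starting point for the banner's checkboxes: every optional category off.
  // Starting from true would be a pre-ticked box, which is not valid consent.
  defaultChoices() {
    return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  }

  // The current consent record, or null if none exists or it predates the
  // current policy version (consent to an old policy is not consent to this one).
  current() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec.version === POLICY_VERSION ? rec : null;
    } catch (_e) {
      return null;
    }
  }

  // Record an explicit choice. Only a literal `true` counts as opted in, so a
  // missing or malformed field can never grant a category by accident.
  record(choices, { source = "banner" } = {}) {
    const granted = {};
    for (const c of OPTIONAL_CATEGORIES) granted[c] = choices[c] === true;
    const rec = {
      version: POLICY_VERSION,
      granted,
      timestamp: this.now().toISOString(),
      source, // which UI produced the record: banner | preferences | withdraw
    };
    // The consent record itself exists only to honour the user's choice, so it
    // is strictly necessary and needs no prior consent. Six-month lifetime here.
    this.store.set(CONSENT_COOKIE, JSON.stringify(rec), 60 * 60 * 24 * 180);
    return rec;
  }

  // Withdrawal is a new record with nothing granted, so the evidence trail
  // shows when consent ended rather than just disappearing.
  withdraw() {
    return this.record({}, { source: "withdraw" });
  }

  isGranted(category) {
    const rec = this.current();
    return !!(rec && rec.granted[category] === true);
  }

  // Gate on consent. Strictly necessary scripts bypass the gate; everything
  // else loads only if its category is granted, and at most once.
  loadIfAllowed(category, url) {
    if (category !== "necessary" && !this.isGranted(category)) return false;
    if (!this.loaded.has(url)) {
      this.loaded.add(url);
      this.loadScript(category, url);
    }
    return true;
  }
}

// In-memory stand-in for document.cookie so this runs outside a browser.
function memoryStore() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v) };
}

// Walk through a visit: blocked tag, consent to performance only, withdrawal.
function demo() {
  const loads = [];
  const cm = new ConsentManager({
    store: memoryStore(),
    loadScript: (cat, url) => loads.push(`${cat}:${url}`),
  });
  cm.loadIfAllowed("marketing", "https://ads.example/tag.js"); // no consent yet: blocked
  cm.record({ performance: true }); // user ticked only "performance"
  cm.loadIfAllowed("performance", "https://analytics.example/a.js"); // loads
  cm.loadIfAllowed("marketing", "https://ads.example/tag.js"); // still blocked
  cm.withdraw();
  return { loads, afterWithdraw: cm.isGranted("performance") };
}

console.log(demo());
```

Withdrawal here only stops future loads; a script that has already run keeps whatever cookies it set. On withdrawal you should also expire the first-party cookies those scripts created, and for cookies on a vendor's own domain you cannot delete them from your site at all, so confirm the vendor honours the withdrawal signal you send it. The `timestamp`, `version` and `source` fields are the evidence of consent; if you also log them server-side, keep that log under the same retention rules as any other personal data.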
Here's a good example from EY that complies accordingly with these stipulations:

EY Cookie consent notice

Provide a Privacy or Cookies Policy

Your website is required by law (GDPR Articles 13 and 14) to tell users what personal data you collect and why, which is normally done in a Privacy Policy; a significant part of that disclosure is your use of cookies.

While cookies are typically addressed in a Privacy Policy, most websites also publish a Cookies Policy on a separate webpage that gives a more comprehensive account of their use of cookies and similar technologies.

A legally-compliant Cookies Policy typically includes the following:

  • The categories of cookies you use
  • Their various uses and purposes
  • How users can control their information
  • Third-party cookies and a link to their Privacy or Cookies Policy

Here's one such example from Amazon:

Amazon Security and Privacy: About Cookies page excerpt

Additionally, both your Privacy and Cookies Policy must be easy to find, usually linked from sign-up forms, the website footer, checkout pages and the cookie banner itself. Finally, your Policies must be clear, transparent, and easy to understand.

Penalties for Non-Compliance

The penalties for violating the GDPR and the EU Cookies Directive are among the highest in the world, easily running into millions of euros.

The EU Cookies Directive does not itself set penalties, because as a Directive it is transposed into each member state's national law, and each state decides how breaches are enforced and fined. The potential fines for non-compliance can still be significant. What qualifies for punishment, who enforces it and the maximum fine therefore vary from member state to member state.

Under the GDPR, however, penalties for violating cookie compliance obligations are pretty substantial. In most cases, cookies are subject to the GDPR when they (in conjunction with other unique identifiers) can potentially identify an individual.

For lower-level infringements, breaching the GDPR can result in fines of up to €10 million or 2% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. The more serious infringements, which include failing to have a valid legal basis such as consent, can result in a fine of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

For tips and strategies on avoiding violating other aspects of the GDPR and receiving fines, check out our feature article: How to Avoid GDPR Fines.

Summary

Understanding your cookie compliance requirement is an essential obligation of every website owner. It's important to get a good grasp of the specific cookie requirements under the EU privacy laws so you don't end up non-compliant or undertaking burdensome and unnecessary tasks in an effort to be compliant.

Here's a quick recap of key things to note when trying to comply with the cookies regulations under the GDPR and the EU Cookies Directive:

  • Listing cookies individually by name is not required under either law, as long as you properly explain the categories of cookies used, who sets them, and their uses and purposes.
  • Obtaining users' consent before you set cookies is a critical requirement, with the exception of strictly necessary cookies.
  • Providing detailed and specific information about cookies is good practice and helps you be compliant.
  • Posting a Privacy Policy and/or a Cookie Policy is a core requirement under both laws.
  • Documenting proof of consent can help protect you from legal liabilities.
  • Withdrawing consent should be as easy for users as giving it in the first place.
