The EU Cookie Law sets rules on how websites and apps set cookies and other trackers. It's part of an important EU law called the ePrivacy Directive.

The law requires website and app operators to get consent for certain types of cookies. The law also states that website and app operators must provide certain information about cookies to their users.

It's particularly important for developers and marketing teams to understand the EU's cookie rules, not just lawyers or compliance departments. This article will explain what the EU Cookie Law says, who it covers, and what you need to do to comply.

The "EU Cookie Law" is part of the EU's ePrivacy Directive.

The ePrivacy Directive covers more than just cookies. It sets rules on email and telephone marketing, spyware and more. When we refer to the "EU Cookie Law," we mean the parts of the ePrivacy Directive concerning cookies.

The ePrivacy Directive is not to be confused with the EU General Data Protection Regulation (GDPR). However, the two laws interact in some important ways.

Every EU country, together with the UK, Iceland, Liechtenstein and Norway (we'll refer to these countries as "Europe" as a shorthand), has implemented the ePrivacy Directive in its national law.

In the UK, for example, there's the Privacy in Electronic Communications Regulations (PECR). France puts the EU Cookie Law in Article 86 of its Data Protection Law. And in Ireland, the law is implemented via the country's ePrivacy Regulations.

While there is some variation between these national laws, the rules on cookies are essentially the same.

Recital 25 of the ePrivacy Directive gives the gist of what the law has to say about cookies:

[Screenshot: EUR-Lex, ePrivacy Directive, Recital 25]

Essentially:

  • Cookies aren't necessarily bad. They can be helpful and legitimate.
  • You should give people clear and precise information about how you use cookies.
  • You should offer people a user-friendly way to consent to cookies.

These are the essential rules under the EU Cookie Law. But as we'll see, things get a little more complicated when it comes to applying the law in practice.

The ePrivacy Directive is due to be repealed by a new law called the ePrivacy Regulation. This new law has been subject to major delays, but it should pass within the next couple of years.

Who Does the EU Cookie Law Apply to?

The EU Cookie Law applies to website and app operators. If you run a website or app, you're responsible for ensuring your cookies comply with the rules.

The law applies to companies of all sizes in all sectors, regardless of revenues or number of employees. But does the EU Cookie Law apply to companies based outside of Europe?

Essentially, yes.

If your company has any European presence, it's covered by the EU Cookie Law. If you don't have any European presence, the answer is a little more complicated.

Most European countries have given their data protection regulators the power to investigate non-European companies under the EU Cookie Law. So if someone in France complains about your cookies, you might hear from the French regulator.

Plus, if you're targeting customers in Europe, you're likely covered by the GDPR. As mentioned, the GDPR interacts with the EU Cookie Law in some important ways.

To be safe, you should consider complying with the EU Cookie Law in respect of European users, whether or not you have any presence in Europe.

What Does the EU Cookie Law Require?

The EU Cookie Law requires website and app operators to:

  • Get consent for certain types of cookies (and other trackers)
  • Provide certain information about their cookies

Here's the relevant part of the law, Article 5(3) of the ePrivacy Directive as amended in 2009:

[Screenshot: EUR-Lex, ePrivacy Directive, Article 5(3), with the beginning highlighted]

The ePrivacy Directive as a whole requires much more than this, but we're focusing on the cookie-related parts.

As a general rule, the EU Cookie Law requires consent for cookies that are used for the following purposes:

  • Advertising
  • Analytics
  • Social media tracking

It's also important to note that the law requires consent for some things other than cookies.

The EU Cookie Law requires website and app operators to obtain consent for "the storing of information" and the "gaining of access to information already stored" in a user's "terminal equipment" (device).

There are plenty of things that can access or store information on a user's device besides cookies, such as:

  • Pixels
  • Beacons
  • JavaScript

The law applies to these technologies, too (but we'll use "cookies" as a catch-all).

As mentioned, not all cookies require consent. Let's look again at what the law says:

[Screenshot: EUR-Lex, ePrivacy Directive, Article 5(3), with the ending highlighted]

So, the following types of cookies are exempt from the consent requirement:

  • Cookies used "for the sole purpose of carrying out the transmission of a communication..."
  • Cookies that are "strictly necessary (for providing a) service explicitly requested by the user..."

The European Data Protection Board (EDPB) adopted an opinion which lists cookies that might fall into these two exempt categories. Such cookies include:

  • User input cookies
  • Authentication cookies
  • Multimedia player cookies
  • Load-balancing cookies
  • User interface customisation cookies
  • Certain security cookies, if they are used to authenticate users for a service they have requested

You can normally set the above types of cookies without consent, but they should generally only persist for a single session (except security cookies, which might last longer than a session but should not persist for longer than needed).

Some regulators and national laws interpret the law slightly more liberally, allowing website operators to set certain first-party analytics cookies without consent if they are used for "aggregate statistical purposes". But this varies from country to country.

How to Get Consent for Cookies

To get consent for cookies, you must follow the GDPR.

The GDPR doesn't provide a set of steps or methods for obtaining cookie consent, but it does provide a definition of "consent." Your cookie consent solution must comply with this definition.

So let's take a look at the GDPR's main definition of consent, at Article 4:

[Screenshot: EUR-Lex, GDPR Article 4, points (11) and (12)]

This part of the GDPR, from Article 7, is also relevant:

[Screenshot: EUR-Lex, GDPR Article 7(3)]

So to summarize these provisions, we can see that GDPR-valid "consent" has the following six characteristics:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear, affirmative action
  • Easy to withdraw

You can clearly apply this consent definition to a cookie consent solution, such as a cookie banner:

  • Freely given: Make it as easy to refuse cookies as it is to accept them.
  • Specific: Don't "bundle" cookie consent with consent for other activities.
  • Informed: Give users the right information about cookies.
  • Unambiguous: Make it clear what you're asking consent for.
  • Given via a clear, affirmative action: Don't use pre-ticked boxes or assume that inaction means consent.
  • Easy to withdraw: Provide a way for your users to easily withdraw their consent if they change their minds.

In practice, this means your cookie banner must, for example:

  • Provide "accept" and "refuse" options that are both accessible with one click
  • Offer the "refuse" option up front, not buried in a menu
  • Use buttons of the same size and color for "accept" and "refuse"
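The rules above translate directly into front-end logic: nothing but strictly necessary cookies may be set until the visitor has decided, "accept all" and "refuse all" must be single, symmetrical actions, and withdrawing must be as easy as granting. The following consent gate is an added example written for this article, not code from the original page or from any regulator. The category names, the policy-version check and the 182-day lifetime of a stored consent record are its own assumptions (the six-month figure follows the Irish guidance quoted later in the article); the cookie jar is a stand-in for `document.cookie` so the code runs without a browser.

```javascript
// Added example: a consent gate for a cookie banner. Category names, the
// policy-version check and the 182-day record lifetime are assumptions.

const CATEGORIES = Object.freeze({
  NECESSARY: "necessary",     // exempt from consent (strictly necessary / transmission)
  ANALYTICS: "analytics",     // consent required
  ADVERTISING: "advertising", // consent required
  SOCIAL: "social",           // consent required (social media tracking)
});

const CONSENT_RECORD_TTL_MS = 182 * 24 * 60 * 60 * 1000; // ~6 months, then ask again

// Build a consent record. "necessary" is always true because those cookies are
// exempt; every other category defaults to false (no pre-ticked boxes).
function createConsentRecord(choices, policyVersion, now = Date.now()) {
  return {
    necessary: true,
    analytics: choices.analytics === true,
    advertising: choices.advertising === true,
    social: choices.social === true,
    policyVersion,
    decidedAt: now,
  };
}

// "Accept all" and "Refuse all" are symmetrical one-click actions, so the banner
// can offer both up front with equally weighted buttons.
function acceptAll(policyVersion, now = Date.now()) {
  return createConsentRecord(
    { analytics: true, advertising: true, social: true }, policyVersion, now);
}
function refuseAll(policyVersion, now = Date.now()) {
  return createConsentRecord({}, policyVersion, now);
}

// Withdrawal drops the record, returning the user to the "no decision yet" state.
function withdrawConsent() {
  return null;
}

// A record is valid only while fresh and only for the policy text it was given
// for: a changed Cookies Policy means earlier consent was not "informed" about
// what is now being asked.
function isRecordValid(record, currentPolicyVersion, now = Date.now()) {
  if (record === null || record === undefined) return false;
  if (record.policyVersion !== currentPolicyVersion) return false;
  return now - record.decidedAt < CONSENT_RECORD_TTL_MS;
}

// The central check, run before setting any cookie or loading any tag.
// Without a valid record, only necessary cookies pass.
function isAllowed(record, category, currentPolicyVersion, now = Date.now()) {
  if (category === CATEGORIES.NECESSARY) return true;
  if (!isRecordValid(record, currentPolicyVersion, now)) return false;
  return record[category] === true;
}

// Cookie jar stand-in for document.cookie. Returns true if the cookie was set.
function setCookieIfAllowed(jar, record, policyVersion, cookie, now = Date.now()) {
  if (!isAllowed(record, cookie.category, policyVersion, now)) return false;
  jar.set(cookie.name, { value: cookie.value, category: cookie.category });
  return true;
}

// Which third-party tags the page may load for the current record.
function scriptsToLoad(record, policyVersion, tags, now = Date.now()) {
  return tags
    .filter((tag) => isAllowed(record, tag.category, policyVersion, now))
    .map((tag) => tag.src);
}

// One visitor's journey with constructed sample cookies and tags.
function demo() {
  const POLICY = "2024-01"; // constructed policy version identifier
  const t0 = Date.UTC(2024, 0, 1);
  const jar = new Map();
  const tags = [
    { src: "https://example.invalid/analytics.js", category: CATEGORIES.ANALYTICS },
    { src: "https://example.invalid/ads.js", category: CATEGORIES.ADVERTISING },
  ];
  const sessionCookie = { name: "sid", value: "abc", category: CATEGORIES.NECESSARY };
  const analyticsCookie = { name: "_an", value: "xyz", category: CATEGORIES.ANALYTICS };

  let record = null; // banner shown, nothing decided yet
  const beforeDecision = {
    session: setCookieIfAllowed(jar, record, POLICY, sessionCookie, t0),
    analytics: setCookieIfAllowed(jar, record, POLICY, analyticsCookie, t0),
    scripts: scriptsToLoad(record, POLICY, tags, t0),
  };

  record = acceptAll(POLICY, t0);
  const afterAccept = {
    analytics: setCookieIfAllowed(jar, record, POLICY, analyticsCookie, t0),
    scripts: scriptsToLoad(record, POLICY, tags, t0),
  };

  // Six months on the record has lapsed, so the banner must be shown again.
  const stillValidAfterSixMonths = isRecordValid(record, POLICY, t0 + CONSENT_RECORD_TTL_MS);

  record = withdrawConsent();
  const afterWithdraw = scriptsToLoad(record, POLICY, tags, t0);

  return { beforeDecision, afterAccept, stillValidAfterSixMonths, afterWithdraw, jarSize: jar.size };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the gate sits in front of every cookie write and script load, rather than the banner deciding once and the rest of the page trusting it; a tag manager or analytics snippet should call `isAllowed` at load time, and a stale or mismatched record is treated exactly like no decision at all.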

We'll look at some real-world cookie consent examples later in the article.

What Information to Provide About Cookies

Again, when providing information about cookies, you should follow the GDPR.

Bear in mind that you should provide cookies information before you set any cookies on your user's device. But you also need to provide "comprehensive" information. Getting the balance right can be tricky.

Here's how the UK's data regulator, the Information Commissioner's Office (ICO) describes the information you have to provide about your cookies:

[Screenshot: ICO, "What are the rules on cookies and similar technologies?", section "What does clear and comprehensive information mean?"]

So according to the ICO, you should tell users:

  • What cookies you use
  • Why you use those cookies
  • Any other companies with whom you share cookie data
  • How long cookies will remain on your users' devices

(A reminder that this applies to all types of trackers, not just cookies).

While your cookie information has to be "comprehensive," try not to overwhelm your users.

There are two places you can provide cookie information:

  • On your cookie consent solution (e.g. cookie banner)
  • In your Privacy Policy or Cookies Policy (sometimes called a "Privacy Notice" or "Cookies Notice")

In practice, you're likely going to be providing short and concise information on your cookie banner and a longer explanation of your cookies in your Privacy Policy or Cookies Policy.

We'll look at some real-world examples of how to provide cookies information in the "Cookie Consent Examples" section below.

Country-Specific Differences

While the above requirements are the minimum that all EU member countries must follow, a number of countries have adopted additional measures to ensure and enhance online privacy.

Here's a list of EU countries with their specific requirements:

Austria

Users must be informed of:

  • The types of personal data being processed
  • The purposes of the processing
  • The legal basis for processing, and
  • The duration of the storage

Implied consent to use cookies is allowed under amendments to the Telecommunications Act when browser or app settings indicate consent.

Belgium

The following must be provided:

  • A "clear, comprehensible and visible notice" about the use of cookies, such as a cookie banner
  • A link to a Cookie Policy within the banner and on every page of the website
  • The legal basis for processing, and
  • The duration of the storage

Website operators are allowed to rely on implied consent when the notice about cookies is clearly visible, clearly states that further browsing constitutes consent, and remains visible until the user continues to browse the site.

Bulgaria

  • A mechanism for refusing consent must be provided to users.
  • All collected data must be destroyed after the expiration of a specified period of time.

Denmark

The first time a visitor visits a website, they must be given a notice that includes:

  • Information on cookie usage by that website and potentially by any third parties,
  • A consent request message that provides a link to a detailed cookie policy and information on how to decline the website's use of cookies. This message can contain language that instructs a user that by continuing to use the site and not actively declining the use of cookies, implied consent will be obtained.

The Cookie Policy must be easily accessible and visible, such as by placing a link at the top or bottom of a website alongside the Terms and Conditions or Privacy Policy links.

Finland

  • Consent must be obtained for all non-essential cookies, before they are placed.
  • Only express consent is valid. No pre-ticked checkboxes. Scrolling doesn't count as consent.
  • Request consent in a clear way and keep a record of it.
  • Make opting out of cookies as easy as opting in.

France

Consent may be obtained via browser or other app settings. A 2-step process is required.

Step 1: Place a Cookie Banner

The cookie banner must remain on the web page until a user clicks elsewhere on the site and must provide the following information:

  • The purpose of the cookies that the website seeks to place,
  • A way for a user to decline or object to the use of cookies,
  • A link to where these settings can be modified to reflect a decline or objection, and
  • Information that states that if the user continues to navigate the site without actively declining or objecting to the use of cookies, consent will be implied.

Step 2: Cookie Notice

A website must have a separate page that contains information on:

  • The use of cookies on the website and the purpose the cookies serve, and
  • A way for a user to reject these cookies.

This page must be linked to in the cookie banner.

Germany

Cookies can only be placed if clear, comprehensive notice and information has been provided to the user, and clear consent obtained.

If consent is obtained electronically, the operator of the website must ensure the following:

  • That consent was clearly and actively given after being informed of the right to revoke consent at any time,
  • That a record of this consent is kept,
  • That users are able to access and view their consent status at any time, and
  • That users can revoke consent at any time.

Greece

Provide information about cookies prior to requesting consent, such as with a cookie banner or pop-up window that links to your Cookie Policy.

Within your Cookies Policy and/or cookie banner, state the expiration time of any cookies that collect personal information, such as 1 year, 5 years, etc.

Get consent by affirmative action such as checking a box.

Hungary

Informed consent must be obtained before placing non-essential cookies.

Users must be informed of details of how cookies will be used at the time that consent is requested, such as in a cookie consent notice. Simply stating "we use cookies to improve our site's functioning" and requesting consent is not adequate.

Iceland

Consent must be obtained for third party cookies.

First party cookies can be placed subject to either consent or legitimate interests where appropriate.

Ireland

Consent must be obtained before placing cookies aside from strictly necessary ones or communication ones. Consent must be to the GDPR standard of "freely given, specific, informed and unambiguous."

Users must be given comprehensive, easy to understand information about the use of cookies, such as via an informative, detailed cookie banner or a Cookies Policy.

Consent cookies should have a maximum retention period of 6 months.

Italy

When a user accesses a website, a banner must immediately appear that contains cookies notice, including:

  • A link to the full text of the Cookies Policy that includes:

    • information on specific types of cookies used, and
    • whether the site uses third-party cookies,
  • A link to an area where a user is able to select which specific cookies he or she wishes to allow or disallow.
  • Notice that if the user continues to use the website, consent to the use of cookies will be adequately implied.

Consent is not required for technical cookies, but consent is the only way to legally use profiling cookies.

Latvia

Consent can only be obtained by a strict opt-in method. No implied consent is allowed.

Lithuania

The State Data Protection Inspectorate has provided the following ways for consent to be obtained:

  • Pop-ups
  • Information at the top of the main webpage/homepage
  • Individual cookie consent in a registration section of the webpage.

Luxembourg

Information about cookies, consent, and the offering of the right to refuse consent to cookies being used must be provided in a way that is as user-friendly as possible.

Consent must be obtained before placing any cookies aside from strictly necessary cookies.

Malta

GDPR-compliant levels of informed consent must be obtained.

Cookie walls, pre-ticked checkboxes and assuming consent by scrolling are not allowed as valid consent-obtaining methods.

Netherlands

GDPR-compliant consent must be obtained for non-essential cookies.

Allow users to access your site even if they decline consent for cookies.

Norway

Consent may be obtained via browser or other app settings as long as somewhere on the website there is clear and user-friendly information about:

  • What kinds of cookies are being used,
  • What other similar technologies, if any, are being used,
  • What user information will be processed,
  • Who is processing this information, and
  • Why this information is being processed.

Poland

A GDPR-compliant level of consent should be obtained for non-essential cookies.

Romania

Users must be given clear, comprehensive information about cookie usage. This information must satisfy Romanian data protection rules, which require transparent information about how individuals' personal data is processed by a website.

Consent should be GDPR compliant for non-essential cookies.

Slovakia

Freely given, informed opt-in consent must be obtained for non-essential cookies.

Slovenia

GDPR-compliant consent must be obtained before non-essential cookies are used.

Before giving consent, users must be presented with information about who will be processing the data obtained from the cookies, and what the purpose of the processing is.

This can be obtained by providing an informative cookie consent notice, and/or with a Cookies Policy.

Spain

A user must take a conscious and positive action in order for consent to be obtained or implied, and a user must be informed of what action/s will amount to appropriate consent.

Common and preferred methods include standard "click to accept" boxes in agreements.

Users must be given access to transparent information such as what cookies are used, who will use them, and why. Having a Cookies Policy will satisfy this requirement.

Sweden

Active, informed consent must be obtained, and records of this stored for 5 years. Users must be able to easily withdraw consent at any time.

United Kingdom

You must obtain active and clearly given consent for all non-essential cookies.

You must also inform people about what cookies do and why you are using the ones you use.

Enforcement and Penalties Under the EU Cookie Law

The EU Cookie Law is enforced by Europe's Data Protection Authorities (DPAs). DPAs can take action under the EU Cookie Law (or the broader ePrivacy Directive) proactively or in response to a complaint from someone in their jurisdiction.

The EDPB, which consists of all EU DPAs, even set up a "Cookie Banner Taskforce" in response to the hundreds of complaints about non-compliant cookie consent solutions.

And unlike under the GDPR, most DPAs can directly investigate cookies complaints, even when the non-compliant company has its "main establishment" (main base of EU operations) outside of their jurisdiction.

This is why we see the French DPA, known as the "CNIL," regularly enforcing EU cookie rules against companies based in Ireland, such as Google, Meta and TikTok. In GDPR cases, France would need to refer these complaints to Ireland.

Fines under the EU Cookie Law vary from country to country.

For example, France enforces cookie violations under the French Data Protection Law. Under this law, violations of the EU Cookie Law are punished at the same level as violations of the GDPR.

The maximum fine is the higher of either:

  • €20 million (approximately $22 million), or
  • 4% of worldwide turnover for the previous year

Other countries have different systems. In the UK, for example, the maximum fine is £500,000 (around $616,000). However, the UK is considering changing its rules soon, to bring these penalties up to GDPR level.

And remember that cookie data can count as personal data under the GDPR, so violating the rules on cookies can also mean violating the GDPR.

Cookie Consent Examples

Now let's look at some real-life examples of cookie consent.

Here's a good example of a simple cookie consent banner to get us started, from the European Central Bank:

[Screenshot: European Central Bank cookie consent banner, with the accept and reject options highlighted]

Note the two buttons, both equal size, offering options to accept or reject cookies. The choice is clear and the options are equally weighted. The banner provides some basic information about the use of cookies and offers a link for further information.

Here's another example, from Lego:

[Screenshot: Lego "Privacy Preferences" cookie consent notice]

This example offers two main choices, "Just Necessary" and "Accept All." If you want to customize which cookies Lego sets, you can choose "Cookie Settings." The cookie banner provides more detailed information than our first example.

There are a few things worth noting about this cookie banner.

First, the "Just Necessary" option might be a little unclear to some users. However, it reflects the fact that Lego will still set some "necessary" (or "essential") cookies regardless of whether the user consents.

Second, the cookie banner is relatively large. Users can't actually view the page behind the banner unless they choose an option. This might not meet the "freely given" element of consent as the user may click without thinking just to get rid of the banner.

Let's look at one more example, from law firm DWF:

[Screenshot: DWF Group cookie consent notice]

DWF's cookie banner offers two main options: "Necessary cookies only" and "Accept all cookies." Both options are equal. There's a brief explanation of how and why the website uses cookies, and an option to find out more and customize cookies.

This example would appear to meet the GDPR's consent standards.

For more examples of how to implement a cookie banner, see our article Cookie Consent Examples.

Conclusion

The EU Cookie Law is part of the EU's ePrivacy Directive. Each EU country (plus the UK, Iceland, Liechtenstein, and Norway) implements the law slightly differently.

The EU Cookie Law applies to website and app operators.

To comply, you must get consent for non-essential cookies, for example via a cookie banner. Your consent request must meet the standards set out in the GDPR.

You must provide information about how and why you use cookies.

Enforcement of the EU Cookie Law works differently in different countries, but penalties can be as high as €20 million or 4% of annual worldwide turnover.
