What do ePrivacy & GDPR say about website cookies?

Struggling to get hold of EU requirements for cookies and user privacy? Here's a quick overview.

All websites use cookies! But what are the rules on cookies anyway?  And do the EU cookie law or GDPR set the requirements for website cookies? Confused? Let’s take a quick tour of rules on cookies.

Which rules apply to website cookies?

Currently, website cookies fall under two pieces of legislation: the ePrivacy Directive (ePD, also commonly known as the European cookie law) and the General Data Protection Regulation (GDPR).

Why? Let’s look closer. 

Now, why are there two legislations for using cookies?

The ePrivacy Directive only concerns the use of cookies; the GDPR on the other hand covers the personal data some cookies collect for processing. 

Link: ePrivacy Directive 2002

Link: General Data Protection Regulation 

The European member states are currently negotiating the new ePrivacy Regulation (ePR) which will repeal the ePrivacy Directive. 

What does the EU cookie law say about website cookies?

The EU Directive 2002/58/EC (ePrivacy) addresses the use of website cookies. More generally, the Directive concerns the processing of personal data and the protection of privacy in the electronic communications sector.

The Directive contains provisions which are crucial for ensuring the users’ trust in the services and technologies they use for communicating electronically.

It states that*:

These requirements hold for both first-party and third-party cookies.

Therefore, you are required to:

*except strictly necessary cookies (cookies needed to carry out an online communication).

Cookies that do not require consent

To sum up: if your website uses cookies which are not strictly necessary for online communications but serve other purposes (e.g. functional, analytic, marketing), you are obligated to inform your users about those cookies and collect their cookie consent.

What does the GDPR say about website cookies?

Not much really. But the GDPR says a lot about personal data processing. 

And since most cookies collect personal data for processing, their use is subject to the GDPR.

To process personal data, you need a lawful basis, i.e. a legal ground to process data. This can be a legitimate interest, but more often processing is based on consent.

With the GDPR, the definition of informed consent and the requirements associated with it change significantly from the ePD.

It’s not enough just to inform your users about cookies: consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to the user. 

That was a long one. What it means is: You have to collect an active and informed consent to cookies.

That means: inform your users of the cookies you use and what data they collect, and ask the user for permission before placing cookies (it’s a yes or a no). 

The requirements in the GDPR for obtaining valid consent for cookies can be summarized as follows: if your website uses cookies which process personal data, you must:

Valid consent under the GDPR
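As an added illustration (not part of the original post), here is a small consent gate in JavaScript that models the rules described above: only strictly necessary cookies are allowed by default, every other category starts unchecked and is enabled only by an explicit affirmative choice per purpose, and cookies the site has not declared to the user get no basis at all. The cookie registry, category names and sample cookie list are constructed for the example.

```javascript
// Added example, not from the original post. Models the consent rules:
// strictly necessary cookies are exempt (ePD), everything else needs an
// explicit, per-purpose opt-in (GDPR / Planet49), and nothing is pre-ticked.

const STRICTLY_NECESSARY = "necessary"; // category exempt from consent

// Constructed sample registry: which cookie serves which declared purpose.
// Declaring the purpose is what lets you "inform" the user.
const COOKIE_REGISTRY = {
  session_id: { category: STRICTLY_NECESSARY, purpose: "keep the user logged in" },
  csrf_token: { category: STRICTLY_NECESSARY, purpose: "protect forms against CSRF" },
  _ga:        { category: "statistics",       purpose: "visitor measurement" },
  ad_id:      { category: "marketing",        purpose: "ad targeting across sites" },
};

// Default state before the user has acted: every optional category is false.
// A pre-ticked box would make the default true, which is not valid consent.
function defaultConsent() {
  const consent = {};
  for (const { category } of Object.values(COOKIE_REGISTRY)) {
    consent[category] = category === STRICTLY_NECESSARY;
  }
  return consent;
}

// Record the user's choice. Only an explicit `true` per category counts as
// an affirmative act; a missing or falsy value is treated as a refusal.
// The timestamp is kept so the record can later be shown as evidence.
function recordConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const category of Object.keys(consent)) {
    if (category !== STRICTLY_NECESSARY) consent[category] = choices[category] === true;
  }
  return { consent, givenAt: now };
}

// Gate: may this cookie be placed under the recorded consent (null = none yet)?
function mayPlaceCookie(name, record) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false; // undeclared cookie: the user was never informed of it
  if (entry.category === STRICTLY_NECESSARY) return true;
  return Boolean(record && record.consent[entry.category]);
}

// Audit helper: which of the cookies currently present lack a lawful basis?
function cookiesWithoutBasis(cookieNames, record) {
  return cookieNames.filter((name) => !mayPlaceCookie(name, record));
}
```

Running the audit against the cookies a page already sets before the banner is answered is a quick way to spot "consent-first" violations in your own site.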

If you are not sure whether your website cookies process personal data, you can get a free assessment here: 

Free compliance check

What is the ePrivacy Regulation?

Since the ePrivacy is a Directive, it has to be transposed into law nationally by each of the European member states. 

That changes when the ePrivacy Directive becomes a Regulation. A Regulation applies directly in all member states.

The ePrivacy Regulation (ePR) will be a law governing subject matter (lex specialis) and will override a law governing general matters (lex generalis) in the General Data Protection Regulation (GDPR). 

Specific rules for cookies described in the ePR will apply rather than general rules from the GDPR.

Until the ePrivacy Regulation enters into force, the provisions in the GDPR for processing of personal data will still apply for all data controllers and processors.

Fines for not complying with the GDPR

The penalties for noncompliance with the GDPR and the ePR are set to a maximum of €20 million or, in the case of a corporation (undertaking), up to 4% of the total worldwide annual turnover, whichever is higher.

Europe has already seen a number of fines in 2019:

And recently, the European Court of Justice (CJEU) ruled in the case against German lottery website Planet49, that all websites must collect an active consent to cookies from their users. 

As a result, major European Data Protection Authorities, such as the French CNIL, the British ICO, the Spanish AEPD, the Danish Datatilsynet and the German BayLDA, have updated their legal cookie requirements. 


How to comply with the EU cookie law and GDPR when using website cookies?

Here’s a short checklist you can use. If you don’t have a cookie pop-up on your website or if you are unsure whether the one you have collects valid consent, feel free to get a free compliance check. 

Free compliance check

Checklist for collecting valid consent to cookies