EU Cookies Directive

Written by Maria Ansari and last updated on 01 April 2020.

EU Cookies Directive

If your business is based in the EU or targeted towards EU citizens, you're required to comply with the EU Cookies Directive. Being compliant with this directive means that you must notify your site's visitors of your use of cookies and obtain their explicit consent before you place or access cookies on their devices.

In this article, we'll take a look at what the EU Cookies Directive is, what it requires, and who it applies to. We'll also walk you through a number of different steps you can follow to comply with the EU Cookies Directive. Finally, we'll wrap up by sharing some examples of websites that are in compliance with the EU Cookies Directive.


Understanding the EU Cookies Directive

Understanding the EU Cookies Directive

The ePrivacy Directive is part of the European Union's efforts to improve data protection and privacy for its citizens in the digital age. It regulates a number of important issues including the use of cookies.

The EU Cookies Directive was adopted as an amendment to the ePrivacy Directive and covers all kinds of online tracking technologies including cookies, device fingerprinting, local shared objects, web beacons, HTML5 local storage and other technologies that track online activities.

The EU Cookies Directive requires websites that use cookies to do three things:

  • Let visitors know that the website uses cookies.
  • Give visitors detailed information about how the data collected with cookies will be used.
  • Provide visitors with a clear option to accept or refuse the site's use of cookies.

The EU Cookies Directive doesn't only apply to businesses that directly place cookies on their visitors' devices. If a website uses a third-party service such as Google Analytics and that third party uses cookies to track the online behavior of the website's visitors, then the website using the third-party service is required to comply with the EU Cookies Directive.

So, for example, if you own or operate a blog and are using Google Analytics or other third party tools, you are required to comply with the EU Cookies Directive.

In fact, the Privacy section of the Google Analytics Terms of Service states that if you use their services, you must post a Privacy Policy on your website and abide by it. In addition to this, you have to comply with all applicable laws, policies, and regulations that are related to collecting data from your site's visitors. The Cookies Directive is one of these applicable laws.

Google Analytics Terms of Service Privacy clause

Google requires you to notify your visitors that your site uses cookies to collect data, that you're using Google Analytics' services on your website, and that they collect and process the data they get from you.

You're also required to give your visitors a detailed explanation of your use of cookies and obtain their consent for storing and accessing cookies on their devices.

Now that you have a clear understanding of what the EU Cookies Directive is and what it requires, let's take a look at how you can make sure your website complies with it.

How to Comply with the EU Cookies Directive

How to Comply with the EU Cookies Directive

In the following sections, we'll walk you through five different things you need to do in order to make sure your website is compliant.

1. Have a Privacy Policy

If you collect any form of personal information from your website's visitors or end users, you need to post a Privacy Policy on your site that explains how your business collects, handles, and uses the information.

Privacy Policies are required by laws intended to protect consumer privacy rights. Because you're collecting information from your site's visitors that could be used to identify them, you are required to comply with those laws.

Protected information is called personally identifiable information and it includes names, email addresses, street addresses, phone numbers, credit card information, blood type, marital status and more.

If you're not knowingly collecting personal information from your site's visitors, it's possible and even likely that you may be doing it unknowingly.

Some third-party services like Google Analytics and ClickBank use online tracking technologies that collect information like IP addresses or information about the user's device. For this reason, these third-party services require you to post a Privacy Policy on your website that explains this.

2. Have a Cookies Policy

You're required to post a separate Cookies Policy on your website. Adding a Cookies clause to your Privacy Policy isn't enough to be compliant with the EU Cookies Directive.

At minimum, your Cookies Policy should inform your site's visitors that you're using cookies, explain how you use them and have some information on how users can manage cookie settings on their devices.

In order to be compliant with the EU Cookies Directive, you'll need to cover the following points in your Cookies Policy:

  1. State that your website uses cookies.
  2. Explain what cookies are.
  3. Mention the types of cookies you use, including those used by your third parties.
  4. Explain how you're using the cookies.
  5. Include instructions for how users can manage their cookie settings on their device(s).

Having a Cookies Policy posted on your website that covers all of these bases is perhaps the best way for EU-based businesses to stay compliant with the EU Cookies Directive. Here's how the Information Commissioner's Office website explains which types of cookies they use and why they need them:

ICO UK Global Cookies Policy: Excerpt of Use of Cookies clause

The website uses a table with three columns - Cookie, Name, Purpose - to explain the types of cookies they're using, the specific name of each cookie, and why they use it. This user-friendly approach is recommended in order to help educate and empower website users.

In addition to this, they also have a section on How do I change my cookie settings that links to helpful resources on how users can see which cookies have been set on their devices, and how they can manage and delete them. The section also links to a page that explains how users can opt out of being tracked by Google Analytics.

ICO UK Global Cookies Policy: How do I change my cookie settings clause

3. Have a Banner or Pop-Up Notification

One of the most important requirements of the EU Cookies Directive is to let your site's visitors know that your website uses cookies. While your Privacy Policy or Cookies Policy states this, it's important that you also actively inform your visitors that your site uses cookies.

One way to do this is by adding a banner or pop-up notification to your website so that first-time visitors are notified of your cookie usage and are given a link to your complete Cookies Policy.

Olive Clothing has a pop-up notification at the top of its website to inform visitors that their site uses cookies and what exactly this means.

Olive Clothing cookies pop-up notice

Here's an example of a banner ad from the Travel Calculator mobile app that lets users accept or decline the use of cookies, as well as access the Privacy Policy from within the banner.

Travel Calculator: This website uses cookies - footer banner

Under the EU Cookies Directive, consent must be actively provided by the user through some type of affirmative action before a website can place cookies on a user's device.

You need to provide your visitors with a clear option to accept your site's use of cookies.

Most businesses choose to add a simple checkbox or a button to their cookies notice (banner or pop-up notification) that prompts users to click it in order to give consent to the website's use of cookies.

Here's an example from GoDaddy's UK website:

GoDaddy cookies notification with Accept and Decline buttons and Manage Settings link


5. Provide an Easy Opt-out Method

Providing an opt-out method is just as important as acquiring the user's explicit consent for your use of cookies. However, unlike obtaining the user's consent, you don't have to give the visitor an option to opt out of your use of cookies from your cookie notice.

In fact, most website owners simply add a clause to the end of their Cookies Policy that either (1) explains how to opt out, or (2) links to resources that explain how to opt out of cookies.

Most resources will explain how to see which cookies have been set on a device and the steps to manage cookie preferences or delete (or disable) cookies from a device.

For instance, The New York Times has a section in its Cookie Policy titled How Do I Manage Cookies that includes links to instructions to follow to disable cookies on all major web browsers.

The New York Times Cookie Policy: How Do I Manage Cookies clause excerpt

Compliant Cookies Notices

Compliant Cookies Notices

Remember, your Cookies Notice needs to satisfy four requirements to comply with the EU Cookies Directive:

  1. It must be prominently displayed to website visitors immediately when they reach your website. It needs to be on every page so first time visitors are presented with it no matter how they enter your website.
  2. It must disclose that your site uses cookies and explain that the user has the right to accept or refuse your use of cookies.
  3. It must require the user to actively click to provide informed consent for your use of cookies before you place cookies on the device.
  4. It must give users a clear and simple way to access your Cookies Policy, where they'll be given information about adjusting their settings.

Examples

Let's take a look at some examples and their components that make them successful and compliant.

Here's a Cookies Notice pop-up from The Original Tea Towel Co.:

The Original Tea Towel Company Cookies Notice with Accept button

In this example, users must click to accept cookies before the site will place cookies on their device. The notice is very informative and briefly explains cookies, mentions third parties, and includes links for learning more and deleting cookies.

This approach complies with the EU Cookies Directive.

Additionally, the same site provides a link in the website footer that navigates to the dedicated Cookie Notice page. The Cookie Notice link is particularly easy to find because it is underlined.

The Original Tea Towel Company website footer links

This is another good example of a compliant pop-up Cookies Notice from The Atlantic:

The Atlantic Cookies Notice

It gets the user's attention because it fills most of the page, and it gives users the options to either click "I Agree" or set preferences to accept or reject specific data processing categories. The Privacy Policy is linked.

Remember

In order to comply with the EU Cookies Directive you must:

  1. Have a Privacy Policy clearly posted.
  2. Have a Cookies Policy in place and clearly posted.
  3. Present a link to your policies in a conspicuously placed banner or pop-up as well as in the website footer/app About/Legal menu.
  4. Acquire informed consent from each user before using cookies.
  5. Provide an opt-out method.

By following these guidelines, you can position yourself to meet the requirements of the EU Cookies Directive and limit your legal liabilities with regulators and consumers.