There are a number of rules affecting how cookies can be used in the EU. They are:
The EU Cookie Directive regulates the definition of cookies (which also covers other forms of online tracking technology) and how cookies can be used. The definition of cookies also includes device fingerprinting, so the EU Cookie Directive applies to more than just cookies. The EU Cookie Directive states that a person must not store, or gain access to, information stored in another person’s computer unless specific requirements are met. These include that they (a) give clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) obtain consent from the person to the use of the specific cookies.
The ePrivacy Directive is set to be replaced with the ePrivacy Regulation. It was supposed to be passed and come into effect in 2018, but is yet to be passed. The focus in the new law was supposed to “...address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.” (gdpr.eu).
In the EU, it is the job of the data protection authorities in each EU country to enforce the cookie rules and issue guidelines regarding cookie compliance. Below you can find a list of some of the European data protection authorities who have issued relevant cookie guidelines:
In the following we have provided more information about different types of cookies.
There are different types of cookies, each with different legal requirements depending on whether they are necessary or non-necessary cookies. This is an important factor in determining whether you need to obtain consent from your users before cookies can be set.
The purpose of necessary cookies is to secure and ensure the core functionality of your website. You do not need consent from a user to use these. They are also known as essential cookies. They are not the same as helpful cookies that merely give the user a better experience. Necessary cookies are cookies that:
There are a number of different non-necessary cookies. Also known as non-essential cookies, they are used for things such as collecting personal data for marketing, remarketing and analytical purposes. To ensure compliance, you need to obtain consent from a user before you can legally begin to track them with the use of non-necessary cookies. Here are some examples of non-necessary cookies:
In the table below, you can see a description of the different cookie categories and whether they are necessary or non-necessary.
| Cookie category | Necessary or non-necessary | Description |
|---|---|---|
| Cookies that are strictly necessary for your website to work | Necessary cookies | These cookies remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket. They also include cookies that are essential in order to comply with security requirements for an activity a user has requested, e.g. in connection with online banking services. |
| Statistics cookies | Non-necessary cookies | Help to collect data about how users are using your website, web traffic and other statistics. |
| Preference cookies | Non-necessary cookies | Used to recognise a user when they return to your website so you can tailor the experience they receive. |
| Marketing cookies | Non-necessary cookies | Advertising cookies |
| Remarketing cookies | Non-necessary cookies | Advertising cookies |
It is not only important to know what type of cookies you are using. You also need to know:
When we talk about first-party and third-party cookies, the focus is on whether a cookie is placed by the website the user is visiting or by a third party.
First-party cookies are set directly by the website that a specific user is visiting: the website the user is on is the one placing the cookie.
Third-party cookies are set by a domain other than the website / URL that the user is visiting. They are set by, for example, social media plugins, embedded images or advertising: when a user visits website A, which has a social media plugin, the social media provider places a cookie in that user’s browser. Google, Safari and Firefox have all announced that they either are blocking, or in the near future will be blocking, third-party cookies in their web browsers.
From a privacy standpoint, third-party cookies are seen as more privacy-intrusive than first-party cookies, but both types of cookies are regulated by the EU Cookie Directive and the GDPR.
Session cookies - Temporary cookies that expire when the user closes their browser or the session ends. Typically session cookies are used to remember what a user put in their basket while browsing your website. Because they expire when the browser is closed or the session ends, session cookies are often seen as less privacy-intrusive than the other category, persistent cookies.
Persistent cookies - Cookies that keep tracking your users for a period longer than a session, i.e. they continue to work after the session ends. In theory they can be set for a long time, years even, but there is no guarantee that they will last that long, as a user can reset their cookie settings as often as they like. They often work across different sites and make it possible for a user’s preferences to be remembered after the user leaves the site.
The cookie rules, including the GDPR and the EU Cookie Directive, apply to both session and persistent cookies.
It's important that you know who your cookie providers are. The reason is that you are responsible for any cookies you place on your website and this also entails being accountable for your cookie providers, including how they are processing and handling data collected via the cookies.
The maximum time a cookie can be set for varies. This is also known as its expiry, and it depends on the type of cookie, its usage, the purpose for which you are using it and the consent you obtained from the user.
Many cookie providers have a standard consent expiration, e.g. 30 or 90 days, but this doesn’t mean that this duration is appropriate. You, as the website owner, need to review and assess each cookie’s duration and determine the correct expiration period. Remember to document your decision, including why you concluded that e.g. 30 days is the right duration for the specific cookie.
Furthermore, you should also think about the design of your policy. Many authorities, including the ICO and the Danish authorities, recommend that policies be split up into sections so that each section can be “unfolded”, making it easier for the user to read and understand the content of the policy instead of facing a 10-page wall of text.
A cookie banner is used by many websites as a way to inform its users about cookies and give the users the ability to accept or reject non-necessary cookies.
So your cookie banner is the way you can get your users to consent to or reject your cookies, and provide them with the required information (see below).
Your cookie banner should present your users with:
To be compliant, your banner must not include pre-ticked buttons or fields. The user needs to make the decision themselves as to whether they want to give consent to non-necessary cookies or not.
If you start to use new cookies, or if you significantly change the way you are using your current cookies, you need to obtain consent again. This means that if you add new cookies or change the purposes of the cookies you already set on your website, you need to make sure that your users (including those who have already given consent) are asked to consent to or reject your cookies, i.e. your consent banner should reappear and users should be asked to make an informed choice about this new activity.
Keep track of your cookie consents and documentation easily with a cookie consent system, also known as a consent management platform or consent management solution.
With Legal Monster you can collect and document consent for the cookies you use on your site. We use geotargeting to ensure that you collect the right consent in specific markets depending on the jurisdiction of the user or customer. Our solution scans your website and detects which cookies you use. With Legal Monster you get a full audit trail, so you can prove consents to a data authority if you need to.
One way of keeping track of consents and the evidence you need is through a consent management solution that tracks your cookie consents.