EU Requirements
The rise in the number of cookie policy alerts was primarily the result of having to comply with two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the EU in 2018, and the European Cookie Directive, otherwise known as either the EU Cookie Law or the ePrivacy Directive — first passed in 2002 and updated in 2009.
If you have users in the EU, the GDPR requires you to present a privacy policy that includes a section on what personal information is being collected by cookies. However, as long as the information is presented to consumers in the privacy policy, you don’t need a separate cookie policy.
Technically, cookies are mentioned only once under GDPR Recital 30. Despite that limited reference, the regulations regarding cookies affect any business that uses personal cookie identifiers to track browser activity. When cookies keep data that can identify an individual, it is considered personal data, and you must inform users of their rights regarding cookie collection.
If you use cookie identifiers, the GDPR requires that you:
- Inform your users that your website or application uses cookies.
- Identify any third-party services that may collect cookies.
- Clearly explain what and how cookies work.
- Explain why and how you use the cookies.
- Provide information on adjusting or opting out of cookies.
- Obtain informed consent before storing those cookies on the user’s device.
The GDPR requires consent from website users to use cookies. It defines consent as freely given, specific, informed, and unambiguous — and must be supplied through an explicit affirmative action.
Having pre-ticked boxes or accepting a user’s silence is insufficient to obtain consent.
All users in the European Economic Area (EEA) must consent to non-essential cookies before a site can use them. Websites risk enormous fines if they are subject to the requirements of the EEA or GDPR and do not get a user’s consent or permission before they collect cookies that can personally identify them.
In the EU, consent for cookies is also required by the European Cookie Directive (known as the EU Cookie Law or the ePrivacy Directive). The Cookie Law requires websites to get consent from visitors to store or retrieve any information on a smartphone, computer, or tablet. The Cookie Law was designed to protect online privacy by making consumers aware of how their information is collected and used online and giving them a choice whether or not to consent.
