The ePrivacy Directive, also known as the European Union (EU) cookie law, is a piece of privacy legislation that requires websites to obtain consent from European visitors before collecting their personal information.
It protects privacy rights by giving consumers the right to say “no” if a company wants to collect, store, and use their information.
Below, I explain the EU cookie law, who it affects, and how to meet its requirements, and I compare it to other cookie laws worldwide.
What Is The ePrivacy Directive (EU Cookie Law)?
The EU Cookie Law is a nickname for the ePrivacy Directive, a directive that requires websites to get consent from users before storing, using, or retrieving their personal information.
It entered into force in 2011 and was the first law requiring websites to obtain prior consent from EU-based users before activating trackers and cookies to process their data.
It works alongside the General Data Protection Regulation (GDPR).
Who Does the ePrivacy Directive Apply to?
Regardless of where your business is located, the EU cookie law applies to every website with visitors from the EU that also:
- Uses cookies or other trackers, and
- Processes and stores the data of people in the EU.
This means privacy laws like the ePrivacy Directive might impact your business if your site uses third-party tools like Google Analytics or Microsoft UET to gather and analyze data.
Requirements of the ePrivacy Directive
The EU cookie law requires you to:
- Refrain from placing trackers and cookies on users’ browsers until they’ve given their consent for you to do so
- Ask users for consent to all trackers and cookies on your site
- Give users detailed information about all trackers and cookies on your site
- Give users the ability to withdraw or opt out of consent as easily as they opt in
The cookie law only requires you to do this for non-essential cookies like advertising and social media cookies.
You don’t need to follow these rules for essential cookies, which are the types of website cookies that are either:
- Necessary to provide an online service, such as your website or a service on your website
- Used solely to facilitate or carry out the transmission of communications over a network
But keep in mind that the EU cookie law isn’t just for cookies.
Despite its nickname, the ePrivacy Directive is meant to apply to every type of technology that you can use to store and process user information.
That’s why it doesn’t name any technology explicitly: it wants to encompass all of these technologies, including technologies that haven’t been created yet.
It’s only referred to as the EU cookie law because cookies are currently the most common technology for storing user information on personal devices.
Who Does the ePrivacy Directive Protect?
The ePrivacy Directive protects people in the EU by giving them a choice over if and when cookies or other trackers are placed on their browsers.
It also promotes transparency online, which is an important aspect of data privacy, especially for website users.
Rather than browsing websites without knowing what’s happening to their personal information, they have a chance to interact with a consent banner and know which websites want to collect their data.
How Does the ePrivacy Directive Compare to the GDPR?
The ePrivacy Directive and the General Data Protection Regulation (GDPR) are different pieces of European legislation, but they work together to form a large portion of the privacy framework for the region.
They represent two different types of European laws.
- The ePrivacy Directive is a Directive: It requires national implementation by EU member states, which must create laws to implement the directive in their legal systems.
- The GDPR is a Regulation: It’s enforceable in all member states once it enters into force and does not require any national implementation or adoption of new laws.
They also focus on different specific aspects of personal data privacy.
The ePrivacy Directive focuses on cookies and tracking technologies while the GDPR focuses on processing personal data.
Fines and Penalties for Noncompliance
Penalties for violating the EU Cookie Law are determined by local governments, but most regulators take the following actions if you’re non-compliant:
- Request additional information: A local regulator might request additional information from your business, like your terms and conditions, cookie policy, a list of all cookies your site uses, or anything that will help them determine if you’re in compliance with the law.
- Request potential changes: If your regulator determines that your website isn’t compliant, they will ask you to make it compliant and provide you with a list of necessary changes you must implement within a certain timeframe.
- Enforcement: If you fail to comply with the EU cookie law after the request for changes, you could potentially face criminal charges and fines.
Fines vary depending on your jurisdiction and the severity of your violations, but they can go up to hundreds of millions.
For example, France recently fined Google a whopping $169 million and Facebook $67 million for requiring too many clicks for users to opt out of cookies.
How Termly Helps Businesses with the ePrivacy Directive
Need a consent banner to help your website align with the ePrivacy Directive? Use Termly’s Consent Management Platform.
Our comprehensive CMP includes a customizable consent banner with features like:
- Multi-language support
- Script auto-blocker
- Regional consent settings
- Preference center
- Consent logs
You also get access to a website scanner, cookie policy generator, and an embeddable Data Subject Access Request (DSAR) form.
The ePrivacy Directive is one of the European laws that make up the region's data privacy legal landscape, and it has a significant impact on most websites.
It requires sites to present visitors with a consent experience that allows them to accept or deny cookies and other trackers before anything is placed on their browsers.
It also obligates these websites to be more transparent about what information the cookies gather and why they want to deploy them.
You can simplify setting up your consent banner to meet the expectations of laws like the ePrivacy Directive by using Termly’s CMP.