What is the Cookie Law?

In 2009 the EU amended the ePrivacy Directive to account for changes in technology, and under Article 5.3 made consent necessary for storing, or accessing, information on terminal equipment such as computers and phones. This article is popularly known as the EU cookie law.

e-Privacy Directive 2009, Article 5.3:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

The article is technology-neutral: it covers every form of storage on, or access to, the user's device, which includes cookies, beacons, pixels, fingerprinting, etc.

3 Steps to make your website compliant with the Cookie Law

  1. Give users a notice, using a banner or pop-up, with clear and comprehensive information on the purposes of the cookies
  2. Set the cookies only after the user has given consent
  3. Give the user an option to refuse cookies

Please note that Strictly Essential cookies don't need user consent. For example, load balancing cookies are Strictly Essential and don't need consent. The criteria for deciding whether a cookie is strictly essential (based on the WP29 2012 report) are:

  1. Used for the sole purpose of transmission of a communication. Cookies in any of the following categories fulfil this criterion:
  • The ability to route the information over the network, notably by identifying the communication endpoints.
  • The ability to exchange data items in their intended order, notably by numbering data packets.
  • The ability to detect transmission errors or data loss.
  2. Strictly necessary to provide a functionality the user explicitly requested. Cookies should pass the following two tests to qualify:
  • The cookie is necessary to provide specific functionality to the user (or subscriber); if the cookie is disabled, the functionality will not be available.
  • This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.
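The three steps above, and the strictly essential exemption, amount to one rule for a site's code: a cookie is written only if it is strictly essential or the user has given consent for its category, and refusal must be as easy as acceptance. The following is an added example and is not code from the original article. It is a hypothetical model: the cookie registry (names, categories, purposes) is constructed for illustration, the `CookieJar` class stands in for `document.cookie` so the logic runs outside a browser, and treating the cookie that records the consent choice as strictly essential is an assumption made here.

```javascript
// Added example (hypothetical model, not the article's code): gate every
// cookie write on consent. Only "essential" cookies may be set before the
// banner is answered; everything else needs an explicit positive choice.

// Constructed registry of every cookie the site sets and its purpose category.
// Names not in the registry are refused (fail closed), so an unclassified
// cookie cannot slip through this path.
const COOKIE_REGISTRY = {
  SERVERID: { category: "essential", purpose: "load balancing (sticky session)" },
  cookie_consent: { category: "essential", purpose: "records the user's consent choice" }, // assumption
  _analytics_id: { category: "analytics", purpose: "audience measurement" },
  _ad_id: { category: "advertising", purpose: "ad targeting" },
};
const NON_ESSENTIAL = ["analytics", "advertising"];

// Consent is undecided until the banner is answered; refusal is a decision too.
class ConsentState {
  constructor() {
    this.decided = false;
    this.allowed = new Set();
  }
  accept(categories) {
    // Only categories the site actually declares can be accepted.
    this.allowed = new Set(categories.filter((c) => NON_ESSENTIAL.includes(c)));
    this.decided = true;
  }
  refuseAll() {
    this.allowed = new Set();
    this.decided = true;
  }
  allows(category) {
    return category === "essential" || this.allowed.has(category);
  }
}

// Stand-in for document.cookie that enforces the registry and consent state.
class CookieJar {
  constructor(consent, registry = COOKIE_REGISTRY) {
    this.consent = consent;
    this.registry = registry;
    this.store = new Map();
    this.blocked = []; // audit trail of refused writes
  }
  // Returns true when the cookie was stored, false when the write was blocked.
  set(name, value) {
    const entry = this.registry[name];
    if (!entry) {
      this.blocked.push({ name, reason: "not in registry" });
      return false;
    }
    if (!this.consent.allows(entry.category)) {
      this.blocked.push({ name, reason: `no consent for ${entry.category}` });
      return false;
    }
    this.store.set(name, value);
    return true;
  }
  get(name) {
    return this.store.has(name) ? this.store.get(name) : null;
  }
  // Remove cookies whose category is no longer consented to (consent withdrawn).
  purgeWithdrawn() {
    const removed = [];
    for (const name of [...this.store.keys()]) {
      if (!this.consent.allows(this.registry[name].category)) {
        this.store.delete(name);
        removed.push(name);
      }
    }
    return removed;
  }
  names() {
    return [...this.store.keys()].sort();
  }
}

// One visitor's journey: acceptedCategories is an array, or null for "refuse".
function simulateVisit(acceptedCategories) {
  const consent = new ConsentState();
  const jar = new CookieJar(consent);

  // Before the banner is answered: only strictly essential cookies may be set.
  jar.set("SERVERID", "node-3");
  jar.set("_analytics_id", "GA1.2.555"); // blocked: undecided
  jar.set("tracker_from_widget", "x"); // blocked: not in registry

  // Banner answered; the choice itself is recorded in an essential cookie.
  if (acceptedCategories === null) consent.refuseAll();
  else consent.accept(acceptedCategories);
  jar.set("cookie_consent", JSON.stringify([...consent.allowed]));

  // After the decision, non-essential cookies are set only for accepted categories.
  jar.set("_analytics_id", "GA1.2.555");
  jar.set("_ad_id", "adid-42");

  return { stored: jar.names(), blocked: jar.blocked.map((b) => b.name), jar, consent };
}

console.log("refused:", simulateVisit(null).stored);
console.log("analytics only:", simulateVisit(["analytics"]).stored);
```

The `blocked` list is worth keeping in a real deployment: it is the evidence, per page load, that no non-essential cookie was written before consent, which is exactly what a regulator or auditor asks a site to demonstrate.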

What changes after GDPR?

Cookies are still regulated by the ePrivacy Directive, but the consent now has to meet the GDPR standard. This means consent should be freely given, specific, informed, and given by a positive action. Recently the CJEU, in the Planet49 case, ruled that the consent requirement of the ePrivacy Directive should be read in conjunction with the GDPR. We covered steps for creating a GDPR-compliant cookie solution here.