A Guide to European Privacy Laws

If GDPR has your head spinning, this guide should clear things up.

You know that sinking feeling you get when you navigate to a website and a cookie notice appears? The result of this avalanche of cookie banners is that website users have reached "peak cookie". For many people, these notices seem completely pointless. But are they? And what are these cookie notices about anyway?

In an era where concern over online privacy has become important to everyone, the European Union has stepped in and created laws to protect our privacy. These laws include how cookies are collected, consented to, and used.

A short history of cookies and the laws that bake privacy in

Cookies are useful for making websites easier to use because they capture visitor behavior and use that to improve the experience when using a website. Cookies are data, and by capturing data, such as holiday website browsing data, these little snippets of data can intrude on your privacy.

Some cookies are essential to help websites to function properly. Others are not so necessary and are more useful for the provider than the consumer. To understand why cookies are used, it's useful to know a little bit about the types of cookies in use today.

Breaking up the cookies

Cookies vary in sophistication and purpose. Typically, a cookie is downloaded to a device on the first visit to a website. They collect many types of data from length of time on a page to recording what products are in your shopping cart.

There are several types of cookie used for different purposes:

First-party cookies

These are very useful cookies that help to make the online experience better and provide seamless shopping experiences. First-party cookies are created by the domain that a user is visiting, e.g., Amazon.com. The act of visiting the domain begins a process that checks that it is the true Amazon domain, and if this checks out, a first-party cookie is stored under that domain on the local device browser.

If you disable these cookies, then making purchases (for example) becomes onerous as shopping carts cannot be updated. First-party cookies also make logging into websites a lot easier.

Going beyond the first-party cookie approach is how marketers deliver targeted ads. Those ads that follow you around, even after you have already purchased from an online store, are the work of the third-party cookie. Third-party cookies are placed on a website visitor's device by a company other than the site of interest, aka, a third-party associate site. Third-party cookies may collect sensitive personal data, including behavioral data. These data are then shared with any third party that is associated with the cookie ecosystem.

It is the third-party cookie that is behind much of the privacy debate as this is the cookie that can be used to track users across the internet.

Google announced in 2020 that it would phase out third-party cookies in an attempt to abide by cookie privacy laws. An initiative termed "Privacy Sandbox" will be used by the company to "sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete".

Cookies can also be:

Session cookies

These cookies are the least concerning as they are only held during a specific session on a website. These temporary cookies are removed from your browser as soon as you leave the website. They are typically used for storing shopping cart data.

Persistent cookies

These cookies are longer-lived, but usually have an expiration date attached by the issuer. Until that date, the cookie remains in your browser folder even when you close your browser. If you go back to the issuer's website, the relevant cookie data will be retrieved. Clicking the "remember me" check box on a site creates a persistent cookie, which makes for easier internet use. Google Analytics cookies are persistent cookies.

Persistent cookies are also part of the privacy debate.

Cookies have long been a thorn in the side of privacy advocates. In the UK, for example, the Information Commissioner's Office (ICO) decided that the adtech industry was operating illegally by not taking proper consent when sharing cookie data. The UK ICO stated in a blog post in 2020 that there was a "significant lack of transparency due to the nature of the supply chain and the role different actors play." The ICO continues to investigate the adtech industry.

Privacy regulations across the world have attempted to legislate around any privacy impact that cookies have on an individual. The European Union has been an ardent supporter of an individual's right to online privacy, and to this end, the EU has created laws to uphold these rights.

Timeline of the EU Cookie Law

The following timeline shows the approach to cookie privacy across the EU from 2002 to the present:

2002: The ePrivacy Directive (ePD) is enacted.

This was to eventually become known as "The Cookie Law" when the law was updated. The legislation was designed to enforce data privacy for citizens of the European Union. The directive covered online activity as well as mobile and landline privacy. The law covered the processing of personal data, notification of personal data breaches, and confidentiality of communications, including unsolicited communications.

2009: The ePD is amended by the Citizens' Rights Directive (2009/136/EC).

This updated law presented new measures such as a requirement for providers to report personal data breaches. Also, importantly, this law introduced the need to obtain consent from users to process web cookies. Since then, the ePD has been known as "The Cookie Law".

2016: The European Commission leads a public consultation on an update to the ePD.

The older legislation was expected to be replaced by the ePrivacy Regulation (ePR) in line with the enactment of the General Data Protection Regulation (GDPR) in 2018. However, to date, the ePR is still in draft and may not come into effect until the mid-2020s. It is expected that when the new version is enforced it will bring more stringent requirements that provide for data deletion and anonymization.

One of the areas that this new regulation looks at is the ease of use of cookie law application, in an attempt to improve the user-friendliness of cookie consent, aka, the annoying pop-ups. For example, this would likely mean that consent will not be needed for "non-privacy intrusive cookies" used to improve the web experience of the user.

Further details on the progress of the ongoing process of enacting the ePR can be found on the EU's EUR-Lex website.

The EU Cookie Law today

While organizations and individuals alike await the update of the ePR, the current laws stand. Once enacted, the ePrivacy Regulation will be in line with the GDPR's rules on personal data processing and map to rules governing electronic communications.

Where both laws apply, the ePR will take precedence.

For now, the ePrivacy Directive (ePD) is the law that organizations need to take note of.

A recent court case brought to light an important aspect of the ePD and set a precedent for cookie consent. The case was heard at the European Court of Justice and involved the use of cookie sharing across gaming sites. The ECJ ruled that "opt-in" must be used for cookie settings. The court press statement notes that:

"consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies."

Opt-in means that a check box, set as unchecked by default, must be used to collect explicit consent. This is in line with GDPR requirements around explicit consent.

For cookie use in the EU and any organization that has a website accessed by a European citizen, this means that specific permission from the user is required for all cookies other than those deemed as being "necessary".

Is cookie consent part of respectful technology?

Consumers are beginning to be savvier about their privacy rights. They are also more aware of security and how the two are often intrinsically linked. The movement towards a more respectful technology landscape is gaining momentum. Privacy plays a large part in the future of tech and how software products impact us in our daily lives.

As far as a consumer-facing organization is concerned, respectful technology choices translate into customer retention and the building of good customer relations. Surveys into privacy and attitudes demonstrate this: A survey by UK watchdog Ofcom found that 60% of respondents agreed with the statement "people who buy things online put their privacy at risk". Following on from this, a Ponemon Institute study found that 31% of consumers would stop using an organization if a data breach occurred.

Bearing this in mind, the drive towards respectful technology that cares about consumers has the potential to create a win-win for all. Legislation such as the Cookie Law works to enforce this.

How does the EU Cookie Law affect me?

If you own a business with a website, cookie laws affect you. Here are some areas that should be looked at when designing a website:

Start with the following exercise:

1. Perform an audit of your cookies: what cookies does your site collect and use?

2. Work out how you will let visitors know which cookies are created and which require explicit consent. Transparency in cookie generation is a best practice.

3. Use a cookie consent tool to capture consent. This may be built into your web package; if not, there are several tools available.

4. Have a mechanism in place to ensure that cookies are not stored on a user's device if they refuse consent.

Who is affected by the EU Cookie Law?

If your website can be accessed by European users and creates cookies you must tell the visitor what the cookies do and why you use them. There is an exemption to this rule if the cookies are required to make the website work correctly, e.g., to allow a shopping cart to be updated.

An important point to note is that if a user declines consent for cookies, this must not prevent the user from being able to visit the site. This is termed "prohibition of coupling", and the GDPR applies the same principle when consent is used as the legal basis for processing.

What cookies do you need to take consent to use?

For web applications, you only need to obtain consent on the use of non-technical cookies, i.e., cookies such as third-party cookies that track a user. Technical cookies, by contrast, are deemed "strictly necessary". Things that are not strictly necessary include tailoring a website or making product recommendations.

Cookies that are associated with security, such as authentication for user login, are strictly necessary.
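The four-step exercise above and the "strictly necessary" exemption can be implemented as a small consent-gated cookie layer. The following is an added example, not code from the original article: the cookie names, categories and the `jar` store are constructed for illustration, and a browser deployment would wrap `document.cookie` behind the same `set`/`delete`/`has` methods.

```javascript
// Added example (not from the article): a consent-gated cookie layer for an ePD-compliant site.
// Cookie names and categories below are constructed samples, not a real site's registry.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary",   purpose: "Keeps you logged in (authentication)" },
  cart:       { category: "necessary",   purpose: "Remembers the items in your shopping cart" },
  lang:       { category: "preferences", purpose: "Remembers your chosen site language" },
  _ga:        { category: "analytics",   purpose: "Usage statistics (persistent cookie)" },
  ad_id:      { category: "advertising", purpose: "Third-party ad targeting across sites" },
};

// Steps 2 and 3: the consent record behind the banner. Every non-necessary category
// starts unchecked (false), because opt-in requires an affirmative act from the user.
function defaultConsent() {
  return { preferences: false, analytics: false, advertising: false };
}

// Step 4: decide whether a cookie may be written. Strictly necessary cookies are exempt;
// anything else needs consent for its category; unregistered cookies fail closed.
function mayStore(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.category === "necessary") return true;
  return consent[entry.category] === true;
}

// `jar` is a pluggable store with set/delete/has (a Map here; document.cookie in a browser).
// Returns whether the cookie was actually written, so callers can react to a refusal.
function setCookie(jar, name, value, consent) {
  if (!mayStore(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Withdrawal must be as easy as giving consent: revoke one category and purge its cookies,
// leaving strictly necessary cookies (login, cart) untouched so the site keeps working.
function withdrawConsent(jar, consent, category) {
  consent[category] = false;
  for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
    if (entry.category === category) jar.delete(name);
  }
  return consent;
}

// Step 1: the audit output, reusable as the cookie list on the site's privacy page.
function cookieTable() {
  return Object.entries(COOKIE_REGISTRY).map(([name, e]) => ({
    name, purpose: e.purpose, category: e.category, requiresConsent: e.category !== "necessary",
  }));
}
```

Because every write goes through `setCookie`, a visitor who declines consent still gets the login and cart cookies the site needs, which is what the prohibition of coupling requires.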

Cookie banners

If you need to present a cookie banner, then you should make efforts to use a good design. Cookie banners are considered a nuisance by many, so reducing banner friction in the user experience is important to prevent site drop-off.

There are lots of suggestions for good and bad patterns in cookie banner design and it is worthwhile doing some research into the best design for your website.

It is also worth noting that the feature requirements of cookie banners and associated user interaction may change in the next few years. The current draft of the ePR (the update to the ePD) includes the following recommendation.

"Providers of software are encouraged to include settings in their software which allows end-users, in a user friendly and transparent manner, to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment"

This suggests a more fluid approach to consent going forward.

Pop ups and similar techniques

Some have suggested using pop-ups to ask for consent. This might initially seem an easy option to achieve compliance – you are asking someone directly if they agree to you putting something on their computer and if they click yes, you have their consent - but it’s also one which might well spoil the experience of using a website if you use several cookies.

However, you might still consider gaining consent in this way if you think it will make the position absolutely clear for you and your users. Many websites routinely and regularly use pop ups or 'splash pages' to make users aware of changes to the site or to ask for user feedback. Similar techniques could, if designed well enough, be a useful way of informing users of the techniques you use and the choices they have. It is important to remember though that gaining consent in this potentially frustrating way is not the only option.

Settings-led consent

Some cookies are deployed when a user makes a choice about how the site works for them. In these cases, consent could be gained as part of the process by which the user confirms what they want to do or how they want the site to work.

For example, some websites 'remember' which version a user wants to access, such as the version of a site in a particular language. If this feature is enabled by the storage of a cookie, then you could explain this to the user and that it will mean you won't ask them every time they visit the site. You can explain to them that by allowing you to remember their choice they are giving you consent to set the cookie.

This would apply to any feature where you tell the user that you can remember certain settings they have chosen. It might be the size of the text they want to have displayed, the colour scheme they like or even the ‘personalised greeting’ they see each time they visit the site.

Feature-led consent

Some objects are stored when a user chooses to use a particular feature of the site such as watching a video clip or when the site remembers what they have done on previous visits in order to personalise the content the user is served.

In these cases, presuming that the user is taking some action to tell the webpage what they want to happen – either opening a link, clicking a button or agreeing to the functionality being ‘switched on’ – then you can ask for their consent to set a cookie at this point.

Provided you make it clear to the user that by choosing to take a particular action then certain things will happen you may interpret this as their consent. The more complex or intrusive the activity the more information you will have to provide.

Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice.

Functional uses

You will often collect information about how people access and use your site and this work is often done ‘in the background’ and not at the request of the user. An analytic cookie might not appear to be as intrusive as others that might track a user across multiple sites but you still need consent.

You should consider how you currently explain your policies to users and make that information more prominent, particularly in the period immediately following implementation of the new Regulations.

You must also think about giving people more details about what you do – perhaps a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.

One possible solution might be to place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them.

If the information collected about website use is passed to a third party you should make this absolutely clear to the user. You should review what this third party does with the information about your website visitors. You may be able to alter the settings of your account to limit the sharing of your visitor information.

Similarly, any options the user has should be prominently displayed and not hidden away.

Baking cookies into a privacy-respectful future

Cookies have been a minefield both for the user dealing with the avalanche of cookie banners and for the business attempting to meet the requirements of the EU's Cookie Law. Finding a way to capture the consent of the user in a friction-reduced way requires some thought and understanding of what and why you capture that consent. In doing so, however, you are working to create a user-centric experience that engages the customer in your business and demonstrates your appreciation of respectful technology.

As the privacy savvy consumer continues to understand the implications of their online data being shared, a business that recognizes the nuanced application of consent can turn this process into a positive experience. It is worth keeping an eye on this page for updates as the new ePR shakes out and how it impacts your business.