The cookie laws (ePrivacy Directive)

Disclaimer: This is not legal advice. The authors of this tool are not laywers. We recommend the english version of this site as it is the authors first language. There are several parts that needs to be handled to reach GDPR Compliance, cookies are only a small part. Please consult with a laywer before implementing any solution.

The Directive covers cookies and technological relatives

The ePrivacy Directive from which all the cookie laws derive from also applies to similar storing mechanism as well. This includes eTag, Flash locally stored objects, HTML5 local storage etc. They are called the cookie laws because cookies are the most common of these storage objects.

An important notice about GDPR and ePrivacy

It is important to clarify that The General Data Protection Regulation does not mention Cookies in any way. GDPR applies to the processing of personal data, which include cookies that include personal data. Other types of cookies are regulated under the ePrivacy / Cookie Laws.

An upcoming ePrivacy Legislation is on the way

The European Commission is currently working on a new ePrivacy regulation which will repeal the current ePrivacy Directive. The goal of this legislation is to provide a clear, more defined rule book of how organization should handle tracking and advertisements online. This European legislation are expected in the end of 2018, but may be postponed again.

The ePrivacy Regulation is just that, a regulation. This means that it is a law itself and will become enforceable as law directly.

Enforcement & Fines

The enforcement activities up to this date have varied a lot between countries but there have been severe fines for non-compliance in Spain and The Netherlands. The new regulation proposed that non-complying organizations could be fined up to €20m or 4% of the annual worldwide turnover, whichever is highest.

In the last years cookie consent and cookie policy information have became more common and usually seen on all large websites. These cookie consent banners may look the same to a lot of the visitors but can be divided into different types of consent groups.

Different types of cookie consents

The ePrivacy directive and each member states own cookie laws on how organizations should handle users consent have lead to a wide variety of cookie consent solutions. This article won’t go into the details about the interpretation of the laws and the common solutions. However, a quick glance at each of them in bullet points will help.

Categorization of cookies

Cookies can be categorized into different groups, based on their intended purpose. We have not noticed a standard yet but three different categories of cookies that are commonly used. These groups are:

The group of cookies that are Strictly Necessary are exempted from the cookie laws and does not require consent under the law and can be set as needed. They include:

user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
authentication cookies, to identify the user once he has logged in, for the duration of a session
user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
load‑balancing cookies, for the duration of session
user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
According to: ec.europa.eu

The other three groups should have information and details about why they are being used and also the ability to opt-in and opt-out for one or all of these groups whenever the user pleases. If the data in the cookie is personal they should follow GDPR law.