EU cookie laws and how they affect your business

“This website uses cookies” – an expression that most internet users are very familiar with. Cookies have been around for some time, but some website users and operators alike are still confused by exactly what they do and what the data protection and privacy laws that govern them are. The EU recently clarified the issue, bringing out comprehensive guidelines in 2009 declaring that all EU member states should give individuals living in the EU the right to refuse the use of cookies to protect their online privacy. Now, it is necessary for website operators to provide an opt-in service, at least when it comes to tracking cookies. The European Court of Justice has also confirmed this in a recent ruling: Users must actively consent before cookies can be set-up.

In May 2018, the General Data Protection Regulation came into force and changed the way many regulations work in terms of storing sensitive user data within the EU. It also applies to US businesses, because it applies to the location of the person browsing your site, rather than the location of the site itself. In fact, the new ePrivacy regulation, a draft of which the EU officially presented on 10 January 2017, was to become legally binding at the same time. When it comes to applications of cookies, it is regarded as a detailed supplement to the GDPR, however, its development has stalled. The European Parliament has not yet been able to agree on a draft, which means the law will not come into force in the foreseeable future. For this reason, the EU Cookie Directive will remain in place. But what is the current state of this law? In this article, we take a closer look at what cookies are, and discuss what new ePrivacy regulations mean for cookie usage for EU visitors browsing your website.

As a result of a recent court case in Germany that eventually made it to the European Court of Justice, the ECJ ruled in favor of data protection, stating that an opt-in in the case of cookie-settings must take place. The user must be able to check a box to provide consent. Additionally, the court found that users need to be informed about the cookies being used. Website operators should provide information on how long the files are valid for and which purpose they are being stored for.

Following an appeal, in 2020 the Federal Court of Justice in Germany handed down its verdict on the issue and declared the gambling operator guilty of the following:

The court ruling demonstrates that user consent must be active, voluntary, and must take place from an informed position. This means that visitors to a website must be required to check the approve cookies box themselves (active). At the same time, a lack of consent must not prevent the user from being able to visit the site (voluntarily). Finally, visitors must be able to understand what they are agreeing to by display information using clear language, not hiding options, or adding long legal texts (informed). The German judiciary is also acting against Dark Patterns, whereby a website is designed to be as unclear as possible to impose a condition on the user (such as consent to advertising cookies).

Yet, it remains unclear what the ramifications of these legal questions are to US website operators with German visitors, but anyone operating a website with international users is well-advised to keep abreast of the current legal situation regarding data protection within the EU.

Cookies are text files that are stored by your browser on your computer when you load a web page. The text file consists of data from your website visit and aims to improve user friendliness: your browser will notice login data and language settings, speeding up and streamlining your browsing experience. Typical cookie data contains a statement about the life of the text file and a randomly generated number that’s unique to your computer. Cookie data is normally stored anonymously, and the data stored in the text file can only be read on the web server that issued the cookie. Cookies tend to avoid personal data too, usually only requiring it for login information. Their main responsibility is to create this personalized, interactive online world as we know it today.

But despite the user-friendly aspect to cookies, many critics see them as an invasion of privacy. Cookies can be used to create what’s known as “behavioral profiles”, which use your online habits to display certain ads or certain targeted content. They do so because it’s useful for companies to be able to display tailored content depending on whether a user is visiting a website for the first time or the 100^th time.

In some cases, cookies stay on your computer between page visits, gathering more information to build up a clearer picture of other interests you might have. In these circumstances, companies can target ads even when you visit external pages, often displaying tailored images (like the pair of shoes you were viewing on their website, or the new kitchen appliance you’ve been searching for). This is an integral tactic for online businesses battling the dense e-commerce market. But there are concerns that cookies may sometimes be misused to supply information about personal internet use to unknown companies.

The truth about cookies for users is that you don’t really know how your data is being used without an explanation by the website you’re visiting. And this is the fundamental reason for the EU’s revolutionary regulations from 2011.

In 2002, the European Union initiated their ‘Directive on Privacy and Electronic Communications’, with further ammendments to cookie usage made in 2009. Despite coming under criticism for its structuring and difficult interpretation, the EU set a deadline for their directive to be adopted by all member states by May 2011.

Known simply as “The Cookie Law”, the EU directive recognizes the need for cookies to create the personalized online universe we enjoy today, but also makes it clear that cookies could be considered an invasion of privacy and that users deserve the right to be made aware of the presence of cookies and their usage. Certain cookies that are considered “strictly necessary for the delivery of a service requested by the user” don’t have to be declared, because they are of far higher benefit to the user than the company. This includes cookies used to track shopping carts in e-commerce and to store important login information that the user requires.

For the use of most cookies, website operators in the EU now require permission from the user. This covers all cookies that don’t meet the requirement mentioned above of being “necessary”. This means that advertising cookies for retargeting, analysis, and social media cookies now require permission from the user. But the main issue that many companies have with these EU regulations is that the guidelines don’t clarify exactly how they should be implemented. There’s uncertainty when it comes to obtaining authorization from site visitors.

As of 2020, Germany is considering a new law: the telecommunications tele-media data security law (Telekommunikations-Telemedien-Datenschutz-Gesetz (TTDSG)) which aims to bundle data-relevant laws. However, as of right now, only a proposal of the law has been drafted. This is subject to changes. The law does contain an interesting point in relation to cookies: the proposal suggests that cookies which aren’t necessary to run a website could be auto rejected. In this way, users would no longer have to accept or reject a cookie declaration each time they access a website.

With the Cookie Directive, the European Union wants to provide greater protection for the personal data of Internet users. Basically, the EU distinguishes between essential and non-essential cookies:

1. Technically essential cookies: this includes cookies that are absolutely necessary for a website to function, including those that store log-in data, shopping carts, or language selection by so-called session cookies (which are deleted when the browser is closed).
2. Technically non-essential cookies: in contrast, text files that do not solely serve the functionality of the website but also collect other data are considered non-essential cookies. These include the following:
   • Tracking cookies, which collect data on a user’s location
   • Targeting cookies, which adapt advertisements to the Internet user
   • Analytics cookies, which provide information about the behavior of Internet users on a website
   • Social media cookies that link a website to platforms such as Facebook, Twitter, etc.

According to the Cookie Directive, essential cookies may be set from the outset, i.e., without the user’s prior consent. In contrast, website visitors must consent before the cookies store non-essential data. Thus, according to general understanding, the EU Cookie Directive requires a so-called opt-in solution for non-essential cookies.

• Opt-out: Cookies are set from the start, users can only object to data storage subsequently.
• Opt-in: Cookies are not set from the start, but only when the user agrees to the data storage.

Previous drafts of the ePrivacy Regulation provided for a general ban on technically unnecessary cookies, with the exception that users may agree to their use in advance. The initial draft of this regulation was solely concerned with web applications. The draft released on March 22nd, 2018 covers all kinds of machine-based communication like apps, email, and metadata collection for VoIP calls. It also covers inter-machine communication, like M2M communication.

The ePrivacy Regulation should also be of interest to international communication service providers, including those from the USA. The regulation stipulates that the rules apply as soon as a terminal is located within EU borders. It is irrelevant where data processing for a controlled service takes place.

Data protection here in the US, for example, is somewhat less stringent. Since the scope of the new ePrivacy Regulation applies as soon as a terminal in Europe accesses communication services, US companies will have to consider their use of cookies for European users and make decisions about whether to run targeted advertising, or whether to confront users with a paywall.

The first draft of the ePrivacy Regulation stipulated that the manufacturer should generally have the highest privacy settings pre-set in browsers. When operating with this setting checked, the browsers would not accept third-party cookies. As a result, cookie banners which are extremely popular would disappear since users would have to actively choose to accept cookies with each software installation. This requirement was based on the principle of “Privacy by Design”, as described in the GDPR. However, a more recent design has relaxed the rules for browser settings somewhat. Users can now choose whether to allow cookies according to the website again.

The prohibition of coupling declares that being able to access a website should not be dependent on whether a user consents to the use of cookies. However, there are legitimate purposes that may require the use of cookies. If, for example, a user has to authenticate a transaction while online banking or if they want to make use of an online store’s shopping cart, using cookies is necessary. If website operators inform users, and they can clearly understand the purpose, consent and use can be applied to cookies.

The body responsible for interpreting and enforcing The Cookie Law in the UK is the Information Commissioners’ Office (ICO). The ICO has chosen a general opt out strategy for UK website operators, meaning that site visitors just have to be informed that the cookies are being used. Many of these cookie notifications appear in the form of banners at either the top or bottom of a website’s homepage, and some require no direct interaction. Here are some examples of how certain well-known websites have displayed their cookie notifications:

Channel 4 gives a comprehensive explanation of what cookies are and how it uses them. This appears in a display bar at the top of the homepage, accompanied by a link to cookie management and an “Accept & Close” box. This box stays in its place until you click “Accept & Close”, but it doesn’t follow the page, disappearing if you scroll down.

The Football Association’s homepage features a banner display at the bottom of the screen, explaining the type of cookie used and when it will expire. The banner follows the page as you scroll, but as soon as you click any link on the website, it will disappear, taking your click to be an acceptance of the cookie policy.

Rolls Royce offer little information about their cookie policy, besides a link to a separate web page. They don’t feature an accept button, opting for a simple X instead. Their banner appears at the top of their homepage, moving with the page as you scroll up and down and staying on display until closed, no matter how many different pages of their website you go through.

Hotel Chocolat take a humorous approach to their cookie usage, displaying a small box in the bottom left corner of the screen with a joke playing on the double meaning of “cookie”. They also offer a link to their cookie usage guide and an X in the corner of the box to close it, although it disappears as soon as the user clicks elsewhere on the screen too.

The extent to which the EU ePrivacy regulation will affect your business in the US is slightly unclear and open to interpretation. The simple legal answer is that these laws won’t have much impact, because the US isn’t part of the European Union, so it has different restrictions and guidelines when it comes to online privacy. If you’re operating a website or online shop in the United States with content aimed at American citizens, you don’t need to worry about the EU cookie restrictions. But there’s a gray area for US website operators featuring content aimed at people in the EU.

For example, if you’re running a website about the Six Nations rugby tournament, played between England, Scotland, Ireland, Wales, France, and Italy, then you’re likely to get some website visitors from these countries. It’s possible that you could be violating EU law by not actively disclosing cookie information. And even if you’re not, it’s important to remember that EU citizens wishing to visit your site will now have an increased understanding and awareness of cookies and what they mean. So it makes sense to notify site visitors using the same methods we’ve suggested above. If you offer an alternate website for EU citizens, for example an Irish version of your online store, then you must follow the EU cookie law – and you must adhere to the guidelines set out in the EU GDPR anyway for all your sites, in case these want to be accessed by EU visitors.

For a full overview of cookie restrictions and other data protection laws in the US, you can refer to the usa.gov privacy, security, and accessibility policies page.

Cookies are becoming more and more integral to everyday internet use. Without them, website operators wouldn’t be able to offer users the stylized and personalized content that we’ve all grown accustomed to. This has even been recognized by the EU privacy directive, which has conceded that some cookies are now essential for user experience, for example login information and online shopping carts. But other cookies that are useful for retargeting and other forms of display advertising may frustrate and annoy the user, and so EU cookie law is designed to increase user awareness of cookies and give them the option to opt out and not have their website browsing tracked.

Website operators should keep a close eye on further developments concerning how the EU Cookie Directive will develop- because the legal situation will change with the new ePrivacy regulation, even if it is not yet quite clear how. The GDPR in the EU contains further guidelines for the security of personal user data. If the ePrivacy regulation is not yet legally binding, cookies will be considered to be related to personal data defined in Chapter 1 of the GDPR - as they collect data which make a user identifiable (identification numbers, user profile etc.).

With the introduction of the GDPR, stricter rules will also apply in this country and for your online business for processing and collecting the personal data of visitors from EU websites. Implementing these regulations precisely will also save website operators a good deal of work if the “new cookie directive” in the form of the ePrivacy regulation comes into action in the next few years.