Cookie Law: Everything You Need to Know (2024)

If your website uses cookies to collect or track personal data, you must comply with the relevant cookie laws of your country and of wherever the website operates. Cookie law means that visitors must be informed about the cookies your website uses and must accept them before they are set. This article discusses cookie law and its implications for websites, and explains how to comply with cookie laws in six easy steps.

What are cookies?

Cookies are small text files that websites you visit place on your computer. They are widely used to make websites work, or work more efficiently, and to provide information to the owners of the site. For example, if you allow your browser to remember your login details, that information is stored in a cookie and used again when you return to the site.

Cookies work by assigning your computer a unique identification number (an ID) that allows the website to remember things about you as you move around the Internet. When you visit a site that uses cookies, your browser will tell the site which cookie (if any) it has stored for that site. The site can then use that cookie to determine whether you have visited before and what information you may need to complete a task or access certain services. For example, a cookie can contain your user name and password, so you do not have to re-enter them each time you visit the site.

Cookies do not harm your computer, but some people find them annoying because they cannot control what type of cookies the website stores on their device or how their browser uses them.


What is a cookie law?

A cookie law is a set of guidelines governing the use of cookies on websites. When you visit a website, some cookies are used to track you and your browsing habits to provide a better experience for you. However, not everybody wants to be tracked by cookies. So, certain laws were created which make it illegal for websites to store cookies without the user’s knowledge or consent.

These laws were introduced to protect users’ privacy and prevent the misuse of information collected by cookies. Most of the time, companies use the information for marketing purposes, which can mean that users receive unsolicited advertising.

What is the EU cookie law?

The ePrivacy Directive (ePD), introduced in 2002 and amended in 2009, is EU legislation that protects the confidentiality of electronic communications within the European Union (EU). It applies to all electronic means of communication, including but not limited to e-mail, instant messaging, SMS messages, and phone calls. The Directive regulates how advertisers and other third parties may use electronic communications. It includes provisions that restrict the monitoring and blocking of communications, as well as requirements for consent before personal data is stored or collected. It gives EU member states a framework for implementing the Directive through their own national laws; all member states had adopted it and implemented their laws by 2011.

It was revised to include rules on cookies, tracking, and similar forms of online tracking, which earned it the name “the EU Cookie Law.” The Directive introduced new requirements for websites to obtain prior consent from visitors before storing or retrieving information on their devices. Additionally, it requires website owners to inform users of the cookies they use and how they will be used. This applies to all websites serving EU users, no matter where they are hosted.

The law exempts strictly necessary cookies from these requirements. It recognizes that cookies are a useful technology that can nevertheless affect user privacy. It mandates that a website must:

  • Provide clear and precise information about the cookies (including strictly necessary ones) and their purpose when users visit a website.
  • Get prior consent from users to store the cookies on their devices.
  • Make available an option for users to deny consent to use the cookies.
  • Make the means of providing cookie information, opt-out option, and requesting consent as user-friendly as possible.
  • Access to specific website content may be made conditional on informed user consent if the cookies serve a legitimate purpose.

In 2017, the EU proposed a regulation known as the ePrivacy Regulation (ePR), which will repeal the ePD. Unlike the Directive, it will apply directly and uniformly across all member states once it comes into effect. The final draft is expected to address some concerns regarding cookie consent. One main difference from the Directive is that under the ePrivacy Regulation websites can no longer use ‘legitimate interest’ as the basis for using cookies.

As of the most recent developments, the final effective date remains unknown, and given the 24-month transition period, it is unlikely to be before 2023.

Another EU law that regulates the use of cookies is the General Data Protection Regulation (GDPR). Compared to the cookie law, the GDPR has broader applicability. The Directive targets personal data collected over a publicly available electronic communication service or network, whereas the Regulation sets rules for personal data that is not publicly available.


Apart from these and a few other differences, the two have similar clauses, particularly regarding cookies. Like the ePrivacy law, the Regulation requires websites to obtain well-informed GDPR cookie consent (with all necessary details about the cookies and their purpose) from users before storing cookies on their devices, and to give them the choice to opt out and withdraw consent. However, unlike the Directive, the GDPR is not lenient about making access to a website conditional on user consent.

What are other major cookie laws outside the EU?

The ePrivacy Directive may have formed the blueprint for the cookie law. However, other laws also regulate cookies and play an important role in shaping the privacy landscape worldwide. We will discuss the laws of the UK, a former EU member, as well as the US laws that form the basis for cookie regulation in their respective regions.

Cookie law in the UK

Before Brexit, the UK data privacy landscape included the EU GDPR, ePrivacy Directive and the UK Data Protection Act 2018.

After Brexit, the UK is no longer bound by the EU cookie law or the GDPR, unless a business there uses EU individuals’ personal data to offer goods and services or to monitor their behavior.

Organizations that process the personal data of UK individuals must comply with the UK version of the GDPR. Apart from its regime for national intelligence and security, the UK GDPR is borrowed word for word from the EU version, so its requirements for cookie usage are the same as those of the EU GDPR.

To protect the personal data collected via electronic communication networks or services, the UK adopted the Privacy and Electronic Communications Regulations (PECR) derived from the EU ePrivacy Directive.

The Data Protection Act, along with UK GDPR and PECR, form the data privacy and protection landscape of the UK.

The PECR, like its EU counterpart, has clauses on cookies. The law requires websites to inform users about cookies and to explain clearly what the cookies do and their purpose. Like the ePrivacy Directive, the PECR also requires websites to obtain prior consent before storing cookies on user devices, and that consent is only valid if it is freely given, informed, explicit, specific, and withdrawable.

Cookie law in the US

The United States does not have a cookie law. However, there are federal laws and some state laws that deal with cookie usage.

The Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the use of cookies on websites that cater to children under 13 years of age.

State laws like the California Consumer Privacy Act (CCPA) also regulate the use of cookies. The CCPA applies to businesses that cater to California consumers and meet one of the following thresholds:

  1. Earns over $25 million in annual gross revenue.
  2. Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
  3. Derives at least 50% of its annual revenue from selling personal information.

The definition of personal information under the CCPA also extends to digital identifiers such as cookies. It requires websites to inform users about the cookies set by the site, their source, their purposes, and whom the information is shared with. The website must also provide an opt-out choice that lets users stop the site from selling or sharing their personal information. This option must be easily accessible and user-friendly.

How to comply with the cookie law?

As we’ve seen, these laws have largely the same requirements, save for a few clauses. So, if you want your website to comply with them, there are some common best practices you can adopt.

#1 Identify cookies

To know which cookies you need to regulate, you must first identify the cookies your website uses. You need to determine which of them require consent so that you can block them until consent is received.

You can either do manual checking using your browser settings or use a free online cookie scanner.
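A small cookie inventory script, added here as an example and not from the article: it parses Set-Cookie headers captured from your site (the sample headers below are constructed, and the site host and strictly-necessary allowlist are assumptions), records each cookie's lifetime, security attributes and first- or third-party status, and lists the cookies that must stay blocked until the visitor consents.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
SITE_HOST = "www.example.com"  # assumption: the site being audited
# assumption: cookie names the operator has documented as strictly necessary
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "cookie_consent"}

@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool    # survives the browser session (Max-Age or Expires)
    secure: bool
    http_only: bool
    samesite: str       # "unset" when the attribute is absent
    third_party: bool   # belongs to a domain other than the audited site
    needs_consent: bool

def parse_set_cookie(response_host, header, site_host=SITE_HOST, now=None):
    """Parse one Set-Cookie header value (RFC 6265 syntax) into a record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Without a Domain attribute the cookie belongs to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    persistent = False  # Max-Age takes precedence over Expires (RFC 6265)
    if "max-age" in attrs:
        persistent = int(attrs["max-age"]) > 0
    elif "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        persistent = parsedate_to_datetime(attrs["expires"]) > now
    # Same-site if the cookie domain is the audited host or one of its parents.
    third_party = not (domain == site_host or site_host.endswith("." + domain))
    needs_consent = third_party or name.lower() not in STRICTLY_NECESSARY
    return CookieRecord(name, domain, persistent, "secure" in attrs,
                        "httponly" in attrs, attrs.get("samesite", "unset"),
                        third_party, needs_consent)

# Constructed sample: (responding host, Set-Cookie header value) pairs
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "_ga=GA1.2.123; Domain=.example.com; Max-Age=63072000"),
    ("ads.tracker-example.net", "uid=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None"),
    ("www.example.com", "cookie_consent=given; Path=/; Max-Age=31536000"),
]

def consent_required(responses, site_host=SITE_HOST):
    # Names of cookies that must be blocked until the visitor consents.
    records = [parse_set_cookie(h, c, site_host) for h, c in responses]
    return sorted(r.name for r in records if r.needs_consent)
```

Feed it the Set-Cookie headers from your browser's developer tools or a crawl of your own site; anything it flags is a candidate for blocking behind the consent banner.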

Author: Melvina Ondricka