
EU Cookie Directive Compliance

Richard C. Gruber Jr.
Pasky Gruber Scatchell LLC
ric@paskygruberscatchell.com
The following is an update on the status of the implementation of cookie laws by EU
member states as stated in the EU Cookie Directive (the Directive),[1] effective May 25th,
2011. The Directive's purpose is for member states to implement their own laws within
the Directive's general framework in order to protect the privacy of individuals in the EU.
However, the Directive is not itself law; to analyze compliance one must look to each
member state, and in certain instances the guidance a member state provides is more specific.
Most importantly, the Directive has introduced new rules for online service providers that
require consent to be obtained from website visitors before serving cookies and other
tracking devices to users' computers.
A status chart has been attached in order to address which member states have specifically
implemented Article 5(3), the status of the implementation, whether opt-in consent is
required, as well as any other legal requirements provided by member state law(s).
Step 1 - Cookie Audit
Whether attempting compliance with a single member state or multiple member states, a
thorough audit[2] of cookie use (website operator and third parties) needs to be undertaken
to determine what cookies and similar technologies the website is using[3] and how they are
being used. Doing so will give you the information you will need to provide to users for
compliance with even the most demanding member state laws implementing the
Directive. Then analyze which cookies are strictly necessary, because several member
states, as indicated on the Status Chart, vary the consent required based upon this factor.
Where consent is needed, decide which solution for obtaining consent will be best under the
circumstances and the member state's requirements.
Lastly, the audit process serves as a useful opportunity to clean up your web page and
eliminate the use of any unnecessary cookies.[4] For example, asking any of the following
additional questions may be helpful:
o Whether the cookie is linked to other information held about users, such as
usernames
o What data each cookie holds
o The type of cookie: session or persistent
o If it is persistent, how long is its lifespan
o Is it a third party cookie, and if so, who is setting it[5]

[1] Originally implemented in 2003 as a European Directive, 2002/58/EC, and amended in 2009 by
Directive 2009/136/EC.
[2] For a helpful example of information that should be included in an audit of cookie use:
http://www.foolproof.co.uk/eu-cookie-directive-and-your-users/
[3] Helpful definitions for various types of cookies are located at: http://eucookiedirective.com/
[4] Information Commissioner's Office (ICO) (UK), Guidance on the rules on use of cookies and
similar technologies, version 2, December 13th, 2011, pg. 9, 12-13.
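The audit questions in Step 1 above can be answered mechanically from the Set-Cookie headers observed while browsing a site. The following is an added example (not from the memo or any cited guidance) that classifies each observed cookie as session or persistent, computes its lifespan, decides whether it is first or third party from the responding host, and flags which cookies fall outside a hypothetical "strictly necessary" table and therefore need consent. The purpose table, the reference time, and the sample capture for www.example.com are all constructed for illustration; which cookies are actually strictly necessary is a legal judgement that varies by member state.

```python
"""Cookie audit helper for the Step 1 questions (type, lifespan, who sets it,
first or third party, strictly necessary or not).
Added example; not part of the original memo or any cited guidance."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Fixed reference time so lifespans computed from absolute Expires dates are
# reproducible (constructed).
NOW = datetime(2012, 3, 1, tzinfo=timezone.utc)

# Hypothetical purpose table mirroring the exemption categories the memo lists.
# Anything absent from it is treated as needing consent.
STRICTLY_NECESSARY: Dict[str, str] = {
    "sessionid": "user session (SessionID)",
    "cart": "shopping basket",
    "lang": "user's spoken language / preference",
    "csrftoken": "security",
}

@dataclass
class CookieRecord:
    name: str
    set_by: str               # host whose response carried the Set-Cookie
    domain: str               # effective Domain attribute (defaults to set_by)
    third_party: bool
    cookie_type: str          # "session" or "persistent"
    lifespan_days: Optional[float]
    purpose: str
    needs_consent: bool

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real audit should consult the public
    suffix list; this is enough to tell example.com from tracker.net."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookie(site_host: str, set_by: str, header: str) -> CookieRecord:
    name, _value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", set_by).lstrip(".")
    # Third party: the registrable domain of the setter differs from the site
    # the user actually visited.
    third_party = registrable(domain) != registrable(site_host)

    lifespan: Optional[float] = None
    if "max-age" in attrs:                         # Max-Age wins over Expires
        lifespan = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:                 # treat naive dates as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifespan = (expires - NOW).total_seconds() / 86400
    cookie_type = "session" if lifespan is None else "persistent"

    known = STRICTLY_NECESSARY.get(name.lower())
    purpose = known or "unclassified (treat as non-essential)"
    # A third party's cookie is never strictly necessary for this site's own
    # service, even if it reuses a familiar name.
    needs_consent = third_party or known is None
    return CookieRecord(name, set_by, domain, third_party, cookie_type,
                        lifespan, purpose, needs_consent)

def audit_site(site_host: str, observed: List[Tuple[str, str]]) -> List[CookieRecord]:
    """observed: (responding host, Set-Cookie header value) pairs captured
    while browsing the site, e.g. from a proxy log."""
    return [audit_cookie(site_host, host, hdr) for host, hdr in observed]

def consent_required(records: List[CookieRecord]) -> List[str]:
    """Names of the cookies that may not be set before consent is obtained."""
    return sorted(r.name for r in records if r.needs_consent)

# Constructed sample capture for a visit to www.example.com.
SAMPLE_OBSERVED = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "cart=item42; Path=/"),
    ("www.example.com", "prefs=theme-dark; Max-Age=31536000; Path=/"),
    ("ads.tracker.net", "uid=7f3a; Domain=.tracker.net; Expires=Fri, 01 Mar 2013 00:00:00 GMT; Path=/"),
]

if __name__ == "__main__":
    for rec in audit_site("www.example.com", SAMPLE_OBSERVED):
        print(f"{rec.name:10} {rec.cookie_type:10} {str(rec.lifespan_days):>6} "
              f"{'3rd' if rec.third_party else '1st'} {rec.set_by:17} "
              f"consent={rec.needs_consent}  {rec.purpose}")
```

The records map directly onto the single-page cookie table the memo recommends later (name, who sets it, purpose, link to more information); the `needs_consent` column is what decides which cookies the consent mechanism must gate.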

What does the Directive state?


The language of the Directive is critical because, as the Status Chart indicates, many
member states have either adopted the language of the Directive verbatim or close to it.
Article 5(3) of the Directive states that "[a] person shall not store or gain access to information
stored, in the terminal equipment of a subscriber or user unless the requirements of
paragraph (2) are met...", those requirements being that the user is provided with "clear
and comprehensive information about the information and the purposes of the storage of
or access to, that information, and has given his or her consent."[6][7]
There are common exemptions member states have adopted from the requirement to
provide information and obtain consent, such as non-applicability to cookies whose
sole purpose is carrying out the transmission of a communication over
an electronic communications network, or where such storage or access is strictly
necessary for the provision of an information society service requested by the subscriber
or user.[8][9]
Examples of the types of exempted cookies in certain member states (without exclusion of
other possibly exempted cookies):
o Secure login session, designed to identify the user once he/she has logged in to an
information society service and is necessary to recognize him/her, maintaining the
consistency of the communication with the server over the communication
network.[10]
o User session (SessionID), which allows tying together the actions of a user when this
is necessary to provide the service he/she requested.[11]
o Shopping basket, used to store the reference of items the user has selected by
clicking on a button (e.g. "add to my shopping cart"). This cookie is necessary to
provide an information society service explicitly requested by the user.[12]
[5] Information Commissioner's Office (ICO) (UK), Guidance on the rules on use of cookies and
similar technologies, version 2, December 13th, 2011, pg. 13.
[6] Article 29 Data Protection Working Party, Opinion 16/2011 on EASA/IAB Best Practice
Recommendation on Online Behavioral Advertising, 02005/11/EN/WP 188, adopted on 08
December 2011, pg. 8: http://ec.europa.eu/justice/data-protection/article29documentation/opinion-recommendation/files/2011/wp188_en.pdf
[7] Privacy and Electronic Communications (EC Directive) Regulations 2003, no. 2426, Reg. 6.
[8] Article 5(3) of the revised e-Privacy Directive, 2002/58/EC.
[9] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 8.
[10] Id. at pg. 9.
[11] Guidance from the French DPA CNIL (translated into English), "Are all cookies concerned?",
December 20th, 2011: http://www.cnil.fr/english/news-and-events/news/articles/whate-thetelecoms-package-changes-for-cookies/

o Security cookies, which provide security that is essential to comply with the security
requirements of Directive 95/46/EC[13] or other legislation for an information
society service explicitly requested by the user. For example, a cookie may be used
to store a unique identifier to allow the information society service to provide
additional assurance in the recognition of returning users. Attempted logins from
previously unseen devices could prompt for additional security questions.[14]
o User's spoken language (for websites that are translated into several languages) or
other necessary preferences to provide the requested service.[15]
o Flash cookies containing elements that are strictly necessary to make a media
player work (audio or video) for content that has been requested by the user.[16]

Accordingly, cookies used for the primary purpose of analytics, advertisement-related purposes, and
per-user customization are in several instances not exempt from the laws member states have
implemented to comply with the Directive, because they pose a higher risk to user
privacy.[17]
One requirement that several member states have included in their laws is for clear and
comprehensive information to obtain informed consent.
The law in the UK, for example, is not clear on what constitutes "clear and
comprehensive", because the amount of information needed is subjective based upon the
knowledge level of the user. The current situation is unfortunate for website operators
because among broader consumers are those who use the internet less regularly, have a
generally lower level of technical awareness, and are less likely to understand the way
cookies work and how to manage them.[18]
However, the ICO (UK) has provided significantly more guidance than the other member
states; following it will at a minimum demonstrate a reasonable effort to comply with UK law:

o Alert users that the cookies are there,[19]
o Explain what the cookies are doing, and[20][21]
o Obtain consent to store a cookie on their device.[22]

[12] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 9.
[13] Directive 95/46/EC of the European Parliament, protection of individuals with regard to the
processing of personal data, Official Journal L 281, 31995L0046, pg. 31-50, October 24th, 1995:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
[14] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 9.
[15] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 12-13.
[16] Id.
[17] Id. at pg. 10.
[18] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 3 (where
41% of those surveyed were unaware of any of the different types of cookies, only 13% indicated
that they fully understood how cookies work, and 37% said they did not know how to manage cookies
on their computer).
[19] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 8.
[20] Id. at pg. 8.
[21] Id. at French DPA CNIL (translated into English), "Are all cookies concerned?".

The information provided with respect to alerting and explaining the cookies must be:
o Correct and complete, as stated in Article 10 of Directive 95/46/EC.[23]
In order to do so the information must inform users at a minimum:
1) Who (i.e. which entity) is responsible for serving the cookie and
collecting the related information;
2) That the cookie will be used to create profiles;
3) What type of information will be collected to build such profiles;
4) The fact that the profiles will be used to deliver targeted
advertising; and
5) The fact that the cookie will enable the user's identification across
multiple web sites.[24]
o Given directly to users, in a clear and understandable form, before cookies
are placed.
o Given before informed consent is possible.
Step 2 - Compliance Options
The European Advertising Standards Alliance (EASA) and the Internet Advertising
Bureau Europe (IAB) adopted a self-regulatory Best Practice Recommendation on online
behavioral advertising (the "EASA/IAB Code") which may be helpful in certain member
states such as Germany. Under the EASA/IAB Code, an icon is used as an
information notice for behavioral advertising. In the current implementation of the Code,
the icon is linked to an information website, www.youronlinechoices.eu. On this website,
users can signal their willingness to opt out by selecting specific company names from a
list of different advertising networks. Moreover, wording alongside the ad or icon should
at a minimum contain the language "personalized advertising".[25]
According to the ICO, none of the above mentioned clear and comprehensive information
and notices is sufficient alone to grant consent: "[y]ou must obtain consent to store a
cookie on a user or subscriber's device."[26] In order to have an agreement or consent
(depending upon the language translation) it must meet all three of the following
requirements:
o Freely given
o Specific
o Informed (as mentioned above under clear and comprehensive information)[27]

[22] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 8.
[23] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 5.
[24] Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioral advertising,
00909/10/EN WP 171, adopted on 22 June 2010, pg. 18, 19:
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf
[25] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 3-5.
[26] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 8.
Ways to obtain freely given, specific, and informed consent
The following options are not required in most member states, but they are available
under a self-regulatory scheme and are ways to err on the side of caution where a
member state in which a website operates has implemented Article 5(3) of the Directive in some
form but has not given significant guidance.
Browser Option
There are various frequently discussed options that may satisfy the three requirements for
consent, including consent "...signified by a subscriber who amends or sets controls on the
Internet browser which the subscriber uses."[28] Additionally, the Directive, whose language several
member states have chosen to adopt in its entirety, has the foresight to add "...or by
using another application or program" to signify consent, which could be, for example, a
browser plug-in or a web consent management platform.[29] At this time, industry has
not properly educated users;[30] therefore more is required of website operators than the
ideal browser settings option. The browser option is not yet viable[31] to ensure compliance,
due to the lack of technological sophistication of the majority of users and the uncertainty
of whether or not they have been prompted to consider their current browser settings.[32]
Text and Format
Other options to make information more prominent, and therefore more likely to inform
the user, include:
o Formatting (e.g. changing the size of a link to information or using a
different font; the key is distinguishing it from the other links).
o Positioning (e.g. moving from the footer to somewhere more likely to
catch the attention of users).
o Hyperlink text (e.g. rather than simply "privacy policy", the text would read
"find out more about how our site works and how we put you in control").
These options are preferable for website operators simply because they do not pose as big
a nuisance to the user experience.[33] This option certainly contrasts with the pop-ups and
similar techniques options.

[27] EU Directive 95/46/EC, Article 2(h): http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML, and Id. at FN 6.
[28] Member states such as France, Hungary, Luxembourg, Spain, Sweden and the draft
language of both Greece and Italy allow browser settings for informed consent; however,
that is not the case in countries such as Lithuania and under the current status in the UK
according to the ICO.
[29] Id. at French DPA CNIL (translated into English), "Are all cookies concerned?".
[30] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 3.
[31] Id. at French DPA CNIL (translated into English), "Are all cookies concerned?".
[32] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 11, 12.
Pop-ups or Similar Techniques
While pop-ups or similar techniques seem to be an easy option for being on the safe side of
achieving compliance with even the most strict member state law, they might spoil the
experience of the user when they are not implemented carefully. The key factor is that
when a cookie is only enabled during certain functions, features, services, or pages, the user
need only be informed and provide consent before that cookie is placed. Therefore, a pop-up
screen that explains what cookie(s) are needed to continue and asks for express consent via a
click-box will provide you with informed consent to proceed compliantly.[34]
Banners and Footers
Moreover, the website may contain a banner at the top of the page or a separate footer
that is specifically for obtaining the informed consent of users.[35] The static information
banner at the top of a website should request the user's consent to set some cookies and
include a hyperlink to a privacy statement with a more detailed explanation about the
different controllers and purposes of placing specific cookies.[36] To make it even more
likely to comply, the website can fix the banner or footer so that it remains on the page while
the user scrolls, until consent is given.
Splash Screen
Upon entering the website, a splash screen explains what cookies the website will set,
by what parties, and for what purpose, if the user consents.[37] This is a useful option,
especially when the website targets users over a certain age because of other applicable
domestic laws.[38]
Default Settings
A default setting could be set to prohibit the transfer of data to external parties, requiring a
user click to indicate consent for tracking purposes, but it would need to be accompanied by
appropriate information to provide for informed consent.[39] This option is similar to the
aforementioned default browser settings option, which website operators may inform their
users of; although legally insufficient at this point, such settings are effective in preventing the
collection of behavioral data when set properly by the user.[40]

[33] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 14, 15.
[34] Id. at pg. 16.
[35] Id. at pg. 16.
[36] Because the ICO is the authority in the UK on compliance with implementation of the
Directive, it is important to note this is the option that they have exercised on their website:
http://www.ico.gov.uk/Global/privacy_statement.aspx
[37] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 9.
[38] For example, breweries have such splash screens that require age verification before entering
their sites. Reference: http://www.harpoonbrewery.com/
Links to more information
Whichever format, layout, or technical structure is chosen, where more information is to
be provided to satisfy informed consent, it is advisable to have a single page[41] that includes a
table listing each cookie, its name, its purpose, and, where the cookie is set by a third party,
a link to more information.[42]
Consent with third party advertiser involvement
Importantly, if the website supports third party ads, the website operator is liable for their
tracking if neither the third party nor the website operator has obtained informed consent.
However, if the third party has itself obtained informed consent that can be attached
to a user, the website operator does not need to repeat the process of receiving informed
consent.[43][44] Practically speaking, from a technological standpoint it may be easier not to
differentiate and simply to ask for consent, because the process the website implements should be
done in such a way as to detract from the user experience as little as possible.[45]
Changes in cookies after consent
If the purpose of a cookie for which the website has been given informed consent to install has
significantly changed, the website operator must make the user aware of the changes and
allow them to make the choice regarding the new activities. However, consent does not
need to be given for each individual cookie in this instance; it can be given once the
purpose has been clearly explained, where the cookies perform a set of functions in
conjunction with one another.[46]
Refusal and Right to Revoke
Some member states, such as Bulgaria, have included the right to revoke. Generally
speaking, once a user is in a position to provide informed consent, the website operator
should allow for three options: accept the cookie, refuse the cookie and be asked again
next time, or refuse the cookie and memorize the refusal with the installation of a refusal
cookie. Most importantly, regardless of informed consent previously given in any of the ways
discussed above (or in valid ways not foreseen herein), in France and Bulgaria for example the
right to revoke consent must always be made available.[47]

[39] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 10.
[40] Id.
[41] Id.
[42] Again the ICO is illustrative in providing an example table; however, it is included as a part of
their privacy policy, and it may be better situated in a page of its own, with a reference and link
provided within the privacy policy. Reference:
http://www.ico.gov.uk/Global/privacy_statement.aspx
[43] Id. at French DPA CNIL (translated into English), "Are all cookies concerned?".
[44] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 22.
[45] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 10, 11.
[46] Id. at ICO Guidance on the rules on use of cookies and similar technologies, pg. 22, 23.
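The three choices described under "Refusal and Right to Revoke" above (accept; refuse and be asked again; refuse and memorize the refusal with a refusal cookie), plus revocation, amount to a small piece of server-side state that every Set-Cookie must be checked against. The following is an added example, not from the memo or any cited guidance, of that logic: the consent cookie name, its lifetime, and the essential/non-essential split are constructed for illustration. The refusal cookie itself is set without consent because it is strictly necessary to honour the user's choice on the next request.

```python
"""Consent state handling for accept / refuse / refuse-and-remember / revoke.
Added example; not part of the original memo. Names are hypothetical."""
from typing import Dict, List

CONSENT_COOKIE = "cookie_consent"      # hypothetical consent/refusal cookie
CONSENT_TTL = 15552000                 # ~180 days, constructed value
ESSENTIAL = {"sessionid", "cart", CONSENT_COOKIE}   # never need consent
NON_ESSENTIAL = {"analytics_id", "ad_uid"}          # need prior consent

def consent_state(request_cookies: Dict[str, str]) -> str:
    """'accepted', 'refused', or 'unknown' (no choice recorded yet)."""
    value = request_cookies.get(CONSENT_COOKIE)
    return value if value in ("accepted", "refused") else "unknown"

def must_ask(request_cookies: Dict[str, str]) -> bool:
    """Show the consent request only while no choice has been memorised.
    A plain refusal records nothing, so the user is asked again next time."""
    return consent_state(request_cookies) == "unknown"

def may_set(name: str, request_cookies: Dict[str, str]) -> bool:
    """Gate for a single cookie: essential ones always, others only after
    an explicit 'accepted' has been recorded."""
    if name in ESSENTIAL:
        return True
    return consent_state(request_cookies) == "accepted"

def filter_set_cookies(request_cookies: Dict[str, str],
                       set_cookie_headers: List[str]) -> List[str]:
    """Drop every Set-Cookie header the current consent state does not permit.
    Run this over the response before it leaves the server."""
    kept = []
    for hdr in set_cookie_headers:
        name = hdr.split(";", 1)[0].partition("=")[0].strip()
        if may_set(name, request_cookies):
            kept.append(hdr)
    return kept

def _record(value: str) -> str:
    # The consent/refusal cookie is itself strictly necessary: without it the
    # user's choice cannot be honoured on the next request.
    return (f"{CONSENT_COOKIE}={value}; Max-Age={CONSENT_TTL}; "
            f"Path=/; Secure; SameSite=Lax")

def apply_choice(choice: str, request_cookies: Dict[str, str]) -> List[str]:
    """Set-Cookie headers that record the user's choice.
    choice: 'accept' | 'refuse' | 'refuse_remember' | 'revoke'."""
    if choice == "accept":
        return [_record("accepted")]
    if choice == "refuse":               # not memorised: ask again next visit
        return []
    if choice in ("refuse_remember", "revoke"):
        headers = [_record("refused")]
        if choice == "revoke":
            # Withdrawal must be available at any time; also expire whatever
            # non-essential cookies were set while consent stood.
            headers += [f"{n}=; Max-Age=0; Path=/"
                        for n in sorted(NON_ESSENTIAL) if n in request_cookies]
        return headers
    raise ValueError(f"unknown choice {choice!r}")

if __name__ == "__main__":
    first_visit: Dict[str, str] = {}
    print("ask on first visit:", must_ask(first_visit))
    print("after accept:", apply_choice("accept", first_visit))
    returning = {CONSENT_COOKIE: "accepted", "ad_uid": "x1"}
    print("ask when accepted:", must_ask(returning))
    print("revoke:", apply_choice("revoke", returning))
```

`filter_set_cookies` is the piece that actually makes the consent choice binding: the banner, pop-up, or splash screen only records the choice, while the response filter prevents a non-essential cookie from being set before that choice is "accepted".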
Summary
Once you have determined that the Directive has been implemented in some form in a member
state a website operates in, based upon the above, the suggested course of action is to
attempt compliance by the date required under the local law. Doing nothing or waiting to
see is not advisable. It is important that the enforcement approach is intended to be
practical and proportionate, likely considering the size of an organization,[48] its resources,
and the surrounding circumstances; however, the Directive and many of the member states'
attempts to implement it are not clear or explicit.
Therefore, a website's first steps should be to audit its cookie use and similar
technologies; then the website must provide clear and comprehensive information in
order to obtain informed consent in any of the ways mentioned above, or in similar ways
that are legally analogous when required.

[47] Id. at French DPA CNIL (translated into English), "Are all cookies concerned?".
[48] Id. at Article 29 Data Protection Working Party, Opinion 16/2011, pg. 24: "practical and
proportionate approach".
