Cookie laws in Europe - a complete overview

Camilla Lassen
Written by
Camilla Lassen
on
November 11, 2020
Guide to cookie laws

There are a number of rules affecting how cookies can be used in the EU. Read this guide to get an overview of the different Cookies laws you need to be aware of when working with cookies.

The Cookies laws in Europe

The EU Cookie Directive - an amendment to the E-Privacy Directive

The EU Cookie Directive regulates the definition of cookies and how they can be used. This includes other forms of online tracking technology, and technology like device fingerprinting.

The EU Cookie Directive therefore applies to more than just cookies. In the EU Cookie Directive it is stated that a person must not store or gain access to information stored in a person’s computer, without specific requirements being met. This includes, that they (a) give clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) obtain consent from the person to the use of the specific cookies.

ePrivacy Regulation (pending)

The ePrivacy Directive is set to be replaced with the ePrivacy Regulation. It was supposed to be passed and come into effect in 2018, but is yet to be passed. The focus in the new law was to “...address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.” (gdpr.eu).

The General Data Protection Regulation

The GDPR is the biggest and most comprehensive law protecting the privacy of individuals’ data in the EU. Although the use of cookies is mentioned only once in the GDPR (Recital 30), it relates to how cookies may retain personal information; it states that cookies that are used to identify users may qualify as personal identifiers, and therefore be subject to the GDPR. And the GDPR also regulates the requirements for obtaining a compliant consent. For this reason, it is a requirement that consent be obtained before you are legally permitted to process website users’ data. In general the law states that legal consent should be; given freely, revocable, informed and explicit.

When using cookies on a website a lot of information is collected. For example the user’s IP address, tracking data etc. This collection of data entails that the general data protection rules - the GDPR - also applies. There are thus two sets of rules regulating at the same time; the ePrivacy Directive and the GDPR.

Cookie authorities in Europe

It is the job of the data protection authorities in each EU country to enforce the cookie rules and issue guidelines regarding cookie compliance. Below you can find a list of some of the European data protection authorities who have issued relevant cookie guidelines:

The UK Information Commissioner's Office (ICO)

The [ICO](http://www.ico.org.uk/) has a lot of valuable information on their website regarding cookies.

They are the UK public authority monitoring UK companies’ compliance with the cookie rules. The data protection agency is one of the most powerful data protection agencies in the EU. They are also a very good source of information and guidelines.

The Danish Data Protection Agency

In Denmark, there are two public bodies governing the cookie rules. The Danish Data Protection Agency regulates personal data and as personal data is also captured via the use of cookies, they are responsible for that part of the legislation.

In February 2020, they issued guidelines regarding collection of personal data on websites and in that regard they also came out with recommendations on how to collect lawful consent to cookies.

The Danish Business Authority

The Danish Business Authority has issued guidelines on cookies and how companies should be implementing cookie pop-ups and banners. Also, they have issued guidelines on the differences between necessary cookies and non-necessary cookies and when a company should be capturing consent to what.

Click here to see their guidelines and legislation

Commission Nationale de l'Informatique et des Libertés (CNIL)

CNIL is the French data protection agency and is regarded as one of the most powerful data protection agencies in the EU. They for example issued the EUR 50 mio fine against Google and they have also made it clear that they will enforce non-compliant cookie pop-ups. On their website there are good guidelines, for example on cookies.

Agencia Española de Protección de Datos

The Spanish competent data protection authority is the Agencia Española de Protección de Datos (“AEPD”). They issued new cookie guidelines which came into force on October 31th 2020.

The Belgian Data Protection Agency (BDPA)

The Belgian Data Protection Agency is monitoring the data protection in Belgium. They also have issued cookie guidelines.

 

Autoriteit Persoonsgegevens (Netherlands)

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the supervisory data protection authority and supervises compliance with the GDPR in the Netherlands.

The Data Protection Commission (Ireland)

The Irish data protection agency regulates many international companies as they are located in Ireland. The reason is due to the principle in the GDPR regarding “one-stop shop”.

The European Data Protection Board (EDPB)

The European Data Protection Board (EDPB) is also a relevant authority. The reason is that they issue a lot of guidelines related to the GDPR. The EDPB is an independent European body and consists of members from each data protection authority.

As an example they have issued guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. They have also issued a working paper regarding consent. This paper was created when the Board was called the “Article 29 Working Party Group”.

Many of the national data protection agencies are often referring to the working papers and guidelines when they are writing and issuing papers on GDPR matters.

Important cookie rulings

The European Court of Justice issued a ruling in October 2019 on the requirement of consent to the use of cookies (Case C-673/17). The judgment has affected the design of the cookie box on companies’ websites all around Europe

Another relevant decision was issued by the Danish Data Protection Agency in February 2020. On the basis of a complaint, the Danish Data Protection Agency expressed serious criticism of DMI's processing of personal data in connection with the display of banner advertisements on the Danish Meteorological Institute’s website.

Further reading

We have compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.