There are a number of rules affecting how cookies can be used in the EU. Read this guide to get an overview of the different Cookies laws you need to be aware of when working with cookies.
The EU Cookie Directive regulates the definition of cookies and how they can be used. This includes other forms of online tracking technology, and technology like device fingerprinting.
The EU Cookie Directive therefore applies to more than just cookies. In the EU Cookie Directive it is stated that a person must not store or gain access to information stored in a person’s computer, without specific requirements being met. This includes, that they (a) give clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) obtain consent from the person to the use of the specific cookies.
The ePrivacy Directive is set to be replaced with the ePrivacy Regulation. It was supposed to be passed and come into effect in 2018, but is yet to be passed. The focus in the new law was to “...address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.” (gdpr.eu).
When using cookies on a website a lot of information is collected. For example the user’s IP address, tracking data etc. This collection of data entails that the general data protection rules - the GDPR - also applies. There are thus two sets of rules regulating at the same time; the ePrivacy Directive and the GDPR.
It is the job of the data protection authorities in each EU country to enforce the cookie rules and issue guidelines regarding cookie compliance. Below you can find a list of some of the European data protection authorities who have issued relevant cookie guidelines:
The [ICO](http://www.ico.org.uk/) has a lot of valuable information on their website regarding cookies.
They are the UK public authority monitoring UK companies’ compliance with the cookie rules. The data protection agency is one of the most powerful data protection agencies in the EU. They are also a very good source of information and guidelines.
In February 2020, they issued guidelines regarding collection of personal data on websites and in that regard they also came out with recommendations on how to collect lawful consent to cookies.
The Danish Business Authority has issued guidelines on cookies and how companies should be implementing cookie pop-ups and banners. Also, they have issued guidelines on the differences between necessary cookies and non-necessary cookies and when a company should be capturing consent to what.
Click here to see their guidelines and legislation
CNIL is the French data protection agency and is regarded as one of the most powerful data protection agencies in the EU. They for example issued the EUR 50 mio fine against Google and they have also made it clear that they will enforce non-compliant cookie pop-ups. On their website there are good guidelines, for example on cookies.
The Spanish competent data protection authority is the Agencia Española de Protección de Datos (“AEPD”). They issued new cookie guidelines which came into force on October 31th 2020.
The Belgian Data Protection Agency is monitoring the data protection in Belgium. They also have issued cookie guidelines.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the supervisory data protection authority and supervises compliance with the GDPR in the Netherlands.
The Irish data protection agency regulates many international companies as they are located in Ireland. The reason is due to the principle in the GDPR regarding “one-stop shop”.
The European Data Protection Board (EDPB) is also a relevant authority. The reason is that they issue a lot of guidelines related to the GDPR. The EDPB is an independent European body and consists of members from each data protection authority.
As an example they have issued guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. They have also issued a working paper regarding consent. This paper was created when the Board was called the “Article 29 Working Party Group”.
Many of the national data protection agencies are often referring to the working papers and guidelines when they are writing and issuing papers on GDPR matters.
Another relevant decision was issued by the Danish Data Protection Agency in February 2020. On the basis of a complaint, the Danish Data Protection Agency expressed serious criticism of DMI's processing of personal data in connection with the display of banner advertisements on the Danish Meteorological Institute’s website.