
Cookie Law Explained

Cookies may collect personal data such as a user’s name, age, gender, location, email, IP address, online shopping details, website preferences, etc. The new cookie law was created to protect online privacy, by making website users aware of how their personal data is collected and for what purposes, and giving them a choice to allow or reject the personal data collection and processing.

What is the Cookie Law (ePrivacy Directive)?

The ePrivacy Directive was the first EU legislation to regulate the use of cookies and trackers and the processing of personal data from website users inside the European Union. Other technologies, such as Flash and HTML5 Local Storage, also collect personal data and are also covered by the ePrivacy Directive, but because cookies are the most common technology in use today, the ePrivacy Directive became known as the Cookie Law, the Cookie Banner Law, or the Cookie Consent Law.

The ePrivacy Directive, commonly called the Cookie Law, was passed in 2002 and was amended in 2009. It supplements the General Data Protection Regulation (GDPR). The ePrivacy Directive along with the GDPR makes up the world’s strictest data privacy regime.

The purpose of the Cookie Banner Law is to protect consumers' privacy rights by giving them the choice to grant or refuse consent for companies to collect, store, and use website users' personal information. The Cookie Consent Law requires websites to obtain the explicit consent of website users before cookies are allowed to be activated on the website.


What is the EU Cookie Law?

The ePrivacy Directive, commonly called the Cookie Law, was passed in 2002 and was amended in 2009. It supplements the GDPR, which was passed in 2016 and became effective in 2018. The ePrivacy Directive was supposed to be passed and become the ePrivacy Regulation in 2018, at the same time as the GDPR came into force. In the EU, a directive must be incorporated into national law by each European Union (EU) country, which makes it more flexible, while a regulation becomes legally active for all EU countries automatically on the date it comes into force. The EU did not pass the ePrivacy Regulation in 2018, but a draft of the document is available online, and it is scheduled to be finalized in the near future. The updated ePrivacy Regulation has almost the same rules for cookies as the Directive, but it promises broader coverage: it should address browser fingerprinting in the same way as cookies, create stricter protections for metadata, and take into account new methods of communication, like WhatsApp, Tinder, etc.

Since the EU Cookie Banner Law is a Directive and not a Regulation, each European Union member state implements it through its own national legislation. Different EU countries may therefore have slightly different requirements for the Cookie Law (ePrivacy Directive). However, EU countries must follow the directive’s provisions. The EU cookie law (ePrivacy Directive) is enforced by each EU member state’s data protection authority according to national law. The European Data Protection Board, consisting of representatives from all national data protection authorities, is responsible for the overall guidelines, interpretation, and enforcement of the EU Cookie Law.

The EU Cookie Law (ePrivacy Directive) regulates the processing of personal data in electronic communications. More specifically, it regulates the use of cookies and other tracking technologies on websites.

The ePrivacy Cookie Law covers any kind of technology that processes website users' personal data. However, strictly necessary cookies are exempt from the consent requirement.

The EU Cookie Law (ePrivacy Directive) also regulates the confidentiality and data protection of internet networks, e-communications services, and unsolicited commercial messages, called spam.

The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means website owners should continuously update their Cookie Policy and properly inform website users about the cookies their website uses. CookieScript Consent Management Platform automatically updates your Cookie Consent and keeps your website GDPR compliant.

How to Comply With the Cookie Law?

To comply with the regulations managing cookies under the GDPR and the Cookie Consent Law, websites must:

  • Receive website users’ consent to use cookies before any cookies are used.
  • Provide clear and comprehensive information about the purpose of collecting and processing the personal data, the data each cookie tracks, and for what reasons.
  • Provide an easy option to withdraw website user Cookie Consent to use cookies at any time. The Cookie Consent withdrawal should be as easy for users as it was for them to give their consent.
  • Allow website users to access website services even if they opt out of certain cookies.
  • Document and store the Cookie Consent received from website users.

Along with this information, to ensure EU cookie law compliance, it is also recommended to include a link to legal documents such as the Privacy Policy or the Cookie Policy, where website users can find in-depth details about cookie usage and personal data management.
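The five requirements above translate directly into the behaviour of a consent manager. The following is an added example (not CookieScript's code) of a minimal consent gate that refuses to set any non-necessary cookie before consent, exempts strictly necessary cookies, makes withdrawal a single call, and keeps a timestamped record of every decision. The cookie jar is an in-memory Map and the clock is injectable so the example runs outside a browser; the category names and the `ConsentManager` class are assumptions for this example.

```javascript
// Added example: consent gate enforcing the Cookie Law requirements listed above.
// Assumed cookie categories; "necessary" is the only one exempt from consent.
const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentManager {
  constructor(jar = new Map(), now = () => new Date()) {
    this.jar = jar;        // cookie name -> { value, category } (stand-in for document.cookie)
    this.now = now;        // injectable clock so the audit record is reproducible in tests
    this.consent = null;   // null until the user has made a decision
    this.log = [];         // audit record: one entry per consent event
  }

  // Record a decision. `choices` maps category -> boolean; anything omitted is refused.
  // "necessary" is always allowed because those cookies are exempt from consent.
  setConsent(choices, source = "banner") {
    const decision = { necessary: true };
    for (const c of CATEGORIES.slice(1)) decision[c] = Boolean(choices[c]);
    this.consent = decision;
    this.log.push({ at: this.now().toISOString(), decision: { ...decision }, source });
    // Withdrawal takes effect immediately: purge cookies whose category is now refused.
    for (const [name, cookie] of [...this.jar]) {
      if (!decision[cookie.category]) this.jar.delete(name);
    }
    return decision;
  }

  // Withdrawing consent is one call, as easy as giving it.
  withdrawAll() {
    return this.setConsent({}, "withdraw");
  }

  // The gate: returns true only if the cookie was actually set.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const allowed =
      category === "necessary" || (this.consent !== null && this.consent[category] === true);
    if (!allowed) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Serialized consent record, suitable for storing as proof that consent was obtained.
  exportRecord() {
    return JSON.stringify(this.log);
  }
}
```

The record returned by `exportRecord()` is what you would persist server-side to satisfy the "document and store" requirement.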


Some cookies are exempt from the ePrivacy Cookie Law:

  • Strictly necessary cookies, which are required for a website to provide a service;
  • Cookies used solely to facilitate or carry out the transmission of a communication over a network, where that communication was explicitly requested by the user.


The ePrivacy Cookie Law also sets rules for third parties on how they may collect, process, and store personal data from website users' devices:

  • Website users should be informed in a clear and comprehensive manner if Third-Party Cookies are used and for what purposes.
  • Website users should have the right to refuse Third-Party Cookies.
  • The method for refusing Third-Party Cookies should be as user-friendly as possible.
  • The exception to the right to refuse cookies should be limited to strictly necessary cookies, needed for services explicitly requested by the user.

Non-compliance with the EU Cookie Law (ePrivacy Directive) can lead to fines issued by national data protection authorities. The highest fines under the GDPR can reach up to €20 million or 4% of annual global turnover, whichever is higher.

The Cookie Banner Law (ePrivacy Directive) requires obtaining website user consent to use cookies. This is why you are required to implement a Cookie Banner on your website that EU visitors can use to either accept or refuse consent to the non-necessary cookies that process users' personal data on your website. CookieScript allows you to create a personalized cookie banner that complies with the privacy laws.

Does EU Cookie Law Apply to US Websites?

The Cookie Law (ePrivacy Directive) and the GDPR differ in their territorial scope. The ePrivacy Directive applies only to organizations that process personal data in the European Union and provide services over electronic communications. The GDPR is much broader: it applies to all companies and organizations, regardless of their place of origin, that offer goods and services to consumers in the EU or collect and process the personal data of website users located in the EU.

Thus, if a US-based company does not conduct any business with EU residents, it is not required to comply with the EU Cookie Law.

If a US-based company does business with EU residents and collects and processes their personal data, the EU Cookie Law surely applies to the company.

Any website, regardless of where in the world it is located, must comply with the EU Cookie Law (ePrivacy Directive) if there are EU residents among its visitors, and the website collects and processes their personal data.

Cookie law compliance is not just a global legal requirement to control your website’s cookies and the personal data they process; it has become a consumer demand, since the majority of consumers say that data privacy is a buying factor for them. Thus, EU cookie law compliance helps establish long-lasting customer relations.

The proposed ePrivacy Regulation’s territorial scope is expected to be similar to that of the GDPR. Thus, when the ePrivacy Regulation comes into effect, it will differ from the ePrivacy Directive in its territorial scope.


Is There a US Cookie Law?

There is no general cookie law in the US. However, some states have privacy laws that regulate website users' personal data management and cookie usage as it relates to their residents. The US state privacy legislation tracker shows that as of 2022, four US states have signed data privacy laws that are already active or go into effect in 2023.

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. The Virginia Consumer Data Protection Act (VCDPA) was signed on March 2, 2021, and will go into effect on January 1, 2023. The VCDPA will make Virginia the second state after California to enact comprehensive consumer privacy legislation that covers cookie usage.

Besides California’s CCPA and Virginia's VCDPA, there is the Colorado Privacy Act, which will go into effect on July 1, 2023, and the Utah Consumer Privacy Act, which will go into effect on December 31, 2023. Other states' data privacy laws are at different stages of the legislative process and are expected to take effect in the near future.

Experts say that the remaining US states will take one of the first two US data privacy laws, either the CCPA or the VCDPA, as the basis for their own privacy laws. Virginia’s VCDPA is undoubtedly a better fit for business. The VCDPA, being just eight pages long, contrasts sharply with the extensive, highly detailed obligations set out in the CCPA and its additional requirements. The VCDPA introduces a plain approach to comprehensive (i.e., non-sectoral) privacy legislation.

The CCPA or “California Cookie Law”

The California Consumer Privacy Act (CCPA) is a strict, highly detailed privacy regulation that governs website cookies in the US state of California. Like the EU cookie law, the “California cookie law” regulates how websites should use cookies to collect and process California consumers’ personal data.

Consumers' rights under the CCPA or the “California Cookie Law”

Under the CCPA, Californian consumers have the following rights:

  1. Right to know what personal information is collected.
  2. Right to know whether personal information is sold and to whom.
  3. Right to opt-out, or reject the sale of personal information.
  4. Right to delete and access personal information at any time.
  5. Right to extended protection for consumers under the age of 16.
  6. Right to equal price and service, regardless of whether you accepted or rejected cookies.

Website owners must also create an easy-to-read Cookie Policy that website users can consult whenever they want to opt in to or opt out of cookies.

California residents also have the right to request a detailed account of what information companies have collected on them over the span of the last 12 months.

How to comply with the CCPA or the “California Cookie Law”

To comply with the CCPA or the “California Cookie Law”, website owners must perform the following actions:

  • Create a data inventory. Record what consumers' personal information you have collected and, especially, how you use it. Companies should note how and why the personal information was collected, in which way this data was used, and to whom it was shared or sold.
  • Train your employees. Take time to train employees so that they become familiar with CCPA compliance.
  • Consider all-embracing protections. Depending on your type of business, it may be easier to implement CCPA-like protections for all consumers handled by your business or organization, regardless of their residency status.

The VCDPA or “Virginia Cookie Law”

The Virginia Consumer Data Protection Act (VCDPA) was signed on March 2, 2021, and will go into effect on January 1, 2023. The VCDPA applies to Virginia residents and website users and gives Virginia residents the ability to access and control the personal data that a business collects about them.

Virginia consumers have six main rights under the VCDPA:

  • Right to access. Consumers have the right "to confirm whether or not a controller is processing the consumer's personal data and to access such personal data."
  • Right to correct. Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of its processing.
  • Right to delete. Consumers have the right to delete the personal data provided by them or obtained about them.
  • Right to data portability. Consumers have the right to obtain a copy of the consumer's personal data in a usable format and to the extent technically feasible.
  • Right to opt-out. Consumers have the right to choose between explicit or implied consent modes for the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in decisions that produce legal or other significant effects concerning the consumer.
  • Right to appeal. Consumers have the right to appeal a business's refusal to act on a request within a reasonable time. Under the law, an entity controlling personal data must respond to a consumer request within 45 days of receipt of the request. Where reasonably necessary, the entity may extend the response deadline by an additional 45 days, as long as it notifies the consumer within the initial response window.

Is There a UK Cookie Law?

Yes, there is a UK cookie law. The Data Protection Act 2018 is the UK’s version of the European Union's GDPR and ePrivacy Directive and regulates how you can collect, store, and process cookie consents and personal data from UK and EU visitors.

The Data Protection Act 2018 has four sections regarding personal data protection:

  1. The first section incorporates GDPR and ePrivacy Directive into domestic UK law.
  2. The second section extends the GDPR and ePrivacy Directive and modifies them to fit into UK law.
  3. The third section regulates law enforcement.
  4. The fourth section creates new regulations for UK intelligence services.

The Data Protection Act is similar to the GDPR and the EU Cookie Consent Law regarding the usage of cookies. As with the GDPR and the EU cookie law, the UK’s Data Protection Act requires you to obtain consumers’ explicit consent to use cookies and collect personal data before processing their personal data. Consumers have the right to withdraw their consent at any time, to obtain their personal data, and to correct inaccurate data about them.

Frequently Asked Questions

What is the EU Cookie Law?

The ePrivacy Directive, commonly called the EU Cookie Law or the Cookie Banner Law, is a legal document of the European Union that regulates the processing of personal data in electronic communications. More specifically, it regulates the use of cookies and other tracking technologies on websites. Any website, regardless of where in the world it is located, must comply with the EU Cookie Banner Law if there are EU residents among its visitors and the website collects and processes their personal data. Follow the CookieScript privacy laws page for updates on the cookie laws and EU cookie law compliance.

What is the Cookie Law?

The ePrivacy Directive, commonly called the Cookie Law or the Cookie Consent Law, was passed in 2002 and was amended in 2009. It supplements the General Data Protection Regulation (GDPR). The ePrivacy Directive along with the GDPR makes up the world’s strictest data privacy regime. The purpose of the Cookie Law is to protect consumers' privacy rights by giving them the choice to grant or refuse Cookie Consent for companies to collect, store, and process website users' personal information. The Cookie Consent Law requires obtaining explicit cookie consent from website users before cookies are allowed to be activated on the website. CookieScript can help make your website ePrivacy and GDPR compliant.

Does the US have a cookie law?

There is no general cookie law in the US. However, some states have privacy laws that regulate website users' personal data management and cookie usage as it relates to their residents. As of 2022, four US states have signed data privacy laws that are already active or go into effect in 2023. The California Consumer Privacy Act (CCPA), or “California cookie law”, was the first law of its kind to regulate the use of cookies and personal data. The CCPA is a strict, highly detailed privacy regulation that governs website cookies in the US state of California. Like the EU cookie law, the “California cookie law” regulates how websites should use cookies to collect and process California consumers’ personal data. CookieScript can help you manage your cookies and make your website CCPA compliant.

How to comply with the cookie law?

To comply with the regulations managing cookies under the GDPR and the Cookie Consent Law, websites must: receive website users’ consent to use cookies before any cookies are used; provide clear and comprehensive information about the purpose of collecting and processing the personal data, the data each cookie tracks, and for what reasons; provide an easy option to withdraw website user consent to use cookies at any time; allow website users to access website services even if they opt out of certain cookies; and document and store the Cookie Consent received from website users.

Who needs to comply with the EU cookie law?

Any website, regardless of where in the world it is located, must comply with the EU Cookie Law (ePrivacy Directive) if there are EU residents among its visitors and the website collects and processes their personal data. Follow the CookieScript privacy laws page for updates on the cookie laws and EU cookie law compliance.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.