If you run a website, there are various regulations that you need to comply with. While GDPR is the one that most people are aware of, another is the ePrivacy Directive, commonly referred to as the cookie law. In this post, we explain what the cookie law is, what your obligations are and how you can use cookie banners to ensure compliance.
What are cookies?
Before explaining the cookie law, it’s important to understand what cookies are. Essentially, cookies are small pieces of data that a website asks the user’s browser to store and send back with later requests to that site. Their function is to provide different types of information about the user and their behaviour. For instance, they can give data about what pages or products people look at, how long they spend on a page and what products they buy – all of which can help websites provide better and more personalised experiences. Other cookies are used to keep users secure, for instance by maintaining an authenticated session.
Cookies come in different types. First-party cookies are set by the website the user is actually visiting. Third-party cookies, on the other hand, are set by a different domain on behalf of other organisations. If you use Google Analytics, Google will use cookies on your site to provide you with the analytics data. If you place ads on your website, the advertising provider might use cookies to track the users’ behaviour so they can personalise the ads for individual visitors.
What are the issues with cookies?
The big problem with cookies is that they can be used to track a user’s browsing activity. With third-party cookies, this means organisations can track browsing activity across multiple sites. This is why, when you look at a product on a website, you end up finding that all the online ads you see show similar products and you start receiving email marketing containing those products.
Third-party tracking can, however, go beyond looking at shopping habits. Because cookies can potentially give organisations access to the user’s identity, location and behaviours, they can track everything from the health issues people look for online to what political sites they visit – activities they may wish to remain private. Moreover, third parties may also sell the information they gather from their cookies to other organisations. This leads to concerns that this private information can be used in unscrupulous ways: for instance, if someone has been visiting websites about debt management, finance companies holding that information might use it for credit scoring.
What is the cookie law?
For many years, websites created cookies without the knowledge or the consent of internet users. However, concerns about how they can be used led the European Union to introduce the ePrivacy Directive (ePD) in 2002, with further amendments in 2009. As a directive, the cookie law is not itself an EU-wide law; rather, it sets out requirements that each member state must implement in its own national legislation. In the UK, for example, this led to the Privacy and Electronic Communications Regulations (PECR), which besides cookies also regulate the use of electronic marketing, such as the restrictions on cold calling and unsolicited texts and emails. For countries still in the EU, the ePD is set to be replaced by a new ePrivacy Regulation that will apply directly across the bloc.
What does this mean for website owners?
In terms of how the cookie law works, it means a website is required to obtain a user’s consent before it is allowed to store cookies on, or read them from, their device. The only exceptions to this are for cookies that are used solely to transmit electronic communications and for those that are strictly necessary to deliver a service the visitor has explicitly requested.
With regard to using cookies, you can only do so provided that you give clear and exact details about why you are using them and have the consent of the user to do so. It also means that your visitors have the right to refuse to accept cookies on their devices and you must provide them with the means to do this. Furthermore, the way you provide information and enable visitors to accept or reject cookies should be user-friendly.
In terms of enforcement, the cookie law is administered by the data protection authorities of individual states. In the UK, for instance, this is the Information Commissioner’s Office (ICO), the same authority responsible for enforcing GDPR. UK websites failing to comply with the cookie law can, therefore, receive financial penalties from the ICO.
GDPR and cookies
The ePD is not the only regulation affecting the use of cookies: GDPR does too, because it treats the data cookies hold as personal data. This means cookie consent is also required to comply with GDPR. As with the ePD, GDPR requires users to have a choice over giving consent, and websites must inform them about what they are consenting to – in other words, what the cookies are used for on your site. One difference from the ePD is that GDPR requires cookie consent to be asked for separately from other consents requested by a website. For this reason, websites cannot get away with burying cookie consent information in their general terms and conditions. This is why websites today have a separate privacy policy page that covers cookie information. With regard to giving consent, GDPR requires this to be an active step, for instance clicking an agree banner or button.
In order to bring the ePD and GDPR closer together, the new ePrivacy Regulation will also require explicit consent to be given.
Complying with the cookie law
To comply with both the ePD and GDPR aspects of the cookie law, websites should display a cookie banner when users first arrive. The easiest way to do this is by installing a cookie banner plugin or using an online provider. The banner should prevent non-essential cookies from being set until consent has been given, but it must not block access to the website and thus force a user to accept cookies. Users should also have the option of withdrawing consent during their visit, even after the banner has disappeared.
The banner should give visitors the option to actively accept or reject cookies by clicking on a button, while providing a link to your privacy policy page where they can be informed about the cookies you use and their purposes. This information should include the name of each cookie provider, the cookie’s duration and a description of what it does.
The more advanced banners will give users the option to agree to or reject different types of cookies, for example, they can accept first-party cookies while rejecting those of third parties. Today, many banners have three options: reject, accept and select options. To comply, however, any options must not be pre-selected except for those cookies that are essential.
For peace of mind, you should retain your cookie consent logs in case you need to prove you have operated compliantly.
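The behaviour described in this section (nothing but essential cookies before a choice is made, no pre-selected optional categories, a reject option as easy as accept, withdrawal after the banner has gone, and a retained consent log) is ultimately a small piece of state the banner sits on top of. The code below is an added example, not part of the original post or any cookie banner product: a consent-gating layer written as plain JavaScript with no DOM access, so it runs under Node as well as in a browser. The class, method and category names, and the cookie register entries, are illustrative and constructed for the example.

```javascript
// Added example (not from the original post): a minimal consent-gating layer
// that a cookie banner would sit on top of. Pure logic, no DOM access.
// ConsentManager, its methods and the register entries are illustrative names.

// Categories a banner typically offers; 'essential' covers the cookies the
// law exempts (those needed to deliver a service the visitor requested).
const CATEGORIES = ['essential', 'analytics', 'marketing'];

// Constructed cookie register: the details the privacy policy page should
// list for each cookie (provider, duration, purpose).
const COOKIE_REGISTER = [
  { name: 'session_id', provider: 'example.com (first party)', category: 'essential',
    maxAgeSeconds: 0, purpose: 'Keeps the visitor logged in for the current session.' },
  { name: '_ga', provider: 'Google Analytics (third party)', category: 'analytics',
    maxAgeSeconds: 63072000, purpose: 'Distinguishes visitors for analytics reporting.' },
  { name: 'ad_pref', provider: 'Example Ads (third party)', category: 'marketing',
    maxAgeSeconds: 7776000, purpose: 'Personalises advertising across sites.' },
];

class ConsentManager {
  // The clock is injectable so the consent log is reproducible in tests.
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    // Before any choice is made only essential cookies are permitted and no
    // optional category is pre-selected; the site itself stays usable.
    this.choices = this.#essentialOnly();
    this.decided = false;
    this.log = []; // retained as evidence that consent was obtained or refused
  }

  acceptAll() {
    return this.#record(Object.fromEntries(CATEGORIES.map((c) => [c, true])), 'accept_all');
  }

  rejectAll() {
    return this.#record(this.#essentialOnly(), 'reject_all');
  }

  // Granular selection; 'essential' is always on and cannot be unticked.
  select(selection) {
    const next = this.#essentialOnly();
    for (const c of CATEGORIES) {
      if (c !== 'essential') next[c] = selection[c] === true;
    }
    return this.#record(next, 'select');
  }

  // Withdrawal after the banner has gone: same effect as reject, logged distinctly.
  withdraw() {
    return this.#record(this.#essentialOnly(), 'withdraw');
  }

  // The gate every script should consult before writing a cookie.
  mayStore(category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    return this.choices[category] === true;
  }

  // Returns the string a page would assign to document.cookie, or null when
  // the visitor has not consented to that cookie's category.
  cookieString(name, value) {
    const entry = COOKIE_REGISTER.find((c) => c.name === name);
    if (!entry) throw new Error(`cookie not in register: ${name}`);
    if (!this.mayStore(entry.category)) return null;
    let s = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
    if (entry.maxAgeSeconds > 0) s += `; Max-Age=${entry.maxAgeSeconds}`;
    return s;
  }

  // Cookies that must be cleared once consent is refused or withdrawn.
  cookiesToRemove() {
    return COOKIE_REGISTER.filter((c) => !this.mayStore(c.category)).map((c) => c.name);
  }

  #essentialOnly() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, c === 'essential']));
  }

  #record(choices, action) {
    this.choices = { ...choices };
    this.decided = true;
    this.log.push({ at: this.clock(), action, choices: { ...choices } });
    return { ...choices };
  }
}

// Walks through a visit: landing with no choice yet, a granular selection,
// then withdrawal later in the visit.
function demo() {
  let tick = 0;
  const cm = new ConsentManager(() => `2024-01-01T00:00:0${tick++}Z`);
  const beforeChoice = cm.cookieString('_ga', 'GA1.2.123');        // null: no consent yet
  const sessionOk = cm.cookieString('session_id', 'abc') !== null;  // essential always allowed
  cm.select({ analytics: true, marketing: false });
  const afterSelect = cm.cookieString('_ga', 'GA1.2.123');
  cm.withdraw();
  return {
    beforeChoice, sessionOk, afterSelect,
    afterWithdraw: cm.mayStore('analytics'),
    toRemove: cm.cookiesToRemove(),
    logActions: cm.log.map((e) => e.action),
  };
}
```

The point of routing every cookie write through `mayStore` is that the banner's buttons only change state; the scripts that set analytics or advertising cookies never need to know about the banner, and a refusal or withdrawal produces a concrete list of cookies to clear rather than just hiding a dialog.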
International regulations
It is important to remember that websites are accessible globally and that different countries around the world have different cookie regulations. The data of EU citizens, for example, is protected by GDPR, so even if you are not based in the EU, your website will still need to comply with the EU cookie law if it places cookies on EU citizens’ devices.
Conclusion
Website owners need to ensure that their use of cookies complies with both the ePD and GDPR aspects of the cookie law. This means ensuring that users are given clear information about the types of cookies used on your website and their purposes while having the means to actively accept or reject them. The easiest way to ensure you comply is to use a fully functional cookie banner that covers all these requirements.