Are cookie warnings still required under the EU cookie law?


Solution 1

As a European (Dutch) and a web builder:

Yes, this is still required (if you have tracking/3rd party cookies). But now the cookie storm is over, and the dust has settled, most sites only show a small banner "we use cookies" and stick to that. Unless you're in the big league, there's not much to worry about, with just that notification you're already doing better than most sites. I have yet to encounter an actual court case about this.

Dutch law requires opt-in, but that rarely happens. European law says opt-out should be possible, but most websites just tell the user they use cookies and keep it to that.
This applies to EVERY website targeting Europeans, no matter where you host or where the company originates.

This website has plenty of info about EU legislation on cookies

Might be nice to know, you no longer need to place the notification if you only use Google Analytics (you had to because GA uses a cookie to check for returning visitors) and cookies specific for the website. Because of this, most small common websites don't need a notification to the user.

The reason GA is allowed is because they don't track you from site to site, only if you come back. This is considered acceptable because it is basic information which is useful for a webmaster and not privacy invasive for visitors. These cookies are available for the visited domain only and therefore seen as first party.

FYI, it's called cookie law, but this doesn't only apply to cookies. Session.storage and similar functionalities fall under the same rules. Everything that tracks users for the purpose of tracking users.

Solution 2

Unless you do some sort of tracking, most cookies are exempt from that law. From the "EU Internet Handbook":

Cookies clearly exempt from consent according to the EU advisory body on data protection include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

This means you only have to show such an alert for tracking or third-party cookies.

Solution 3

If you are in Europe then you need to ask users before using cookies. The law is the European Cookie Directive.

Outside of Europe, there is no need for any cookie warning or opt in.

Many third party services you use such as Google AdSense require that you have a privacy policy that includes a section about how you use Cookies and how third party cookies are used on your site.


Author by

Double Clicked

At Double Clicked our aim is to make digital marketing simple. For over 10 years we’ve watched the digital marketing industry make itself more and more complicated and to little benefit – this doesn’t have to be the case! We do your marketing. Simple as that. We are Digital Marketing Consultants, based in Brighton.

Updated on September 18, 2022

Comments

  • Double Clicked
    Double Clicked over 1 year

    Is it still required to provide a cookie warning offering users the ability to opt in/out of cookie tracking?

    I cannot find any official advice on what we are supposed to be doing.

    I'm not looking for answers along the lines of "to be on the safe side", but official guidelines. Does the cookie warning need to be on the homepage / every page / privacy policy page etc.

    It seems most companies have implemented solutions based on best guesses, I can't see a consistent trend.

  • Double Clicked
    Double Clicked about 8 years
    I believe the site is hosted in the U.S although it sits behind a CDN (Akamai). Does that make a difference?
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    See Does the EU cookie law apply to an EU site that is hosted outside of the EU? for advice about whether the EU cookie law applies to your site.
  • Double Clicked
    Double Clicked about 8 years
    Thanks but another fuzzy answer with words like 'Likely', also the source of that answer has moved with no redirect.
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    Another answer also says that it is impossible to get more clarity without court cases that test it. I'm not based in Europe, so I don't follow it that closely so I don't know if that has happened or not. If so, it would be useful to update the answers on that question or submit new answers.
  • MrWhite
    MrWhite about 8 years
    Regardless of where the site is physically hosted, if you are serving content to a European audience then you should be displaying said message to European visitors.
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    @w3dk I'm not sure that is true. My understanding is that there are no possible penalties for anybody outside the EU.
  • Martijn
    Martijn about 8 years
    Foreign sites have to notify just as much. In theory you could be blocked because you don't conform to EU law (although I'd be surprised if that would actually happen).
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    Blocked by what? There is no great firewall of Europe.
  • Martijn
    Martijn about 8 years
    Well yeah, that's the 'problem', there isn't really any way to block a website. ISP will not be eager to block a website and blocking a complete website is a bit overdoing it for a cookie warning, but theoretically they're in their right to do so.
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    I've started a 50 point bounty on Does the EU cookie law apply to an EU site that is hosted outside of the EU? to get updated answers.
  • Double Clicked
    Double Clicked about 8 years
    Thanks Stephen - I was going to do the same when this question becomes eligible.
  • SnakeDoc
    SnakeDoc about 8 years
    Probably should note, if you're a US company/website, feel free to ignore these half-baked EU laws, they aren't enforceable unless you have a physical EU presence. (yes, technically the EU says their law applies globally, but that's not how law works).
  • Matti Virkkunen
    Matti Virkkunen about 8 years
    Whoa, where does it say you don't need the cookie warning if you use Google Analytics? I thought that (visitor tracking) was exactly the reason they came up with the silly law. I only heard that benign and "necessary" cookies like login session IDs and shopping cart tracking and such were exempted (but I'm not a lawyer).
  • Martijn
    Martijn about 8 years
    Updated that part of my answer
  • MrWhite
    MrWhite about 8 years
    @StephenOstermiller Whether you'd suffer penalties/prosecution is another matter. (TBH it's very unlikely that you'd suffer any penalties even if you are in Europe - nobody has.) The fact of the matter is that if you are serving content to an EU visitor you are "supposed" to comply.
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    Yes the law was written broadly, but the EU lacks jurisdiction to tell me what I'm supposed to do on my website in the United States, even if I get European visitors. Since the law can't apply, they would need to start blocking my site to get me to pay attention to their dubious requirements.
  • Simon Hayter
    Simon Hayter about 8 years
    @StephenOstermiller need to ask users before using cookies, this is no longer the case. You only need to display that your site uses cookies, for example by continuing to use this website you agree to our cookie policy... and then hide after X seconds is perfectly acceptable.
  • Stephen Ostermiller
    Stephen Ostermiller about 8 years
    I don't think the law has changed, only the agency responsible for enforcing the law has changed what they plan to enforce? It all seems very confusing.
  • Baard Kopperud
    Baard Kopperud about 8 years
    This is what happens when people with little to no knowledge about computers and how web-pages work are set to make laws! Hello, almost all sites use cookies!! If some people are that afraid of cookies, they should stay off the web! Really, they ought to put warnings on pages that didn't use cookies... because that - like some people not having a Facebook-profile - certainly is suspicious!
  • SnakeDoc
    SnakeDoc about 8 years
    @BaardKopperud Maybe if we just changed the name of cookies... call them brownies or something, and instantly everything is OK again ;)
  • user253751
    user253751 about 8 years
    @BaardKopperud Didn't the law have an exception for cookies that are actually required for the website to function? (such as remembering who you're logged in as)
  • Andrea Ligios
    Andrea Ligios over 7 years
    I've registered to this site just to upvote this answer.
  • SnakeDoc
    SnakeDoc about 7 years
    @ClaudiuCreanga That may be what the EU says, but go ahead and try to enforce that. If you have no physical presence in the EU, there is little-to-nothing the EU can do to you as enforcement. A website is on the internet, and the internet doesn't have natural borders. Unless the EU builds a "Great Firewall" and blocks your site, they are powerless to stop you. Finally, as a US Citizen, I don't have to follow EU laws when I'm in the US - your laws do not apply globally.
  • Claudiu Creanga
    Claudiu Creanga about 7 years
    @SnakeDoc enforcement is a totally different discussion. Of course individual persons and small companies can disregard it. But if you are a big corporation, even without EU presence, they might go after you. Just to be clear, your site must be dedicated to a European audience, like German Bundesliga, not to a US audience, then of course you have no connection with the law. And by the way, some US laws do apply to businesses that have no presence in the USA, for example the restrictions against Iran.
  • SnakeDoc
    SnakeDoc about 7 years
    @ClaudiuCreanga That's untrue. Any non-US business is free to conduct business with Iran as they see fit - they break no laws in doing so (so long as their own country hasn't imposed sanctions) - however, then turning around and attempting to conduct business with the US Gov't or large US-based corporation might be a different story. Laws made up in a country do not apply to the world (even though us Americans often think they do). The only laws that apply to the world are ones that have been agreed upon internationally - which this "Cookie Law" has not.
  • Sam Olesen
    Sam Olesen over 6 years
    Google Analytics and similar services are NOT exempt from the EU cookie law. Source: Section 4.3 ec.europa.eu/justice/data-protection/article-29/documentation/…
  • Markus Laire
    Markus Laire over 6 years
    It seems that e.g. semipermanent "user‑interface customisation cookies" also need an alert, e.g. saving language preference for longer than a session?
  • Sunil
    Sunil over 4 years
    I edited the answer to clarify about GA; I have not found any exemption