The Must-know Guide to the EU Cookie Directive
As a business owner, not only should you understand what a cookie actually is and have a Cookies Policy in place, you're also required to make sure your business website adheres to privacy legislation such as the EU Cookie Directive.
If you own or operate a website or mobile app, you're bound to have come across the term 'cookies' at some point. But while they're frequently mentioned, they're often misunderstood.
This article goes into detail on the purpose of cookies, what the Directive is, why it was created, and how it's relevant to you as a business owner (even if you're not in Europe), so that you understand the ins and outs of the EU Cookie Directive.
- 1. What are Cookies?
- 2. Understanding the EU Cookies Directive
- 3. What does the EU Cookies Directive require?
- 4. Who is Impacted by the EU Cookies Directive?
- 5. Understanding Google Analytics
- 6. How to Comply with the EU Cookie Directive
- 6.1. The Cookie Compliance Checklist
- 6.1.2. Have a Cookies Policy
- 6.1.4. Receive consent from the user
- 6.1.5. Provide an opt-out method
- 7. Examples of Cookies Notifications
In this article you'll also be provided with a Cookie Compliance Checklist, so you'll be able to ensure that you're complying with the Directive by checking off each step.
What are Cookies?
In technical terms, a cookie is a small computer file that contains data relating to the different sites you visit online. Cookies can be accessed by web browsers (such as Google Chrome, Microsoft Edge, Firefox and so on), or by the owner of the individual website.
A cookie's main purpose is to hold data that it recognizes as useful. It then uses that data to automatically fill in the blanks each time you visit a site. The aim of a cookie is to provide a quicker browsing experience for web users, and for you as a business owner, cookies can do a lot in your favor.
Cookies can tell you:
- How each visitor found you (whether through another website, an organic search query, Pay Per Click and so on),
- How many times each page on your site is viewed by each customer,
- And even notify you when a particular visitor accesses your site.
Cookies are specific to each browser. This means that cookies stored in a Google Chrome browser cannot be accessed or viewed from Firefox.
They're also site-specific so they vary depending on each website visited, and aren't shared between them.
One of the most common uses of cookies is the storing of usernames and passwords so frequent visitors don't have to input them every time they go to the same site.
Cookies are also behind the custom advertising that appears in sidebars and headers as you browse. This is a great example of cookies hard at work: previous search history stored in cookies is reapplied to advertising.
But there's a lot more to cookies than meets the eye, especially from a legal point of view. So, let's get started.
Understanding the EU Cookies Directive
The EU Cookie Directive is an adaptation of the EU e-Privacy Directive, the legislation that forms part of Europe's endeavor to provide online privacy for its people.
Adopted in May 2011, this Directive applies to all countries within the EU, as well as websites that are owned by EU companies, and international sites that cater to EU citizens. In other words, even if your business website or app is not located in the EU, you are subject to enforcement if any EU residents visit your site.
According to the Directive, each time someone visits a site they must be informed if cookies are being used, and they should also have the option to refuse to allow it.
This can be done with a simple browser notification or pop-up window that provides information about the site's cookies policy, as well as the choice to opt out.
What does the EU Cookies Directive require?
The EU Cookie Directive holds a few minimum requirements that all businesses must uphold, whether they're based in the EU or deal with EU customers.
We expand further on these requirements below, but briefly, they are:
- Informed, specific, voluntary consent being received before cookies are used
- The choice for users to opt out
Who is Impacted by the EU Cookies Directive?
The EU Cookie Directive applies to everyone running a website within the EU. It's also applicable to businesses that cater to EU residents, even if the business is based elsewhere in the world.
Understanding Google Analytics
As a business owner, you'll no doubt be aware of how important it is to track the metrics of your site(s).
It's the most effective way to do a number of things, like following company performance, making sure goals are being achieved and monitoring Key Performance Indicators.
Google Analytics (GA) is one of the most popular tracking systems currently available that provides an insight into these metrics.
As a business owner, it's beneficial to understand what the GA cookies can do for you.
There's also a fifth cookie that can be activated through opt-in, which shares traffic information with Google directly. These cookies each have a different purpose, but all are very valuable to business owners.
- The __utma cookie, once written, will stay on the computer until the cache is cleared or the cookie itself expires. This cookie tracks visitors, including first and returning visits.
- The __utmb and __utmc cookies track the length of time spent on each page, and expire if 30 minutes pass with no new activity recorded.
- The __utmx cookie takes note of where a user has come from, such as a social media page or search engine query, as well as the geolocation of the visitor. This cookie is endlessly useful if you're trying to find out more about where your traffic comes from.
- The final Google cookie is the __utmv cookie, which is considered to be 'persistent' because it never expires.
It's not necessary to provide explicit detail about the exact use of each GA cookie to your consumers.
But having some knowledge of them will assist you in better understanding what personal data your cookies will be collecting from your customers, and why it's so important to abide by specific legislation.
How to Comply with the EU Cookie Directive
So now you know what the EU Cookie Directive is, and whether it applies to you or not.
But here's the important part: how do you ensure you're complying with it properly?
It's easy to get lost in the technical jargon of it all, so we've simplified it into these five simple steps.
The Cookie Compliance Checklist
In order to comply with the EU Cookie Directive, your website/mobile app needs to:
Personal information relates to anything that could potentially identify an individual, including but not limited to their first and last names, email address, device ID, any billing/shipping information, date of birth, marital status, credit information and even places where they've traveled or are traveling to.
As a business owner, you have a responsibility for what happens to your customer's privacy and personal information, and this is not something to take lightly.
Users who visit your site have the right to know what you will do with their information. This needs to be explained in a clear and concise manner.
As the business owner, you're also required to provide easily accessible, current contact information for yourself, should any visitors need to contact you regarding your use of their personal information.
Any personal data collected through your website must have a legitimate purpose, and must not be used for any other purpose aside from those specified unless additional consent is sought and received from the consumer.
The personal information that is collected should not be excessive or irrelevant. It should also be up to date and complete.
Any incorrect, out-of-date or incomplete personal data should be deleted from site servers.
2. Have a Cookies Policy
This policy should be a detailed description that notifies customers about which cookies are used, how they're used, what sort of personal data they collect and who they might share that data with.
Many Cookies Policies also describe, in simple terms, what cookies are. This definition should be easily understandable by anyone who reads it.
A good Cookies Policy might also list the different types of cookies that are used by the website, such as site performance cookies, registration cookies and advertising cookies.
Note that this level of detail is not required, but can still be largely helpful and informative for your customers.
So again, even if your business is based outside of the EU, your website must fulfil these requirements if your business targets customers in the EU.
- What cookies will be used
- What they are used for, and
- How they are used
And there are requirements for such a notification, which include:
- Easy to understand language
- Placement in an obvious location, and
Here is an example of a sufficient cookies notification, including a link to further information from Under Armour:
4. Receive consent from the user
When someone visits your website, you are required to get their informed, specific and voluntary consent before cookies can be used.
Use a simple clickable button or checkbox that isn't pre-ticked, known as affirmative action/explicit consent:
5. Provide an opt-out method
Even though cookies are generally nothing for users to be concerned about, some users still might be. So, in compliance with the EU Cookie Directive, you must provide users with an option to opt out of cookies being used.
This can be done in a number of different ways, such as directly through your Content Management System (CMS), by coding it into your site theme/PHP files, or by offering it as a link on your site.
See this example from YuMe:
By checking your website/mobile app against these five steps, you can make sure your site is fully compliant with the EU Cookie Directive.
And if you find you're missing one or two of these steps, adding them to your website as soon as you can will make you compliant with the current legislation.
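Steps 4 and 5 above, as an added JavaScript example that is not from the original article or from any site it cites: a consent gate that holds back non-essential cookies until the visitor explicitly accepts, and deletes them again on opt-out. The class name, the category names, the `essential` exemption and the `jar` map standing in for the browser's cookie store are assumptions made for illustration.

```javascript
// Added example: consent gate for cookies (all names here are assumptions).
// `jar` stands in for document.cookie so the logic also runs outside a browser.
class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;
    this.owner = new Map();   // cookie name -> category that set it
    this.consent = new Set(); // categories the visitor has explicitly accepted
    this.pending = [];        // writes held back until consent arrives
  }

  // Initial state of the banner checkboxes: nothing is pre-ticked.
  static defaultChoices() {
    return { analytics: false, advertising: false };
  }

  // Call only from the click handler of the banner's save/accept button,
  // so that consent is always the result of an affirmative action.
  record(choices) {
    this.consent = new Set(
      Object.keys(choices).filter((c) => choices[c] === true));
    // Replay held-back writes; those still not allowed are queued again.
    const held = this.pending;
    this.pending = [];
    held.forEach(({ name, value, category }) => this.set(name, value, category));
    // Delete cookies whose category is no longer consented to.
    for (const [name, category] of this.owner) {
      if (category !== "essential" && !this.consent.has(category)) {
        this.jar.delete(name);
        this.owner.delete(name);
      }
    }
  }

  // Write a cookie, or hold it back if its category lacks consent.
  set(name, value, category) {
    if (category !== "essential" && !this.consent.has(category)) {
      this.pending.push({ name, value, category });
      return false;
    }
    this.jar.set(name, value);
    this.owner.set(name, category);
    return true;
  }

  // Opt-out link: withdraw all consent and discard anything still queued.
  optOut() {
    this.record(ConsentGate.defaultChoices());
    this.pending = [];
  }
}
```

In a browser, `jar.set` and `jar.delete` would be replaced by writes to `document.cookie`, and analytics scripts such as Google Analytics would be loaded only after `record()` has accepted their category.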
Failure to comply with the EU Cookie Directive leaves you open to the risk of enforcement action from your country's regulatory body, with a potential monetary fine. Furthermore, failure to advise users about what you aim to do with their personal data can create distrust across your customer base or lead to potential civil litigation.
This can cause knock-on negative effects like lower levels of consumer engagement and loss of potential customers.
Examples of Cookies Notifications
The examples below show you how you can properly display the minimum requirements of the Directive on your website.
They vary from discreet to highly prominent, but each is compliant with the EU Cookie Directive.
The BBC uses a noticeable fixed header to display a large amount of information regarding their Cookies policy. In this header the company provides details on cookie usage, including third-party cookies and their purpose.
The BBC also provides users with an option to continue browsing (which implies user consent), or to turn cookies off and change their personal settings entirely, as well as a link to more information.
eBay's UK website uses a noticeable banner to display cookie information and a link for how users can learn more and adjust settings. In this notice, eBay provides details on cookie usage including third-party cookies and their purpose:
Your cookie notification can be very personalized and customized for your website's style and aesthetics. Just remember to get clear consent, provide information and links within the notice and to not place any cookies that require consent before you obtain it.