The Must-know Guide to the EU Cookie Directive

As a business owner, not only should you understand what a cookie actually is and have a Cookies Policy in place, you're also required to make sure your business website adheres to privacy legislation such as the EU Cookie Directive.

If you own or operate a website or mobile app, you're bound to have come across the term 'cookies' at some point. But while they're frequently mentioned, they're often misunderstood.

This guide goes into detail on the purpose of cookies, what the Directive is, why it was created, and how it's relevant to you as a business owner (even if you're not in Europe), so that you know the ins and outs of the EU Cookie Directive.

In this article you'll also be provided with a Cookie Compliance Checklist, so you'll be able to ensure that you're complying with the Directive by checking off each step.

What are Cookies?

In technical terms, a cookie is a small file stored by your browser that contains data relating to the different sites you visit online. It can be read by the web browser (such as Google Chrome, Microsoft Edge, Firefox and so on) and by the owner of the website that set it.

A cookie's main purpose is to hold data the site considers useful, which is then used to automatically fill in the blanks each time you visit that site. The aim of a cookie is to provide a quicker browsing experience for web users, and as a business owner, cookies can do a lot in your favor.

Cookies can tell you:

  • How each visitor found you (whether through another website, an organic search query, Pay Per Click and so on),
  • How many times each page on your site is viewed by each customer,
  • And even notify you when a particular visitor accesses your site.

Cookies are specific to each browser. This means that cookies stored by Google Chrome cannot be accessed or viewed from Firefox, and vice versa.

They're also site-specific so they vary depending on each website visited, and aren't shared between them.

One of the most common uses of cookies is the storing of usernames and passwords so frequent visitors don't have to input them every time they go to the same site.

Cookies are also behind the custom advertising that appears in sidebars and headers as you browse. This is a great example of cookies hard at work: previous search history stored in cookies is reapplied to advertising.

But there's a lot more to cookies than meets the eye, especially from a legal point of view. So, let's get started.

Understanding the EU Cookies Directive

The EU Cookie Directive is an adaptation of the EU e-Privacy Directive, the legislation that forms part of Europe's endeavor to provide online privacy for its people.

Adopted in May 2011, this Directive applies to all countries within the EU, as well as to websites owned by EU companies and international sites that cater to EU citizens. In other words, even if your business website or app is not located in the EU, you are subject to enforcement if any EU residents visit your site.

According to the Directive, each time someone visits a site they must be informed if cookies are being used, and they should also have the option to refuse to allow it.

A user who refuses cookies will have a less personalized browsing experience; however, the law requires this option to be available.

This can be done with the use of a simple browser notification or pop-up window that provides information about the site's cookies policy, as well as the choice to opt-out.

What does the EU Cookies Directive require?

The EU Cookie Directive holds a few minimum requirements that all businesses must uphold, whether they're based in the EU or deal with EU customers.

We expand further on these requirements below, but briefly, they are:

  • Informing users that the site uses cookies
  • A notification that makes the use of cookies clear, like a banner in the header
  • Informed, specific, voluntary consent being received before cookies are used
  • The choice for users to opt-out

Who is Impacted by the EU Cookies Directive?

The EU Cookie Directive applies to everyone running a website within the EU. It's also applicable to businesses that cater to EU residents, even if the business is based elsewhere in the world.

Thanks to the Directive, consumers can be aware of what personal information is being collected from them, how it's collected and what is done with it. They can then choose whether to consent to the use of cookies or refuse. This gives consumers a safer and more empowered browsing experience.

Understanding Google Analytics

As a business owner, you'll no doubt be aware of how important it is to track the metrics of your site(s).

It's the most effective way to do a number of things, like following company performance, making sure goals are being achieved and monitoring Key Performance Indicators.

Google Analytics (GA) is one of the most popular tracking systems currently available that provides an insight into these metrics.

And while you might think that by using Google Analytics you're exempt from complying with the necessary legislation, this is not the case. Given that GA also relies on the use of cookies to record how each user interacts with a website, if you use their services, then by default you are required to abide by the EU Cookie Directive.

As a business owner, it's beneficial to understand what the GA cookies can do for you.

There are four different cookies that are automatically set by the GA service. They are written by the GA JavaScript snippet embedded into the pages you wish to track.

There's also a fifth cookie that can be activated through opt-in, which shares traffic information with Google directly. These cookies each have a different purpose, but all are very valuable to business owners.

  • The __utma cookie, once written, will stay on the computer until the cache is cleared or the cookie itself expires. This cookie tracks visitors, including first and returning visits.
  • The __utmb and __utmc cookies track the length of time spent on each page, and expire if 30 minutes pass with no new activity recorded.
  • The __utmx cookie takes note of where a user has come from, such as a social media page or a search engine query, as well as the visitor's geolocation. This cookie is endlessly useful if you're trying to find out more about where your traffic comes from.
  • The final Google cookie is the __utmv cookie, which is considered 'persistent' because it never expires.

It's not necessary to provide explicit detail about the exact use of each GA cookie to your consumers.

But having some knowledge of them will assist you in better understanding what personal data your cookies will be collecting from your customers, and why it's so important to abide by specific legislation.

How to Comply with the EU Cookie Directive

So now you know what the EU Cookie Directive is, and whether it applies to you or not.

But here's the important part: how do you ensure you're complying with it properly?

It's easy to get lost in the technical jargon of it all, so we've simplified it into these five simple steps.

In order to comply with the EU Cookie Directive, your website/mobile app needs to:

1. Have a Privacy Policy

A Privacy Policy is a detailed statement or legal document that aims to inform people of all the ways their personal information is collected, used and stored by a company, whether it's through a website, a mobile app or third-party software (like Google Analytics).

Personal information relates to anything that could potentially identify an individual, including but not limited to their first and last names, email address, device ID, any billing/shipping information, date of birth, marital status, credit information and even places where they've traveled or are traveling to.

Even though a Privacy Policy is usually placed in the footer of a website, the Directive requires websites to make it conspicuous. A tiny typeface, camouflaged colors or any other method of making it hard to find is a violation of the law.

As a business owner, you are responsible for what happens to your customers' privacy and personal information, and this is not something to take lightly.

Let's take a look at the Huffington Post's site. Their Privacy Policy is behind a small, nondescript and hard-to-find link in the footer of their website.

Highlighted Privacy Policy link in footer of Huffington Post website

There are several things to consider when creating a Privacy Policy for your website, but it can be narrowed down to three simple principles. These are:

  • Transparency

    Users who visit your site have the right to know what you will do with their information. This needs to be explained in a clear and concise manner.

    As the business owner, you're also required to provide easily accessible, current contact information for yourself, should any visitors need to contact you regarding your use of their personal information.

  • Legitimacy

    Any personal data collected through your website must have a legitimate purpose, and must not be used for any other purpose aside from those specified unless additional consent is sought and received from the consumer.

  • Proportionality

    The personal information that is collected should not be excessive or irrelevant. It should also be up-to-date and complete.

    Any incorrect, out-of-date or incomplete personal data should be deleted from site servers.

Privacy Policy requirements differ from country to country. But generally, all countries have laws that dictate data privacy and the necessity of a Privacy Policy on any website/mobile app that collects data.

2. Have a Cookies Policy

Along with a Privacy Policy, the EU Cookie Directive also requires a Cookies Policy.

This policy should be a detailed description that notifies customers about which cookies are used, how they're used, what sort of personal data they collect and who they might share that data with.

Many Cookies Policies also describe, in simple terms, what cookies are. This definition should be easily understandable by anyone who reads it.

A good Cookies Policy might also list the different types of cookies that are used by the website, such as site performance cookies, registration cookies and advertising cookies.

Note that this level of detail is not required, but it can still be very helpful and informative for your customers.

So again, even if your business is based outside of the EU, your website must fulfil these requirements if your business targets customers in the EU.

3. Have a banner (or pop-up notification) that details the use of cookies

When users visit your web page or mobile app, they should be informed immediately that your site uses cookies, as well as:

  • What cookies will be used
  • What they are used for, and
  • How they are used

There are also requirements for such a notification, which include:

  • Easy to understand language
  • Placement in an obvious location, and
  • A link to the detailed Cookies Policy and/or Privacy Policy pages

Here is an example of a sufficient cookies notification, including a link to further information from Under Armour:

Under Armour UK Cookie Consent notice

4. Get informed, specific and voluntary consent

When someone visits your website, you are required to get their informed, specific and voluntary consent before cookies can be used.

Use a simple clickable button, or a checkbox that isn't pre-ticked; this is known as affirmative action or explicit consent:

Example of a Cookies Consent in a banner notification

5. Provide an opt-out method

Even though cookies are generally nothing for users to worry about, some users will still be concerned. So, in compliance with the EU Cookie Directive, you must provide users with an option to opt out of cookies being used.

This can be done in a number of different ways, such as directly through your Content Management System (CMS), by coding it into your site theme/PHP files, or by offering it as a link on your site.

See this example from YuMe:

YuMe: Cookie Policy page
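As an added example (not code from the article or from any of the sites it mentions), the following JavaScript shows the server-side logic behind steps 3 to 5: no cookie that needs consent is placed until the visitor has explicitly accepted, and an opt-out expires any such cookies the browser already holds. The consent cookie name `cookie_consent`, its values `accepted`/`rejected`, the essential `sessionid` cookie and the `ad_id` advertising cookie are assumptions constructed for this example; the `__utm` prefix covers the Google Analytics cookies listed above.

```javascript
// Added example, not code from the article. Assumed (constructed) names: the
// visitor's choice lives in a first-party cookie "cookie_consent" holding
// "accepted" or "rejected" (absent on a first visit, i.e. nothing pre-ticked);
// "sessionid" is strictly necessary; "__utm*" are the Google Analytics cookies
// the article describes; any other cookie (e.g. advertising) also needs consent.
const ESSENTIAL = new Set(["sessionid", "cookie_consent"]);

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Classify a cookie by what the Directive requires for it.
function category(name) {
  if (ESSENTIAL.has(name)) return "essential";
  if (name.startsWith("__utm")) return "analytics";
  return "other";
}

// Only an explicit "accepted" counts; an absent or "rejected" value means no
// consent, so the GA snippet must not be injected into the page either.
function consentGiven(cookies) {
  return cookies.cookie_consent === "accepted";
}

// Step 4: drop outgoing Set-Cookie headers for cookies that need consent the
// visitor has not given, so nothing non-essential is placed before opt-in.
function filterSetCookie(setCookieHeaders, cookies) {
  const allowed = consentGiven(cookies);
  return setCookieHeaders.filter((h) => {
    const name = h.slice(0, h.indexOf("=")).trim();
    return allowed || category(name) === "essential";
  });
}

// Step 5: on opt-out (or no consent), expire the non-essential cookies the
// browser already holds, returned as Set-Cookie headers with Max-Age=0.
function optOutHeaders(cookies) {
  if (consentGiven(cookies)) return [];
  return Object.keys(cookies)
    .filter((n) => category(n) !== "essential")
    .map((n) => `${n}=; Max-Age=0; Path=/`);
}
```

Run `filterSetCookie` over every response and `optOutHeaders` when the visitor rejects or withdraws consent; the analytics script tag itself should be emitted only when `consentGiven` returns true.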

By checking your website/mobile app against these five steps, you can make sure your site is fully compliant with the EU Cookie Directive.

And if you find you're missing one or two of these steps, add them to your website as soon as you can so that you're compliant with the current legislation.

Failure to comply with the EU Cookie Directive leaves you open to the risk of enforcement action from your country's regulatory body, with a potential monetary fine. Furthermore, failure to advise users about what you aim to do with their personal data can create distrust across your customer base or lead to potential civil litigation.

This can cause knock-on negative effects like lower levels of consumer engagement and loss of potential customers.

Examples of Cookies Notifications

The examples below show you how you can properly display the minimum requirements of the Directive on your website.

They vary from discreet to highly prominent, but each is compliant with the EU Cookie Directive.

Coca-Cola displays its Cookies notification on its website. It's quite a small banner but it's compliant with the Directive because it notifies visitors that the site uses cookies, provides a link to the Cookie Policy and gets clear consent with an "Accept Cookies" button.

Coca-Cola UK Cookie Consent banner notice

The BBC uses a noticeable fixed header to display a large amount of information regarding their Cookies policy. In this header the company provides details on cookie usage, including third-party cookies and their purpose.

BBC: Example of Cookies Notification

The BBC also provides users with an option to continue browsing (which implies user consent), or to turn cookies off and change their personal settings entirely, as well as a link to more information.

eBay's UK website uses a noticeable banner to display cookie information and a link for how users can learn more and adjust settings. In this notice, eBay provides details on cookie usage including third-party cookies and their purpose:

eBay UK Cookie Consent banner notice

Your cookie notification can be highly personalized and customized to your website's style and aesthetics. Just remember to get clear consent, provide information and links within the notice, and not to place any cookies that require consent before you obtain it.