
EU cookie compliance explained: A 2025 guide

Summary

Understanding and complying with EU cookie laws remains a major obstacle for many businesses, with two-thirds of organizations in a recent Usercentrics survey reporting that they were unsure if their data practices meet regulatory standards.

This lack of certainty is understandable. Businesses operating within the EU must comply with the combined requirements of the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD), as well as country-specific and often industry-specific regulations. 

To help you face this web of requirements, this guide serves as an EU cookie policy breakdown. We cover the main laws and guidelines, ways that companies frequently fall short, and what steps you can take to help avoid violations and foster trust with your audience.

Cookies explained

Cookies are small data files placed on a visitor’s browser that help you monitor user behavior on your website and beyond. Cookies can help support essential website functions, such as remembering user preferences or saving shopping carts, as well as your ability to run retargeting ads. 

Generally there are four main types of cookies based on what kind of data they collect and how they function:

  • Strictly necessary: Also known as essential cookies, these enable core website features like secure login and site navigation. You don’t need consent to activate them, but you must still notify visitors and explain why you use them.
  • Preferences: These cookies remember user choices, such as language and regional settings. While they improve website functionality, EU laws consider them non-essential and require you to obtain explicit consent to activate them.
  • Statistics: These collect data on how users interact with your website. For example, which links they click and how long they stay on each page. Statistics cookies may improve website performance, but they also require consent, even if they’re aggregated and anonymized.
  • Marketing: This type of cookie tracks visitors’ browsing activity across websites and platforms to collect personal data. Businesses can use this information to refine their marketing efforts and personalize the website experience. However, EU laws require businesses to collect informed consent prior to the use of marketing cookies processing personal information. 

What are the EU rules for cookies?

Two main regulatory frameworks shape cookie compliance across the EU: the ePrivacy Directive and the GDPR. They work together to cover different areas of cookie use.

ePrivacy Directive

The ePrivacy Directive requires you to obtain prior consent before enabling non-essential cookies to store or access information on user devices. In order to be valid, this consent must be freely given, informed, and specific. For example, you can’t use analytics cookies that process personal data until visitors have explicitly agreed to them.

Under the ePD, users are also free to withdraw their consent at any time, and you must instantly disable cookies upon request.

Because it’s a directive and not a regulation, individual member states incorporate the guidelines into their own regulations. This leads to EU country-specific data laws, some of which take a stricter approach than others. 

GDPR

The GDPR determines how you can collect, process, and store personal data. Through its definition of “personal information,” Art. 4 GDPR specifies that its reach extends to details that can be used to identify users, such as IP addresses, device IDs, and browser activity.

Since many cookies collect personal data, they fall within the GDPR’s scope. So, any organizations that target individuals within the EU and use this tracking technology must meet the GDPR’s standards. You’re generally required to:

  • Inform users of their data privacy rights and how to exercise them
  • Explain which cookies your website or app uses
  • Request explicit and informed consent
  • Keep detailed records of user consent
  • Provide access to, correct, or delete personal data upon the user’s request

The GDPR is an EU-wide regulation, so all member states follow its requirements. That means interpretations of the GDPR and cookies are consistent between countries. However, data protection authorities that enforce the GDPR are country-based.

Although the GDPR and the ePD set high-level requirements, some rules leave room for interpretation and potential errors.

But EU cookie compliance has high stakes. “Failing to comply with EU cookie regulations can have serious repercussions that go well beyond fines,” says Usercentrics CMO Adelina Peltea. “Operationally, penalties can also include suspension of certain operations or requirements to delete data, which makes it hard to run marketing activities and other functions.”

Peltea adds that even if your company can absorb the initial cost, violations can have a long-term impact. “[They] damage brand reputation, undermine existing customer trust, and make it harder to attract new customers. They can also scare off potential advertisers, investors, and other partners, limiting opportunities for growth.”

How do these infringements happen? Here are some common ways businesses violate EU cookie regulations.

Assuming user consent

One company assumed it could automatically collect personal data from customers who visited its online shop. But under EU law, users must give explicit consent through an affirmative action, like clicking a box. This violation led to a fine of EUR 40,000.

Omitting third-party tracking disclosures

GDPR transparency requirements give users the right to know who accesses and uses their data. So if you use third-party cookies to process personal data, you must obtain explicit consent before activating them in order to avoid fines and penalties.

Using vague or misleading banners

Consent notices that bury options, downplay tracking, or use ambiguous wording don’t meet EU requirements for obtaining informed consent. Using vague language like “We use cookies to improve your website experience,” without also stating what the cookie use implies, can lead to penalties.

Making consent hard to decline or withdraw

EU law requires you to make consent as easy to decline or withdraw as to give. Websites can’t bury these settings or nudge visitors to continue allowing cookie usage. For example, Belgian company Mediahuis was ordered to change its banners, as they were found to have hidden the “reject all” button while highlighting the “accept” button.

The following approaches can help keep your cookie use compliant with EU data privacy laws. Incorporate these simple strategies into your processes to build trust with your audience and reduce the risk of costly penalties. 

Notifying users about your cookie usage is the first step to meeting EU requirements for informed consent. “The biggest and best tip is transparency,” Peltea says. “It’s a legal requirement, but also the best thing companies can do to build trust with their customers.”

Cookie pop-ups tell visitors about your website’s cookie use. Include the following to keep them fully informed:

  • What types of cookies your website uses
  • How you process user data
  • Who you share user data with
  • How users can accept, reject, or withdraw consent
  • A link to your full privacy notice for further details
  • A link to how users can exercise their rights under applicable EU laws

Information about your cookie use must be consistent to prevent errors and potentially costly violations.

“You want to ensure your teams are aligned, from legal and web to marketing and product. This helps ensure that communications, policies, product functionality, and other critical functions into which privacy is woven are consistent and kept up to date,” says Peltea.

2. Create a user-friendly interface with easily understandable language

Under EU law, cookie consent is only valid if users understand what they’re agreeing to. If the language you use makes it hard for visitors to understand what you’re doing and what their options are, and so harder for them to make an informed decision, you might not be following the law.

Use plain language to get your message across clearly. Where there are no simple equivalents for technical terms, briefly explain them. For example, visitors might not know what “data processing services” do. 

You can clarify that those are the tools and technologies that enable you to set their language preferences, check out with their shopping cart, or see ads with products of interest.

A clear, accessible layout also helps visitors understand your website policy more easily. Keep banners minimalist and group cookies into categories to make the text easier to read. If you can’t cover everything in the banner, you can use expandable sections to give visitors optional access to more details without overwhelming them.

The ePrivacy Directive states that you must obtain user consent before loading non-essential cookies on each visitor’s device. The challenge is that many tracking cookies are designed to run automatically when a web page loads. That means you — and your visitors — might not even realize that embedded videos or ads have placed cookies on your visitors’ devices without their consent.

One solution is to use a consent management platform (CMP) like the Usercentrics CMP, which can identify non-essential cookies and prevent them from running automatically. 

The tool automatically registers user interactions with your cookie banner and applies their decisions across domains and devices. If someone never gives their consent, the CMP continues to block the cookies and other non-essential tracking technologies.

4. Enable granular control

Visitors must be able to decide which types of cookies they accept on your website to meet the ePrivacy Directive’s requirement for specificity. “User choice is a legal requirement, but also an ever-growing demand from consumers,” says Peltea. “It’s also a key part of Privacy-Led Marketing that helps grow engagement and deliver higher quality data.”

A CMP like Usercentrics’ enables you to offer granular consent options. You can split cookies into categories and add interactive features like buttons or checkboxes for each. The CMP registers these preferences and only runs the approved cookies.

The good news is you won’t lose a significant amount of data by giving visitors granular options. Research indicates that only 0.4 percent of users open the granular preferences center, and just 28.3 percent of those users save individual settings.

Plus, there’s nothing stopping you from including an “accept all” button. This gives visitors a quick and easy way to agree when they’re generally happy with sharing their personal data. And in fact, the same research indicates that over a quarter of users do accept all cookies on the first level of the cookie banner. But if you do present an “accept all” option, EU law generally requires a “deny all” option alongside it as well.

Under EU law, valid consent needs to be freely given. That means businesses generally can’t make access to website content, features, or services conditional on visitors consenting to cookies.

Some businesses choose to implement the consent or pay model, in which visitors can either agree to the collection and use of their personal data or pay to access your website and its contents. 

However, in a recent plenary, the European Data Protection Board (EDPB) said this model doesn’t give users a “real choice” as it compels them to consent when confronted “only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee”.

Tech giant Meta, for example, was found to have violated the EU’s Digital Markets Act (DMA) by obligating users to either allow their personal data to be used for targeted advertisements or pay a fee for advertising-free versions of Facebook and Instagram.

Besides the legal considerations, maintaining access to your website regardless of consent preferences demonstrates that you respect user choices. This builds long-term trust and lasting relationships with customers. As a result, you may find visitors are actually more inclined to consent to cookie use and share their data with your business.

Under Art. 7 GDPR, websites that collect personal information bear the burden of proof for consent. This involves recording and keeping detailed logs of visitor consent choices and preferences. Here are the details that need to be documented:

  • When the user gave consent
  • How they gave consent
  • The version of your consent information they consented to
  • Which tracking technologies they agreed to
  • Any updates to user consent preferences over time
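As an added example (not code from the original post or from the Usercentrics CMP), the following plain JavaScript ties the block-by-default rule from the section on loading cookies to the record fields just listed: non-essential scripts stay inactive until the consent log holds an opt-in for their category, every decision is appended with its timestamp, method, banner version and category choices, and a withdrawal is simply another log entry. The script manifest, its paths and the method names are constructed assumptions.

```javascript
// Cookie categories as described in the article; only "necessary" may run without consent.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed sample manifest: what a CMP would read from tags such as
// <script type="text/plain" data-category="statistics" data-src="..."> before activating them.
const SCRIPT_MANIFEST = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/lang-prefs.js", category: "preferences" },
  { src: "https://analytics.example/collect.js", category: "statistics" },
  { src: "https://ads.example/retarget.js", category: "marketing" },
];

// State before any user action: everything non-essential is off (no assumed consent).
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Appends one consent record and returns the resulting state.
// method:  how consent was given, e.g. "accept_all", "deny_all", "granular", "withdraw" (assumed names)
// version: identifier of the banner text the user saw, so the record can be tied to that wording
// choices: category -> true for an explicit opt-in; anything else (absent, false) stays off
function recordConsent(log, method, version, choices, now = Date.now()) {
  const state = defaultConsent();
  for (const c of CATEGORIES) {
    // Opt-in only: a category is enabled solely by an explicit true, and
    // "necessary" can never be switched off by the caller.
    if (c !== "necessary" && choices[c] === true) state[c] = true;
  }
  log.push({ timestamp: new Date(now).toISOString(), method, version, categories: { ...state } });
  return state;
}

// The most recent decision wins; with no record at all the default (blocked) state applies.
function currentConsent(log) {
  return log.length ? log[log.length - 1].categories : defaultConsent();
}

// Scripts that may be activated right now: each one needs consent for its own category.
function allowedScripts(manifest, state) {
  return manifest.filter((s) => state[s.category] === true).map((s) => s.src);
}

// Walk-through: first visit, then a granular opt-in to statistics, then withdrawal.
const consentLog = [];
allowedScripts(SCRIPT_MANIFEST, currentConsent(consentLog)); // only /js/session.js
recordConsent(consentLog, "granular", "banner-v3", { statistics: true });
recordConsent(consentLog, "withdraw", "banner-v3", {}); // takes effect immediately
```

`allowedScripts` is the only decision point a page needs to call, so the "is this tag allowed yet" check cannot drift from what was logged.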

“Companies that have been found in violation can be required to submit to regular reviews or audits,” says Peltea. “This is a significant burden on resources that, as a result, aren’t going to the core business and growth initiatives.” 

Keeping detailed records helps ensure these processes go as smoothly as possible to minimize disruption to your operations.

A CMP like Usercentrics’ automatically generates these logs based on user interactions with your cookie consent banner. That means all you have to do is download them from the platform and present them to the relevant authorities. This information can also be provided in the event of data subject access requests.

Enabling visitors to change their consent choices at any time helps you achieve and maintain compliance with both the GDPR and the ePD while fostering trust with your audience. It demonstrates that your business both respects user choices and takes privacy regulations seriously.

The first step is to make consent settings clearly visible and accessible on your website, even after users make their consent choices upon their first visit. You can include a link to these settings in your footer or use a persistent settings icon.

The next step is to make sure all changes take effect immediately. A CMP automates this step and minimizes the risk of delays and potential compliance issues. The software registers user interactions and blocks cookies based on these choices.

As data privacy regulations continue to evolve, EU cookie compliance remains a challenge for many businesses. But taking the right steps towards respecting users’ choices and protecting their privacy is essential for achieving compliance and building trust with your customers.

Automated consent management makes it easier to do just that. Usercentrics enables you to collect valid consent, manage user preferences, and maintain audit-ready consent logs. At the same time, our CMP helps you be more transparent with your audience about data usage to build trust and lasting relationships. 

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH