Europe’s Cookie Laws: ePrivacy Directive Implementation Center

ATsmall

Austria

BEsmall

Belgium

BGsmall

Bulgaria

CHsmall

Switzerland

CYsmall

Cyprus

CZsmall

Czech
Republic

DEsmall

Germany

DKsmall

Denmark

EEsmall

Estonia

ELsmall

Greece

ESsmall

Spain

FIsmall

Finland

FRsmall

France

HRsmall

Croatia

HUsmall

Hungary

IEsmall

Ireland

ITsmall

Italy

LTsmall

Lithuania

LUsmall

Luxembourg

LVsmall

Latvia

MTsmall

Malta

NLsmall

Netherlands

NOsmall

Norway

PLsmall

Poland

PTsmall

Portugal

ROsmall

Romania

SEsmall

Sweden

SIsmall

Slovenia

SKsmal

Slovakia

UKsmall

UK


Index

Overview

The Cookie Provision

Methods of Consent

 

Overview

The ePrivacy Directive (Directive 2002/58/EC) primarily focuses on securing privacy in the telecommunications sector, however in Article 5(3) of the directive it provides that for the storing of or access to information stored on a user’s device, a user has to give their consent after being informed about the purposes of processing the data.

This means that, for the use of cookies or similar technologies, a website publisher has to inform a user about the use of cookies and obtain their consent for their use. However, the directive does not specify any specific degree of consent, and simply refers to the Data Protection Directive’s definition.

As the ePrivacy Directive is a directive it does not in itself create obligations for private entities; Member States first had to implement it into their national law. This resulted in some varied interpretations of the law, and presents the problem that it the details, for example on how consent must be obtained, laws differ among the different national markets.

On this page, you can find a simple explanation of how you can comply with the cookie consent standards of each Member State as well as any useful links where available. Simply click on the flag of your choice and you will get a basic explanation, with links to further information. Below the table, you can find an explanation of the common methods used in EU Member States the get consent, as well as an explanation of the Article as it appears in the Directive.


 

The “Cookie Provision”

Article 5(3) of the ePrivacy Directive created, in 2002, an obligation for providers of information society services to both inform users about cookies or similar technologies as well as provide them an option to refuse. The issue is not the technology itself, but the fact that the service provider is storing information, or later accessing information that they have stored on the user’s device. As devices are considered to form part of the private sphere of a user, the directive considers that such storing or accessing needs to be notified. This version of the article thus has a clear opt-out approach. By default, users only needed to be informed and this type of data processing is allowed, unless the user wishes to refuse.

In 2009, a Directive which amended several legal instruments, the Citizens Rights’ Directive (PDF), changed the wording of Article 5(3) so that it went from an opt-out provision to an opt-in. Specifically, the prior, informed consent of the user is required. The storing or access to information that has been stored on user devices thus became conditional on the user having been informed and giving their consent to this. In addition, the Citizens Rights’ Directive also included in recital 66 a new method of providing consent: it provides that where it is technically possible and effective, consent can be expressed through browser settings. However, the recital also states that this method must be made more effective by way of enhanced powers given to national authorities. As a result, some DPAs have stated that browser settings cannot provide a valuable consent method, such as the French CNIL and the UK’s ICO. However, in other Member States the DPA has interpreted this differently way and users accept cookies via their browser settings, even if they are using a default setting.

The other important feature of Article 5(3) is that it provides two exceptions to the rule on consent. The first is for storage or access for the sole purpose of carrying out a transmission over an electronic communications network. The second exception applies to storage or access strictly necessary in order to provide a service explicitly requested by the user. This is understood to include technical cookies which remember settings or serve a function technically necessary for a service to function, such as a shopping cart feature on a website, or a cookie which sets language preferences and remembers them. There is hardly divergence in the area of exceptions when it comes to the national implementations of the exceptions to Article 5(3), although in the Netherlands the legislator amended the relevant law in 2015 to include an additional exception for certain analytics cookies.

The only area where we can observe significant divergence in the transposition is in the practical realisation of the consent model that was introduced in the 2009 amendment. As Member States had a 2-year implementation period, we started to see a change in websites in 2011, with the introduction of so-called cookie banners and cookie walls.


 

Methods of Consent

  • A ‘cookie banner’: the most common approach, where a banner pops up at the top or bottom of the page that informs users about cookies being used and their purpose
    • Consent is given through this method as the user is made aware of the fact that cookies are in use, and they are usually informed that clicking on a link on the page  or browsing further indicates their agreement
    • Thus, the user only has to continue browsing to consent, which is considered in most Member States as an action indicating consent
    • The amount of information required on a banner varies depending on Member States; in the UK and Ireland, for example, the information requirements are quite low, but in countries like Belgium and Italy they are higher
    • In some Member States, the banners only serve the purpose of informing users as consent is given through other means, such as browser settings
  • A ‘cookie wall’: a less common approach but more firm – users are confronted either with a splash page or a large window covering the site which gives information about what cookies are used and ask the user to click ‘Accept’
    • Another variation is a larger banner with an accept button, which persists until users have clicked accept or rejected cookies
  • Implicit consent: in some Member States, consent can be implied
    • This is especially the case where the national legislator has decided that browser settings can be used for consent
    • The Directive states in Recital 66 that browser settings can be used “where technically appropriate and effective” – a few DPAs don’t consider current web browsers capable of giving meaningful consent as it can never be specific enough
    • In these cases, an opt-out for cookies has to be provided on the website, as well as a cookie policy page
    • Germany has an opt-out approach, so long as data collected by cookies immediately undergo pseudonymisation and are kept in a pseudonymised state
X

Thank you for your interest in our article. We’d love to get in touch with you to find out how you are using our research. If you don’t mind us sending you an email to ask you if the article was helpful, then please enter your email address and download the report.

We promise we won’t spam you!

Login

Become a Member Lost your password?