The ePrivacy Directive (Directive 2002/58/EC) primarily focuses on securing privacy in the telecommunications sector, however in Article 5(3) of the directive it provides that for the storing of or access to information stored on a user’s device, a user has to give their consent after being informed about the purposes of processing the data.
As the ePrivacy Directive is a directive it does not in itself create obligations for private entities; Member States first had to implement it into their national law. This resulted in some varied interpretations of the law, and presents the problem that it the details, for example on how consent must be obtained, laws differ among the different national markets.
On this page, you can find a simple explanation of how you can comply with the cookie consent standards of each Member State as well as any useful links where available. Simply click on the flag of your choice and you will get a basic explanation, with links to further information. Below the table, you can find an explanation of the common methods used in EU Member States the get consent, as well as an explanation of the Article as it appears in the Directive.
Article 5(3) of the ePrivacy Directive created, in 2002, an obligation for providers of information society services to both inform users about cookies or similar technologies as well as provide them an option to refuse. The issue is not the technology itself, but the fact that the service provider is storing information, or later accessing information that they have stored on the user’s device. As devices are considered to form part of the private sphere of a user, the directive considers that such storing or accessing needs to be notified. This version of the article thus has a clear opt-out approach. By default, users only needed to be informed and this type of data processing is allowed, unless the user wishes to refuse.
In 2009, a Directive which amended several legal instruments, the Citizens Rights’ Directive (PDF), changed the wording of Article 5(3) so that it went from an opt-out provision to an opt-in. Specifically, the prior, informed consent of the user is required. The storing or access to information that has been stored on user devices thus became conditional on the user having been informed and giving their consent to this. In addition, the Citizens Rights’ Directive also included in recital 66 a new method of providing consent: it provides that where it is technically possible and effective, consent can be expressed through browser settings. However, the recital also states that this method must be made more effective by way of enhanced powers given to national authorities. As a result, some DPAs have stated that browser settings cannot provide a valuable consent method, such as the French CNIL and the UK’s ICO. However, in other Member States the DPA has interpreted this differently way and users accept cookies via their browser settings, even if they are using a default setting.
The other important feature of Article 5(3) is that it provides two exceptions to the rule on consent. The first is for storage or access for the sole purpose of carrying out a transmission over an electronic communications network. The second exception applies to storage or access strictly necessary in order to provide a service explicitly requested by the user. This is understood to include technical cookies which remember settings or serve a function technically necessary for a service to function, such as a shopping cart feature on a website, or a cookie which sets language preferences and remembers them. There is hardly divergence in the area of exceptions when it comes to the national implementations of the exceptions to Article 5(3), although in the Netherlands the legislator amended the relevant law in 2015 to include an additional exception for certain analytics cookies.
The only area where we can observe significant divergence in the transposition is in the practical realisation of the consent model that was introduced in the 2009 amendment. As Member States had a 2-year implementation period, we started to see a change in websites in 2011, with the introduction of so-called cookie banners and cookie walls.