What are cookies?
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site. E.g., if you allow your browser to remember your login details, this cookie will be stored and then used when you return to the site.

Cookies work by assigning your computer a unique identification number (an ID) that allows the website to remember things about you as you move around the Internet. When you visit a site that uses cookies, your browser will tell the site which cookie (if any) it has stored for that site. The site can then use that cookie to determine whether you have visited before and what information you may need to complete a task or access certain services. For example, a cookie can contain your user name and password, so you do not have to re-enter them each time you visit the site.

Cookies do not harm your computer, but some people find them annoying because they cannot control what type of cookies the website stores on their device or how their browser uses them.

What is a cookie law?
A cookie law is a set of guidelines governing the use of cookies on websites. When you visit a website, some cookies are used to track you and your browsing habits to provide a better experience for you. However, not everybody wants to be tracked by cookies. So, certain laws were created which make it illegal for websites to store cookies without the user’s knowledge or consent.

The reason why these laws have been introduced is to protect the users’ privacy and prevent the misuse of information collected by cookies. Most of the time, companies use the user information for marketing purposes, which could mean that the users get unsolicited advertising.

What is the EU cookie law?
The ePrivacy Directive, introduced in 2002 and later amended in 2009, is an EU regulation that protects the confidentiality of electronic communications within the European Union (EU). It applies to all electronic means of communication, including but not limited to e-mail, instant messaging, SMS messages, and phone calls. The Directive regulates how advertisers and other third parties may use electronic communications. It includes provisions that restrict monitoring and blocking of communications, as well as requirements for consent before storing and collecting personal data. It gave the EU member states a framework to make their own laws to implement the Directive. All EU member states adopted the Directive in 2011 and implemented their own laws.

It was revised to include rules on cookies, tracking, and other similar forms of online tracking, which earned it the name “the EU Cookie Law.” The Directive introduced new requirements for websites to gain prior consent from visitors to store or retrieve information on their devices. Additionally, the law dictates that website owners must inform users of the cookies they use and how they will be used. This applies to all websites, no matter where they are hosted.

The law exempts strictly necessary cookies from this. It acknowledges that cookies are a useful technology; however, they can also affect user privacy. It mandates that a website must:

  • Provide clear and precise information about the cookies (including strictly necessary ones) and their purpose when users visit a website.

  • Get prior consent from users to store the cookies on their devices.

  • Make available an option for users to deny consent to use the cookies.

  • Make the means of providing cookie information, opt-out option, and requesting consent as user-friendly as possible.

  • Access to specific website content may be made conditional on informed user consent if the cookies are used for a legitimate purpose.

In 2017, the EU proposed a regulation known as the ePrivacy Regulation (ePR), which will repeal the ePrivacy Directive (ePD). Unlike the Directive, it will become a mandatory law across all member states once it comes into effect. The final draft is expected to address some concerns regarding cookie consent. One main difference from the Directive is that websites can no longer use ‘legitimate interest’ as the basis for using cookies under the ePrivacy Regulation.

As of the most recent developments, the final effective date still remains unknown, and with the 24-month transition period, it is unlikely to be before 2023.

Another law from the EU that regulates the use of cookies is the General Data Protection Regulation (GDPR). Compared to the cookie law, the GDPR has broader applicability. The Directive targets personal data collected over an electronic communication service or network that is publicly available, whereas the Regulation seeks to implement rules for personal data that is not publicly available.

Apart from these and a few other differences, they both have similar clauses, particularly in the case of cookies. Like the ePrivacy law, the Regulation requires websites to get well-informed (all necessary details about cookies and their purpose) GDPR cookie consent from users before storing cookies on their devices, and to give them the choice to opt out and withdraw consent. However, unlike the Directive, the GDPR is not lenient about making access to websites conditional on user consent.

What are other major cookie laws outside the EU?
The ePrivacy Directive may have formed the blueprint for the cookie law. However, other laws also regulate cookies and play an important role in shaping the privacy landscape in the world. We will discuss the laws of the UK, a former EU member, as well as the US laws that form the basis for cookie laws in their respective regions.

Cookie law in the UK
Before Brexit, the UK data privacy landscape included the EU GDPR, ePrivacy Directive and the UK Data Protection Act 2018.

After Brexit, the UK is no longer bound by the EU cookie law or GDPR unless a business there uses EU individuals’ personal data for offering goods and services or to monitor their behavior.

Organizations that deal with the personal data of UK individuals must comply with the UK-made version of the GDPR. Other than its regime for national intelligence and security, the UK GDPR is borrowed word for word from its EU version. So its requirements for cookie usage are the same as those of the EU GDPR.

To protect the personal data collected via electronic communication networks or services, the UK adopted the Privacy and Electronic Communications Regulations (PECR), derived from the EU ePrivacy Directive.

The Data Protection Act, along with the UK GDPR and PECR, forms the data privacy and protection landscape of the UK.

The PECR, like its EU counterpart, has some clauses for cookies. The law advises websites to inform users about cookies and to clearly explain what the cookies do and their purpose. Like the ePrivacy Directive, the PECR also requires websites to get prior consent to store cookies on user devices, and the consent is only valid if it is freely given, informed, explicit, specific, and withdrawable.

Cookie law in the US
The United States does not have a cookie law. However, there are federal laws and some state laws that deal with cookie usage.

The Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the use of cookies on websites that cater to children under 13 years of age.

State laws like the California Consumer Privacy Act (CCPA) also regulate the use of cookies. The CCPA applies to businesses that cater to California consumers and meet one of the following thresholds:

  • Earns over $25 million in annual gross revenue.

  • Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.

  • Derives at least 50% of its annual revenue from selling personal information.

The definition of personal information under the CCPA also extends to digital identifiers, such as cookies. It requires websites to inform users about the cookies set by the site, their source, their purposes, and whom the site shares the information with. The website must also provide an opt-out choice for users to deny the site from selling or sharing their personal information. This option must be easily accessible and user-friendly.

How to comply with the cookie law?
As we’ve seen, many laws have almost the same requirements save for a few clauses. So, if you want your website to comply with these laws, there are some common best practices that you can adopt for it.

#1 Identify cookies
To understand which types of cookies you need to regulate, you must first identify the types of cookies your website uses. You need to know which cookies require consent, so that you can block them until that consent is received.

#2 Update your privacy/cookie policy
A privacy policy tells the website’s users all about the site’s data collection, use, and disclosure practices. It lets users know what type of personal data the site collects, from where and why. It tells them how they can manage it and what they can do to exercise their data rights, like the right to access, correct, or delete. The privacy policy also discloses where the website shares the data for its services and how users can contact the site admin to register complaints or raise further queries.

A cookie policy is usually part of the privacy policy and sometimes a separate page. You can add the details about cookies, along with all the other relevant details mentioned above, to the privacy policy itself, or you can add a separate page to share details about cookies.

#3 Inform users
Your website must inform users about the cookies it uses and their purposes. Usually, this should be done before the point of data collection, i.e. the first time the users visit the site. The information should be given in plain and simple language so that the users can make an informed decision about proceeding with the data collection or monitoring by cookies.

  [Image: a cookie banner informing users about cookies, one of the cookie law requirements, with an easy-to-understand and clear message about why the site uses cookies and what users can do to manage them]

The cookie notification is usually implemented via a cookie banner.

#4 Cookie consent
Additionally, the website must also give the option for cookie consent. It must give users the choice to opt in or opt out of cookies. They can select either of these and the website must implement it. That is, if the users choose to opt in, the site can load the cookies. However, if they opt out, the site should not load the cookies.

There is also one more option that the banner must provide: setting user preferences. Users use it to give consent to the types of cookies that they want the site to load and to block the others. You must ensure that the website loads cookies only when the users explicitly give their consent, e.g. by clicking a button or link. Implied consent, i.e. scrolling the website without taking any action or closing the cookie banner, is not an indication of opt-in consent.

#5 Allow users to withdraw consent
There are times when the users may change their minds and want to withdraw their cookie consent. The website must allow users to do that any time they wish. This allows for a user-friendly system and gives them more control over the privacy of their data. Once they withdraw consent, the website must immediately cease collecting or tracking any personal data using those cookies.

#6 Record cookie consent
Laws like the GDPR require websites to be able to prove that they received consent. To do that, you must document every consent that users give to your site in case the users ask for it.
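Steps #3 to #6 above describe one consent-gating procedure; the following is an added example, not code from the original article, showing how a minimal consent manager can enforce it: non-essential cookies stay blocked until an explicit click, per-category preferences are honoured, withdrawal clears the non-essential cookies, and every consent event is recorded with a timestamp as evidence. The cookie names, their categories and the `store` object are assumptions; in a browser `store` would wrap `document.cookie` or a cookie library.

```javascript
// Constructed cookie inventory (assumption): maps each cookie the site sets to a category.
const COOKIE_CATEGORIES = {
  session_id: 'necessary', // strictly necessary: exempt from consent
  _ga: 'analytics',
  ad_id: 'marketing',
};

class ConsentManager {
  constructor(store, now = () => new Date().toISOString()) {
    this.store = store;  // plain object name -> value; stands in for document.cookie
    this.now = now;      // injectable clock so consent records are reproducible in tests
    this.record = null;  // latest consent record, kept as evidence
    this.log = [];       // append-only history of consent events (for proof of consent)
  }

  // Only an explicit click counts as consent; scrolling or closing the banner does not.
  handleBannerEvent(event, categories = []) {
    if (event !== 'click_accept' && event !== 'click_save') return false;
    this.record = { categories: [...new Set(categories)], at: this.now(), action: event };
    this.log.push(this.record);
    return true;
  }

  // Withdrawal is recorded like any other event and removes non-essential cookies at once.
  withdraw() {
    this.record = { categories: [], at: this.now(), action: 'withdraw' };
    this.log.push(this.record);
    for (const name of Object.keys(this.store)) {
      if (COOKIE_CATEGORIES[name] !== 'necessary') delete this.store[name];
    }
  }

  // A cookie may be set only if it is strictly necessary or its category was consented to.
  // Design choice here: cookies missing from the inventory are never set.
  allowed(name) {
    const cat = COOKIE_CATEGORIES[name];
    if (cat === undefined) return false;
    if (cat === 'necessary') return true;
    return this.record !== null && this.record.categories.includes(cat);
  }

  // The single gate through which the site sets cookies; returns whether it was set.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.store[name] = value;
    return true;
  }
}
```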
