The cookie laws (ePrivacy Directive)
Disclaimer: This is not legal advice. The authors of this tool are not lawyers. We recommend the English version of this site, as English is the authors' first language. Several parts need to be handled to reach GDPR compliance; cookies are only a small part. Please consult a lawyer before implementing any solution.
The Directive covers cookies and technological relatives
An important notice about GDPR and ePrivacy
It is important to clarify that the General Data Protection Regulation does not mention cookies in any way. The GDPR applies to the processing of personal data, which includes cookies that contain personal data. Other types of cookies are regulated under the ePrivacy / cookie laws.
An upcoming ePrivacy Legislation is on the way
The European Commission is currently working on a new ePrivacy Regulation which will repeal the current ePrivacy Directive. The goal of this legislation is to provide a clearer, more precisely defined rule book for how organizations should handle tracking and advertisements online. This legislation is expected at the end of 2018, but may be postponed again.
The ePrivacy Regulation is just that, a regulation. This means it is a law in itself and will become directly enforceable in every member state without national transposition.
Enforcement & Fines
Enforcement activity to date has varied a lot between countries, but there have been severe fines for non-compliance in Spain and the Netherlands. The proposed regulation provides that non-complying organizations could be fined up to €20m or 4% of annual worldwide turnover, whichever is higher.
Different types of cookie consents
The ePrivacy Directive and each member state's own cookie laws on how organizations should handle users' consent have led to a wide variety of cookie consent solutions. This article won't go into the details of how the laws are interpreted or of the common solutions. However, a quick glance at each of them in bullet points will help.
Categorization of cookies
Cookies can be categorized into different groups based on their intended purpose. We have not noticed a standard yet, but three different categories of cookies are commonly used. These groups are:
- Strictly Necessary
The group of cookies that are Strictly Necessary is exempt from the cookie laws: they do not require consent under the law and can be set as needed. They include:
- user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- load‑balancing cookies, for the duration of session
- user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network
According to: ec.europa.eu
The other three groups should come with information about why each cookie is used, and the user must be able to opt in and opt out of one or all of these groups whenever they please. If the data in a cookie is personal data, it also falls under the GDPR.
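The rule described above (strictly necessary cookies may be set freely, every other category is withheld until the user opts in and is removed again on opt-out, and each category must be disclosed with its purposes) can be expressed as a small consent gate. The following is an added example and is not code from this page or from the tool it documents; the category names, the cookie registry and the Map standing in for `document.cookie` are assumptions made for the illustration.

```javascript
// Added example (not code from the page or from the tool it documents): a consent
// gate that releases a cookie only when its category has been opted into. Category
// names, the cookie registry and the Map standing in for document.cookie are
// assumptions made for this illustration.
const CATEGORIES = Object.freeze({
  NECESSARY: "strictly-necessary", // exempt from consent under the cookie laws
  PREFERENCES: "preferences",
  ANALYTICS: "analytics",
  MARKETING: "marketing",
});

// Constructed registry: every cookie the site may set, with its category and purpose.
// Purposes feed the consent banner; unregistered cookies are refused (fail closed).
const COOKIE_REGISTRY = Object.freeze({
  sessionid: { category: CATEGORIES.NECESSARY, purpose: "identifies the logged-in user for the session" },
  lb_node:   { category: CATEGORIES.NECESSARY, purpose: "load balancing for the duration of the session" },
  lang:      { category: CATEGORIES.PREFERENCES, purpose: "remembers the chosen language" },
  _stats:    { category: CATEGORIES.ANALYTICS, purpose: "aggregated site usage statistics" },
  _ads:      { category: CATEGORIES.MARKETING, purpose: "ad personalisation across sites" },
});

class ConsentGate {
  constructor(registry, store) {
    this.registry = registry;
    this.store = store;       // Map<name, value>; swap for document.cookie handling in a browser
    this.consent = new Set(); // categories the user has opted into
  }

  static assertCategory(category) {
    if (!Object.values(CATEGORIES).includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
  }

  optIn(category) {
    ConsentGate.assertCategory(category);
    if (category !== CATEGORIES.NECESSARY) this.consent.add(category);
  }

  // Withdrawing consent must also drop cookies already set under that category.
  optOut(category) {
    ConsentGate.assertCategory(category);
    if (category === CATEGORIES.NECESSARY) return; // exempt cookies cannot be opted out of
    this.consent.delete(category);
    for (const [name, entry] of Object.entries(this.registry)) {
      if (entry.category === category) this.store.delete(name);
    }
  }

  // Returns true if the cookie was set, false if it was withheld pending consent.
  setCookie(name, value) {
    const entry = this.registry[name];
    if (!entry) throw new Error(`refusing unregistered cookie: ${name}`);
    const allowed = entry.category === CATEGORIES.NECESSARY || this.consent.has(entry.category);
    if (allowed) this.store.set(name, value);
    return allowed;
  }

  // Data for the banner: each category with the cookies and purposes behind it.
  disclosure() {
    const out = {};
    for (const [name, { category, purpose }] of Object.entries(this.registry)) {
      if (!out[category]) out[category] = [];
      out[category].push({ name, purpose, requiresConsent: category !== CATEGORIES.NECESSARY });
    }
    return out;
  }
}

function createDemoGate() {
  return new ConsentGate(COOKIE_REGISTRY, new Map());
}

// Stand-alone run: the gate withholds an analytics cookie, releases it after opt-in,
// and removes it again on opt-out while the session cookie is untouched.
if (typeof require !== "undefined" && require.main === module) {
  const gate = createDemoGate();
  console.log("sessionid set without consent:", gate.setCookie("sessionid", "s1"));
  console.log("_stats set without consent:", gate.setCookie("_stats", "1"));
  gate.optIn(CATEGORIES.ANALYTICS);
  console.log("_stats set after opt-in:", gate.setCookie("_stats", "1"));
  gate.optOut(CATEGORIES.ANALYTICS);
  console.log("_stats still present after opt-out:", gate.store.has("_stats"));
  console.log(JSON.stringify(gate.disclosure(), null, 2));
}
```

Two design choices matter for compliance: the gate fails closed, so a cookie nobody registered (and therefore nobody disclosed) is never set, and opt-out deletes cookies already present rather than merely stopping new ones, because the user's withdrawal of consent applies to data already collected.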