What is the Cookie Directive (the EU Cookie Law)?
The Data Protection Directives – also known nationally as the “Cookie Directive” – are a European Directive (ePrivacy Directive) from 2002 – revised in 2009 – which has been transposed into national law in the European member states.
If you own a website or online shop, you are subject to the requirements of the Privacy Directive, the interpretation of which is prescribed by your country of residence. This applies regardless of whether your website is privately owned or owned by a business or public authority.
The Data Protection Directives state that all websites in the EU must obtain consent from their visitors in order to store cookies on users’ computers or smartphones (terminals).
Who does the Cookie Directive affect?
If your website uses cookies (first-party and third-party cookies), you are responsible for informing your website visitors about your use of cookies. You must do this explicitly in a cookie consent banner.
In addition, you must collect and securely store your users’ consent to cookies (up to 5 years).
The storage of consents is required and must be verifiable in case you are subject to an inspection or have to comply with a request for access to personal data from the state data protection authority.
Remember that the requirements for collecting and processing personal data have been tightened with the General Data Protection Regulation (GDPR).
This is what the EU Cookie Directive says
In the European Union, Directive 2009/136/EC aims to ensure and strengthen the protection of personal data during website visits. The EU Cookie Directive, adopted in 2009, was supposed to be implemented by all member states by 2011 at the latest – but this did not happen.
The Cookie Directive essentially stipulates that visitors to a website must be informed about the use of cookies in an easily understandable form and must consent to their storage. According to the directive, cookies may only be set without being asked if they are technically necessary – for example, to implement a service desired by the user. These include, for example, session cookies for storing language settings, log-in data and the shopping basket, or Flash cookies for playing media content.
However, website operators require user consent to use most cookies. This applies to all cookies that are not technically necessary for the functioning of the website. Above all, advertising cookies used for retargeting, but also analysis and social media cookies count among these. However, the EU Directive does not specify how exactly the above-mentioned requirements are to be implemented. Above all, there is uncertainty regarding the declaration of consent by website visitors.
Contents of the current EU Cookie Directive
With the Cookie Directive, the European Union wants to protect the personal data of internet users more strongly. Basically, the EU distinguishes between technically necessary and non-necessary cookies:
Technically necessary cookies: necessary data storage includes cookies that are absolutely necessary for the functions of a website. This means, for example, the storage of log-in data, the shopping basket or the language selection by so-called session cookies (which are deleted when the browser is closed).
Technically not necessary cookies: In contrast, text files that do not solely serve the functionality of the website but also collect other data are regarded as not necessary cookies. These include the following:
Tracking cookies
Targeting cookies
Analysis cookies
Cookies from social media websites
According to the Cookie Directive, necessary cookies may be set from the outset, i.e. even without prior consent by the user. In contrast, website visitors must consent before the cookies store non-essential data. Thus, according to general understanding, the EU Cookie Directive requires a so-called opt-in solution for non-essential cookies.
This is the difference between opt-out and opt-in:
Opt-out: Cookies are set from the beginning – users can only object to the data storage afterwards.
Opt-in: Cookies are not set from the beginning, but only when the user agrees to the data storage.