The EU Cookie Law, or ePrivacy Directive, requires websites to obtain consent from users before storing information on, or reading information already stored on, the user's device; cookies are the most common case. This law applies to every website with visitors from the EU, regardless of the business's location. US-based websites must comply with the EU Cookie Law if they have EU-based users and set cookies (or use similar tracking technologies) on their site. If a US website does not conduct any business with EU residents and does not set any cookies, it may not be required to comply with the EU Cookie Law.
| Characteristics | Values |
|---|---|
| Does the EU cookie law apply to US websites? | If a US-based website has EU-based users, then informed consent must be freely given by those EU-based users before any non-essential cookies are set. This typically means having a cookie notice in place and blocking cookie-setting scripts from executing until consent is collected. If the user refuses to grant consent, then those cookies must not be set. All relevant disclosures related to the use of cookies should be made available to users via an up-to-date cookie policy. |
| Does the GDPR apply to US websites? | If a US-based website offers goods or services to, or monitors the behaviour of, people in the EU, the GDPR applies to that processing, but only as it relates to its EU-based users. Serving analytics or behavioural-advertising trackers to EU visitors counts as monitoring, so a site that sets such cookies for EU visitors should assume it is in scope; mere accessibility from the EU on its own is not enough. Keep in mind that identifiers such as an IP address or a cookie ID are personal data under the GDPR. |
The EU Cookie Law and its Requirements
The EU Cookie Law, also known as the ePrivacy Directive, is privacy legislation that requires websites to obtain consent from visitors before storing information on their device or accessing information already stored there, whether or not that information is personal data. It was passed in 2002 (Directive 2002/58/EC) and amended in 2009 (Directive 2009/136/EC), which is when the consent requirement for cookies was introduced. The law aims to protect the privacy of users by giving them the right to refuse consent if a company wants to store or read information on their device.
The EU Cookie Law applies to every website with visitors from the EU, regardless of where the business is located. A website is in scope if:
- It uses cookies or similar technologies that store or read information on the visitor's device
- It has visitors located in the EU
A website in scope must:
- Refrain from placing trackers and cookies on users' browsers until they have given their consent.
- Ask users for consent for all non-essential trackers and cookies on the site.
- Provide users with detailed information about all trackers and cookies used on the site.
- Allow users to withdraw or opt out of consent as easily as they opted in.
It is important to note that the consent requirement only applies to non-essential cookies, such as advertising and social media cookies. Essential cookies, which are necessary for the website's core functions, are exempt from the consent rule, although they should still be listed and explained in the cookie policy.
To comply with the EU Cookie Law, websites commonly use a consent management platform (CMP) to scan for cookies and trackers, block them until consent is given, provide information to users, and securely store consent records.
Failure to comply with the EU Cookie Law can result in penalties, typically administrative fines, set by each member state's implementing law and enforced by its national regulator, so the amounts vary by country.
Who Needs to Comply with the EU Cookie Law?
The EU Cookie Law, or the ePrivacy Directive, applies to every website with visitors from the EU, regardless of where the business is located. This means that if your website sets cookies (or uses similar tracking technologies) and has visitors in the EU, you must comply with the EU Cookie Law.
Even if you don't currently have any EU visitors, it is recommended that you follow the EU Cookie Law rules since you may receive traffic from the EU in the future.
The EU Cookie Law requires you to:
- Refrain from placing trackers and cookies on users' browsers until they've given their consent for you to do so.
- Ask users for consent for all non-essential trackers and cookies on your site.
- Give users detailed information about all trackers and cookies on your site.
- Allow users to withdraw or opt out of consent as easily as they can opt in.
These rules do not apply to essential cookies, which are strictly necessary for providing an online service the user has explicitly requested or are used to carry out the transmission of communications over a network. Typical examples are a session cookie for a shopping basket or login, a load-balancing cookie, a CSRF token, and the cookie that records the user's own consent choice.
It's important to note that, as a directive, the EU Cookie Law does not apply to websites directly: it obliges each EU member state to transpose its rules into national law, and it is that national law (for example France's Loi Informatique et Libertés, enforced by the CNIL) that a website is held to. Non-compliance can result in fines, which vary depending on the jurisdiction and the severity of the violations.
How to Comply with the EU Cookie Law
The EU Cookie Law, or the ePrivacy Directive, requires websites to obtain consent from visitors before storing information on, or reading information from, their devices. Here are some steps to comply with this law:
Use a Managed Solution:
- Utilise tools and applications that can help you comply with the EU Cookie Law automatically.
- Ensure that users only have cookies on their browsers that they consented to.
- Detect, categorise, and block scripts from running based on users' unique cookie settings.
- Create a cookie policy tailored to your business.
- Collect user consent through fully customised cookie banners, shown in the language appropriate to each user's location.
Manual Implementation:
If you don't want to use a managed solution, you can implement the requirements manually. This is more time-consuming, and you should only attempt it if you have a good understanding of data privacy law and the technical capability to detect, categorise, and gate every cookie-setting script on the site.
Don't Use Cookies at All:
You can choose not to use cookies, but this may be challenging if your site is more than static HTML. You may have to sacrifice certain functions such as comments or embedded videos. Note that the directive covers any information stored on or read from the device, so replacing cookies with localStorage, IndexedDB, or browser fingerprinting does not take a site out of scope.
Conduct a Cookie Audit:
Identify all cookies and trackers in use on your website to know what is set on users' devices. Include cookies set by Set-Cookie response headers and by JavaScript, and those set by third-party scripts such as analytics, ad tags, and embedded players. Categorise cookies as essential (strictly necessary) or non-essential, record each one's purpose, lifespan, and the party that sets it.
Develop Clear Policies:
Cookie Policy:
Create an accessible cookie policy detailing the cookies used, their purposes, and their lifespan. Link this policy to your cookie banner.
Privacy Policy:
Maintain a privacy policy explaining how users' personal data collected via cookies is processed, their data rights, and other requirements. Link to this policy where consent is requested or at points of data collection.
Implement a Cookie Banner:
Use a cookie banner to inform users about the cookies, their purposes, the legal basis for processing, expiration periods, and third-party providers. Provide clear options for users to accept or reject each type of cookie, make rejecting as easy as accepting (a single "Refuse all" control as prominent as "Accept all"), and avoid cookie walls that block access until consent is given.
Document and Store Consent Records:
Keep records of users' cookie consent choices to demonstrate compliance: what was shown to the user (banner and policy version), when the choice was made, and which categories were accepted and which were rejected.
Conduct Regular Audits:
Perform periodic audits to identify any new cookies added to your site and update your policies and consent processes accordingly.
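The audit steps above can be made repeatable. The following is an added example, not code from the original article or from any consent-management product: it takes Set-Cookie headers captured from page loads (for instance from a crawler or proxy log), compares them with the site's declared cookie inventory, and reports undeclared cookies, non-essential cookies set before the matching consent category was granted, lifespans longer than the policy promises, and cookies coming from third-party hosts. The inventory, hostnames, headers, and the fixed clock are all constructed for illustration.

```python
"""Audit captured Set-Cookie headers against a declared cookie inventory.

Added example for this article (not the page's own code). The inventory,
hostnames and headers below are constructed; SITE_DOMAIN is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "example.com"  # assumed first-party domain of the audited site


@dataclass(frozen=True)
class DeclaredCookie:
    name: str
    category: str             # "essential" needs no consent; anything else does
    max_age_days: int | None  # lifespan promised in the cookie policy; None = session


# Hypothetical inventory taken from the site's published cookie policy.
COOKIE_POLICY = {c.name: c for c in [
    DeclaredCookie("session_id", "essential", None),
    DeclaredCookie("cookie_consent", "essential", 365),
    DeclaredCookie("_ga", "analytics", 400),
    DeclaredCookie("ads_id", "advertising", 90),
]}


@dataclass(frozen=True)
class Finding:
    cookie: str
    host: str
    issue: str


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), attrs


def lifespan_days(attrs: dict[str, str | None], now: datetime) -> float | None:
    """Lifetime in days; Max-Age wins over Expires. None for session cookies
    and for deletions (Max-Age <= 0 or an Expires date in the past)."""
    if attrs.get("max-age") is not None:
        days = int(attrs["max-age"]) / 86400
    elif attrs.get("expires") is not None:
        expiry = parsedate_to_datetime(attrs["expires"])
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        days = (expiry - now).total_seconds() / 86400
    else:
        return None
    return days if days > 0 else None


def audit(captured: list[tuple[str, str]], granted: set[str], now: datetime) -> list[Finding]:
    """captured: (responding host, Set-Cookie header) pairs from one page load.
    granted: consent categories the user had accepted when the load happened."""
    findings: list[Finding] = []
    for host, header in captured:
        name, attrs = parse_set_cookie(header)
        declared = COOKIE_POLICY.get(name)
        if declared is None:
            findings.append(Finding(name, host, "undeclared"))
        else:
            if declared.category != "essential" and declared.category not in granted:
                findings.append(Finding(name, host, "set_without_consent"))
            days = lifespan_days(attrs, now)
            if days is not None:
                if declared.max_age_days is None:
                    findings.append(Finding(name, host, "persistent_but_declared_session"))
                elif days > declared.max_age_days:
                    findings.append(Finding(name, host, "lifespan_exceeds_policy"))
        if host != SITE_DOMAIN and not host.endswith("." + SITE_DOMAIN):
            findings.append(Finding(name, host, "third_party_host"))
    return findings


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed capture of a first page load, before the visitor has chosen anything.
BEFORE_CONSENT = [
    ("www.example.com", "session_id=9f3a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "cookie_consent=pending; Max-Age=31536000; Path=/; SameSite=Lax"),
    ("www.example.com", "_ga=GA1.2.555; Max-Age=63072000; Domain=.example.com; Path=/"),
    ("tracker.adnet.invalid", "ads_id=x1; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/"),
    ("www.example.com", "ab_test=B; Max-Age=86400; Path=/"),
]

if __name__ == "__main__":
    for phase, granted in (("before consent", set()), ("analytics accepted", {"analytics"})):
        print(f"--- {phase} ---")
        for f in audit(BEFORE_CONSENT, granted, NOW):
            print(f"{f.issue:32} {f.cookie:16} from {f.host}")
```

Run it as a script to see the report for the same capture under two consent states. The `session_id` and `cookie_consent` cookies produce no findings, `_ga` is flagged twice before consent (set without consent, and a 730-day lifetime against a declared 400) and once after analytics is accepted, `ads_id` is flagged for consent, lifespan and third-party origin, and `ab_test` is reported as undeclared so it can be added to the policy or removed. Feeding the function real captures from a headless browser run on a fresh profile, with no consent and then with each category accepted, gives the periodic audit the article recommends.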
Penalties for Non-Compliance with the EU Cookie Law
The EU Cookie Law, or the ePrivacy Directive, requires websites to obtain consent from users before storing information on, or reading information from, their devices. The directive itself does not specify penalties; each member state sets them in national law, and its regulator enforces them, so penalties vary depending on the jurisdiction and the severity of the violation. Here are some examples of enforcement actions over cookie consent:
- France's data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) in January 2023 for making it difficult for users to refuse cookies. TikTok resolved the issue by adding a "Refuse All" button to its site.
- Microsoft Ireland was fined €60 million ($65 million) by CNIL in December 2022 for not providing an easy option to refuse cookies on bing.com.
- For comparison from the US side: in August 2022, Sephora became the first company publicly fined under the California Consumer Privacy Act (CCPA), not the ePrivacy Directive, for failing to honour opt-outs from the sale of personal data. They were fined $1.2 million and ordered to revise their online disclosures and privacy policies.
- Google was fined a total of €150 million ($162 million) by CNIL in December 2021 for not providing a simple way for users to refuse cookies on google.fr and youtube.com.
- Facebook Ireland Limited was fined €60 million ($65 million) by CNIL in December 2021 for making it difficult for users in France to refuse cookies.
- Amazon Europe Core was sanctioned with a fine of €35 million ($38 million) by the French data protection authority, CNIL, in December 2020, for placing advertising cookies on users' computers without obtaining consent or providing sufficient information.
- In November 2020, the CNIL fined Carrefour, a retail and wholesaling corporation, a total of about €3 million ($3.23 million) for a set of GDPR and cookie violations, including placing cookies on users' devices without obtaining their consent.
These examples demonstrate the potential consequences of non-compliance with the EU Cookie Law. Note the common thread in the CNIL decisions: the sites offered a one-click accept but made refusing take several clicks, which the regulator treats as consent that is not freely given.
Cookie Laws in the US
In the US, there is no comprehensive federal cookie law. However, several states have enacted comprehensive consumer privacy laws that, among other things, regulate the use of cookies and online tracking technologies, mostly through opt-out rights for targeted advertising and the sale of personal data rather than the EU's prior-consent model. These laws vary in scope and provisions, with some being more comprehensive than others. Here is an overview of the relevant state laws:
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA) (amends and expands the CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Florida Digital Bill of Rights (FDBR)
- Indiana Consumer Data Protection Act
- Iowa Consumer Data Protection Act (ICDPA)
- Montana Consumer Data Privacy Act
- Nevada Privacy of Information Collected on the Internet from Consumers Act
- New Hampshire Privacy Act
- New Jersey Data Privacy Act
- Oregon Consumer Privacy Act
- Tennessee Information Privacy Act
- Texas Data Privacy and Security Act
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
The CCPA, one of the strictest laws governing website cookies in the US, gives Californian consumers several rights, including the right to know what information companies are collecting about them, whether their information is being sold or disclosed, and the right to opt out of the sale of their personal information. The CPRA, effective January 1, 2023, amends and expands the CCPA rather than replacing it: it widens the types of data protected and gives consumers new rights, such as the right to correct their data and to limit the use of sensitive personal information.
Virginia's CDPA, effective January 1, 2023, gives consumers the right to access, correct, and delete their personal data, as well as the right to opt out of the sale of personal data, targeted advertising, and consumer profiling.
Colorado's CPA, effective July 1, 2023, applies to data controllers who operate in or sell to Colorado residents, and it gives consumers the right to know if their data is being processed, to access and correct their data, and to opt out of processing data for targeted advertising and consumer profiling.
Utah's UCPA, effective December 31, 2023, is more business-friendly and applies to data controllers or processors that do business in Utah or with Utah residents, have annual revenue of over $25 million, and meet a data-volume threshold. Consumers have the right to access, copy, and request deletion of their data, and they can opt out of having their data processed for targeted advertising or sale.
Connecticut's CTDPA, one of the more consumer-friendly privacy laws, took effect on July 1, 2023. It gives consumers the right to know whether a company is using their data, what it is being used for, and the ability to access, copy, correct, or request deletion of their personal data. Consumers must also be able to opt out of targeted advertising, consumer profiling, and the sale of their data.
While there is no comprehensive federal law, US companies that operate globally and process personal data need to be aware of global cookie laws and how they impact their data collection processes. This includes understanding the EU cookie law, also known as the ePrivacy Directive, which requires websites to obtain consent from visitors before storing or reading any information on their devices. In practice this means a US site serving EU visitors needs a prior-consent flow for those visitors, while its US visitors are typically served an opt-out.
Frequently asked questions
Does the EU cookie law apply to US websites?
The EU cookie law applies to all websites with visitors from the EU, regardless of where the business is located. If a US-based website has EU-based users and sets cookies, informed consent must be freely given by those users before any non-essential cookies are set.
What is the EU cookie law?
The EU cookie law is a nickname for the ePrivacy Directive (ePD), a piece of legislation that requires websites to get consent from users before storing information on, or reading information from, their devices.
How can a website comply with the EU cookie law?
There are three ways to comply with the EU cookie law: use a managed solution, don't use cookies at all, or manually perform all the functions of a cookie manager.