Cookie Laws 101: What should you be doing and why?

What is a cookie?

Unfortunately it’s not a tasty snack. It’s a small piece of data stored in your browser that allows a website to remember your preferences over time. Most websites need them in order to function. But they can also help with analytics and targeted advertising. 

There’s heaps more information about the different types of cookies here.

So what’s this Cookie Law I keep hearing about?

One important thing you need to know straight up is that there is no EU Cookie Law. But there is an EU Cookie Directive.

What’s the difference? I’m glad you asked. The EU Cookie Directive is basically a mandatory requirement that all countries in the EU need to enforce. But here’s the kicker – they all get to enforce it by passing their own laws on how to deal with cookies.

What does this mean? 

Every EU country has its own law setting out exactly what needs to be addressed about cookies on a website, how you need to go about addressing it, and how you might be punished if you don’t comply. 

But why?

Because cookies can track your activity. And nobody likes being tracked. More importantly, cookies can be used to create a profile of things you’re interested in. This is how targeted online advertising works – and nobody likes being a target. They see it as an invasion of their privacy.

The law is designed to protect the right to privacy by making people aware of what information is being collected about them and how it is being used and stored, while also allowing them to choose whether to allow this. 

Annoying 90% of the internet and stressing out 100% of developers is just a magnificent side-effect.

Let’s start at the beginning with the EU Cookie Directive…

The EU Cookie Directive in a nutshell (the one that isn’t a law) 

Firstly, there’s a lot of information out there to sift through and it’s hard to know what’s true and what’s not. I’m referring to this document here, which outlines the amendments to what’s become known as the Cookie Directive.

The basic gist of this directive is that any website may use cookies only if ‘the user concerned has given his or her consent, having been provided with clear and comprehensive information’ about the process. 

(Sourced from the above linked document.)

In plain words, you need to tell people clearly about the cookies being used on your site and provide a clear way for them to consent to the use of said cookies.

Should I be worried about asking for cookie consent?

Currently, any person or business that runs a website within the EU needs to comply with some sort of cookie law because your country is required to crack down on this under the EU Directive.

How do I make sure users consent to cookies?

This is where a lot of confusion lies because each country within the EU has its own laws in place to enforce the Cookie Directive. 

Some countries allow implied consent through the user’s browser settings, and others require users to be explicitly informed about any cookies used on the site. To be safe, I’d go with the latter option wherever you are. 

Some countries require an opt-in model, where all unnecessary cookies are turned off unless users choose to allow them. Other countries allow an opt-out model, where cookies are automatically turned on unless users decide otherwise. 

If you really want to display the bare minimum information on your site, we advise looking up your country’s specific laws and interpretation of the Cookie Directive.

What happens if my site doesn’t comply?

Again, that depends on which country you’re in. There are places users can go online to complain about cookies being used on websites without their consent. This is the UK’s version. If you can find the relevant office in your country, that’s probably the best place to check.

Simply saying you use cookies may not be enough. Some laws require that users be allowed to opt out of any cookies that are not necessary to make your website function.

Punishments can range from fines to apparently five years’ imprisonment (French law) for not complying – although we don’t think the imprisonment sentence has actually been enforced. Fines have definitely been handed out already. This blog describes some fines that have been handed out by the Spanish Data Protection Authority.

What’s the safest option for my site?

1) Investigate: Follow the crumbs

Unfortunately, you’re going to have to know exactly which cookies are active on your site. A good place to start reading about cookies is Cookiepedia.

It’s probably also a good thing to get rid of any stale cookies. After all, the fewer cookies you have, the fewer cookies you need to tell people about.

Either way, make sure you find all the cookies. You don’t want to be hit with a fine because someone found a surprise cookie on your site.

A lot of sites we’ve come across are using One Trust’s Cookie Consent solution. There’s also a heap of plugins that help with cookie compliance on the WordPress Repo.

2) Inform: tell users you’ve got cookies

Make sure users are aware that you’re using cookies and be specific about their purpose and how they’re used. If you want to be super covered, explain to your users what cookies are as well.

Cookiepedia’s explanation of how cookies are used using One Trust

Some cookies are necessary for your site to run and cannot be switched off. Make sure users are aware that these are essential cookies.

Cookiepedia’s explanation of strictly necessary cookies using One Trust

Tell them how to prevent these cookies – even if that means they don’t get the full functionality of your site, or worse, they can’t use your site at all. That’s just the way the cookie crumbles.

3) Choice: let users say no to cookies

Allow users to switch off any cookies that are not necessary to the functionality of your site. Explain that you use analytics to help monitor and improve the content of your site. Give users the choice to opt out before agreeing.

Cookiepedia’s cookie section allowing users to turn off Google Analytics cookies

Unfortunately, this means you can’t properly analyze the performance of your site, but these kinds of cookies can’t be forced on people.

This also applies to any other third-party cookies, such as those used for advertising.

Description of third-party cookies used on Fieldfisher using One Trust

4) Consent: silence does not mean yes

Make sure your users are consenting to cookies through a clear action. Simply using your site is not enough. The safest option is to have an ‘I agree’ or ‘I accept’ box in one of those annoying little popups or banners.

One Trust’s cookie notification banner with an accept button and easy access to settings

However, if you’re REALLY against the banner, feeling a little bit risky, and your country’s laws allow it, you might get away with simply making sure users have a clear and easy to access way to enable and disable cookies somewhere on your website. 
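Steps 1 to 4 put together, as an added example that is not code from this post or from One Trust: an opt-in consent check plus a cookie audit that flags surprise cookies and cookies set without consent. The cookie names, the `cookie_consent` cookie and its JSON format are all hypothetical.

```javascript
// Constructed inventory (step 1): every cookie the site sets, with its category.
// All names, including cookie_consent and its JSON format, are hypothetical.
const INVENTORY = new Map([
  ["session_id", "necessary"],
  ["cookie_consent", "necessary"],
  ["_ga", "analytics"],
  ["ad_id", "advertising"],
]);

// Parse a Cookie header (or document.cookie string) into a name -> value Map.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of header.split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq > 0) cookies.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return cookies;
}

// Opt-in model (steps 3 and 4): a category is on only if the stored choice says
// exactly `true`. A missing or malformed record means no consent was given.
function readConsent(cookies) {
  const consent = { necessary: true, analytics: false, advertising: false };
  try {
    const stored = JSON.parse(decodeURIComponent(cookies.get("cookie_consent")));
    consent.analytics = stored.analytics === true;
    consent.advertising = stored.advertising === true;
  } catch {
    // keep the defaults: silence is not a yes
  }
  return consent;
}

// Audit the cookies actually present: "unknown" are surprise cookies missing from
// the inventory, "withoutConsent" belong to a category the user has not accepted.
function auditCookies(header) {
  const cookies = parseCookies(header);
  const consent = readConsent(cookies);
  const report = { allowed: [], withoutConsent: [], unknown: [] };
  for (const name of cookies.keys()) {
    const category = INVENTORY.get(name);
    if (!category) report.unknown.push(name);
    else if (consent[category]) report.allowed.push(name);
    else report.withoutConsent.push(name);
  }
  return report;
}
```

Run `auditCookies` over the `Cookie` header of a fresh visit: anything in `withoutConsent` or `unknown` at that point was set before the user made a choice.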

Let’s compare cookies!

Since we’re all going to have to be open about our cookies, it makes sense to take a look at how people have gone about it.

The massive cookie notice

These are the giant cookie signs. Generally we just want them out of our face, so we click something, anything, just as long as it lets us through to see what we’re actually there for.

Example of the cookie notification on the ICO website

It should be noted though that all that text coupled with a hard to ignore notification means that nobody can deny they knew about cookies when they visited your site.

Annoyance level: 100%
Usefulness: 90%

The persistent, yet discreet cookie notice

These are the sites you can still use almost like normal. You only notice something is in the way if you’re searching for the scroll bar or contact details.

The discreet cookie notice banner used by our friends at Brandweb

This makes for the most user friendly site, but could also be missed more easily than the other options. You might risk people using your site without clearly indicating their consent.

Annoyance level: 10%
Usefulness: 70%

The hard to ignore up-sized cookie banner

These ones are a bit harder to ignore. Sometimes we stay on a site and keep scrolling and getting more and more frustrated without realizing why. Then we notice the giant banner that has been covering half the screen the whole time.

These larger banners mean users either have to click agree or do a lot of scrolling

This is good because it provides the user with an option to read more or even better, gives them quick access to modify cookie settings, such as those for analytics and third-party cookies.

Annoyance level: 50%
Usefulness: 85%

The old fashioned pop up cookie box

I’m sure they still exist, but I struggled to find one on an actual site. So, here’s an example of what it might look like.

Pop up cookie notification example for maximum user annoyance.

These pop ups are extremely annoying and probably will result in users just navigating away because who wants to click accept before even knowing if the site is worth looking at?

Annoyance level: 100%
Usefulness: -5%

A note for those outside the EU…

And if you’re lucky enough to live outside of the EU, like we do, maybe it’s time to think about standing in solidarity with our EU counterparts and including a cookie banner or pop up on your site. It’s definitely something we’re going to look into.

Who knows, maybe with our combined efforts, we’ll annoy the internet so much that the Cookie Directive will be reversed. If not, at least you’re getting in early before your country also introduces a cookie law, which will probably happen. Sometimes it pays to live in a backwards country, am I right?

Disclaimer: please note that we are not lawyers or politicians. Although a lot of effort has gone into this post, we advise that you seek professional advice or at least read your local laws before initiating your own cookie notification protocol.


Hi, I'm Lari.
I hope what I've written here is easy to understand and you find it useful. Feel free to drop a comment if you've got any questions or topics you want me to look into and write about! Catch you in the next one 😊
