Contact us Today!

EU Cookie Directive Law

Here is an overview of the EU Cookie Directive, Directive 2009/136/EC, the European law reinforcing protection for users on electronic communication networks and services on cookies.

The European Union amended the ePrivacy Directive in 2009 to require companies to obtain informed consent for storage or access of data on electronic devices. The requirement applies to all types of information on the terminal device even though the majority of the discussion has been on its implications for the usage of cookies.

Specifically, Article 5.3 says:

“Member states shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an onformation society service explicitly requested by the subscriber or user.”

In other words, the user must get:

1. clear and comprensive information about the purposes of processing
2. the right to refuse such processing

Why adopt the Cookie Law?

Recital 24 (in relevant part) explains:

“Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users.”

In other words, the EU Cookie Law helps fulfills the intent of the ePrivacy Directive, which is to maintain the protection of privacy in the electronic communications sector.

What are Cookies?

Websites use cookies to identify users, remember preferences and help complete taks without re-entering information. They can also be used for other online tracking, such as showing relevant advertising based on past user searches. They are placed on a computer or mobile device by the web server offering the page and can be retrieved to alter the content of pages as a result of the values. They are typically classified according to their lifespan and the domain placing them.


Session Cookies: Erased when the browser is closed.

Persistent Cookies: Remains for a pre-defined period of time on the device or computer.


First-party cookies: Set by the web server of the visited page and sharing the same domain with it.

Third-party cookies: Stored by a different domain then the domain visited, through a reference on the page to the file from another domain.

Do you need a solution to capture consent for cookies? Consider our Cookie Consent Manager.


Exempted Cookies

Despite the breadth of the law, consent is not required under it for certain types of cookies that are used solely to carry out the transmission of a communication or are necessary to provide an information society service explicitly required by the user. These exemptions are set forth in Article 5.3.

First Exemption

To meet the first exemption, the communication’s transmission must not be possible without the cookie in order to avoid the informed consent requirement. If it merely assists or speeds up the electronic communication, consent must be captured as it is not sufficient. Additionally, the necessity of the cookie must be its “sole purpose”.

The Article 29 Working Party determined that there are at least three elements that are strictly necessary for communications:

1. The ability to route the information over the network.
2. The ability to exchange data items in their intended order.
3. The ability to detect transmission errors or data loss.

Cookies that fulfill one of the above purposes, without containing other purposes, would meet the exemption.

Second Exemption

There is a two-part test for cookies to meet the second exemption:

1. The information society services has been explicitly requested by the user.
2. The cookie is strictly needed to enable the information society service.

In other words, the user must take a positive action to request the service and the service must not be able to work without the cookie. Additionally, Recital 66 requires a clear link betwen the service requested and the cookie. A cookie is not strictly necessary if it does not provide a specific function requested by the user.

Common Cookie Notice Exemptions

The Article 29 Working Party has set out certain cookies which are exempt under these standards, including user-input cookies, authentication cookies, user-centric security cookies, multimedia content player cookies, load-balancing cookies, user-interface customization cookies, and third-party social plug-in content sharing cookies. However, there are limitations.

User-Input cookies: These session cookies are used to track user inputs in a series of message exchanges with a service provider. They track user input during online forms or the items in a shopping cart. They are exempt under the second exemption as an explicitly requested information service tied to user action.

Authentication cookies: These cookies are used to identify a logged in user (on a website or other program). They allow successive visits without re-authentication and permit access to authorized content. If these cookies were not used, the user would have to provide a username and password on each page request. However, the exemption does not apply if the cookie engages in other purposes such as monitoring behavior or tracking for advertising. It also does not apply to persistent login cookies which store authentication across browser sessions.

User centric security cookies: Cookies which solely increase the security of the service requested are also exempt (even if they are persistent). However, they are not exempt if they also bolster security of other websites or third party services not requested by the user.

Multimedia player session cookies: These cookies store technical data for video playback or audio content. They are exempt under the second exemption if the user explicitly requests the text and video contents of a website, there is no other information on the “flash” cookies, and it expires once the session ends.

Load balancing session cookies: Cookies are sometimes necessary to ensure that all requests from a specific user are forwarded to the same server in a pool to maintain consistency.

UI customization cookies: These cookies store user preferences across pages without a link to a username. Examples include language preference cookies and result display preference cookies (such as the order or number of results on a page). Short term session cookies are exempt under the second exemption.

Social plugin content sharing cookies: The cookies used to allow social media users to share content from other websites are exempt for logged in users. However, they are not exempt for non-users, logged-out users, if they do not expire on log out / browser close, or if they are used for other purposes.

The Article 29 Working Party also identified a few different cookies which do not meet either exemption, such as social plug-in tracking cookies, third-party advertising cookies or first party analytics cookies.

Here is the link to the April 2012 Opinion on Cookie Consent Exemption from WP29 for more on the exemptions.

Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.

Related Content

ePrivacy News
GDPR Requirements for Cookie Consent Compliance
Cookie Banner Generator for Enterprise Businesses
Cookie Consent Manager for GDPR & ePrivacy
EU Cookie Directive Law
Cookie Consent and the ePrivacy Regulation (formerly ePrivacy Directive)
Cookie Compliance Tools: Consent Manager and Cookie Scanner
Full Text of Proposed ePrivacy Regulation from April 2018