The ePrivacy Directive 2002/58/EC (or Cookie Law) was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and it still applies today. You can think of the ePrivacy Directive as currently “working alongside” the GDPR in a sense, rather than being repealed by it.
Directives set certain agreed-upon goals and guidelines in place with member states being free to decide how to make these directives into national legislation.
Regulations, on the other hand, are legally binding across all Member States from the moment they are put into effect and they are enforced according to union-wide established rules.
The Regulation is expected to maintain values similar to the Directive, with many of the same guidelines applying.
Who is subject to the Cookie Law?
The implementation of the Cookie Law depends on the legislation under which the website operates. In general, websites that use third-party cookies as well as their own cookies for tracking and analytics must comply with the law and to do so are required to obtain the user’s express consent.
What does the Cookie Law require?
Under the Cookie law, organizations that target users from the EU must inform users about data collection activities and give them the option to choose whether it’s allowed or not.
In practice, you’ll need to:
show a cookie banner at the user’s first visit;
allow the user to provide consent. Prior to consent, no cookies — except for exempt cookies — can be installed.
Further information about Cookie Law
For further details on the Cookie Law, we invite you to read our documentation and the official statements from the country you might be affiliated with or targeting. Great guidance can be accessed through the Article 29 Working Party (which is a group comprised of various data protection regulators that aim to simplify Europe’s diversity):
The iubenda Cookie Solution allows you to manage all aspects of the Cookie Law, in particular:
obtain and save cookie consent settings;
preventively block scripts prior to consent; and
keep track of consent and save consent settings for each user for up to 12 months from the last site visit.
You can collect consent via multiple mechanisms including continued browsing, scrolling, and/or specific clicking actions. Keep in mind though that allowed consenting actions may differ depending on the Member State law.
Below you will find all necessary steps to use iubenda to make sure you comply with the Cookie Law.
How to add the cookie consent banner
Click on Generate now under Dashboard > [Your website/app] > Cookie Solution:
This will take you directly to the configuration panel of your cookie banner:
Simply copy and paste it before the end of the HEAD tag of your pages. Alternatively, you can use one of our plugins: currently we have plugins available for WordPress, Joomla!, PrestaShop and Magento.
How to request consent from EU users only
The Cookie Solution also allows you to indicate whether or not you’d like to apply GDPR protections to the following:
All your users. In this case, consent will be requested from all users of your site. This is the default setting.
Only your EU users. In this case, consent will be requested from EU users only.
Here’s an example: a US-based e-commerce site has different sections available to users in the US and in Europe. They want to apply GDPR protections (i.e. show the cookie banner) to just their EU-based users.
We’ll soon add a dedicated option in the Cookie Solution configurator; in the meantime, you can set gdprAppliesGlobally:false and countryDetection:true to request consent from EU users only:
If you choose to request consent from EU users only, but prefer to implement your own country detection system, you’ll have to set gdprApplies:false on pages where consent is not required.
For more details about consent collection settings, see our advanced guide.
If you are EU-based, it is mandatory that you apply the protections to all users and not just users based in the EU.
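For the "own country detection" case above, this added example (not iubenda code) decides per page view whether to emit gdprApplies:false, and falls back to the default of asking everyone whenever the country is unknown or the operator is EU-based. Only the option name gdprApplies comes from this page; the function name, the country list and the "unknown" codes are assumptions.

```javascript
// Added example, not iubenda code. Assumptions: consentOptionsFor, the country
// list and the "unknown" codes are hypothetical; only gdprApplies is from the page.

// EU member states as ISO 3166-1 alpha-2 codes (assumed list; keep it current).
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

// Placeholder codes some geo-IP sources return when they cannot locate a visitor
// (assumption; adjust to whatever your own lookup emits).
const UNKNOWN_CODES = new Set(["XX", "ZZ"]);

/**
 * Returns the consent-related options to merge into the page's Cookie Solution
 * configuration.
 *   countryCode       - output of your own country detection (may be null or junk)
 *   operatorIsEuBased - true when the site operator is EU-based
 * An empty object means "leave the default", which requests consent from all users.
 */
function consentOptionsFor(countryCode, operatorIsEuBased) {
  // EU-based operators must apply the protections to every user.
  if (operatorIsEuBased) return {};

  const code = typeof countryCode === "string" ? countryCode.trim().toUpperCase() : "";

  // Fail closed: a missing, malformed or placeholder code is treated as
  // "consent required", so a broken lookup never silently disables the banner.
  if (!/^[A-Z]{2}$/.test(code) || UNKNOWN_CODES.has(code)) return {};

  // EU visitor: keep the default so consent is requested.
  if (EU_COUNTRIES.has(code)) return {};

  // Positively identified non-EU visitor: consent is not required on this page.
  return { gdprApplies: false };
}

// Constructed sample inputs, as a stand-alone demonstration.
for (const [country, euOperator] of [["US", false], ["de", false], [null, false], ["US", true]]) {
  console.log(country, euOperator, JSON.stringify(consentOptionsFor(country, euOperator)));
}
```

The country decision should be made server-side, or from a source the visitor cannot override, because a client-controlled value would let the page skip the consent request for an EU user.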
How and when to preemptively block codes/cookies
According to the Data Protection Working Party, a European think tank and advisory body on data protection and privacy, few categories of cookies are exempt from the consent requirement. Therefore, all other codes that install or can install cookies must be preemptively blocked before consent is obtained.