Cookie Law: A Full Guide to the ePrivacy Directive

With the rise of the internet, data privacy laws have never been as vital as ever. Now, there is a consumer demand to protect online privacy and personal data

Website owners and online business websites must comply with cookie laws set by their respective national data protection authorities. 

Technology is a dangerous weapon prone to misuse, and one mistake can lead to a catastrophe. 

Today, we will discuss the EU cookie law/ePrivacy Directive and why it’s become such an important piece of legislation in various countries.

What Is the Cookie Law?

Cookie Law

The EU cookie law is one of the most important pieces of legislation today, created by the European Union. 

It serves as a measure to protect and preserve a consumer’s personal data. 

In essence, the EU cookie law protects people visiting different websites against unwanted disclosure of their personal data without their valid consent. 

Many websites today have a cookie consent banner or a pop-up message asking if you agree to the website’s cookie usage. 

You can allow or deny the cookies or manage your preferences on your settings.

You need to understand three important things when you accept the cookies, which we call the ABCs. 

Allow Personal Data Collection

When you accept the website’s cookies, you allow it to collect and store information about yourself. However, this isn’t just any kind of information but your personal data. 

The ePrivacy Directive identifies the information to include your name, email address, birthday, age, and other information that could identify you.

Today, website owners are urged to inform users about the storing and collecting of their data. 

The EU cookie law clearly requires websites and web publishers to obtain prior consent before engaging in data collection activities. 

Benefits From the Collection of Personal Data

One of the benefits of allowing cookies is that you get more personalized and targeted advertising on different platforms. 

You might have already noticed that your electronic communication platforms’ suggestions and recommended items are geared more toward your interests. 

Some people prefer it this way because they see less (or sometimes none at all) of the things they’re not interested in. 

However, only a few people share the same sentiments and opt out of this option. 

Collection of Personal Data

In most cases, it isn’t just the website you’re allowing to collect information about yourself. 

Most of the time, when you accept the cookies, you’re also allowing third-party websites to use the data gathered from you. 

So before you allow electronic communication platforms to store your information, always read the cookie banner and check the intended cookie usage.

Who Should Comply With the Cookie Law?

Websites and web publishers must comply with the EU cookie law. 

This is clear from the EU cookie law, ePrivacy Regulation, and other local legislation created by different countries.

Take the case of the UK cookie law, for example — or even the California cookie law, which is an all-encompassing and comprehensive law. 

Various countries now also have their own legislation on privacy laws, drawing inspiration from the EU cookie law. 

Today, it is as if integrating cookie law into national laws is already a global legal requirement

Websites must regulate cookies and allow users to opt-in and out of their information collection.

Without this move from the European Union, the future of common technology and the electronic communications sector is a big question mark. 

Users’ consent might not be a big deal now if it weren’t for the EU law and the ePrivacy Directive.

What Does the Cookie Law Say About Valid Cookie Consent?

If there’s one thing we should emphasize about the cookie law, it’s to always obtain consumers’ explicit consent on websites, especially for electronic communications platforms.

Before a website can engage in data-collecting activities, active consent by the user is required. But what exactly does active consent mean?

Is it enough that a cookie banner or pop-up is asking to allow cookies? No, it is not. Explicit consent must be understood in certain requirements, two of which are knowledge and exercise: 


Before a user can consent, one of the primordial requirements of the ePrivacy Directive is for users to know what they are consenting to. 

They should have clear and comprehensive information about what the data collection is for and how it affects their overall experience. 

The European data protection board has always been clear that prior consent can only be obtained if the users have proper and sufficient knowledge.

This means that websites and web publishers must put up specific and unambiguous terms their page visitors can fully understand. 


The next aspect of valid cookie consent is the exercise of such a decision. 

The ePrivacy Directive provides that users should have free reign of their choices if they want to opt in or out of the collection of their data whenever they visit a website. 

This is particularly important for websites that ask you to consent to third-party cookies. 

EU visitors enjoy this right, especially on e-communications services and other tracking technologies. 

Corollary to the right to allow cookies is the right in refusing cookies and withdrawing consent. Users should be able to refuse cookies if they desire, without consequences.

The choice to refuse consent should not be unduly burdensome on the user. Sometimes, refusing consent means they’ll have to go through a long and tedious process before accessing the website.

How Can I Comply With the Cookie Law?

Comply With the Cookie Law

Complying with the EU cookie law might seem challenging, especially for first-time website owners or businesses. 

Luckily, things don’t always have to be complicated, and you can comply with the EU cookie law yourself.

We’ve listed three effective ways to help you with EU cookie law compliance and why you should choose that option. 

Use a Cookie Consent Manager

For anyone unfamiliar with cookie consent law and yet to get their head around it, we highly recommend using a cookie consent manager. 

Essentially, a cookie consent manager is a tool that helps you comply with the EU cookie law without all the headaches. 

It is in charge of automatically collecting and storing users’ personal data. 

The cookie consent manager does the job for you, ensuring compliance with the EU cookie law and ePrivacy RegulationRegulation, without the headache. 

Several people choose this option because it is the most convenient. 

There are a bunch of cookie consent manager services that you can use to tailor-fit your needs, too (there are even convenient cookie banner generators to make things even quicker!).

It can help you comply with your local legislation and avoid fines and penalties in the near future. 

Do It Manually

If you already know the ins and outs of the EU cookie law/ePrivacy Directive, you can opt-out from a cookie consent manager and do the whole process yourself. 

Complying manually with the EU cookie law is a meticulous process that requires a lot of time, collaboration, and effort. 

It is time-consuming because you need to get all your bases covered. 

Legal Aspect

One of the first things you need to be equipped with when manually complying is knowledge of the EU cookie law. 

It can’t just be mere familiarity and must be actual knowledge of the contents of the ePrivacy Directive.

At the minimum, you should know what makes a good cookie consent policy and explain it in a clear and comprehensive manner on your website.

Technical Aspect

Besides knowing the law, your technical abilities will also be tested. How do you plan to inform your users of the cookie policy?

Will it be through a cookie consent banner, or will the terms pop up before users can view the page? 

Part of the technical aspect is also remembering to put an option where users can withdraw consent or opt out from collecting and processing their data by third-party cookies. 

Don’t Use Cookies

Don’t use cookies if you want to guarantee that you won’t get flagged for violating the EU cookie law or any privacy legislation. 

Yes, it’s as simple as that. If you only have a simple website and don’t envision yourself collecting, storing, and processing personal data, you don’t have to use cookies. 

However, this option has trade-offs, such as the user experience. You won’t be able to give your users an experience tailored exactly for them. 

Not only that, but you wouldn’t be able to collect data and analytics about your visitors and their interaction with the website. 

What Happens if I Don’t Comply With the Cookie Law?

Infographic With the Cookie Law

EU cookie law compliance is important. If you fail to comply with the ePrivacy Directive, then you risk paying a fine or, worse, criminal charges. 

And we’re sure you want to avoid facing any of those. 

But before it even reaches that point, due process requires that you are informed of your violations and the actions you need to correct. 

You’ll be given several days to comply, the failure of which results in several consequences under the ePrivacy Directive.

Fair warning, the fine could cost you millions, and nobody wants that. Under the ePrivacy Directive, a fine could cost as much as 20 million euros or 4% of annual global turnover.

To give you a clear picture of what can happen, we’ve enumerated the following actions you’ll need to face. 

Information Gathering

Your local authorities will inform you of your non-compliance and ask for information about your website.

This includes a link to your cookies, how you manage your local storage, and a thorough investigation of your cookie banner.

Change Implementation

If your local authorities find something wrong with your cookie banner, its implementation, or its provisions, you’ll be informed of this fact immediately. 

More importantly, the ePrivacy Directive allows you to comply with the changes they’ll have you make. 

Consider this the forgiveness stage because you won’t be met with fines or penalties. 

This stage requires websites to comply with their directive and correct mistakes without consequences. 

Penalty Enforcement

If you still fail to make the necessary changes despite being informed of the same, penalties under the ePrivacy Directive start being enforced. 

As much as possible, we don’t want you to reach this stage. If you could rectify the error without any inconvenience, we highly recommend you do the same. Facing the penalty is no joke, especially if that means years of imprisonment or fine worth millions.

Is There a Cookie Law in the UK?

Cookie Law in the UK

Yes, the UK has a cookie law fully integrated and introduced into domestic UK law.

Similar to the European cookie law, the Data Protection Act of 2018 highlights that websites must obtain consent from their users before collecting, storing, and processing personal data. 

One of the salient features of the Data Protection Act of 2018 is the right of the people to object to how their personal data is being processed, as well as the right to inform users of why their data is being collected. 

It even contains new regulations for the UK intelligence services.

The UK’s version of the EU cookie law lists clearly and concisely the obligations of websites and the rights of consumers. 

Is There a Cookie Law in the US?

Cookie Law in the US

Unfortunately, the US does not have a collective data privacy law to protect general consumers. 

This puts the personal data of many consumers at risk, especially in data breaches. 

Notwithstanding this, several states in the US have put up safeguards to promote data protection within their territorial jurisdiction. 

A good example of effective data protection act in the US is the California Consumer Privacy Act and the Virginia Consumer Data Protection Act. 

California Consumer Privacy Act

To date, the California Consumer Privacy Act (CCPA) has to be one of the best data privacy legislation in the US. 

It provides clear and comprehensive information, similar to the EU cookie law, and is very specific with the duties and responsibilities of websites. 

One of the salient features of the California cookie law is that it regulates how cookies are collected, processed, and stored. 

And more importantly, it reiterates the importance of obtaining explicit consumer consent. 

The California privacy rights act also discusses the vital role of website owners and their employees in data protection. 

At the outset, employees must be properly trained to handle data collection and processing. 

It isn’t enough that the consumers give explicit consent because this is just one aspect of the CCPA. 

Another aspect, and one of the most important, is knowing how to properly and securely keep the data collected. 

Virginia Consumer Data Protection Act

Similar to the CCPA, the Virginia Consumer Data Protection Act (VCDPA) aims to regulate consumer cookie consent collection, storage, and processing. 

The objectives are the same, reiterating the necessity of obtaining prior consent before collecting personal data. 

The scope of the VCDPA applies to Virginia residents and website users. 

Briefly, the VCDPA enumerates an exhaustive list of the rights of consumers, the following being the most important:

  • Right to access personal information gathered by websites.
  • Right to correct any mistake in the personal information collected from them.
  • Right to demand from websites that their personal data be deleted.

Make sure to be aware of the salient features of the VCDPA, as well as its vital role in keeping your personal data secure.

Frequently Asked Questions

In general, cookie law is still tricky and complicated to discuss. 

The issue of cookie law is relatively new, and its concept has yet to be embraced by various countries worldwide, even in EU countries. 

This being the case, it doesn’t come as a surprise to us that there are a lot of unanswered questions about cookie law and electronic communications regulations. 

We’ve answered some of the most FAQs we get, which can help you understand the ePrivacy Directive better. 

Does the EU Cookie Law Apply to US Websites?

Yes, the EU cookie law applies to US websites. However, there are certain qualifications before the EU cookie law should be applied.

In general, the EU cookie law only applies to organizations that collect and process personal data in the European Union

But once a US-based company starts doing business with EU residents, or when US websites have EU visitors, they’ll become covered by the EU cookie law. 

The EU cookie law applies to them when they start collecting, storing, and processing the personal data of EU visitors.

Are There Other Cookie Laws Around the World?

Yes, various countries have their own laws similar to the ePrivacy Directive. 

Thanks to the general data protection regulation, countries worldwide have a general framework of an effective cookie law and what their own national legislation should look like.

Such countries include the European Union, some parts of the United States, Argentina, Nigeria, India, Australia, and more. 

With a rising need for cookie law compliance, the near future of data protection looks bright and hopeful. 

Are There Cookies That Are Exempted From the ePrivacy Directive?

Yes, cookies deemed as “strictly necessary” are exempted from the ePrivacy Directive. 

In general, strictly necessary cookies are part of the basic functions of a website to provide an effective service to its consumers. 

It only refers to cookies necessary to carry out the consumer’s requests through a series of actions. 

This being the case, strictly necessary cookies don’t require websites to ask for explicit consent from the users. 

Will the ePrivacy Regulation Replace the ePrivacy Directive Soon?

Yes, the ePrivacy Regulation is set to replace the ePrivacy Directive soon. 

Remember that the ePrivacy Directive started in 2009, which is already over a decade. A lot has happened since then to technology and data protection laws. Replacing the ePrivacy Directive with the ePrivacy Regulation is necessary to have effective, updated, and strong data privacy laws.


The internet is a treasure trove of information, including personal data about yourself. 

Many websites are collecting personal data about you — and your only protection against it is data privacy laws. 

Before you hit “Accept All Cookies,” always remember what information you willingly give away.

We hope you learned a lot about the ePrivacy Directive and the general data protection regulation. If you’re interested, check out some of the top cookie policy generators and get started!