Storing user-related data is only permitted under the EU Cookie Law (also known as the ePrivacy Directive) if users give their explicit consent. This opt-in process is therefore mandatory—at least for tracking cookies if you do business in the European Union. But what is the current legal status?

In the European Union, Directive 2009/136/EC is intended to ensure and strengthen the protection of personal data. The cookie data law essentially requires that website visitors be clearly informed about the use of cookies and must consent to their storage.

According to the directive, cookies may only be set without prior consent if they are technically necessary—for example, to deliver a service explicitly requested by the user. This includes cookies like session cookies used to store language preferences, login credentials, or shopping cart contents, as well as Flash cookies for media playback.

However, for the use of most other cookies, website operators must obtain user consent. This applies to any cookies not essential for the operation of the website. Most notably, this includes advertising cookies used for retargeting, as well as analytics and social media cookies.


With its cookie law, the European Union aims to protect the personal data of internet users. In general, a distinction is made between technically necessary and non-essential cookies:

  1. Technically necessary cookies: These include cookies that are essential for the core functions of a website. Examples include storing login credentials, shopping basket contents, or language preferences using session cookies (which are deleted when the browser is closed).
  2. Non-essential cookies: These refer to text files that serve purposes beyond the website’s basic functionality. Examples include:
  • Tracking cookies that collect data such as user location
  • Targeting cookies that tailor advertising content to the user
  • Analytics cookies that gather information about user behaviour on the site
  • Social media cookies that link the website with platforms like Facebook, Twitter, etc.

According to the EU Cookie Law, necessary cookies may be set without prior consent. However, visitors must give their explicit consent before non-essential cookies can store any data. As a result, the directive requires an opt-in approach for non-essential cookies. These cookies must not be set unless and until the user agrees to their use.

UK businesses already have their own laws to comply with, namely the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation (UK GDPR).

However, if a UK company operates a website that is accessible to users in the European Union, or works with EU-based partners, it must also ensure compliance with the EU Cookie Law (ePrivacy Directive) and the EU General Data Protection Regulation (GDPR).

Even though the UK has left the EU, these EU rules still apply when UK businesses process personal data from EU residents, due to the extraterritorial scope of the GDPR and the ePrivacy Directive.

Key compliance measures for UK businesses

To meet the requirements of EU cookie and data protection laws, UK businesses typically take the following steps:

  1. Implement a cookie banner with opt-in functionality
    Users from the EU must actively consent to the use of non-essential cookies (e.g. analytics or advertising). The banner must clearly explain which cookies are used and for what purpose, and must let users accept or reject them.

  2. Granular consent options
    Offer EU users a way to choose which types of cookies they accept—such as functional, performance, or marketing cookies. This is often managed through a Consent Management Platform (CMP).

  3. Maintain a clear and accessible cookie policy
    Your website should provide a cookie policy that includes:

    • A list of the cookies used
    • The purpose and duration of each cookie
    • Any third-party services involved
    • Instructions for changing or withdrawing consent

  4. Geo-targeted compliance tools
    Many UK businesses use IP-based geolocation to show cookie banners only to users from the EU. This helps ensure compliance without disrupting the experience of UK-only or international users.

  5. Consent recordkeeping
    Keep a log of cookie consents for EU users. This is part of the accountability principle under the GDPR and may be required during audits or investigations.
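The opt-in gate, granular categories, withdrawal and consent log described in steps 1 to 5 above, combined into one small browser-side consent manager. This is an added example, not the article's code and not any particular CMP product; the class, category names and cookie names are this example's own assumptions, and the `cookieSink` callback lets it run without a DOM.

```javascript
// Added example (not from the article or a specific CMP): an opt-in gate that
// refuses to write non-essential cookies until the user has consented, supports
// granular categories, expires cookies on withdrawal and keeps a consent log.
const CATEGORIES = ["necessary", "functional", "performance", "marketing"];

class ConsentManager {
  constructor(cookieSink) {
    // cookieSink receives each Set-Cookie style string; defaults to document.cookie.
    this.sink = cookieSink || ((s) => { document.cookie = s; });
    this.consent = { necessary: true }; // strictly necessary cookies need no consent
    this.log = [];      // consent records kept for GDPR accountability
    this.deferred = []; // cookies held back until the user opts in
    this.written = [];  // non-essential cookies already set, for withdrawal
  }

  // Returns true if the cookie was written, false if it was deferred (no consent yet).
  setCookie(name, value, category, maxAgeSeconds = 3600) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.consent[category]) {
      this.deferred.push({ name, value, category, maxAgeSeconds });
      return false; // opt-in: nothing is stored before consent is given
    }
    this.sink(`${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`);
    if (category !== "necessary") this.written.push({ name, category });
    return true;
  }

  // Apply a granular choice from the banner. Anything not explicitly true is a refusal.
  recordChoice(choices, source) {
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.consent[c] = choices[c] === true;
    }
    this.log.push({ at: new Date().toISOString(), source, consent: { ...this.consent } });
    // Expire cookies whose category is no longer permitted (consent withdrawn).
    this.written = this.written.filter((w) => {
      if (this.consent[w.category]) return true;
      this.sink(`${w.name}=; Max-Age=0; Path=/; SameSite=Lax; Secure`);
      return false;
    });
    // Release deferred cookies that are now permitted; the rest are deferred again.
    const pending = this.deferred;
    this.deferred = [];
    for (const d of pending) this.setCookie(d.name, d.value, d.category, d.maxAgeSeconds);
    return { ...this.consent };
  }
  withdrawAll() { return this.recordChoice({}, "withdraw"); }
}
```

In a real deployment the `log` entries would be persisted server-side with the consent banner version shown, so the record survives a cleared browser and can be produced during an audit.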


What are cookies and what data do they collect?

Cookies are small text files that a browser stores on a user’s device when visiting a website. They save information related to your visit, enhancing user experience—for example, by remembering your login credentials or language preferences so you don’t have to re-enter them each time. While cookies provide convenience, they also raise privacy concerns. Many are used to track specific aspects of user behaviour online, enabling features like personalised advertising. Tracking and targeting cookies in particular are frequently criticised by privacy advocates.

A typical cookie includes information such as the lifetime of the file and a randomly generated ID number that helps the website recognise your device. In most cases, data stored by cookies is anonymised. Personally identifiable information (PII) is only collected when a site requires you to log in.


For years, the European Union has been working on the ePrivacy Regulation to establish uniform rules for the use of cookies and other tracking technologies. Originally, the ePrivacy Regulation was intended to come into force alongside the General Data Protection Regulation (GDPR), but its implementation remains uncertain.

Until the ePrivacy Regulation is formally enacted, cookies that can be used to identify users—through ID numbers, behavioural profiles, or tracking mechanisms—fall under the definition of ‘personal data’ as outlined in Chapter 1 of the GDPR. This applies to any company—inside or outside the EU—that collects or processes such data from individuals located in the EU.
