New EU Cookie law: Guidelines for users and website owners

The EU “Cookie” Law comes into effect on 25 May 2012 and all EU countries will be required to follow it. The new law will definitely have an impact on the already weakened economy of Europe since it will affect all online shops and websites. According to the Wired UK “Compliance with the EU’s “cookie law” could cost the UK economy as much as £10 billion if implemented incorrectly, according to a “worst case scenario””. In this article we explain the changes that took place, the options that you have as a webmaster and we provide an example of how you should structure your new Privacy Policy.

According to the Directive 2009/136/EC according to article 5 (3):

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal  equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

According to the Field Fisher Waterhouse (2012) there’s a full list of EU countries in which the Article 5(3) has been implemented or not, what the implementation status is,  strict “opt-in” consent required (or expected) and what the legal requirements are. The case in point, the country is stated and whether or not the Article 5(3) has been implemented:

YES: Austria, Bulgaria, Czech Republic, Denmark, Finland, France,  Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Slovakia, Sweden, United Kingdom

NO: Belgium, Cyprus, Germany, Italy, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Spain

N/A: Estonia

For more information about the countries who implemented it you can check the Full Table.

What is a Cookie?

A cookie is a text-based file located onto your computer containing information that can be accessed by the visited website. Generally, cookies help enhance the user’s experience whenever they visit a website. What define cookies are 3 basic characteristics:

1. Statistical reporting

Website owners can be helped by statistical reporting in order to enhance the features of their website for the user needs.

2. Behavioural Advertising

A user can conduct a search for a certain product for which he/she is interested in.  The cookie can identify the product for which the user is interested in and consecutively -the cookie- will display advertisements which are relevant to the user queries.

3. Tracking conversions

When a user visits and online shop, he/she can browse products and consecutively he/she can select products for which he/she is interested in purchasing.  In other words, online commerce websites use cookies to recognize you and speed up the shopping process the next time you visit the website.

Type of Cookies

The most common types of cookies which can be found on most websites are:

Geotargeting cookies

Completely anonymous and identifies the country that the user comes from.

Third party cookies

Social media sharing buttons (e.g. Tweet Share, Facebook, Google+ etc)

Registration Cookies

These cookies identify on which account the user is signed in with. Also it enables the use of other server-side technologies such as sessions.

Advertising Cookies

These cookies are also anonymous and they store information about the content that the user is browsing. They are used by advertising networks to serve relevant ads to the users.

Google Analytics cookies

They are also completely anonymous as they do not recognise the true identity of the user. These cookies are solely used to collect information on how users use the website, which pages they use more often, from which country they come etc.

What the website owners should do?

The new law leaves Webmasters with 3 main options:

  1. Theoretically one option is to ignore the Privacy Policy. However by neglecting intentionally on working upon their new Privacy Policy, it could result to a fine by their national Data Protection Authorities.
  2. The website owners could deactivate the use of cookies for their websites. However, it should be taken into account the fact that deactivating the cookies could have an impact on the functionality of the website.
  3. The website could comply with EU directive by adjusting the Privacy Policy to the needs of their website.

Taking into account the fact that each website is different the structure of each policy should be differentiated.

How to Structure your new Privacy Policy

Practically depending on the type of the website (online shop/online commerce website, internet marketing agency etc), the Privacy Policy should be adjusted to the needs of each website separately. Nevertheless below we provide an example of how to structure your Privacy Policy to make it compatible with the new EU law.

The structure of a Privacy policy should be as below:


On your introduction, you can mention and explain the following matters:

How you handle user data?

How you protect that information?

Mention that you respect the sensitive data of your users and that you protect their privacy.

Describe what the national DPA (Data protection Authority) says, according to the EU Directive.

Provide the definition of the cookie and include all the uses of cookies on the website:

  • Web Analytics cookies
  • Geotargeting, Advertising cookies
  • Are we using any other type of cookies besides Google Analytics?
  • Registration Cookies
  • Geotargeting cookies?
  • Third party cookies such as Social Networks (Facebook, Twitter share etc)

How we use your information

As website owners (data controllers/data processors) you should explain clearly on how you use the information that you collect; for example, if you send newsletters you should specify it and assure the users (data subjects) that you are going to safeguard the mail contact from any unauthorized access/unlawful use.

Visitors to our website

As website owners you need to clarify explicitly that the information that you collect from the visitors of your website does not recognise their true identity and additionally the cookies are used in order to improve the user experience.

People who make a complaint to us

If users (data subjects) show concern on the amount of (personal) data that is being stored on the websites, then users could contact to the website owners

Access to personal information

In the event of keeping personally identifiable information (PII), users (as data subjects) could file a “subject access request”, requesting for any PII kept on file of the website owners.

Disclosure of personal information

Website owners who are within the EU, should ensure that they are not going to send any data outside the EEA (European Economic Area) which do not have an adequate level of data protection.

[Job applicants, former/current employees]

Website owners (data controllers/data processors) should clarify for how long they maintain on their file the details of job applicants (data subjects).

Changes to this privacy notice

It should be stated whenever the Privacy Policy is updated.

How to contact us

Provide your contact details for any questions/concerns made by the data subjects.


Comments are closed.