Storing user-related data is only permitted under the EU Cookie Law (also known as the ePrivacy Directive) if users give their explicit consent. This opt-in process is therefore mandatory—at least for tracking cookies if you do business in the European Union. But what is the current legal status?

In the European Union, Directive 2009/136/EC is intended to ensure and strengthen the protection of personal data. The cookie law essentially requires that website visitors be clearly informed about the use of cookies and consent to their storage.

According to the directive, cookies may only be set without prior consent if they are technically necessary—for example, to deliver a service explicitly requested by the user. This includes cookies like session cookies used to store language preferences, login credentials, or shopping cart contents, as well as Flash cookies for media playback.

However, for the use of most other cookies, website operators must obtain user consent. This applies to any cookies not essential for the operation of the website. Most notably, this includes advertising cookies used for retargeting, as well as analytics and social media cookies.


With its cookie law, the European Union aims to protect the personal data of internet users. In general, a distinction is made between technically necessary and non-essential cookies:

  1. Technically necessary cookies: These include cookies that are essential for the core functions of a website. Examples include storing login credentials, shopping basket contents, or language preferences using session cookies (which are deleted when the browser is closed).
  2. Non-essential cookies: These refer to text files that serve purposes beyond the website’s basic functionality. Examples include:
  • Tracking cookies that collect data such as user location
  • Targeting cookies that tailor advertising content to the user
  • Analytics cookies that gather information about user behaviour on the site
  • Social media cookies that link the website with platforms like Facebook, Twitter, etc.

According to the EU Cookie Law, necessary cookies may be set without prior consent. However, visitors must give their explicit consent before non-essential cookies can store any data. As a result, the directive requires an opt-in approach for non-essential cookies. These cookies must not be set unless and until the user agrees to their use.

UK businesses already have their own laws to comply with, namely the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation (UK GDPR).

However, if a UK company operates a website that is accessible to users in the European Union, or works with EU-based partners, it must also ensure compliance with the EU Cookie Law (ePrivacy Directive) and the EU General Data Protection Regulation (GDPR).

Even though the UK has left the EU, these EU rules still apply when UK businesses process personal data from EU residents, due to the extraterritorial scope of the GDPR and the ePrivacy Directive.

Key compliance measures for UK businesses

To meet the requirements of EU cookie and data protection laws, UK businesses typically take the following steps:

  1. Implement a cookie banner with opt-in functionality
    Users from the EU must actively consent to the use of non-essential cookies (e.g. analytics or advertising). The banner must clearly explain what cookies are used and allow users to accept or reject them.

  2. Granular consent options
    Offer EU users a way to choose which types of cookies they accept—such as functional, performance, or marketing cookies. This is often managed through a Consent Management Platform (CMP).

  3. Maintain a clear and accessible cookie policy
    Your website should provide a cookie policy that includes:

    • A list of the cookies used
    • The purpose and duration of each cookie
    • Any third-party services involved
    • Instructions for changing or withdrawing consent

  4. Geo-targeted compliance tools
    Many UK businesses use IP-based geolocation to show cookie banners only to users from the EU. This helps ensure compliance without disrupting the experience of UK-only or international users.

  5. Consent recordkeeping
    Keep a log of cookie consents for EU users. This is part of the accountability principle under the GDPR and may be required during audits or investigations.
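The steps above (opt-in gating, granular categories and a consent log) can be expressed as one small piece of server-side logic. The following is an added example written for this article, not code from the original page or from any CMP vendor: the category names, the `recordConsent`, `currentConsent`, `setCookieIfAllowed` and `withdrawConsent` functions and the visitor id are all assumptions, and the consent log is an in-memory array standing in for the durable record an operator would keep. It is plain JavaScript with no DOM dependency, so it also runs under Node.

```javascript
// Added example: consent-gated cookie setting for the opt-in model described above.
// All names here are illustrative assumptions, not a real CMP API.

// Granular categories a banner would offer. 'necessary' never requires consent.
const CATEGORIES = ['necessary', 'functional', 'performance', 'marketing'];

// In-memory stand-in for the operator's consent log (accountability principle):
// who agreed to what, when, and under which banner text/version.
const consentLog = [];

// Record a visitor's banner choice. Unknown categories are rejected so a tampered
// request cannot grant a category the policy never listed. 'necessary' is always on.
function recordConsent(visitorId, accepted, bannerVersion, now = new Date()) {
  for (const c of accepted) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
  }
  const granted = new Set(['necessary', ...accepted]);
  const record = {
    visitorId,
    granted: CATEGORIES.filter(c => granted.has(c)), // canonical order
    bannerVersion,
    timestamp: now.toISOString(),
  };
  consentLog.push(record);
  return record;
}

// Latest consent record for a visitor. null means the banner was never answered,
// which under opt-in is treated exactly like "no non-essential cookies".
function currentConsent(visitorId) {
  for (let i = consentLog.length - 1; i >= 0; i--) {
    if (consentLog[i].visitorId === visitorId) return consentLog[i];
  }
  return null;
}

// Build a Set-Cookie header value only if the cookie's category is permitted;
// return null when the cookie must not be set. A Max-Age is attached where given
// so the duration listed in the cookie policy is actually enforced by the browser.
function setCookieIfAllowed(visitorId, { name, value, category, maxAgeSeconds }) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  const consent = currentConsent(visitorId);
  const allowed =
    category === 'necessary' || (consent !== null && consent.granted.includes(category));
  if (!allowed) return null;

  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (category === 'necessary') attrs.push('HttpOnly'); // e.g. a session id, hidden from scripts
  if (maxAgeSeconds !== undefined) attrs.push(`Max-Age=${maxAgeSeconds}`);
  return attrs.join('; ');
}

// Withdrawal is itself a logged event: a fresh record granting only 'necessary'.
function withdrawConsent(visitorId, bannerVersion, now = new Date()) {
  return recordConsent(visitorId, [], bannerVersion, now);
}

// Walkthrough on constructed data: before consent, after granular consent, after withdrawal.
function demo() {
  const visitor = 'visitor-42'; // constructed pseudonymous id
  const analyticsCookie = { name: 'analytics_id', value: 'A1.2.3', category: 'performance', maxAgeSeconds: 63072000 };
  const adCookie = { name: 'ad_id', value: 'x', category: 'marketing', maxAgeSeconds: 2592000 };
  const sessionCookie = { name: 'sid', value: 'abc', category: 'necessary' };

  const beforeConsent = setCookieIfAllowed(visitor, analyticsCookie);      // null: not yet opted in
  recordConsent(visitor, ['functional', 'performance'], 'banner-v3', new Date('2024-05-01T10:00:00Z'));
  const analytics = setCookieIfAllowed(visitor, analyticsCookie);          // set: performance granted
  const ads = setCookieIfAllowed(visitor, adCookie);                       // null: marketing not granted
  const session = setCookieIfAllowed(visitor, sessionCookie);              // set: necessary needs no consent
  withdrawConsent(visitor, 'banner-v3', new Date('2024-06-01T09:00:00Z'));
  const afterWithdrawal = setCookieIfAllowed(visitor, analyticsCookie);    // null again
  return { beforeConsent, analytics, ads, session, afterWithdrawal, log: consentLog.length };
}
```

Run `demo()` to see the three states side by side. The point the page makes is visible in the return values: the analytics cookie is refused both before the banner is answered and after consent is withdrawn, the marketing cookie stays refused because it was never granted, and the session cookie is set regardless, while every decision the visitor made is preserved in the log with a timestamp and banner version.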


What are cookies and what data do they collect?

Cookies are small text files that a browser stores on a user’s device when visiting a website. They save information related to your visit, enhancing user experience—for example, by remembering your login credentials or language preferences so you don’t have to re-enter them each time. While cookies provide convenience, they also raise privacy concerns. Many are used to track specific aspects of user behaviour online, enabling features like personalised advertising. Tracking and targeting cookies in particular are frequently criticised by privacy advocates.

A typical cookie includes information such as the lifetime of the file and a randomly generated ID number that helps the website recognise your device. In most cases, data stored by cookies is anonymised. Personally identifiable information (PII) is only collected when a site requires you to log in.


For years, the European Union has been working on the ePrivacy Regulation to establish uniform rules for the use of cookies and other tracking technologies. Originally, the ePrivacy Regulation was intended to come into force alongside the General Data Protection Regulation (GDPR), but its implementation remains uncertain.

Until the ePrivacy Regulation is formally enacted, cookies that can be used to identify users—through ID numbers, behavioural profiles, or tracking mechanisms—fall under the definition of ‘personal data’ as outlined in Chapter 1 of the GDPR. This applies to any company—inside or outside the EU—that collects or processes such data from individuals located in the EU.
