A Closer Look at EU Cookie Law

22 Apr 2021

Cookies have become an essential part of users’ browsing experience and allow a more tailored use of the Internet (e.g., staying logged in to a webpage, remembering set preferences, receiving tailored ads). However, cookies also raise concerns about privacy online.

What is a cookie?

A cookie is a small text file that a website places on users’ devices (computer, phone, tablet), and which enables website owners to gain insight into users’ online activities. Cookies can harvest data that can be used for online tracking, personal profiling, developing marketing tactics and similar activities. Accordingly, they may qualify as personal data. Certain types of cookies are also essential to ensure security and the proper functioning of websites.

Based on their purposes, the main types of cookies include:

  • Strictly necessary cookies: they are essential to browse websites and use their features, such as accessing secure areas of the site or holding items in an online shopping cart.
  • Preferences or functionality cookies: they allow a website to remember choices users made in the past, such as usernames and passwords, language preference, or region.
  • Statistics or performance cookies: they collect information about the use of a website to improve its functions. Typically this information is aggregated and cannot be used to identify an individual.
  • Marketing cookies: they track online activity to help advertisers deliver more relevant advertising or to limit how many times a user sees a particular ad. These cookies may share that information with other organizations or advertisers.

Cookies can also be distinguished based on whether the cookies are placed by the website owner themselves (first-party cookies) or by a third party with access to the visited website (third-party cookies), such as advertisers or analytic systems.


What rules are cookies subject to?

The use of cookies in the EU is governed essentially by two instruments:

  • The ePrivacy Directive, which governs the confidentiality of electronic communications, tracking on the Internet and by equipment such as smartphones or smart meters. ePrivacy rules are lex specialis to those of the GDPR;
  • The GDPR, pursuant to which cookies may qualify as personal data to the extent that they identify individuals, and are consequently subject to all rules of the GDPR, including, in particular, the requirement of a valid lawful basis (in this case, consent or legitimate interest) for their collection and processing.

How to comply with cookie law?

Legal basis and validity of consent

All cookies other than strictly necessary ones require the user’s prior consent. The validity of consent is subject to the GDPR’s standard, which requires that consent be (i) informed, (ii) freely given, (iii) specific, and (iv) unequivocal. Therefore, practices such as using so-called “cookie walls” to obtain users’ consent are unlawful, as consent is not deemed to be freely given.[1]

Users must be given a genuine choice to accept or refuse cookies and such consent must be adequately stored and documented by website owners. Moreover, website owners must collect users’ consent for cookies (except for strictly necessary ones) prior to actually placing cookies on the device and must consequently ensure that cookies are not placed without consent.

The website’s services cannot be made inaccessible because the user rejected the use of cookies. Finally, users must be able to easily withdraw their consent at any time.


Pursuant to the rules of the ePrivacy Directive and the GDPR, in order to place and process cookies lawfully, website owners must:

  • Inform users that the website uses cookies (e.g., by way of a cookie banner);
  • Provide detailed information concerning (i) what information the cookie collects and (ii) what purposes it pursues (e.g., within a cookie policy);
  • Provide this information in clear and comprehensible language, and in sufficient detail.

Leading EU caselaw

In its Planet49 judgment, the EU Court of Justice clarified several important aspects relating to the validity of consent under the GDPR that are relevant for the lawful use of cookies. In particular, valid consent must amount to a clear affirmative action of the individual, as opposed to relying on passive behavior. This entails that active behavior, such as ticking a box, can meet this threshold, whereas silence, pre-ticked checkboxes (which the user must de-select to refuse cookies) or inactivity do not meet the conditions of valid consent. Moreover, consent must be specific in relation to a given processing activity and purpose, which entails that different purposes cannot be bundled in a single consent request.

Moreover, the Court held that the protection granted by e-privacy rules applies to any information stored in users’ terminal equipment, regardless of whether or not it constitutes personal data, and is intended to protect users from the risk that hidden identifiers and other similar devices (“spyware, web bugs, hidden identifiers and other similar devices” as detailed in the ePrivacy Directive) enter those users’ terminal equipment without their knowledge. For this reason, the information provided must also cover those cookies and tracking technologies that do not amount to personal identification.

Finally, the Court maintained that, although this is not expressly provided by the ePrivacy Directive, in accordance with the principle of fair processing and the rules of the GDPR, the user must be provided with information concerning the duration of the operation of cookies and whether or not third parties may have access to those cookies.

Recent guidance and decisions regarding the use of cookies

There are numerous decisions and guidance throughout the EU Member States on the topic of cookies.

The Belgian Data Protection Authority provides detailed information on its dedicated page.

The French Data Protection Authority amended its guidelines in 2020. The French DPA recommends including a “refuse all” button in consent requests. In addition, it is recommended that, when tracking technologies are used on sites other than the one visited (third-party cookies), consent should be obtained on each of the sites concerned.

The Spanish DPA recently fined Abanca Corporación Bancaria after finding that it had violated Spanish law (transposing the e-Privacy Directive) by installing third-party non-necessary cookies before obtaining consent from users and by failing to identify cookies that were placed on devices before users agreed to them.

In another case, the Spanish DPA fined a furniture company for failing to provide users with an option to reject cookies and for offering unclear information in the cookie banner and privacy policy.

What to expect going forward?

In February 2021, the Council of the EU adopted its negotiating position on the ePrivacy Regulation (more information in our previous article). The text is now subject to the trialogue negotiations between the EU Parliament, the Council and the Commission. Further developments concerning the upcoming Regulation, which will replace the ePrivacy Directive, are expected.

It should also be noted that there is a general tendency to reduce the use of third-party cookies, which is likely to continue, as Google announced it intends to phase out third-party cookies in the future, in favor of other privacy-preserving technologies.

In conclusion, as cookies remain a top concern for European data protection authorities in their enforcement action, we recommend reviewing cookie use practices and related policies, monitoring developments in local enforcement, and preparing compliance with the upcoming ePrivacy Regulation.



Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection related matter.




Patrice Vanderbeeken

Slavica Puric

Laura Somaini



[1] Note that in accordance with the latest draft of the proposed ePrivacy Regulation (Council of the EU’s position adopted on 10 February 2021), the use of “cookie walls” is allowed as long as the user has a genuine choice between the service that is conditional on the user’s consent and an alternative service that does not involve cookies.
