EU legislation on cookies

EUROPA websites must follow the Commission's guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily.

The ePrivacy directive – more specifically Article 5(3) – requires prior informed consent for storage or for access to information stored on a user's terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.

For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual's wishes.

However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

  1. used for the sole purpose of carrying out the transmission of a communication, and
  2. strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection (WP29) include:

  • user-input cookies (session-id) such as first-party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user-centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load-balancing cookies, for the duration of a session
  • user-interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third-party social plug-in content-sharing cookies, for logged-in members of a social network.

 

Use on EUROPA

The use of cookies on EUROPA is allowed under certain conditions. You should take the following steps.

  1. Ask yourself whether the use of cookies is essential for a given functionality, and if there is no other, non-intrusive alternative.
  2. If you think a cookie is essential, ask yourself how intrusive it is: what data does each cookie hold? Is it linked to other information held about the user? Is its lifespan appropriate to its purpose? What type of cookie is it? Is it a first or a third-party setting the cookie? Who controls the data?
  3. Evaluate for each cookie if informed consent is required or not:
       • first-party session cookies DO NOT require informed consent.
       • first-party persistent cookies DO require informed consent. Use only when strictly necessary. The expiry period must not exceed one year.
       • all third-party session and persistent cookies require informed consent. These cookies should not be used on EUROPA sites, as the data collected may be transferred beyond the EU's legal jurisdiction.

Before storing cookies, gain consent from the users (if required) by implementing the Cookie Consent Kit in all the pages of any website using cookies that require informed consent.
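The per-cookie evaluation in the steps above can be checked mechanically when reviewing a site's HTTP responses. The following JavaScript is an added example, not part of the Cookie Consent Kit or of the original page; it classifies `Set-Cookie` headers by party and lifetime and applies the three rules listed above. The hosts, cookie names and the `auditCookie` helper are constructed for illustration, and first/third party is decided by a simple host-suffix comparison.

```javascript
// Added example: audit Set-Cookie headers against the EUROPA rules above.
const ONE_YEAR_S = 365 * 24 * 60 * 60;

// Split one Set-Cookie value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attr = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attr[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), attr };
}

// Lifetime in seconds, or null for a session cookie. Max-Age takes precedence over Expires.
function lifetimeSeconds(attr, now) {
  if (attr['max-age'] !== undefined) return parseInt(attr['max-age'], 10);
  if (attr.expires !== undefined) return Math.round((Date.parse(attr.expires) - now.getTime()) / 1000);
  return null;
}

// Assumption: first-party means the responding host is the site host or a subdomain of it.
function auditCookie({ responseHost, setCookie }, siteHost, now = new Date()) {
  const { name, attr } = parseSetCookie(setCookie);
  const host = responseHost.toLowerCase();
  const site = siteHost.toLowerCase();
  const firstParty = host === site || host.endsWith('.' + site);
  const life = lifetimeSeconds(attr, now);
  const persistent = life !== null && life > 0; // Max-Age <= 0 deletes the cookie
  const findings = [];
  if (!firstParty) findings.push('third-party cookie: should not be used on EUROPA sites');
  if (firstParty && persistent && life > ONE_YEAR_S) findings.push('expiry exceeds one year');
  return { name, firstParty, persistent, consentRequired: !firstParty || persistent, findings };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE = [
  { responseHost: 'site.example', setCookie: 'JSESSIONID=abc123; Path=/; HttpOnly; Secure' },
  { responseHost: 'site.example', setCookie: 'lang=fr; Max-Age=2592000; Path=/' },
  { responseHost: 'site.example', setCookie: 'prefs=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT' },
  { responseHost: 'cdn.tracker.example', setCookie: 'uid=42; Max-Age=86400' },
];
const NOW = new Date('2025-01-01T00:00:00Z');
function auditAll() { return SAMPLE.map((c) => auditCookie(c, 'site.example', NOW)); }
console.log(auditAll());
```

Cookies reported with `consentRequired: true` are the ones that must not be stored before the user has accepted them.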

Inform users about the use of cookies in plain, jargon-free language in a dedicated "cookie notice" page linked from the service toolbar of the standard templates. This page should explain:

  • why cookies are being used (to remember users' actions, identify users, collect traffic information, etc.)
  • if the cookies are essential for the website or a given functionality to work or if they aim to enhance the performance of the website
  • the types of cookies used (e.g. session or permanent, first or third-party)
  • who controls/accesses the cookie-related information (website or third-party)
  • that the cookie will not be used for any purpose other than the one stated
  • how users can withdraw consent.

A standard template to create your own cookie notice page (zip, 241 kB) is available. If a site does not use any cookies, the dedicated "cookie notice" page should use the template and just mention this. If your site uses the same cookies as the Commission homepage, you can link to the top-level cookie notice.

 

Cookie Consent Kit

This service is dedicated to external and internal developers of the European Institutions. Consequently, features documented on this site are tailored to our content management systems and internal guidelines.

The cookie consent solution is a JavaScript-based kit that, after some site-specific configuration, will automatically add a header banner to the page. This header banner will disappear once the user has accepted or refused the cookies used on the site.

This solution provides the following functionalities:

  • JavaScript to automatically display the header banner in 24 languages
  • a wizard to declare your cookies and the link to your cookies notice page
  • a JavaScript API with methods and functions that help to prevent prior storage of cookies
  • a corporate-consent cookie to remember the choice of the user across websites
  • a template for the cookie notice page.

This is a central service: you have to include the JavaScript file on your website and add one site-specific configuration file listing the cookies you are using. You will also have to add a short HTML parameter to every element in your site that sets a cookie.

 

Read the full documentation to implement the Cookie Consent Kit
Download the template to create your own cookie notice page





