Inside EU Cookie Laws

By Carla Rover • May 25, 2011 •

What it is: The UK’s Privacy and Electronic Communications Directive, an amendment to the EU’s E-Privacy Directive, will restrict the use of cookies and virtually any other tracking methods used for advertising purposes. Both legal frameworks would require any company with users in an EU country to be subject to EU-wide and country-specific privacy legislation. The UK law’s translation of the EU’s E-Privacy Directive principles is far more restrictive than the present incarnation of the US-EU Safe Harbor agreement, which requires US companies to offer notification when cookies are used on a website.

Why it matters: The restriction on cookie use could impose financial and even criminal penalties for the improper use of cookies. The UK government today announced a deferment on non-compliance penalties for one year. The law, however may still place large American brands at a disadvantage. Because many major American campaigns employ rich media ads and display content from multiple sources, the bigger and more elaborate an advertising campaign or a retail website is, the more vulnerable it would be to restrictions through the new EU directives.

How it works: The law would require notice each time a cookie is used, setting up a flurry of notifications. The bigger the website and the richer the media, the greater the risk. A browser solution might work for webpages, but it wouldn’t work for mobile apps and even Web apps. The ICO suggests that companies use “some other way” to alert users to cookie use. Adding information to a terms of use agreement won’t work either, according to the report, unless all users are issued a new agreement and certify their acceptance.

Who’s doing it: Every company with a user in the EU or the UK will eventually have to implement the measures, but at present only two EU members, Denmark and Estonia, have implemented controls to enforce the EU directives besides the UK’s efforts. The EU and the UK are presently working with all major browser manufacturers to create browser-level solutions for privacy. Some American companies, such as Truste and AdSafe, are creating products for EU-compliance.

Assessment: The cookie-use evaluation process is only half the battle, as American companies will also have to contend with further EU legislation meant to limit data storage practices globally, on mobile and online. “Businesses may want to check their sites to work out where they are using cookies and what those cookies are doing,” wrote attorney Johnathan Armstrong, of Duane Morris, a firm specializing in technology law. “They may want to stop using unnecessary cookies, especially those sending data to third parties. Businesses may then work on ways of telling visitors to their sites what is happening to their data. Given that the law is in a state of uncertainty, transparency should be the guiding principle of any business in its online activities.”

More in Media

Bold Call

Bold Call: AI will rewrite publishers’ websites in 2026

January 22, 2026

This year, publishers will use AI to transform static sites into dynamic, personalized and reader-driven experiences.

Member Exclusive

Media Briefing: The anatomy of the publishers’ SEO dilemma

January 22, 2026

As AI upends search, publishers face a choice in 2026: chase Google, feed AI, or figure out how to balance both.

Digiday Awards

UBS, New York Times Advertising, Uber Advertising and The Wall Street Journal are Digiday Media Awards Europe finalists

January 20, 2026

This year, the organizations modernizing European media are pioneering interactive formats that drive engagement and impact, while premium contexts build trust and authority. Digiday Media Awards Europe finalists are also pairing innovation with sustainability, thoughtful design and seamless omnichannel storytelling to enhance user experience across touchpoints. In the Best Use of Interactive Content category, UBS […]