Inside EU Cookie Laws

By Carla Rover • May 25, 2011 •

What it is: The UK’s Privacy and Electronic Communications Directive, an amendment to the EU’s E-Privacy Directive, will restrict the use of cookies and virtually any other tracking methods used for advertising purposes. Both legal frameworks would require any company with users in an EU country to be subject to EU-wide and country-specific privacy legislation. The UK law’s translation of the EU’s E-Privacy Directive principles is far more restrictive than the present incarnation of the US-EU Safe Harbor agreement, which requires US companies to offer notification when cookies are used on a website.

Why it matters: The restriction on cookie use could impose financial and even criminal penalties for the improper use of cookies. The UK government today announced a deferment on non-compliance penalties for one year. The law, however may still place large American brands at a disadvantage. Because many major American campaigns employ rich media ads and display content from multiple sources, the bigger and more elaborate an advertising campaign or a retail website is, the more vulnerable it would be to restrictions through the new EU directives.

How it works: The law would require notice each time a cookie is used, setting up a flurry of notifications. The bigger the website and the richer the media, the greater the risk. A browser solution might work for webpages, but it wouldn’t work for mobile apps and even Web apps. The ICO suggests that companies use “some other way” to alert users to cookie use. Adding information to a terms of use agreement won’t work either, according to the report, unless all users are issued a new agreement and certify their acceptance.

Who’s doing it: Every company with a user in the EU or the UK will eventually have to implement the measures, but at present only two EU members, Denmark and Estonia, have implemented controls to enforce the EU directives besides the UK’s efforts. The EU and the UK are presently working with all major browser manufacturers to create browser-level solutions for privacy. Some American companies, such as Truste and AdSafe, are creating products for EU-compliance.

Assessment: The cookie-use evaluation process is only half the battle, as American companies will also have to contend with further EU legislation meant to limit data storage practices globally, on mobile and online. “Businesses may want to check their sites to work out where they are using cookies and what those cookies are doing,” wrote attorney Johnathan Armstrong, of Duane Morris, a firm specializing in technology law. “They may want to stop using unnecessary cookies, especially those sending data to third parties. Businesses may then work on ways of telling visitors to their sites what is happening to their data. Given that the law is in a state of uncertainty, transparency should be the guiding principle of any business in its online activities.”

More in Media

Future of Work

Esquire’s Michael Sebastian on the workday of a magazine editor in the age of TikTok and AI

August 20, 2025

The editor in chief of Esquire represents something of a paradox: a digital native who came up through the ranks of online journalism.

The Creator Economy

Creators hire AI like interns as they look to save costs on the creative process

August 19, 2025

While some creators churn out AI slop in the name of scale, others are using the tech more pragmatically — to perform back-end tasks they previously had to pay a human to do.

The Creator Economy

VTubers are catching marketers’ eyes in 2025

August 18, 2025

Instead of revealing their real-life faces to the camera, VTubers use motion-capture or hand-tracking technology to map their movements and facial expressions to an animated avatar. That way, they can keep their identities private while still building distinct, marketable personas that fans connect with.