Cookie Regulations and the New EU Cookie Law

Dec 7, 2013


Drupal Camp Alpe-Adria, April 2013
Igor Kolar, Janez Urevc


We will explain the new EU cookie directive and show what it means in practice. We will present the Information Commissioner's opinion on the topic and help you spot and overcome problems before they arise.

We will also show Drupal modules that can make your life with cookies easier.

What happened

Directive on Privacy and Electronic Communications (2002/58/EC)

Amended by the Data Retention Directive

And then by a further Directive, which added Article 5(3) requiring cookie opt-in

To be implemented by 25 May 2011; almost everyone but the UK was late. The UK regulation came into force in May 2012, and problems arose

What does this 'opt-in' mean?

It depends on what your privacy commissioner thinks

UK: “not going beyond implied consent” (in practice, opt-out)

SI: prior informed consent (opt-in) for non-essential (“non-existential”) cookies

But in practice “essential” covers pretty much everything except ads, Google Analytics and share-everywhere widgets

The U.S. Do Not Track (DNT) header is not sufficient

Essential cookies in SI

Load balancing

Shopping cart

User authentication

Audio/video, including Flash and DRM cookies

Page customization (language, features, ...)

Social media embeds (!)

Non-essential cookies in SI

Ads, particularly from third-party ad networks, which might (will) use behavioural tracking

Disqus, Issuu, Scribd

Other stupid widgets

Getting consent

DNT does not suffice: Internet Explorer 10 turned it on by default, so it cannot be read as a choice the user actually made (see the IE drama)

Provide a clear privacy policy listing all the cookies you use, and keep it updated

In SI, you should ask for consent for each non-essential cookie, and make sure to provide information on what that cookie will be used for

Best during registration, or in User preferences for existing users; splash screens (!) or header/footer bars otherwise


You may not set cookies in SI before you get consent (you can in the UK)

If the user refuses, the site has to work without cookies, or redirect to ... or to ...

You may NOT save a cookie recording that consent was refused, unless you get consent for that cookie first

User flushed the consent cookie? Ask again.
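The SI rules above amount to a small piece of front-end logic: hold back every non-essential cookie and third-party script until consent is given, record consent only when it is granted, store nothing on refusal, and re-ask when the consent cookie is gone. The following is an added example written for this page, not code from the slides or from any Drupal module. The cookie registry (which is the same list your privacy policy must publish), the consent cookie name `cookie_consent`, and the `<script type="text/plain" data-consent="...">` markup for deferred third-party tags are all assumptions. `auditCookies()` doubles as a compliance self-check: run it against `document.cookie` on any page and it lists non-essential cookies that are present without consent, which is exactly what is "trivial to prove" to the Commissioner.

```javascript
// Added example: a consent gate for the SI reading of Article 5(3).
// Not from the slides or any Drupal module. The cookie registry, the
// consent cookie name and the data-consent markup are assumptions.

// Cookie that records a GRANTED consent. It is only ever set after the user
// accepts, so setting it is itself covered by that consent.
const CONSENT_COOKIE = 'cookie_consent';

// Assumed registry of every cookie the site and its embeds can set (the same
// list the privacy policy has to publish). `prefix: true` matches names such
// as Drupal's SESS<hash> session cookie.
const COOKIE_REGISTRY = [
  { name: 'SESS',   prefix: true,  essential: true,  purpose: 'user authentication (Drupal session)' },
  { name: 'has_js', prefix: false, essential: true,  purpose: 'page customization' },
  { name: 'cart',   prefix: false, essential: true,  purpose: 'shopping cart' },
  { name: '_ga',    prefix: false, essential: false, purpose: 'Google Analytics' },
  { name: '__utm',  prefix: true,  essential: false, purpose: 'Google Analytics (legacy)' },
  { name: 'disqus_unique', prefix: false, essential: false, purpose: 'Disqus comments' },
];

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Look a cookie up in the registry. Anything unknown is treated as
// non-essential: it is not in the privacy policy, so it cannot have consent.
function classifyCookie(name) {
  const hit = COOKIE_REGISTRY.find(c => (c.prefix ? name.startsWith(c.name) : name === c.name));
  return hit || { name, prefix: false, essential: false, purpose: 'unknown (not in privacy policy)' };
}

function hasConsent(cookies) {
  return cookies[CONSENT_COOKIE] === 'granted';
}

// Compliance self-check: every non-essential (or unknown) cookie present while
// consent is absent was set before consent, which the SI rules forbid.
function auditCookies(header) {
  const cookies = parseCookieHeader(header);
  const consent = hasConsent(cookies);
  const violations = [];
  for (const name of Object.keys(cookies)) {
    if (name === CONSENT_COOKIE) continue;
    const info = classifyCookie(name);
    if (!info.essential && !consent) violations.push({ name, purpose: info.purpose });
  }
  return { consent, violations };
}

// Apply the user's choice. On "accept" we may record it and load the deferred
// third-party scripts. On refusal NOTHING is stored: a "refused" cookie would
// itself need prior consent, so the banner simply comes back on the next page
// (and again after the user flushes cookies).
function applyChoice(choice, deferredScripts) {
  if (choice === 'accept') {
    return {
      setCookie: `${CONSENT_COOKIE}=granted; Max-Age=${365 * 24 * 3600}; Path=/; SameSite=Lax`,
      loadScripts: deferredScripts,
    };
  }
  return { setCookie: null, loadScripts: [] };
}

// Browser wiring (skipped under Node). Third-party tags are shipped as
// <script type="text/plain" data-consent="non-essential" src="..."> so the
// browser never executes them; after "accept" they are swapped for real tags.
function activateDeferredScripts(doc) {
  const deferred = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  for (const old of deferred) {
    const s = doc.createElement('script');
    if (old.src) s.src = old.src; else s.textContent = old.textContent;
    old.parentNode.replaceChild(s, old);
  }
  return deferred.length;
}

if (typeof document !== 'undefined') {
  if (hasConsent(parseCookieHeader(document.cookie))) {
    activateDeferredScripts(document);
  } else {
    // Assumed banner button id; a "refuse" button needs no handler at all.
    const accept = document.getElementById('cookie-accept');
    if (accept) accept.addEventListener('click', () => {
      document.cookie = applyChoice('accept', []).setCookie;
      activateDeferredScripts(document);
    });
  }
}
```

Note that the gate only works if non-essential tags really are shipped inert (`type="text/plain"`): a Google Analytics or Disqus snippet that is already in the page as a normal `<script>` has set its cookies long before the banner is answered, and `auditCookies()` will show that.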


You could get reported, or the Commissioner may pursue the matter on their own initiative

Trivial to prove

Fines: up to €20k for medium and large enterprises

€200 to €1000 for small enterprises or sole proprietors (s.p.)

€100 to €500 for the person responsible

Long-term solutions

General Data Protection Regulation, replacing the current (old) EU Data Protection Directive

To add support for social media and cloud

Adoption in 2014, enforcement in 2015/16

One-stop shop / single jurisdiction. Move your company to Ireland and all EU privacy affairs are handled by their “business-friendly” ...

Lobbying money doing its work

Remove all bullshit extensions by 15 June

Switch to your own analytics service

Get permission for ad cookies for now, and hold out until the new Regulation kicks in

Be doubly sure you do this if you work for the Government, a Government contractor or otherwise accept public money