The EU cookie law is the popular name for the ePrivacy Directive working alongside the GDPR. It requires websites to get a visitor's prior, opt-in consent before setting non-essential cookies or trackers. The rule applies to any site with EU or EEA visitors, regardless of where the business itself is based.
Strictly necessary cookies, such as those running a shopping cart or a login session, are exempt and need no consent. A 2025 to 2026 reform proposal could change how banners work. It is not yet law, so the opt-in rule still applies to every site today.
What Is the EU Cookie Law?
"EU cookie law" is the common name for the ePrivacy Directive, which requires informed, prior consent before a website sets non-essential cookies. It usually works alongside the GDPR, and the directive is the part that actually mandates the cookie banner you see on most European sites.
The name stuck because of what the law caused. It is not a law literally titled "the cookie law." The ePrivacy Directive was passed in 2002 and amended in 2009. It earned the nickname because of its most notable effect: the worldwide spread of cookie consent pop-ups after the 2009 amendment took effect. Before that amendment, EU rules on cookies allowed a lighter, opt-out approach. The 2009 change flipped cookies to today's opt-in model. Sites must ask first, not just offer a way to say no later.
For the directive's full legislative history, articles, and mechanics, see the ePrivacy Directive.
Which Laws Make Up the "EU Cookie Law"? (ePrivacy Directive + GDPR)
The "EU cookie law" is really two instruments working together, not one statute. Each does a different job.
| Instrument | What it governs |
|---|---|
| ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) | Requires prior consent before storing or accessing information on a visitor's device, including cookies |
| GDPR (Regulation (EU) 2016/679) | Sets the legal standard for what counts as valid consent, and governs how any personal data collected is processed and stored |
The ePrivacy Directive mandates the consent rule for cookies. The GDPR establishes the rules for how that personal data must be handled, stored, and processed once collected. The 2009 amendment, Directive 2009/136/EC, is the specific change that introduced prior consent for cookies. Before 2009, EU rules permitted a lighter opt-out approach; after it, sites had to ask first.
The GDPR itself barely mentions cookies. It refers to them once, in Recital 30, which notes that cookie identifiers can be combined with other data to identify a person. That combination can qualify as personal data in certain circumstances. The detailed cookie rule comes from the ePrivacy Directive, not the GDPR's main text.
For the GDPR's full scope beyond cookies, see the GDPR. Both instruments sit within the wider family of EU and global privacy laws that govern how businesses handle personal data.
When Does the EU Cookie Law Apply, and to Whom?
The EU cookie law applies to any website or app that sets non-essential cookies on a visitor's device in the EU or EEA. This holds regardless of where the business itself is based.
Two points matter for anyone asking whether this affects them:
- Extraterritorial reach. A US or otherwise non-EU site with EU or EEA visitors is in scope. The law triggers on the visitor's location, not the company's headquarters.
- No small-business exemption. The rule triggers on the cookies and trackers a site sets, not on company size or revenue. A solo blogger running Google Analytics without consent is technically in the same position as a large enterprise doing the same thing.
What Does the EU Cookie Law Require? (Valid Consent)
To use non-essential cookies, a site must get the visitor's valid consent first. Valid consent under the EU cookie law has six specific components:
- Prior consent. Non-essential cookies cannot activate until the visitor explicitly agrees. Loading trackers before a response, then asking after the fact, does not satisfy the rule.
- Opt-in only. Pre-ticked boxes, implied consent, and scroll-to-consent are not valid. The visitor must take a clear, affirmative action.
- Granular control. Visitors must be able to accept or reject categories separately, such as analytics versus marketing, rather than facing a single all-or-nothing choice.
- Equal options. Rejecting cookies must be as easy and visually accessible as accepting them.
- Easy withdrawal. Changing or withdrawing consent must be just as easy as giving it in the first place.
- Clear information. Visitors need plain-language information about what each cookie does and why, before they consent.
A site must also document and store the consent it receives. It must still let visitors use the core service even if they refuse non-essential cookies. For the full compliance checklist and banner requirements, see GDPR cookie consent requirements.
Which Cookies Are Exempt? (The "Strictly Necessary" Rule)
Cookies that are strictly necessary to deliver a service the visitor actually requested do not need consent. Everything else does.
Common examples of strictly necessary cookies:
- Cookies that remember shopping-cart items so an order persists across pages or after a visitor logs back in
- Session cookies that keep a logged-in area secure, such as an online banking session
- Load-balancing cookies that distribute traffic across servers so a page loads reliably
Analytics and advertising cookies are not strictly necessary, even when a business considers them important to running its site. A cookie only qualifies for the exemption if it is essential to fulfil the visitor's specific request, not merely convenient or useful to the business. Google Analytics, ad-tech pixels, and most third-party tracking scripts fall outside this exemption and require consent like any other non-essential cookie.
How Is the EU Cookie Law Enforced (and What Are the Penalties)?
The EU cookie law is enforced at the national level by each EU country's Data Protection Authority, not by a single central EU regulator. That is because the ePrivacy Directive is a directive, not a regulation. It gets transposed into each member state's own national law, and each country's authority enforces its own version.
Penalties connect to two layers. Breaches of the consent rule itself draw fines under each country's national ePrivacy-style law. Personal data handling is separately governed by the GDPR, so GDPR-level fines can also apply to related data-processing failures. Those fines can reach EUR 20 million or 4% of a company's global annual turnover, whichever is higher, under GDPR Article 83(5). National authorities have used this framework against real companies. France's CNIL fined Amazon Europe EUR 35 million in December 2020 for setting advertising cookies without valid consent.
How Is the Law Different in Each EU Country (and the UK)?
Because the ePrivacy Directive is a directive, each country writes its own national law to implement it. The exact wording, fine levels, and regulator differ by country as a result. The UK implements the rule through PECR (the Privacy and Electronic Communications Regulations), enforced by the ICO. Other EU member states have their own transpositions and DPAs, such as France's CNIL. The underlying consent standard stays consistent across countries, since it traces back to the same directive and the GDPR. The specific national rules and enforcement posture still vary. For the UK-specific rules, see PECR.
Is the EU Cookie Law Changing? (The 2026 Reform)
Yes, reform is on the table, but it is currently a proposal, not law. The current opt-in consent rule still applies to every site today.
Reform has been attempted before. A separate ePrivacy Regulation was first proposed in 2017 to replace the ePrivacy Directive with a single, directly applicable EU rule. It stalled for years and was withdrawn in 2025 without ever being adopted. The current effort takes a different route.
The European Commission published its "Digital Omnibus" proposal in November 2025, aiming to simplify cookie rules and reduce banner fatigue. The proposal would fold cookie consent into the GDPR itself rather than leaving it in the ePrivacy Directive. A new Article 88a would set out narrow purposes where cookies can be stored without consent. These are communication transmission, a service the visitor explicitly requested, or a controller's own aggregated audience statistics. A new Article 88b would require websites to support consent and refusal through automated, machine-readable means. That includes browser-level signals, instead of a banner on every site.
Two things are true at once, and both matter. First, this would shift where the rule lives, from the ePrivacy Directive into the GDPR, and could eventually reduce how often visitors see a banner. Second, nothing has changed yet. The proposal is still moving through the EU legislative process, with regulators and industry groups still negotiating its scope as of mid-2026. Until it is adopted and takes effect, the current opt-in consent rule stands. A site cannot simply stop showing a banner in anticipation of the change.
How Is the EU Cookie Law Different from the GDPR?
The EU cookie law and the GDPR overlap but are not the same thing. The clearest distinction is what each one actually requires.
| Aspect | EU Cookie Law (ePrivacy Directive) | GDPR |
|---|---|---|
| Legal instrument | Directive, transposed into national law | Regulation, directly applicable EU-wide |
| What it governs | Storing or accessing information on a visitor's device, including cookies | Processing of personal data generally |
| Consent role | Requires prior consent before setting non-essential cookies | Defines what counts as valid consent (freely given, specific, informed, unambiguous) |
In short, the ePrivacy Directive requires the consent, and the GDPR defines what a valid consent looks like and governs the data afterward. A cookie that qualifies as personal data is subject to both instruments at once.
What the EU Cookie Law Means for Your Website
In practice, complying with the EU cookie law means six concrete actions on your site.
- Scan your site to find every cookie and tracker actually running on it
- Block non-essential cookies and scripts until the visitor consents
- Show a clear consent banner with an accept option and an equally easy reject option
- Offer a preference center so visitors can choose by category instead of all-or-nothing
- Publish a cookie policy describing what you use and why
- Keep a record of each visitor's consent choice
Cookie banners have a real reputation problem, and banner fatigue is a documented complaint behind the reform effort covered above. But until that reform is adopted, the compliant path is still the scan-block-consent sequence above, not skipping the banner. The same discipline that satisfies the EU cookie law is what it takes to achieve GDPR compliance more broadly.
How Consently Helps You Meet EU Cookie Consent Requirements
Consently handles the consent side of the EU cookie law for you. It shows EU and EEA visitors a GDPR opt-in consent banner with accept, reject, and manage-by-category options. The law requires consent before non-essential cookies load. Consently automatically scans your site for cookies and trackers, then blocks non-essential cookies, scripts, and iframes until the visitor consents.
Two features map directly to what the law expects. A preference center gives visitors the granular, per-category consent the ePrivacy Directive and GDPR both call for. A visitor can accept analytics but reject marketing, for example. Consent logs with export give you the documentation and audit trail regulators expect a compliant site to keep. A cookie policy generator is also available for the disclosure the law requires. For sites running ads or analytics, Consently signals consent through Google Consent Mode v2 and IAB TCF 2.3. Those trackers only fire once the visitor agrees.
Consently supports explicit, opt-in consent only, which is exactly what the EU cookie law calls for. It does not detect browser-level universal opt-out signals. It also does not make legal compliance decisions for you. The platform runs the consent and disclosure mechanics the law requires, but legal compliance for your specific business stays your responsibility.
Consently's GDPR cookie consent solution covers the banner, scanning, and blocking described above. Try Consently free with a 14-day trial, no credit card required.
FAQs
What is the EU cookie law in simple terms?
The EU cookie law is the popular name for the ePrivacy Directive working with the GDPR. Together they require websites to get a visitor's opt-in consent before using non-essential cookies. It applies to any site with EU or EEA visitors, not just EU-based businesses.
Is cookie consent mandatory in the EU?
Yes, for non-essential cookies such as analytics and advertising trackers. Strictly necessary cookies, like those securing a shopping cart or a login session, are exempt from the consent requirement.
Do I need consent for all cookies?
No. Only non-essential cookies, including analytics, advertising, and most tracking cookies, need consent. Strictly necessary cookies that a visitor's request depends on, such as a shopping cart, do not.
Does the EU cookie law apply to websites outside the EU?
Yes. The rule applies based on where the visitor is located, not where the business is based. A site outside the EU with EU or EEA visitors is still in scope.
Can a visitor refuse cookies?
Yes. Rejecting cookies must be as easy and visually accessible as accepting them. The site must still function for essential features after a visitor refuses non-essential cookies.
What are the penalties for breaking the EU cookie law?
Enforcement runs through each country's national Data Protection Authority under its own ePrivacy-style law, and GDPR-level fines can also apply to related data-processing failures. Those fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher, under GDPR Article 83(5).
Is the EU cookie law the same as GDPR?
No. The ePrivacy Directive requires consent before setting cookies. The GDPR defines what a valid consent looks like and governs how any personal data collected is processed afterward.
Is the EU getting rid of cookie banners?
Not yet. A 2025 to 2026 reform proposal, the Digital Omnibus, would move cookie consent into the GDPR and support browser-level consent signals. It is still a proposal moving through the EU legislative process, so the current opt-in consent rule still applies today.

