Updated: How much has the cookie crumbled across the EU?

Intellectual Property Update

In December 2011, DLA Piper published a summary of the way in which the law relating to cookies had been implemented across EU Member States.

Since 5 December 2011, there have been updates in respect of: Bulgaria, Czech Republic, Lithuania, the Netherlands, Sweden and the United Kingdom, details of which are set out and can be viewed in the updated table.

For example, on 13 December 2011, the UK's Information Commissioner (ICO) published an updated cookie compliance guidance note which: 

  • sets out examples of compliance measures to adopt
  • provides businesses with clarification over concepts such as third-party cookies and sites which use analytic-only cookies, and
  • includes a section on frequently asked questions.

View the ICO's guidance


The amended E-Privacy Directive [1], which was to be implemented by all EU member states by 25 May 2011, requires the user to consent to the use of cookies.

View the 2009 E-Privacy Directive

Please refer to Article 2(5) (at page 30), which amends Article 5(3) of Directive 2002/58/EC.

Article 5(3) of the E-Privacy Directive provides that 'the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with the Data Protection Directive [2] about the purposes of the processing.' [3]

This change requires that consent to the use of cookies must be 'opt-in' (rather than 'opt-out'). However, there has been some uncertainty as to how the measures would be implemented into national law by the different EU member states and whether the law would, in practice, require additional measures to be taken to ensure the lawful use of cookies.

View the table which illustrates how Article 5(3) of the E-Privacy Directive has been implemented into the law of the applicable EU member state, together with a summary of the current position regarding the implementation of the E-Privacy Directive generally

What should businesses do?

Businesses are advised to start assessing their cookie use now and developing their IT systems to make sure that they can properly comply. In essence, the more the use of a cookie relates to the personal information of a user, the more robust the procedures to obtain consent will have to be.

DLA Piper's EU Information Law team have developed a robust methodology to assist organisations through the complex rules relating to compliance with cookies and can assist organisations by undertaking a cookies audit, suggesting compliance options and assisting in the implementation of the most effective option.

[1] As amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC, Directive 2002/58/EC (concerning the processing of personal data and the protection of privacy in the electronic communications sector) and Regulation (EC) No 2006/2004.
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[3] Article 2(5) of Directive 2009/136/EC.