Like the EU, many EU country data protection regulators don’t show cookie notices either

(Post by Patrick Lee, 28 August 2018).

Further to my previous article on the EU and cookies, here is a link to a short video “The EU website has no cookies notice”.

This can be viewed as a curiosity if the EU updates its website to include cookie notices, so that it is in line with what many (most) businesses have felt they have had to do. And some – but by no means all – country data protection regulators.

So, what ARE the country data protection regulators doing about cookies? has a list of data protection regulators.

This is by no means an exhaustive survey, but from the ones that I have looked at so far:

Regulators with cookie notices on their sites

If you haven’t yet added cookie notices, you seem to be in good company (the EU …)

GDPR and cookies: I was looking for best practice

(Post by Patrick Lee, 26 August 2018).

I was trying to answer questions from an acquaintance about cookie notices, and I went looking for examples of best practice. So I visited both the UK Information Commissioner’s Office ( ICO) and the European Union (EU)’s websites. This is what I found.

The EU’s General Data Protection Regulations (GDPR) came into force across the whole of the EU just over 3 months ago, on 25 May 2018. As a result, many of you will have seen (and indeed before May) prominent cookie notices asking you to give explicit consent when visiting websites.

The ICO’s website: looks pretty good

This cookie notice is what you see, and very prominently when you visit the UK Information Commissioner’s (ICO) website for the first time (or after clearing cookies):


The reason for this is that cookies can be used to record personal information. Under GDPR, (and this is from the ICO’s own guidance – the bold emphasis is mine):

Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.

In other words, the ICO is implying that users need to knowingly perform an action to give consent to cookies. And that is precisely what the ICO’s own website does via its prominent cookie control notice.

To me (and I should make clear that I am not a lawyer) the ICO website does indeed appear to be very much in line with the letter and spirit of the GDPR.

The EU’s website: a very different story

What about the EU’s website, Remember that I visited in the expectation of seeing an example of good, or perhaps best practice.

At present, the EU’s website, doesn’t give visitors any notice or prominent indication that it is storing cookies on their device.

This is what you see the first time you go to (or if you have cleared cookies). Notice as well as the absence of any cookie notice, the “Not secure” warning from Google Chrome. This seems to be because, unlike the ICO, the EU website does not (initially at least) redirect users to the secure version of their website (

If you click on English as your desired language, you then see (notice that the site has now at least redirected me to its secure version):


There is no cookie notice, or prominent link to information about what cookies it stores and what their purpose is. You have to look in the top right or scroll right down to the bottom of the page to see links to Cookies and Privacy policy.

EU Cookies page says they “may” store cookies

The Cookies page says that they may use cookies (amongst other reasons) to record whether visitors have agreed (or not) to the use of cookies on their site.


Remember that the site says it *may* use cookies. What is it actually doing by this stage? If you are using Google Chrome, you can see which cookies a site is storing on your device by using Ctrl + Shift + I to bring up the developer tools. Then click on the Application tab from the top, and click and expand the Cookies link on the left and click on the name of the site you are visiting.

By this stage, I had decided to look at the site’s Privacy Policy page, and this is what came up:


So while the site’s Cookies page says that it “may” store cookies, or (at the top) “we sometimes place” (them) on your device, it has already stored 4 cookies. In fact it stored 2 cookies when I opened the home page, and the third, has_js, when I clicked on the link to use English as my desired language. The 4th, PIKIW_SESSID, appeared when I went to the Privacy Policy page.

The privacy policy page says that by default website visitors are tracked using cookies from Europa. Rather than (as recommended by the UK Information Commissioner’s Office guidance) asking for explicit consent (in other words, an explicit opt-in), notice that the EU has chosen to rely on an implicit opt-in, i.e. you have to untick the box to opt out:

By default, website visitors are tracked using the first-party persistent cookies from Europa. You may choose not to be tracked by Piwik (opt-out). If you change your mind, you can choose to be tracked again by Piwik (opt-in).

Notice again the PIWIK_SESSID cookie. That seems to be the tracking cookie that the EU is referring to.

Let’s try opting out

But what happens if you decide to opt out? Does the EU’s site do what it says it will do? When you first visit the Privacy Policy page, the Piwik cookie is stored on your pc. The privacy page says that you are opted-in to be tracked by Piwik, but that you can choose not to have a unique web analytics cookie stored on your device, presumably the Piwik cookie that has just been stored. So let’s try opting out by unticking the “you are currently opted in” checkbox.

The site now says that you have opted out, and has an extra cookie (piwik_ignore) to record that you have opted out:


The tracking cookie is still there …

But the PIWIK cookie (PIWIK_SESSID) cookie is still there!

Does it disappear when I go to another page on the site, e.g. the page on Personal Data Protection? No, the cookie is still there.

Perhaps it will go away if we close the browser completely and re-open it …

What if I close the browser completely and open it up again. Will the cookie have disappeared? Apparently not!


It’s not just Google Chrome: similar things happen if you open the site in a different browser, Microsoft Edge.


My conclusion? Again, I am not a lawyer, but I think it is not clear whether the EU website complies with the GDPR (its own regulations) at the moment:

  • there is no prominent cookie notice when you visit the site
  • you have to explicitly opt out of being tracked
  • even when you do opt out, contrary to what the site says, the same or very similar cookie that is used for tracking is still there.

(Article dated 26 August 2018). #GDPR, #EU #Cookies #Privacy