Try our conversational search powered by Generative AI!

Views: 18263
Number of votes: 2
Average rating:

Protecting your visitors’ privacy according to EU directive on cookies

In order to protect visitors’ privacy when visiting websites, EU countries have had reason to review their legislation regarding the usage of cookies. An EU directive states that site owners are responsible for informing visitors about which cookies are used and what they are used for. The website visitors must also approve the cookies to be used.

This means that website owners must inform and explicitly ask each first-time visitor if a cookie may be placed on the computer, mobile phone or other terminal equipment. It is not acceptable to solely rely on the visitors’ web browser cookie settings.

A worst-case scenario is that the website must seek the visitors’ approval for every cookie. Large websites with many cookies may have more than 30 pop-ups for the visitor to click in order to read the content on the site. Lack of awareness regarding the EU directive may lead to website visitors saying no, which will in turn affect the website negatively.

The directive is also unclear as to how visitors should be informed about cookies and approve them. Instead, this has been left up to the market to develop a solution to handle approval, as long as the requirement that visitors can approve cookies is met.

Exceptions from the approval requirements can be granted if a service is offered that technically cannot function without cookies. For example, if you have an online store with a shopping cart to keep track of what the customer wants to buy. If the customer upon registration approves the rules, there is no need for a new approval.

Intended to protect privacy

Cookies are not harmful to your computer and are used on many websites to facilitate visitors’ access to various functions such as “remembering” the choices made ​​by visitors on the site. For example, a nationwide site that “remembers” which county the visitor chose on the last visit.

The information in the cookies can be used to compile and analyze the information that a visitor leaves when surfing the web. Ad networks use such cookies to “track” how visitors browse, which websites and pages they visit  and how long they stay on the sites. Hackers may use cookies as a component of an attack, for example, phishing.

Today’s technology makes the law difficult to follow

It is common for websites to have information on the usage of cookies on the site, yet cookies will be sent to a visitor’s computer without notification. Very few of today’s browsers are designed for the so-called opt-in model, that is, the visitor must expressly give consent to sharing personal information. This is, however, now a requirement under the directive. The browsers are not sophisticated enough to distinguish between different types of cookies and visits no longer take place via conventional web browsers only, but perhaps via an app on a mobile device.

For website owners and managers, what is relevant is where their organization is active, not where the server is located. In some cases, there may be a question of limitations which can be determined from case to case. Check this with the Office of Data Protection in your country.

Solution for EPiServer websites

As a first step, the information texts below should be downloaded for usage when implementing a solution. You can put a statement like this on all pages (or pages with dynamic content and a form) for “new visitors” by using the personalization feature in EPiServer CMS. Refer to Creating Personalized Content section in the user documentation (web help), by using visitor groups based on the Number of Visits (less than 1) and Geographic Location (country) criteria. However, to use personalization for collecting the visitor's approval will require development.

You can also develop an ASP.NET solution to handle session states without cookies. Refer to the blog posts Cookieless Session State in ASP.NET without Nasty URLs and Going Cookieless with EPiServer CMS by Allan Træn.

Cookies used by EPiServer products

EPiServer CMS

EPiServer CMS uses the following cookies:

Cookie name



Session cookie sent to the web browser. Used when you open the browser and then go to a website that implements ASP.NET session state. This cookie is deleted when you close your browser.


Used if you are using the Number of Visits personalization criterion. This cookie will not be set if you remove it from all of your visitor groups.

.EPiServerLogin, EPiDPCKEY, .ASPXRoles

Only used if you log in to a website. This is not a major problem as long as you clearly state on the login page that cookies will be used if you log in.

EPiServer Commerce

EPiServer Commerce uses the following cookies:

Cookie name



Session cookie sent to the web browser. Holds the ID of the latest order created by the customer. This cookie is deleted when you close your browser.


Session cookie sent to the web browser. Holds the language code. This cookie is deleted when you close your browser.


Short facts

Cookies are files used by your browser on a website or third party, and can range from very small text files to large files for Flash Player. The reason for the new laws is an EU Directive on Privacy and Electronic Communications to increase the privacy of internet users. Sweden was chosen among the first countries to apply the new Electronic Communications Act July 1, 2011. Site owners have approximately one year to develop a solution that works for both the website and visitors.

Information texts and statements for download

The information to visitors should contain the following:

  • Information about the cookie. List the cookie names, domain/service where they are used, and how long they are stored on the computer. Also list cookies from third-party analytics tools used.
  • Purpose. What are the cookies used for, for example, storing web browser settings, statistics on banner clicks etc.
  • How the information is used. If IP addresses are stored for security reasons, for example, when the visitor signs up as a member, or buys anything in a web shop.
  • Alternative. If the visitor can use the services on the website without cookies being used. Specify what services that technically need to have cookies.

You can download the following samples of information texts and statements for usage on your website:


United Kingdom (In English)

Sweden (In Swedish)

  • Information by Post- and Telestyrelsen about cookies for site owners:
  • Information by Post- and Telestyrelsen about cookies for visitors: 
  • Example of website with approval of cookies: Svenska Regeringskansliet


Please login to comment.