Are cookie warnings still required under the EU cookie law?
As a European (Dutch) and a web builder:
Yes, this is still required (if you have tracking/3rd party cookies). But now the cookie storm is over, and the dust has settled, most sites only show a small banner "we use cookies" and stick to that. Unless you're in the big league, there's not much to worry about, with just that notification you're already doing better than most sites. I have yet to encounter an actual court case about this.
Dutch law requires opt-in, but that rarely happens. European law says opt-out should be possible, but most websites just tell the user they use cookies and keep it to that.
This applies to EVERY website targeting europeans, no matter where you host or where the company originates.
• This website has plenty of info about EU legislation on cookies
Might be nice to know, you no longer need to place the notification if you only use Google Analytics (you had to because GA uses a cookie to check for returning visitors) and cookies specific for the website. Because of this, most small common websites don't need a notification to the user.
The reason GA is allowed, is because they don't track you from site to site, only if you come back. This is considered acceptable because it is basic information which is useful for a webmaster and not privacy invasive for visitors. These cookies are available for the visited domain only and therefor seen as first party.
FYI, it's called cookie law, but this doesn't only apply to cookies. Session.storage and similar functionalities fall under the same rules. Everything that tracks users for the purpose of tracking users.
Unless you do some sort of tracking, most cookies are exempt from that law. From the "EU Internet Handbook":
Cookies clearly exempt from consent according to the EU advisory body on data protection include:
- user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
- authentication cookies, to identify the user once he has logged in, for the duration of a session
- user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
- load‑balancing cookies, for the duration of session
- user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
- third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.
This means you only have to show such an alert for tracking or third-party cookies.