The Latest EU Guides and Reports on Cookies
Website cookies and tracking technologies continue to be a trending topic in the EU due to local disparities with privacy and cookies regulations, and the long-awaited approval of an EU regulation national rules.
The Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (‘the ePrivacy Directive’), which currently serves as the cornerstone of national regulations and guides on web and mobile identification and tracking, was enacted in 2002 and, even after being updated in 2009, results in a blatant mismatch between day-to-day activities based on cookies and other identifiers and the regulation thereof.
Since activities concerning the analysis of users’ behaviors, creation of audiences based on webpage visitors for retargeting, or matching of said visitors on social media platforms are present across virtually any industry focused on offering products or services to end users, companies face the problem of having to adapt their practices concerning the usage of cookies according to local requirements.
Currently, seven data protection authorities have issued guides and reports on the usage of cookies in the wake of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’):
- French (‘CNIL’)
- Spanish (‘AEPD’)
- Greek (‘HDPA’)
- Danish (‘Datatilsynet’)
- German (Federal Data Protection Conference (‘DSK’))
- Irish (‘DPC’)
- British (‘ICO’)
The vast majority of said guides and reports aim at expanding the current regulation of cookies and other tracers which, in some cases, is reduced to one or two dedicated provisions locally.
Recommendations from EU Institutions and European Data Protection Authorities
In this blog post, we dive into recent guidelines on cookies and tracking technologies in countries all over Europe.
CJEU and National Data Protection Authorities
More recently, the implementation of cookies’ requirements has been addressed by the Court of Justice of the European Union (‘CJEU’) and national data protection authorities. Organizations can now access a wide range of practical recommendations in order to enable a compliant approach to cookies.
The CJEU established that a pre-filled cookie banner which the user must deselect to refuse consent is not considered lawful. In fact, valid consent to cookies requires an active and specific indication of the website visitor’s wishes. The judgment also states that the interpretation of the ePrivacy Directive does not have to change depending on whether the information stored or accessed through cookies constitutes personal data. The Planet49 case also confirms that the cookie notice must include information on both the lifespan of cookies and third parties’ access.
UK – ICO Guidance on Cookies
- Continuing to browse the website is not a valid way of expressing consent.
- Do not bundle consent into general terms and conditions or privacy notices. In fact, the request must be separate from other matters.
- Analytics cookies are not strictly necessary. Therefore, they require consent.
- Cookie walls are not allowed.
- ‘Nudging’ designs in the consent mechanism aimed at influencing the user’s choice are not allowed.
France – CNIL Guidance on Cookies and Online Trackers
- Continued browsing, pre-filled banners, cookie walls, and general terms and conditions are not valid ways of obtaining consent.
- Audience measurement and other not overly intrusive analytics cookies may be regarded as strictly necessary and thus can be exempted from the collection of consent.
- Third parties using cookies may be fully and independently responsible for the cookies they use, which means that they shall directly obtain users’ consent.
- Audience measurement cookies must be retained for a maximum period of 13 months, while other cookies must be retained for a maximum period of 25 months.
- CNIL provides for a grace period of 6 months from the publication of other practical recommendations on how to obtain consent. These recommendations are expected in the first quarter of 2020.
Germany – DSK Guidance on Telemedia Providers
- Consent is not the only legal basis for cookies. The performance of a contract or the legitimate interest of the data controller or a third party are further possible legal bases for setting cookies.
- Cookie banners merely providing an ‘OK’ button, with no option to refuse the setting of cookies, are not considered lawful.
- The lifespan of cookies is not specified under German law. However, the DSK recommends a short lifespan.
- Analytic cookies are usually strictly necessary and do not require consent.
- Cookie walls are not allowed.
- A user navigating a website in order to manage his/her cookie preferences is not providing valid consent.
- Continuing to browse the website may be a valid way of expressing consent. Examples of continued browsing activities are:
  - using a scroll bar, when information on cookies is visible without the use of a cookie banner.
  - clicking on certain content links within the website.
  - swiping the screen to access the content of the website.
- Cookie walls may be allowed, if appropriate information on the same is provided to the user.
- Analytic cookies require consent.
- The AEPD considers a validity period of no longer than 24 months for a user’s consent to be good practice.
- The website provider may collect consent for services offered in different domains through a single website, if the services present similar characteristics.
Ireland – DPC Guidance Note on Cookies and Other Tracking Technologies
- Devices using cookies may also include Internet of Things devices connected to the internet.
- Both first-party and third-party analytic cookies require consent.
- Continuing to browse the website, either through clicking, using, or scrolling, is not a valid way to obtain consent.
- When the website publisher uses a third-party Consent Management Provider (CMP), the following apply:
  - the tool or software must not contain pre-checked boxes for the use of cookies.
  - when the CMP tool keeps a record of users’ consent, the publisher must also keep a record of that consent under Article 30 of the GDPR.
  - the collected consent is valid for no longer than 6 months, and it must be re-collected afterwards.
- The interface of the cookie banner cannot ‘nudge’ the user into accepting cookies over rejecting them. At the same time, accessibility must be considered when designing interfaces.
- The DPC provides for a grace period of 6 months from the publication of the guidance note, after which enforcement will commence.
How CookiePro Helps
CookiePro is constantly monitoring new global guides and best practices, and will continue to keep you updated on the latest news.
- Scan your website to identify and categorize cookies and tracking technologies on your website
- Automatically generate a detailed list of cookies, categories, and descriptions in a dynamic Cookie List based on your latest website scan
- Tailor your consent banner to match your company’s brand including display, color, content, and language
- Customize your consent approach from notice only, opt-out, implied, opt-in or customize your own
- Build a centrally located, historical consent database to demonstrate compliance to regulators and auditors
- Once the disclosure is embedded on your website, you can easily update the content from the CookiePro interface at any time.