The legal requirements for the use of cookies have been subject to discussion over the last few years, with little to no enforcement and guidance from European data protection authorities (DPAs). That has changed recently.
In the last few months, there have been interesting developments concerning the use of cookies. Upon investigating 175 websites, the Dutch DPA concluded that half of those websites did not comply with cookie requirements. The Bavarian DPA (Germany) initiated a similar investigation and the Spanish DPA (AEPD) has issued two fines for not complying with cookie requirements. In addition to these investigations and fines, various DPAs have published guidelines with very different interpretations. Cookie compliance seems to have become a high priority for DPAs.
We recently published Getting Cookie Consent Right, describing how various approaches to cookie consent fare against the European Court of Justice’s (CJEU) Planet49 decision. In this blog post, we further help navigate through the EU cookie landscape by focusing on how European DPAs are approaching cookie consent and transparency in light of the Planet49 decision.
Users should provide consent for the use of cookies that require the processing of personal data. There seems to be a longstanding consensus that consent is not required for functional cookies (necessary for making a website work) but is required for tracking cookies (following and targeting users). However, recent publications show that DPAs have differing views on whether, and if so under what circumstances, consent is required for analytical cookies (measuring the use of a website).
The French (CNIL) and Dutch DPAs have published lists of requirements that should be met when using analytical cookies without user consent. The bottom line of these lists is that no personal data should be shared when using analytical cookies, which would require companies to (for example) deactivate cookies collecting ‘UserID’ for ‘advertising purposes’. Furthermore, the German DPAs (DSK) indicated that consent is not required for analytical cookies when no personal data is being processed (without giving further guidance in the form of a list of requirements).
Contrary to that approach, the AEPD, the UK Information Commissioner’s Office (ICO), and the Belgian DPA have indicated that consent is required for analytical cookies – without any exceptions. The ICO, however, indicated that although consent is required, analytical (first-party) cookies qualify as low-risk cookies and, therefore, enforcement seems to be unlikely.
The implication of these differing approaches among European DPAs is that using analytical cookies throughout the European Union (via a website that is directed to data subjects in all Member States) without user consent is not without risk.
In its recent Planet49 decision, the CJEU eliminated any possible discussion on soft opt-in (opt-in obtained without the data subject’s affirmative action). A pre-ticked box for consent is not sufficient.
But, following the Planet49 decision, European DPAs are still debating what type of action may constitute an “affirmative action”. On the one hand, the Italian DPA (Garante) and AEPD have indicated that scrolling through a website or clicking on any link could qualify as an affirmative action. The Belgian DPA, CNIL, ICO, German DPAs, and Dutch DPA do not seem to agree with the Garante and AEPD. They have indicated that consent should be obtained by having the user click on a button or link which refers to cookie consent.
Furthermore, the German and Dutch DPAs have indicated that users should be provided with the choice to either ‘Accept’ or ‘Decline’ the cookies (or close the banner without accepting the cookies). It would not be sufficient to only give the user the option to ‘Accept’ cookies in a cookie banner. Although AEPD and Garante have indicated that this would not be strictly required, providing website users with a choice to either accept or decline cookies by clicking on a ‘cookie button’ seems to be the most suitable option for requesting cookie consent.
Although there seems to be a consensus on whether cookie walls (website browsing only possible after accepting cookies) are permitted, the ICO has left some room for using a cookie wall. While discussing the use of cookie walls on its website, the ICO stated that the right of data protection is not absolute and should be balanced against (for example) the freedom to conduct business. However, other DPAs (including the CNIL and the Dutch DPA) have quite clearly stated that the use of cookie walls is not permitted.
With the Planet49 decision, it has become clear that website users should be informed on – at least – the purpose, retention period (i.e., cookie operation), types of cookies used and third parties that place cookies.
The ICO and Dutch DPA have indicated that information on the types of cookies used and purposes should be included on the first page that the website users visit (i.e., in the cookie banner). Then, in a second layer, more information on the use of cookies should be provided.
Other European DPAs have not been this specific about the cookie information that should be included in notices. However, based on the Planet49 decision it is likely that website users should be able to access more granular information about a website’s cookie use by clicking only one link (i.e., second layer information). Therefore, including (concise) cookie information in a cookie banner and including a link to the more granular cookie statement seems to be good practice.
Based on the DPAs’ publications referred to in this blog post, a pan-European cookie strategy requires website operators to consider (at least) the following:
Authored by Joke Bodewits and Wout Olieslagers