As European Regulators Take Use of Cookies More Seriously, Here Are the Basics for Compliance

This week the European Data Protection Board (EDPB), a body that represents European data protection authorities, set up a new cookie banner taskforce. The new taskforce will coordinate the response to over 400 complaints concerning cookie banners filed by a nonprofit organization founded by Max Schrems, None of Your Business (NOYB).

Previously considered by many to be a lower priority issue in terms of regulator enforcement, the use of cookies and other online tracking technologies is becoming more and more of a hot topic for European data protection authorities. Many have issued guidance in recent months, and we are beginning to see increased fines in this area. The French and Spanish data protection authorities have fined many household names for non-compliance with cookie rules recently, for example.

Given the increased focus on this issue, it is time for organizations to take another look at their compliance with European cookie rules which apply to websites directed at the EU and UK, regardless of whether the website publisher is based in a third country (such as the U.S.).

Here are the basic rules for cookie compliance:

  • Cookies and other tracking technologies (such as clear gifs, web beacons, etc.) must not be placed on a user’s device without their prior consent, unless they are strictly necessary to provide the service.
  • Examples of “strictly necessary” cookies include cookies used to remember preferences, such as language or goods placed in an online basket, session cookies used for security, load-balancing cookies, etc. Analytics cookies (whether first party or third party) are not considered “strictly necessary.”
  • Consent must be “opt-in”—no pre-ticked boxes.
  • Consent cannot be inferred from a user’s continued use of a website after having seen a cookie banner.
  • Consent must be granular, e.g., allowing a user to accept analytics cookies, but not advertising cookies.
  • Users must be able to control all cookies dropped on a website, including third-party cookies (e.g., Google Analytics).
  • Users must be able to withdraw consent as easily as they gave it, meaning users must be able to update their cookie preferences.
  • For consent to be “informed” (a key requirement of the GDPR), website owners must publish a list of their cookies and similar technologies, why they are used and how long they will stay on a user’s device. This information is generally contained in a cookie policy.
  • Requiring a user to accept cookies in order to be able to access a website, as opposed to giving them a free choice to accept or refuse cookies, is unlikely to be compliant with EU/UK law.

A key point to remember is that EU/UK laws around prior consent for tracking technologies apply not only to cookies served by websites and mobile apps, but also to any technologies that access information stored on a connected device to track user behavior. For example, prior informed consent would be required to monitor driving habits in a connected car, an individual’s use of a connected fridge, or viewing habits from a smart TV, where such monitoring is not “strictly necessary” for providing a service requested by the individual.
