This week the European Data Protection Board (EDPB), a body that represents European data protection authorities, set up a new cookie banner taskforce. The new taskforce will coordinate the response to over 400 complaints concerning cookie banners filed by a nonprofit organization founded by Max Schrems, None of Your Business (NOYB).
Given the increased focus on this issue, it is time for organizations to take another look at their compliance with European cookie rules, which apply to websites directed at the EU and UK regardless of whether the website publisher is based in a third country (such as the U.S.).
Here are the basic rules for cookie compliance:
- Cookies and other tracking technologies (such as clear gifs, web beacons, etc.) must not be placed on a user’s device without their prior consent, unless they are strictly necessary to provide the service.
- Examples of “strictly necessary” cookies include cookies used to remember preferences, such as language or goods placed in an online basket, session cookies used for security, load-balancing cookies, etc. Analytics cookies (whether first party or third party) are not considered “strictly necessary.”
- Consent must be “opt-in”—no pre-ticked boxes.
- Consent cannot be inferred from a user’s continued use of a website after having seen a cookie banner.
- Consent must be granular, e.g., allowing a user to accept analytics cookies, but not advertising cookies.
- Users must be able to control all cookies dropped on a website, including third-party cookies (e.g., Google Analytics).
- Users must be able to withdraw consent as easily as they gave it, meaning users must be able to update their cookie preferences.
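The rules above translate directly into how a site's tag loading should be gated. The following is an added example, not code from the original post or from any consent-management product: a small consent model in which nothing beyond the "strictly necessary" category is enabled by default, only an explicit choice records a decision (so scrolling or continued browsing never counts), categories are granular, withdrawal is a single call, and an audit helper lists cookies already present that the current consent does not permit. The category names, the tag registry and the sample cookie jar are constructed for illustration.

```javascript
// Added example (not from the original post): a minimal consent model that
// enforces the cookie rules listed above. Category names, the tag registry
// and the sample cookie jar are assumptions made for this illustration.

const CATEGORIES = ["necessary", "analytics", "advertising"];

// Opt-in default: only strictly necessary processing is enabled and no
// decision has been recorded yet (the equivalent of "no pre-ticked boxes").
function defaultConsent() {
  return { decided: false, necessary: true, analytics: false, advertising: false };
}

// Record an explicit user choice. Only this call flips `decided`; page views,
// scrolling or navigation never call it, so continued use is not consent.
// Unknown categories are ignored and "necessary" cannot be switched off.
function applyChoice(state, choice) {
  const next = { ...state, decided: true };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (Object.prototype.hasOwnProperty.call(choice, cat)) {
      next[cat] = choice[cat] === true; // anything but a literal true is a refusal
    }
  }
  return next;
}

// Withdrawal must be as easy as giving consent: one call, per category or,
// with no list supplied, for every non-essential category at once.
function withdrawConsent(state, categories = CATEGORIES) {
  const next = { ...state, decided: true };
  for (const cat of categories) {
    if (cat !== "necessary" && CATEGORIES.includes(cat)) next[cat] = false;
  }
  return next;
}

// A category is allowed only when it is strictly necessary or the user has
// explicitly opted in to it.
function isAllowed(state, category) {
  if (category === "necessary") return true;
  return state.decided === true && state[category] === true;
}

// Constructed registry of tags; each declares the category it belongs to.
// A third-party analytics tag is gated exactly like a first-party one.
const TAG_REGISTRY = [
  { name: "session-keepalive", category: "necessary", src: "/js/session.js" },
  { name: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads", category: "advertising", src: "https://ads.example/pixel.js" },
];

// Which tags the page may load under the current consent state.
function scriptsToLoad(state, registry) {
  return registry.filter((tag) => isAllowed(state, tag.category));
}

// Audit helper: given the cookies actually present (name plus the category
// of the tag that set them), list those the current consent does not permit.
function auditCookies(state, cookieJar) {
  return cookieJar.filter((c) => !isAllowed(state, c.category)).map((c) => c.name);
}

// Constructed sample jar: a first page load on a site that drops its
// analytics cookie before the banner has been answered.
const SAMPLE_COOKIE_JAR = [
  { name: "sid", category: "necessary" },
  { name: "_ga", category: "analytics" },
];

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fresh = defaultConsent();
  console.log("tags allowed before any decision:", scriptsToLoad(fresh, TAG_REGISTRY).map((t) => t.name));
  console.log("cookies set without permission:", auditCookies(fresh, SAMPLE_COOKIE_JAR));
  const partial = applyChoice(fresh, { analytics: true });
  console.log("after opting in to analytics only:", scriptsToLoad(partial, TAG_REGISTRY).map((t) => t.name));
}
```

In a real deployment the `decided` flag and the per-category values would be persisted (typically in a first-party cookie or local storage that is itself strictly necessary), the tag loader would call `scriptsToLoad` before injecting any script element, and `auditCookies` is the kind of check a compliance or security review would run against `document.cookie` on a fresh session to catch tags that fire ahead of the banner.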
A key point to remember is that EU/UK laws around prior consent for tracking technologies apply not only to cookies served by websites and mobile apps, but also to any technology that accesses information stored on a connected device to track user behavior. For example, prior informed consent would be required to monitor driving habits in a connected car, an individual’s use of a connected fridge, or viewing habits from a smart TV, where such monitoring is not “strictly necessary” for providing a service requested by the individual.