Since the GDPR entered into force, hardly any other issue has been discussed so much and so diversely as the requirements relating to the use of cookies and similar technologies. Several EU data protection authorities published opinions and guidelines in this regard and even the CJEU has already dealt with the topic in one of its judgements. Nevertheless, no uniform line has yet been established with regard to the requirements. Although many of the supervisory authorities advocate that the use of cookies requires appropriate information to the user and – with a few exceptions – consent, and therefore recommend the use of a cookie banner, the requirements for such a cookie banner differ. This becomes particularly relevant for data controller operating websites accessible from different member states. To avoid administrative orders or even fines it is crucial to properly assess the varying requirements to be able to identify an adequate – possibly risk-based – approach.
Background
In the context of cookies and comparable technologies, legal requirements may not only derive from the GDPR or national data protection laws but additionally from the EU ePrivacy legislation. In addition to the question on whether the use of cookies and Adtech tools generally requires the user’s prior consent a follow-up question arises as to the criteria for such consent. In addition to the legal requirements as laid out in the GDPR, the CJEU provided some general guidance in its Planet 49 decision from October 2019. Despite these presumably clear specifications, the supervisory authorities’ interpretation of the requirements for consent varies. At the same time, fines and administrative orders in response to alleged GDPR violations when using cookies have increased over the last months. For example, the Spanish authorities imposed in October 2019 a fine of EUR 30.000 on the Spanish low-cost airline Vueling due to non-compliance with Cookie requirements stipulated under the pertinent Spanish law (case no. PS/00300/2019).
Requirements under the GDPR
The legal basis in Art. 6 para. 1 sentence 1 lit. a) GDPR does not stipulate any details for a consent declaration. According to Art. 4 No. 11 GDPR, consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The provision does not provide specifications on how to design a cookie banner but the controller is free to define the specific form of consent.
Article 29 Data Protection Working Party (Art.-29-Working Party)
In its Working Paper 259 (WP 259, Guidelines on consent under Regulation 2016/679), the Art.-29-Working Party stipulates that a variety of actions is feasible for lawful consent, including for example swiping a bar on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure-eight motion. The Art.-29-Working Party emphasizes that virtually any form of consent is possible, provided that it is sufficiently clear to the user that he/she is making a declaration through the corresponding action. It is therefore crucial that the respective action is sufficiently distinguishable from other actions of the user.
Guidelines and opinions by the EU data protection authorities
Several EU regulators provided guidelines on the use of cookies and comparable technologies providing differently detailed information on the design of a cookie banner. There is broad agreement that the cookie banner must contain information on the cookies used – directly in the banner or via corresponding links. However, the requirements of the authorities vary with regard to the concrete form in which the user may provide consent. The variance ranges from views that allow effectively any action to opinions that require that the user clicks on an individual button at the first level for each individual category of cookies. Furthermore, there are different views on whether legally compliant consent to the use of cookies requires a specific “decline” option.
Spain
The regulatory authority in Spain has rather less strict requirements for a cookie banner compared to the other EU authorities. Apart from a cookie banner that includes an explicit “Reject“ and “Accept” button, the Spanish regulator also recognizes lawful consent where the website operator only requires clicking on the website, provided that the user is sufficiently informed about the relevance of this action in the cookie banner. Source: Spain
Italy
The Italian authority provides FAQs on cookies on their website. Although it does not specify the requirements for a cookie banner but rather provides basic information, the information indicates that it is not necessary that the cookie banner contains a “Reject” button at the first level. The user must be offered the possibility to continue browsing without being tracked in any way, for example by closing the banner by clicking on an X feature to be inserted at the top right of the banner. Source: Italy
Liechtenstein
The supervisory authority in Liechtenstein only refers to the general conditions of Art. 6, 7 GDPR concerning consent requirements for cookies. It makes clear that consent can take various forms, including implied consent. This could lead to the conclusion that the authority does not impose too strict requirements on a cookie banner. In particular, it is not apparent from the information provided that the authority would, for example, require a specific “Reject” button or that clicking on the website would not be sufficient if respective information was provided. In this respect, it remains to be seen whether the authority will further specify its instructions in the future. Source: Liechtenstein
Netherlands
In its guidelines on the use of cookies, the authority of the Netherlands stipulates that a cookie wall is inadmissible and that pre-ticked boxes do not constitute consent in conformity with the law. However, the authority remains silent on the positive conditions for the design of a cookie banner. The lack of specific requirements may suggest that the authority is unlikely to impose any special requirements on consent for cookies and similar technologies, e.g. a “Reject” button on the first level of the cookie banner. It remains to be seen how the authority deals with cookie banners in practice. Source: The Netherlands
Austria
Austria has not yet provided specific guidelines for the requirements for the use of cookies and similar technologies. However, the cookie banner became indirectly part of a case decided by the authority in November 2018. The cookie banner in those proceedings allowed consent to be obtained by clicking on an “OK” button or by clicking on an area outside the banner. Although the authority did not specifically address the question of what a lawful cookie banner generally requires it explained that the design of the banner enabled the user to make a conscious decision and thus to give consent.
Ireland
Somewhat stricter conditions provide the guidelines of the Irish regulator. The supervisory authority explicitly stipulates that clicking outside the cookie banner on the website or scrolling does not constitute sufficient user consent but the user must have an actual choice. Here, however, the explanations suggest that it is also sufficient if the cookie banner contains an “Accept” button on the first level as well as a button through which the user can access further information. Nonetheless, although the authority considers the provision of a “Reject” button recommendable, it probably does not consider it a mandatory measure. Source: Ireland
Germany, UK, France, Greece
Much stricter requirements for the consent to the use of cookies can be found in the guidelines of the authorities in Germany, the UK, France and Greece. These authorities all require that when a website provider uses a cookie banner, the first level of the banner should not just provide a button that allows the user to accept the cookie. Rather, these authorities are of the opinion that the voluntary nature of consent requires that the banner also explicitly offers the option of rejecting cookies. The Greek regulator, for example, explicitly stipulates that the user must be able to accept or reject the use of cookies with the same number of clicks and at the same level. Source: Germany, UK, France, Greece
Belgium and Denmark
It appears that the Danish and Belgium supervisory authorities take the strictest approach among the EU regulators. They interpret the requirements even more narrowly than the regulators in Germany, the UK, France and Greece. According to the Danish guideline, voluntary consent is already lacking if a cookie banner only provides for a single accept option on the first level without differentiating between different cookie purposes, even if it is possible to select or deselect the different purposes on a second level. Similarly, the Belgium authority takes the position that if a website uses more than one type of cookie, the website provider shall obtain separate consent for each type of cookie already in the first layer of information. The second layer has to provide users with the possibility of making a granular choice per cookie. Source: Belgium and Denmark
Posted by Taylor Wessing via Lexology
