An international tour of cookies? Sounds delightful after this long year. We’re thinking: palmiers from France, Polish torunskie pierniki, Brazilian sequilhos, and kourabiedes from Greece. 

Wait, that’s from the baking blog, not the privacy one. 

But it’s important to talk about the other type of cookies from this perspective, too. While the EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive get lots of airtime, there are nuances that businesses need to consider when planning and implementing their cookie strategy.


Recently Google and Amazon were fined $163 million for their use of web cookies to track user activities without seeking proper consent. Read more about it here.

Key GDPR and ePrivacy Cookie Requirements

Before we jump into talking about cookies in the EU, here’s a quick refresher on general GDPR and ePrivacy cookie requirements. 

  • You have to tell your users about all the cookies on your website in plain language. This allows them to provide informed consent. (Or not.)  
  • You can’t drop cookies—except strictly necessary ones—until you’ve received user consent for each cookie. This consent must be clear and explicit.
  • You can’t withhold services—including website or application access—if they don’t consent to cookies. (FYI: This is often referred to as “freely given consent.”)
  • You’ve got to protect your users’ data. Do third parties have access to user data? It’s still your job to protect it. 

What Do You Need to Know About Cookie Consent?

Not surprisingly, countries in the EU have come up with varied interpretations of privacy. Each member state has its own data protection authority (DPA) that monitors privacy laws in their state. They provide guidance and interpretation for businesses and the general public. 

DPAs don’t always agree on many issues in privacy. Some are still finalizing initial guidance following GDPR’s implementation. Others have been proactive in implementing GDPR and then revising regulatory guidance. Naturally, cookies are a topic up for (repeated, heated) discussion. 

And why not? Cookies can be ambiguous. What does consent look like? Is it opt-in? Opt-out? What cookies need consent? What’s personal information? What about banners and cookie walls? What’s the meaning of life? 

Need a refresher on cookies? Check out our whitepaper here or read Do I Need a Cookie Consent Banner?

The list goes on. But that’s why we’re here—to help you understand the different perspectives on cookies within the EU. (We can’t help with the meaning of life, though. That’s outside of our scope.) Let’s take a look at where guidance is strongest: France, the UK, Germany, and Spain.

Cookie Consent by Country

GDPR and ePrivacy have done a great deal to bring privacy practices in line throughout Europe. Among France, the UK, Germany, and Spain, there are some big similarities. 

First off, cookie rules don’t apply just to cookies. Rather, they’re relevant to any technology storing or accessing information on a user’s device. (Notably, though, under German practice, it also has to involve processing personal data.)

Consent is viewed similarly, particularly when we’re looking at its definition. Consent—when required—must be specific, freely given, and unambiguous before cookies are deployed. However, there are some nuances when it comes to how it’s put into action in Spain. 

Consent, moreover, takes place on multiple levels. Global consent is broadly shared among the UK, France, and Spain, meaning that consent must cover each purpose for which the cookies are used. (Germany, an outlier, doesn’t comment on this.) 

Granular consent—the practice of getting consents for separate things—is also a point of general agreement, though each country takes a different approach to achieving it. While the UK doesn’t provide any guidance on the matter, France mandates a second layer allowing users to give consent to each cookie separately. Spain requires that a first layer link to granular consent tools for each category of cookie. Finally, the ability to give granular consent is a must for Germany, but they don’t dictate where it should be implemented.

One big issue in consent is third-party vendors—more commonly referred to as processors in GDPR. French, German, UK, and Spanish authorities all agree: organizations need to identify all processors who will rely on users’ consent. (France goes just a bit further and states that a list of third parties should be accessible and regularly updated.) 

But enough about the similarities. Time for a deeper dive into each country’s cookie policies.

France

France bases its cookie laws on the GDPR and ePrivacy Directive and on guidance from the Commission nationale de l’informatique et des libertés (CNIL). CNIL’s most recent guidance was issued in October 2020 and updated instructions around user consent, analytic cookies, and cookie walls. 

Lawful basis for processing and consent

When it comes to the lawful basis for processing, France limits it to either user consent or strict necessity for technical cookies. Consent must be given through positive action and it must be informed consent, meaning the data subjects have been given explicit and clear details about the purposes of the cookies. 

As per CNIL’s guidance, several actions don’t constitute consent:

  • Continuing to browse a website
  • Pre-checked boxes
  • Browser settings

Analytic cookies and consent

According to France, organizations don’t have to inform users and collect consent if analytic cookies are being used:

  • Solely to evaluate and measure a website or application’s audience
  • To test a new version of a website or application
  • Only to generate anonymous statistics

Cookie walls

According to CNIL’s latest guidance, the cookie wall as a tool isn’t GDPR compliant—consent is only valid if the user chooses to accept cookies without any significant inconvenience or negative consequences. Being denied access to a website would fall into that category. 

Consent retention and lifespan of cookies

As per CNIL-recommended best practices, cookie consent should ideally be valid for six months. Similarly, CNIL recommends that a cookie refusal should be retained for the same period of time. 

When it comes to the lifespan of cookies, it shouldn’t be longer than 13 months.
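The requirements listed at the top of the post and the CNIL figures in this section translate into a small consent gate. The code below is an added example (not from this post, CNIL, or any consent vendor); the purpose names, the record shape and the injectable clock are this example’s own assumptions.

```javascript
// Added example: a consent gate modelling the rules described above.
// Purpose names, the record shape and the nowS clock are assumptions.
const DAY_S = 24 * 60 * 60;
const CONSENT_VALID_S = 182 * DAY_S;        // ~6 months: how long an accept or refuse choice is remembered
const MAX_COOKIE_LIFETIME_S = 395 * DAY_S;  // 13 months, approximated here as 395 days

// Purposes declared to the user in plain language. Only "necessary" is exempt from consent.
const PURPOSES = ["necessary", "analytics", "advertising"];

// Build a consent record from a positive user action. Every non-necessary purpose
// must carry an explicit true or false; anything else is rejected, so a pre-checked
// box, a browser default or "continued browsing" can never be recorded as consent.
function recordConsent(choices, nowS = Math.floor(Date.now() / 1000)) {
  const record = { decidedAt: nowS, choices: {} };
  for (const p of PURPOSES) {
    if (p === "necessary") continue;
    if (typeof choices[p] !== "boolean") {
      throw new Error(`purpose "${p}" needs an explicit true/false, got ${choices[p]}`);
    }
    record.choices[p] = choices[p];
  }
  return record;
}

// A record older than six months is stale: the user must be asked again.
function isRecordCurrent(record, nowS = Math.floor(Date.now() / 1000)) {
  return !!record && nowS - record.decidedAt < CONSENT_VALID_S;
}

// True only for strictly necessary cookies or an explicit, unexpired opt-in
// for that specific purpose (granular consent, not one blanket "accept all").
function mayDropCookie(purpose, record, nowS) {
  if (!PURPOSES.includes(purpose)) throw new Error(`undeclared purpose "${purpose}"`);
  if (purpose === "necessary") return true;
  return isRecordCurrent(record, nowS) && record.choices[purpose] === true;
}

// Produce the Set-Cookie header value for a cookie, or null if it may not be set.
// The lifetime is capped at 13 months regardless of what the caller requests.
function buildSetCookie(name, value, purpose, record, maxAgeS, nowS) {
  if (!mayDropCookie(purpose, record, nowS)) return null;
  const maxAge = Math.min(maxAgeS, MAX_COOKIE_LIFETIME_S);
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}
```

The gate is deliberately server-side and storage-agnostic: the same functions can sit in front of `document.cookie` in the browser or in a middleware that emits `Set-Cookie` headers.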

Spain

The Spanish DPA, the Spanish Agency for Data Protection or AEPD, looks to GDPR in putting together its guidance, as well as local laws: Law 34/2002 on Information Society Services and Electronic Commerce, Law 3/2018 on Data Protection and Guarantee of Digital Rights, and the AEPD’s opinions. 

The AEPD’s guidance was updated in July 2020, and organizations were expected to comply by October 31 of this year.

Lawful basis for processing and consent

In Spain, the lawful basis for processing is clear, affirmative consent. However, some privacy professionals have considered Spain’s definition of affirmative consent to be ambiguous.  

Unlike other member states, Spain now considers continued browsing on a website to be a valid form of consent, assuming that adequate notice has been given. Other actions that may constitute valid consent include:

  • Using a scroll bar, insofar as the information on cookies is visible without using it.
  • Clicking on any link contained in the site other than those in the second layer of information on cookies or the privacy policy link.
  • On devices such as mobile phones or tablets, by swiping the initial screen and accessing the content.

Note: these actions are considered valid consent as a form of affirmative action. The AEPD is not saying that implied consent suffices.

Analytic cookies and consent

Analytic cookies require consent. (See, sometimes it’s straightforward!)

Cookie walls

The AEPD’s most recent guidance has determined that cookie walls aren’t compliant if they don’t offer an equivalent alternative for access without users having to give their consent.

Consent retention and lifespan of cookies

The lifespan of cookies should match their intended purposes. And given that the AEPD suggests user consent should only last 24 months, cookies should match the lifespan of consent.

UK

In the UK, the DPA is the Information Commissioner’s Office (ICO). While other DPAs in the EU are bound by GDPR, the upcoming Brexit puts the UK in a different position. Questions have, naturally, cropped up.

The UK has committed to following GDPR’s guidelines, but under the guise of a UK GDPR, more officially known as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

As such, GDPR won’t actually apply in the UK after December 31, 2020—yes, it’s that soon—but the above regulation nonetheless preserves GDPR’s guidance. ICO also looks to the Privacy and Electronic Communications Regulations (PECR). 

Lawful basis for processing and consent

The user’s consent is the lawful basis for processing under ICO’s guidance. 

If consent is required under PECR for non-essential cookies, organizations can’t fall back to an alternative legal basis under PECR or GDPR (or its replacement). In cases where personal data is involved, then the ball is in GDPR’s court and legitimate interests can be used as a legal basis. 

Analytic cookies and consent

Analytic cookies don’t belong to the “strictly necessary” category of cookies. As such, you need to get consent before deploying them. 

Another point to remember for ICO guidance: first-party and third-party cookies are considered distinct. You need consent for both, but as per ICO, valid consent is viewed as harder to get for third-party cookies because of the lack of a direct relationship between the third party and the user. Take extra care to highlight use of third-party cookies. 

Cookie walls

In other states, cookie walls aren’t generally aligned with valid consent. However, ICO allows for the possibility if it applies to specific content and it doesn’t impede access to the website as a whole. 

Consent retention and lifespan of cookies

ICO doesn’t extend any specific guidance for how consent can be retained nor what the appropriate lifespan of a cookie should be. For both questions, there’s not a one-size-fits-all answer. 

Generally speaking, for lifespan, it’s ideal to limit duration to what is necessary for the purposes of the cookie. Likewise, for consent, you should consider what the function of consent is in the context of use. Does a user visit frequently? Are functionalities changing? Is content updated? Those types of questions should guide you when you seek consent.

Germany

In Germany, GDPR and ePrivacy are applicable, but their DPA, delightfully known as the Datenschutzbehörde (DSB), also provides robust guidance for organizations. That being said, unlike other EU member states, Germany hasn’t entirely implemented Article 5(3) of the ePrivacy Directive.

Instead, there is a debate around whether some provisions within the preexisting German Telemedia Act sufficiently cover the requirements of Article 5(3) of the ePrivacy Directive. Notably, the German Data Protection Conference takes the position that Article 5(3) of the ePrivacy Directive hasn’t been implemented in German law. As a result, according to them, there is no German cookie law and instead, guidance is reliant on GDPR.

Lawful basis for processing and consent

The legal basis for processing in Germany rests on consent, contractual relationship, or legitimate interest, depending on the purpose of cookies and/or tracking tools. 

Analytic cookies and consent

Consent is required for analytic cookies when they result in transferring personal data to a third party. Even then, obtaining consent might not be strictly necessary as long as users can opt-out of transferring their data to the third party.

Cookie walls

As a rule, consent for cookies must be voluntary according to Germany’s guidance. Anyone wanting to access a site or application needs to be able to refuse cookies without negative consequences. In other words, access should be allowed even if cookies are refused.

Consent retention and lifespan of cookies

Germany doesn’t have specific local guidance on retention of consent and the lifespan of cookies. As a result, policies default to GDPR and ePrivacy. 

Cookies Around the World

Cookies in the EU, of course, aren’t limited to France, Spain, the UK, and Germany—each member state either has or has the ability to develop guidance on how cookies should be handled. And, don’t forget, these are just European cookies. Brazil, China, India, and Australia are just some of the other countries with privacy regulations in place that address cookies. 

Cookies are complex, but they’re a critical part of your privacy practices. If you haven’t had your fill of cookies yet, we’d love to help you customize your cookie practices to your EU audiences. Drop us a line to schedule a consultation today.