Getting valid cookie consent as part of ensuring compliance in the collection of data
Per Fries
Head of Legal
Marketing and advertising technologies can be a powerful tool enabling you to leverage the true value of your data. We’ve previously explored the use of different types of user identifiers, including cookie identifiers. This blog post will consider some of the legal aspects of cookies and relevant case law developments in the EU, including how to collect appropriate consent for their use.
IMPORTANT
Please note that the following is only our best interpretation of applicable cookie and privacy laws as well as recent case law developments, but that it in no way constitutes any legal advice. Every cookie consent flow is dependent on the particularities of a website or app and cookies used, so there is no one universal solution that fits absolutely all websites and apps. We recommend you consult your own legal counsel on this to ensure your websites’ and apps’ use of cookies and data collection are up to date and in compliance with applicable laws and regulations.
FIRST: A checklist
ASKING FOR CONSENT
Do you ask for consent to use cookies and similar technologies (e.g. web beacons or tags)?
Are these consent requests separated?
- Do you give the option to consent to each type of cookie based on their purposes (i.e. the user is given the option to choose which cookies to consent to. For example, a user is able to choose to accept e.g. functional cookies and decline social media cookies)?
Do you inform users about:
- The purpose of the cookies (should be included already in the cookie banner)
- The duration of cookies
- How the user can revoke consent
- The third parties that may have access to the cookie information (e.g. Google or Facebook)
Is this information clear and comprehensive? It should be written in a language appropriate for the target audience.
Are the means of consent explicit? This requires affirmative action, NOT through the use of pre-ticked boxes.
Do you provide functionalities to revoke or change consent settings?
Does your consent system stop cookies from being set until consent is obtained?
USING PERSONAL DATA
Do you inform the users about the processing of personal data collected by the cookies in accordance with the information requirements in the GDPR?
Is this information prominent and easily accessible (e.g. in your cookie and/or privacy notice)?
RECORDS
Do you maintain records of consent given by end-users?
THIRD PARTIES’ USE OF PERSONAL DATA
Do you provide information on how third-parties use personal data, for instance by linking to their privacy policy?
Is this information prominent and easily accessible?
Cookies and similar technologies (e.g. web beacons or tags) are regulated by two main legal instruments:
- The General Data Protection Regulation (‘GDPR’) which applies to all personal data processed
- The ePrivacy Directive applies specifically to the electronic communications sector and governs the use of cookies.
In practice, the placing of cookies or similar technologies is regulated by the ePrivacy Directive, but the personal data collected by them may serve to identify individuals and therefore falls under the GDPR. Also, the consent to cookies must fulfil the requirements for valid consent under the GDPR. This means that direct marketing practices must be entirely compliant with both.
Importantly, the European Data Protection Board has confirmed that the Directive will take precedence over general provisions of the GDPR in cases where it particularises the rules set out in the GDPR. For example, the Directive specifically requires prior consent for the collection of data via the setting of cookies, so the other, more general, legal grounds for processing in the GDPR cannot be relied on.
If consent is required, what is consent?
Before setting any cookies on a website and collecting any data from a user’s device, consent must be obtained. Pursuant to the GDPR, this consent must be freely given, specific, informed and unambiguous in order to be valid.
- Freely given. This excludes any cases where the end-user is forced into giving consent (such as “cookie walls”).
- Specific. This requires consent to be given for each type of cookie based on its specific purpose, so social media cookies need to be consented to separately from e.g. functional cookies.
- Informed. The end-user must be made aware of what they are consenting to, and certain specific information must be given.
- Unambiguous. This requires clear affirmative action, so pre-ticked boxes are not considered valid.
What cookies require consent?
The ePrivacy Directive doesn’t require consent for so-called “strictly necessary cookies”, those that are generally set solely to ensure the functioning of the website. These may for example include cookies aimed at authentication, cookies that store the contents of a shopping basket, or cookies that allow paying websites to limit free access to their content to a certain quantity and/or for a certain limited time period. Otherwise, any other types of cookies that are not strictly necessary require consent.
What is “freely given” consent?
Setting cookies requires consent to be freely given, and in no way can the user be forced into agreeing to cookies. The French Data Protection Authority’s (the CNIL) recent draft recommendations specify that cookie choices should be recorded so as not to unnecessarily solicit the user repeatedly for their consent if they have previously refused. They consider that asking for consent each time a user visits a website if they have refused the use of cookies could put pressure on the user to accept all cookies, hence consent would not be freely given. The CNIL advises recording refusal to the setting of cookies for at least as long as consent to it is recorded. The duration of consent should depend on the context, the scope of the consent given, and the expectations of the user, but generally, the CNIL considers that 6 months validity is appropriate. After that, consent should be renewed in order to still be considered freely given.
Other considerations such as cookie walls which block a visitor’s access to a website unless they consent have not as yet been interpreted by case law. However, we believe that in most cases this would not be considered freely given consent, and therefore not allowed, since a cookie wall more or less forces the user to accept cookies in order to use the website.
By the same token, consent is not considered freely given and valid if the user cannot modify their choices at any time, and withdraw their consent to the setting of cookies. It must be as easy to withdraw consent as it is to give consent, so such settings should be easily accessible and available at all times throughout the user’s browsing. A lot of websites only address this by referring users to their browser settings. However, the Spanish Data Protection Authority recently fined a company that did this, so it may no longer be considered sufficient to be compliant. Instead, a consent mechanism allowing users to modify their settings directly on the webpage may be preferred and thus strongly recommended.
How specific should it be?
Consent should be obtained separately for each type of cookie which follows a specific purpose. This requires distinguishing, for example, between cookies for social media, performance/analytics, and tracking. The user must be given the option to consent to each category/purpose individually by ticking separate boxes. At the moment, certain supervisory authorities have confirmed that this is sufficient, and that consent per each individual cookie is not strictly required.
What information should be given?
Users need to know what they are consenting to, so certain information must be provided before they consent. This means that a certain amount of information should be included for instance in a cookie prompt, which links to an accessible privacy/cookie policy which develops this further. Information should include what the cookies are, their purpose, the identity of the controller, how to revoke consent, and other information required by Articles 13 and 14 of the GDPR with regards to any personal data collected by the cookies. In addition to this, according to the recent Planet49 case, this should also include the duration of the cookies, all cookie providers (first and third parties), and at least the categories of third parties who may have access to the personal data collected by the cookies.
What does affirmative action mean?
Consent must be unambiguous, so there must be no doubt that the user has agreed to certain cookies being set. The EU Court of Justice has confirmed in the Planet49 case that this means that opt-in consent is necessary, as opt-out is not sufficient. Hence all consent boxes should by default be unticked and all toggles should by default be set to “NO”, so that the user actively consents to the setting of cookies. The CNIL is of the opinion that “Accept all cookies” buttons are valid so long as the user has the possibility of customising the settings and a “Refuse all cookies” button is also available. Other formulations such as “by continuing to browse this website you consent to the use of cookies” are still uncertain, but we consider that this is most likely not valid, as continuing to browse is not an affirmative action and consent would not be unambiguous.
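The sections above describe properties a consent mechanism must have rather than how to build one: nothing non-essential is set before consent, categories are opt-in and granular, a refusal is remembered as long as an acceptance so the user is not re-prompted, consent expires and is renewed, and withdrawal is as easy as giving consent. The following is an added example, written for this article and not code from the original post or from any consent-management product, of a small consent state machine that a banner and a tag loader can sit on top of. The category names, the six-month validity period (the CNIL figure quoted above, used here as an assumption), the `POLICY_VERSION` re-consent scheme and the `store` interface are all illustrative choices; in a browser, `store` would wrap a first-party cookie or `localStorage`, and the loaders would inject the analytics or social-media script tags.

```javascript
// Added example (not the blog post's own code): granular, opt-in cookie-consent state.
// Assumptions: category names, 6-month validity, POLICY_VERSION scheme and store interface.

const CATEGORIES = ["functional", "analytics", "social", "advertising"];
const SIX_MONTHS_MS = 6 * 30 * 24 * 60 * 60 * 1000; // assumed validity ceiling (CNIL: ~6 months)
const POLICY_VERSION = 1; // bump when purposes or third parties change: forces re-consent

// Build a consent record. Every category starts as false: the user must have
// affirmatively ticked it. A refusal is stored with the same expiry as an
// acceptance so that a user who said "no" is not asked again on every visit.
function createRecord(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { granted, policyVersion: POLICY_VERSION, givenAt: now, expiresAt: now + SIX_MONTHS_MS };
}

const acceptAllRecord = (now) => createRecord(Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
const refuseAllRecord = (now) => createRecord({}, now);

// A record is usable only if it exists, was given against the current policy
// version and has not expired.
function isValid(record, now = Date.now()) {
  return Boolean(record) && record.policyVersion === POLICY_VERSION && now < record.expiresAt;
}

// Show the banner only when there is no valid record, whether that record was an
// acceptance or a refusal.
const shouldPrompt = (record, now = Date.now()) => !isValid(record, now);

// Gate a cookie or tag by category. Strictly necessary cookies are exempt from
// consent under the ePrivacy Directive; anything else needs a valid record that
// grants exactly this category.
function mayLoad(record, category, now = Date.now()) {
  if (category === "strictly_necessary") return true;
  return isValid(record, now) && record.granted[category] === true;
}

// Withdrawal produces a fresh record with the category switched off. Starting from
// an expired record would silently renew the other categories, so only a valid
// record's choices are carried over.
function withdrawRecord(record, category, now = Date.now()) {
  const base = isValid(record, now) ? record.granted : {};
  return createRecord({ ...base, [category]: false }, now);
}

// Ties the record to a storage backend and a tag queue. `store` is any object with
// get(): record|null and set(record). Tags registered before consent are held and
// only run once (and only for categories that end up granted).
class ConsentManager {
  constructor(store, now = () => Date.now()) {
    this.store = store;
    this.now = now;
    this.pending = [];
    this.record = store.get();
  }
  save(record) {
    this.record = record;
    this.store.set(record); // this is the "record of consent" the checklist asks for
    this.flush();
    return record;
  }
  submitChoices(choices) { return this.save(createRecord(choices, this.now())); }
  acceptAll() { return this.save(acceptAllRecord(this.now())); }
  refuseAll() { return this.save(refuseAllRecord(this.now())); }
  withdraw(category) { return this.save(withdrawRecord(this.record, category, this.now())); }
  shouldPrompt() { return shouldPrompt(this.record, this.now()); }
  // Register a tag loader: runs immediately if allowed, otherwise waits for consent.
  registerTag(category, loader) {
    if (mayLoad(this.record, category, this.now())) loader();
    else this.pending.push({ category, loader });
  }
  flush() {
    const still = [];
    for (const t of this.pending) {
      if (mayLoad(this.record, t.category, this.now())) t.loader();
      else still.push(t);
    }
    this.pending = still;
  }
}

// In-memory store standing in for a first-party cookie; constructed for the demo.
class MemoryStore {
  constructor() { this.value = null; }
  get() { return this.value; }
  set(v) { this.value = v; }
}
```

The important behaviours to check when wiring this to a real site are that no third-party script is requested before `registerTag` has run its loader (scripts referenced directly in the HTML bypass the gate), that `refuseAll` suppresses the banner on the next visit exactly as `acceptAll` does, and that a change in purposes or third parties bumps `POLICY_VERSION` so that stale consent is not reused.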
Is the end of cookies near?
Supervisory authorities appear to be clamping down on cookies and inappropriate consent mechanisms, both following complaints and on their own initiative, meaning that it is all the more important to implement proper, compliant consent flows. In addition to this, increased privacy concerns may mean that the future holds something very different for cookies. An example of this is Intelligent Tracking Prevention (ITP), implemented by Apple in Safari, which initially aimed to block third-party cookies from collecting cross-site browsing data for ad targeting purposes. Its most recent update, ITP 2.2, expires certain first-party client-side cookies after 24 hours, making it increasingly privacy enhancing. Other browsers such as Firefox and Chrome are also taking action in this area. This presents challenges for the future of data collection for digital marketing purposes.
Summary
To summarise, the following points are worth paying attention to:
- Be proactive: ensuring compliance with applicable legislation is crucial, so staying up to date with any developments is essential.
- Be informed: companies should be diligent and should for example know what data are being processed or which cookies are being placed on their websites or apps. You should also be aware of any applicable policies on platforms used in digital marketing. Compliance with these is important in order to keep using such tools in accordance with their terms and conditions.
- Use a consent mechanism that ensures a compliant consent flow for cookies. Remember that:
- Consent must be opt-in: pre-checked boxes are not valid
- Consent should be granular, meaning that end users should at least consent to each type of cookies based on their purpose
- All purposes of the cookies should be listed already in the cookie-consent banner with further detailed information in a cookie policy
- Consents must be recorded
- It should be as easy to withdraw consent as it is to give it. End users should be able to modify their consent settings easily, and at all times, directly on your website or app
- Be transparent as part of your compliance: make sure your policies, notices and cookie prompts are appropriate and up to date. They should:
- be clearly written and accessible to the target audience
- reference the correct applicable legislation and supervisory authority
- be specific and adapted to your activities
- provide all necessary information to end users (for example how to withdraw consent, duration of the cookies, and other required details)
- be easily available on the website
Further information and resources that may be of interest:
- ICO guidance on cookies
- CNIL guidance (in French)
- CNIL draft recommendations (in English), available to download here
- Cookiechoices.org
- Planet49 case