Cookies and similar tracking technologies are data collection tools used to gather information about internet users for various purposes, including remarketing and audience measurement. Concerns have grown among internet users as a result of the increased reliance on tracking cookies set by websites on the devices of its visitors or users. Regulators are employing all possible legal measures to address this rising threat. The General Data Protection Regulation (GDPR) and the EU ePrivacy Directive already provide guidance on the requirements of using cookies. Furthermore, EU national data protection authorities and the European Data Protection Board (EDPB) have issued guidelines to clarify how cookie laws are interpreted and are likely to be applied.
Cookie guidelines issued by the EDPB
In May 2020, the European Data Protection Board issued its guidelines on consent, which included rules concerning cookies. These guidelines were critical in establishing the fundamental rules for using cookies and other similar technologies.
What is EDPB?
The European Data Protection Board is an independent body that works to ensure that data protection standards are applied consistently throughout the European Union (EU). It encourages collaboration among the EU’s data protection authorities (DPA). The EDPB was established by the GDPR and is headquartered in Brussels.
The EDPB replaced the Article 29 Working Party (WP29), an independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018, when the GDPR went into effect.
The EDPB is composed of representatives from the EU Member States' national DPAs and the European Data Protection Supervisor (EDPS), who verifies that EU institutions and bodies respect people's right to privacy when processing their personal data. Norway, Lichtenstein, and Iceland's supervisory authorities are also members of the EDPB, although they do not have the right to vote or be elected as chair or deputy chairmen.
- Providing general guidance (including guidelines, recommendations, and best practices) in order to clarify the GDPR and to contribute to the consistent application of the GDPR;
- Rendering formal opinions based on Article 64 of the GDPR;
- Adopting binding decisions based on Article 65 of the GDPR in case of disagreement between the national DPAs;
- Promoting cooperation among the national DPAs.
What are EDPB Cookie Guidelines?
On 4 May 2020, the EDPB adopted the Guidelines 05/2020 on consent under Regulation 2016/679 (“Consent Guidelines”). These guidelines are commonly known as the "Cookie Guidelines," although it should be noted that the Guidelines are not solely about cookies; rather, they shed light on some of the most important issues surrounding cookies. The EDPB Cookie Guidelines ensure a harmonized approach on the conditionality of consent and the unambiguous indication of wishes.
The two most important clarifications provided by the EDPB Cookie Guidelines are:
- The validity of an individual's agreement to the usage of cookies when access to a website is conditional on that individual giving such consent (also known as the “cookie wall”); and
- The validity of an individual's consent to the use of cookies when such consent is granted by scrolling through a website.
EDPB Position on Cookie Walls
The Guidelines state that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).” This provision clearly states that cookie walls are prohibited.
Cookie walls do not give individuals a genuine choice because access to a website's content or functionality is contingent on the individual's acceptance of all cookies, and individuals are denied the freedom to reject the placement of cookies on their devices.
EDPB Clarification on Scrolling/Swiping the Website
Until the Guidelines were released in May 2020, many websites depended on scrolling or swiping through the website to signify consent to the websites’ tracking policies. The EDPB reiterated that this approach is illegal, stating “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”
The rationale behind this clarification is that scrolling or swiping is not an unambiguous indication of an individual's consent because it could alternatively be an indication of rejection. Because it is not technically possible to distinguish whether users want to accept or reject the placement of cookies by scrolling or swiping the website, it does not meet the GDPR's requirement of unambiguous consent.
Are the EDPB guidelines legally binding?
No, the EDPB Guidelines are not legally binding in and of themselves. However, it should be noted that the Guidelines reflect the authorities' agreed-upon shared position and understanding. As a result, adhering to the EDPB Guidelines is critical to ensuring compliance with the GDPR and national data protection laws.
Who must comply with EDPB guidelines?
Since the EDPB Cookie Guidelines are not legally binding, companies are under no direct need to follow them. However, the Guidelines clarify how national DPAs would interpret and apply the provisions of the GDPR. Because of this, the Guidelines are a vital legal instrument. As a result, companies subject to the GDPR are recommended to follow the EDPB Cookie Guidelines in order to avoid sanctions for GDPR violations.
The GDPR applies to the following companies:
- Those established in the EU; or,
- Those providing goods and services to EU citizens and residents; or,
- Those monitoring the behavior of EU citizens and residents
The EDPB Cookie Guidelines have important implications for companies having an EU presence and those engaging with EU citizens and residents.
Cookie guidelines of national DPAs
Some national data protection authorities of the EU member states have issued a set of guidelines in order to regulate the use of cookies by websites and mobile applications in their territories. These guidelines provide non-mandatory rules but are significant pieces of soft law instruments for compliance with the GDPR, and national data protection and cookie laws.
What is a Data Protection Authority (DPA)?
Data Protection Authorities are independent public authorities with investigation and corrective powers that oversee the implementation of data protection laws. They provide expert advice on data protection issues, investigate complaints about violations of the GDPR and relevant national data protection legislation, and levy penalties and other corrective measures against entities that violate the GDPR and national data protection laws. Each EU Member State has its own DPA. Examples include the Commission Nationale de l'Informatique et des Libertés (CNIL) of France the Agencia Española de Protección de Datos (AEPD) of Spain, and the Garante per la Protezione dei Dati Personali (Garante) of Italy.
Check the full list of the DPAs across the EU here.
What are national cookie guidelines?
National cookie guidelines are non-binding legal instruments that are issued by EU national DPAs. These cookie guidelines set out clarifications on various aspects of cookie usage by websites that are subject to specific DPA jurisdictions. Cookie consent requirements, consent rejection and withdrawal, and the legality of cookie walls are all typical topics addressed in consent rejection and withdrawal, and the legality of cookie walls are all typical topics addressed in national cookie guidelines. Learn more about GDPR compliance and read our blog to get a simplified breakdown of the latest EDPB Cookie Consent Guidelines.
Several national DPAs have issued cookie guidelines, and many more are expected to do so in the next months or years. While there may be some differences among the national cookie guidelines, the core principles defined by the EDPB Cookie Guidelines and the Planet 49 case remain the same. These basic principles are:
- Don’t place cookies before obtaining consent;
- Don’t use pre-ticked boxes (CJEU Cookie Ruling);
- Don’t use a cookie wall;
- Allow users to separately consent to each category of cookies;
- Display your Privacy Policy and/or Cookie Policy before obtaining consent.
Are national cookie guidelines legally binding?
National cookie guidelines are not legally binding on their own. However, it must be noted that these cookie guidelines provide strong references for organizations to anticipate how the national DPA may conduct its compliance investigations. Furthermore, the national DPAs have the authority to impose sanctions on organizations and would most likely utilize the cookie guidelines published as a point of reference.
Who are required to comply with national cookie guidelines?
National cookie guidelines issued by the national DPAs in the EU are non-binding instruments. They are, nonetheless, vital legal instruments for organizations since they show how national DPAs would use these cookie guidelines to describe non-compliance with the GDPR and national data protection laws. Thus, compliance with national cookie guidelines is recommended for those who fall under the territorial scope of the relevant DPA. For example, the CNIL Cookie Guidelines are relevant for organizations with an establishment in France. Additionally, because the GDPR applies “extraterritorially,” meaning to organizations established outside, we can conclude that if an organization that is not with an establishment in France offers goods or services or monitors the behavior of French people, then that organization becomes subject to CNIL’s authority.
To summarize what has been stated above, the national cookie guidelines should be complied with by organizations:
- With an establishment in a particular EU country; or
- Offering goods or services to the people of a specific EU country; or
- Monitoring the behavior of the people of a specific EU country.
Also, if you are an organization with no base in the EU then you must appoint a representative in the EU. A representative will act on your behalf in relation to GDPR compliance matters.
What are the penalties for violating national cookie guidelines
There are no monetary penalties or other repercussions for non-compliance under the national cookie guidelines. Non-compliance with cookie guidelines will result in non-compliance with national data protection laws as well as the GDPR. As a result, monetary fines and other sanctions under the GDPR will be imposed.
For less serious violations, GDPR imposes a fine of up to EUR 10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever is greater. For more serious violations, the monetary fines can be EUR 20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is greater.
Non-compliance with cookie rules has resulted in massive fines for big corporations. As a result, companies are recommended not to take national cookie guidelines for granted and to commit efforts to understand and comply with them where applicable. Some national DPAs, such as the French DPA, are particularly active in enforcing cookie rules.
For example, in December 2020, the CNIL imposed large GDPR fines on two major technology businesses for breaking cookie rules. These companies "placed advertising cookies on users' computers ... without obtaining prior consent and without providing adequate information." Google received two monetary fines totaling EUR 100 million as a result of the infraction, while Amazon received a monetary fine totaling EUR 35 million. The fines imposed by CNIL do not stop with the penalty listed above. The French DPA recently slapped two large fines on two major multinational technology companies.
According to the CNIL cookie rules, rejecting consent to use cookies should be as simple as giving it. That is, if just one click is needed to place cookies on users' devices, you must enable refusal of consent in the same way - with just one click. The French DPA recently levied substantial fines on Google and Facebook for failing to comply with the aforementioned criteria. Google received a penalty of EUR 150 million, while Facebook received a penalty of EUR 60 million. The CNIL's argument was that these businesses (websites) "offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other), enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them."
As a result, it is strongly advised that organizations follow the national cookie guidelines in order to avoid any hefty fines.
National Cookie Guidelines explained
National cookie guidelines generally overlap in their requirements. However, there are some distinctions between them. To ensure compliance, check which criteria applies to your company and make sure you understand and commit resources to meet their requirements.
1. German DSK Cookie Guidelines
The association of German state data protection authorities - DSK cookie guidelines provide clarity on the use of cookies by German websites and mobile applications.
1.1 What is DSK?
In Germany, private sector companies are subject to the jurisdiction of state data protection authorities (DPAs) such as Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit or HmbBfDI), Berlin DPA (Berliner Beauftragte für Datenschutz und Informationsfreiheit or BlnBDI), and others. The DSK is an association of independent state data protection authorities in Germany. The DSK deals with and comments on the data protection issues in the country. It acts as a coordinating body and makes no decisions that are binding on the organizations.
1.2 What are the DSK cookie guidelines?
The German DSK issued its cookie guidelines in April 2019. After the German Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) went into effect on 1 January 2021, the DSK issued its Guidance for Providers of Telemedia Services, which was primarily concerned with the “cookie provision” of the new German law. The guidelines focus on the TTDSG's consent requirements and exceptions for cookie consent.
Read more about DSK cookie guidelines.
1.3 What are the requirements of the German DSK cookie guidelines?
You must do the following to comply with the German DSK cookie consent guidelines:
- Set tracking cookies only if you have explicit prior consent from your website visitors.
- Avoid requiring users to accept tracking cookies to access your website's content.
- Allow users to opt-out of tracking cookies.
- You do not need to obtain valid GDPR cookie consent for essential cookies
- Take precautions with the embedded content
- Disclose all the cookies you use on your website and communicate the purpose of each to your users in your cookie and privacy policies.
- Do not use pre-ticked consent boxes
Find out more on the requirements of the German DSK cookie guidelines
2. ICO Cookie Guidelines
In July 2019, the United Kingdom's Information Commissioner's Office (ICO) announced cookie guidelines pertaining to cookies and other related technology.
2.1 What is the ICO?
ICO stands for the Information Commissioner’s Office of the United Kingdom. This is the UK’s public authority in charge of enforcing the country's data protection laws. It issues guidance to assist firms in complying with privacy laws (UK Data Privacy Act 2018, UK GDPR).
2.2 What are the ICO Cookie Guidelines
On 3 July 2019, the ICO cookie guidelines were issued to address cookies and similar technologies in detail. The guidelines are critical for online services such as websites and mobile apps. The ICO cookie guidelines help businesses understand how the GDPR and the UK Privacy and Electronic Communications Regulation (PECR) are interpreted and applied.
Click here to learn more about ICO Cookie Guidelines.
2.3 What are the requirements of the ICO Cookie Guidelines?
ICO Cookie Guidelines require you to inform your users about the use of cookies. A good practice is to show them a cookie banner where they can choose their privacy preferences and read your privacy policy and cookie declaration.
Users must affirmatively accept cookies by clicking on the "ACCEPT" button or something similar. The user should check the boxes for each collection/processing purpose. Pre-ticked boxes are not allowed.
Generally, cookie walls are often not authorized in getting user consent. It is feasible, however, to use cookie walls as a requirement of access to specific website content.
Continued use of the website or browsing does not indicate acceptance of cookies and other tracking technologies.
Click to learn more about the requirements of the ICO Cookie Guidelines.
3. CNIL Cookie Guidelines
The French DPA - CNIL has issued guidelines and recommendations concerning cookies. These guidelines and recommendations provide rules and best practices for websites and mobile applications to comply with data protection and cookie laws in France.
3.1 What is CNIL?
CNIL stands for Commission Nationale de l’informatique et des Libertés, the French national data protection authority. The French Data Protection Act of 6 January 1978, established CNIL France as an independent administrative authority responsible for ensuring the protection of personal data in computer files and processing operations, both public and private. They have the authority to enforce France's data protection laws.
3.2 What are CNIL Cookie Guidelines?
On 1 October 2020, CNIL published its revised cookie guidelines, that was initially published On 18 July 2019, and partially annulled by the Highest Administrative Court of France. CNIL also published its final recommendations on the practical modalities for obtaining users’ consent (“Recommendations”) and a set of questions and answers about the recommendations (“FAQs”).
More about CNIL Cookie Guidelines.
3.3 What are the requirements of CNIL Cookie Guidelines?
Users must be able to refuse consent to the use of cookies as easily as they can accept them. Users' inaction or silence (such as scrolling through and browsing) must be interpreted as a refusal to use cookies. Furthermore, users must have the right to withdraw consent at any time, and withdrawal must be as simple as giving consent.
The CNIL does not completely prohibit cookie walls. Cookie walls are permitted and legal in certain circumstances. Their legality must be determined on a case-by-case basis. When using cookie walls, you must guarantee that you present the user with clear information about the repercussions of accepting or declining consent, as well as information about the impossibility of accessing the content or service without consent.
Click to read more on the requirements of CNIL Cookie Guidelines.
In 2022, 81% of French companies are still not compliant with GDPR.
3.4 What are CNIL Recommendations?
In addition to the CNIL cookie guidelines, the French DPA provided recommendations for following the cookie guidelines. Some of the most salient points from the CNIL recommendations are:
- Before presenting users with the option to accept or reject cookies, the cookie consent banner must provide information about the purpose of cookies or the cookie category.
- The purpose of the cookie or the cookie category must be presented with a brief and highlighted title, followed by a brief description of the purpose.
- The cookie banner must include a link that points to a cookie policy (or privacy policy) page containing detailed information about cookies.
- The "Accept All” and “Reject All” buttons must be at the same level and prominence.
- Avoid pre-ticked boxes or pre-activated toggle switches.
- Allow for granular consent.
- Renew all cookie choices after 6 months.
More about CNIL Cookie Recommendations.
4. Spain AEPD Cookie Guidelines
The Spanish DPA - AEPD issued its cookie guidelines that set out rules for compliance with cookie laws in Spain.
4.1 What is the AEPD?
AEPD is short for Agencia Española de Protección de Datos which translates to “Spanish Agency for Data Protection.” They ensure that Spaniards adhere to European and national data privacy regulations. In Spain, the AEPD is the official supervisory authority for personal data protection issues.
4.2 What are the AEPD Cookie Guidelines?
In November 2019, the Spanish DPA published its guidance on the use of cookies and other similar tracking technologies (“Cookie Guidelines”). The DPA published an updated version of the Cookie Guidelines on 28 July 2020. The updated guidelines were published to reflect the changes made to the Consent Guidelines issued by the EDPB.
4.3 What are the requirements of the AEPD Guidelines?
The Spanish DPA cookie guidelines require you to adhere to the guidelines by doing the following:
- Users must be informed about cookies in a concise, understandable, clear, and unambiguous manner.
- During consent collection, the information about cookies cannot be more than two clicks away from the first page. The main information is to be provided in two layers, the main layer, and a detailed, optional layer, in a clearly visible notice.
- Consent must be an indication of affirmative action. Consent can be obtained by clicking on the "I consent" or "I accept" buttons or equivalent terms.
- Cookie choice, whether acceptance or refusal made by users must not be kept forever. It must be renewed every 24 months at least.
- Cookie walls and pre-ticked boxes must be avoided.
Click to read more about AEPD Cookie Guidelines.
4.4. What does an AEPD compliant cookie banner look like?
According to the Spanish DPA cookie guidelines, information about cookies can be provided in two layers.
The first layer must be identified by a generally used term, such as “cookies,” and must contain the following information:
- The identity of the website's owner.
- Identification of the purposes of the cookies used on the website.
- Information on whether such cookies are solely the website manager's cookies or whether third-party cookies are also used.
- General information on the types of data that will be collected and used if user profiling is used (for example, when behavioral advertising cookies are used).
- The manner in which users can accept, set up, and reject cookie use, including a warning that if they proceed with certain actions, it will be assumed that users accept cookie use.
- A clearly visible link to a second informative layer
The second layer must contain more detailed information about cookies (i.e., cookie policy).
Click here for more information about AEPD compliant cookie banners.
5. Netherlands AP Cookie Guidelines
The Dutch DPA published its cookie guidelines following its survey of a number of Dutch websites for GDPR compliant cookie consent requirements.
5.1 What is the Autoriteit Persoonsgegevens?
Autoriteit Persoonsgegevens(AP) is the Dutch Data Protection Authority. This independent administrative body has been appointed by law in the Netherlands as the supervisory authority for the processing of personal data. The AP is located in The Hague.
5.2 What are the Dutch DPA Cookie Guidelines?
In December 2019, the Dutch Data Protection Authority released cookie consent guidelines to help website owners in the Netherlands deploy cookies in a GDPR-compliant way. This came in the aftermath of the Dutch DPA survey of a total of 175 websites in the Netherlands which concluded that 50% of those audited were found to be non-compliant with GDPR cookie consent requirements.
5.3 What are the requirements of the Dutch DPA Cookie Guidelines?
According to the Autoriteit Persoonsgegevens, you must:
- Ensure your website remains accessible if a user does not provide cookie consent, or avoid cookie walls
- Obtain prior consent before deploying non-essential cookies
- Give users control over their consent choices
- Pre-ticked boxes are not allowed
Click here for more information on the Dutch DPA Cookie Guidelines.
6. Italian Garante Cookie Guidelines
The Italian DPA issued updated cookie guidelines in June 2021 which sets out updated rules on cookies and similar technologies.
6.1 What is Italian Garante?
The Italian Data Protection Authority (Garante per la protezione dei dati personali, or simply Garante) is an independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data and to ensure respect for individuals' dignity.
6.2 What are the Garante Cookie Guidelines?
On 8 May 2014, the Italian DPA issued a resolution about streamlined procedures for information notices and gaining consent for the use of cookies. Since then, there have been several amendments to the applicable legal framework in Italy, including the entry into effect of the GDPR.
On 10 June 2021, the Garante published its updated guidelines (Cookie Guidelines) concerning cookies and other tracking tools. The Cookie Guidelines aim to ensure that website owners comply with both the GDPR and the ePrivacy Directive.
6.3 What are the requirements of the Garante Cookie Guidelines?
The Italian DPA Cookie Guidelines set out that:
1. You must obtain consent before setting non-technical cookies (cookies that are not strictly necessary for the website to function).
2. Users visiting your site for the first time must be shown a cookie banner that is clearly distinguishable from other components of the website.
3. Scrolling cannot be relied on as a means of valid consent.
4. Cookie walls are not legal.
5. Analytics cookies can be used without consent only when it is not possible to single out a data subject.
6. You must wait at least six months before displaying your cookie banner again.
Click to read more on Italian DPA Cookie Guidelines.
7. Denmark Datatilsynet Cookie Guidelines
In Denmark several organizations, including the national Data Protection Authority (Datatilsynet) have issued cookie guidelines. These guidelines provide necessary information for websites and mobile applications to comply with the GDPR and national data protection and cookie laws.
7.1 What is Datatilsynet?
The Datatilsynet is the independent authority that supervises compliance with the rules on the protection of personal data. Datatilsynet provides guidance and advice as well as deals with complaints and makes inspections.
7.2 What are cookie laws in Denmark?
In Denmark, there are two primary laws to consider when it comes to cookies. They are as follows:
- The Danish Cookie Law (Cookiebekendtgørelsen); and,
- The General Data Protection Regulation of the EU - GDPR (and the Data Protection Act of Denmark).
The Danish Cookie Law is administered by the Danish Business Authority (Erhvervsstyrelsen), whereas the GDPR and its national implementation are administered by Datatilsynet.
7.3 What are Danish DPA Cookie Guidelines?
There are three pieces of guidelines relating to cookies that were published by the Danish authorities.
1. On 20 February 2020, the Danish DPA published cookie consent guidelines to help website operators comply with GDPR personal data processing obligations.
2. On 10 December 2019, the Danish Business Authority issued guidance on the usage of cookies.
3. On 12 February 2021, Datatilsynet, the Danish Business Authority, and the Danish Council for Digital Security announced joint guidance on the recommendations for cookie usage.
Click here to find out more about the Danish Cookie Guidelines.
7.4 What are the requirements of the Danish DPA Cookie Guidelines?
According to Danish DPA cookie consent guidelines, your personal data processing activities are GDPR compliant if and only if the following conditions are met:
- You do not process data without prior consent.
- You provide users with information about the different types of cookies you have on your website, their purposes, and reasons why you need to process their personal information.
- You receive consent based on affirmative action when a user visits your website to show that they have definitely agreed to the processing of their personal data.
- In accordance with the granularity requirement, you make it simple for the visitor to provide consent for specific purposes and not others.
- You make it easy for users to withdraw their consent, just as you make it easy for them to give it. This includes the text as well as the visual elements of your cookie banner.
- You keep logs of what users have given consent to and how you obtained their consent.
Click to read more on the requirements of the Danish Cookie Guidelines.
8. Belgium DPA Cookie Guidelines
The Belgian DPA cookie guidelines provide clarity on the use of cookies and other similar technologies.
8.1 What is the Belgium DPA?
The Data Protection Authority (in French: L'Autorité de protection des données or APD; in Dutch: Gegevensbeschermingsautoriteit or GBA) is an independent supervisory body responsible for ensuring compliance with the fundamental principles of personal data protection. The Authority was created in December 2017 as the national Data Protection Authority.
8.2 What are the Belgium DPA Cookie Guidelines?
In December 2019, the Belgian DPA enforced a regulatory fine of EUR 15,000 on a website that provides legal news in the country. The primary reason for this penalty was the company's unauthorized use of cookies. However, several parties questioned the Belgian DPA's decision because there was no clear framework in place to help firms comply with GDPR cookie rules once the EU's precedent-setting data privacy law went into effect.
In response to this, on 9 April 2020, the DPA prepared and published new Consolidated Cookie Guidance on the Belgian DPA website.
8.3 What are the requirements of the Belgium DPA Cookie Guidelines?
The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in accordance with GDPR requirements:
- You must obtain consent for all non-essential cookies.
- For cookie consent to be considered valid, it must be informed.
- You must allow users to provide granular consent.
- Obtaining unambiguous consent is mandatory.
- Cookie walls are invalid under the GDPR.
- Users must be allowed to withdraw consent easily.
- You must offer proof that you obtain valid GDPR cookie consent from your website users.
Read more about the Belgian DPA Cookie Guidelines.
9. Greek DPA Cookie Guidelines
The Greek DPA cookie guidelines were published following the audit carried out by the DPA for the use of cookies by the most popular Greek websites.
9.1 What is the Greek DPA?
The Hellenic Data Protection Authority (HDPA) is a Greek independent public authority with its headquarters in Athens. The HDPA is responsible for supervising the implementation of the GDPR, the national data protection act, and other regulations concerning the protection of the individual from the processing of personal data, as well as the exercise of the duties assigned to it each time.
9.2 What are the Greek DPA Cookie Guidelines?
On 25 February 2020, the Greek DPA Cookie Consent Guidelines were published to help businesses in meeting GDPR compliance requirements. The Guidelines were adopted following the completion of an audit carried out by the HDPA for the use of cookies by popular Greek websites, in which the HDPA discovered that the majority of the audited websites were not GDPR compliant.
Click to read more on the Greek DPA Cookie Guidelines.
9.3 What cookies require prior consent under the Greek DPA Cookie Guidelines?
According to the Greek DPA cookie consent guidelines:
- Before you place cookies or similar tracking technology, you must first receive prior consent from the user, regardless of whether you process their personal data or not.
- Only cookies and trackers deemed necessary for either the normal operation of your website or the delivery of a service requested by the user are excluded from the need for prior consent.
Click to read more on prior consent requirements under the Greek DPA Cookie Guidelines.
9.4 What are the Greek DPA’s Requirements for a Compliant Cookie Notice?
The cookie consent guidelines of the Hellenic DPA require you to offer users with information about cookies and why they must provide prior consent via applicable mechanisms such as cookie banners or pop-up windows.
Click to read more on the Greek DPA compliant cookie notices.
9.5 How do I Obtain Valid Cookie Consent under the Greek DPA Cookie Consent Guidelines?
As a data controller, to comply with the Greek DPA cookie consent guidelines, you must ensure that:
- The prior consent you receive is given through affirmative action from the user. Using pre-checked consent boxes or relying on a user's scrolling action is not considered obtaining valid consent.
- Your users must easily withdraw their consent as easily as they gave it.
- You allow users to accept or reject the use of non-essential trackers through the same number of actions (e.g., two clicks)
- Your cookie banner design does not impact the user's cookie consent choice, for example, by emphasizing the 'ACCEPT' button above the 'REJECT' button. The Hellenic DPA suggests that your cookie banner be designed with the same text size and color emphasis for all buttons and be easy to understand.
Click for more information on valid cookie consent under the Greek DPA Cookie Guidelines.
10. Irish DPA Cookie Guidelines
The Irish Data Protection Commission issued a cookie guidance note following the examination of the cookie policies and practices of a number of Irish websites.
10.1 What is the Irish DPC?
The Data Protection Commission (DPC) is the independent national authority in Ireland responsible for upholding individuals' fundamental right to data protection in the EU. The DPC is the Irish supervisory authority for the GDPR and also has functions and powers related to other important regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
10.2 What are the Irish DPC Cookie Guidelines?
In April 2020, the Irish Data Protection Commission released a report known as the ‘cookie sweep survey,’ which examined the cookie policies and practices of 38 unnamed firms operating in Ireland.
The Irish DPC used a three-color coding system to assess the data controllers’ compliance levels: Red, Green, and Amber. While green denoted full compliance, amber denoted minor compliance issues and red denoted non-compliance. Only two of the 38 entities examined received the full green rating from the Irish DPC.
Read more about the ‘cookie sweep survey.’
In April 2020, the Irish DPC issued a guidance note concerning cookies and similar technologies. Organizations were given a 6-month grace period (until October 2020) to bring their cookie usage in line with the guidance.
10.3 What are the key takeaways from the Irish DPC cookie guidance?
According to the DPC, businesses must obtain user consent in line with GDPR requirements. This means the consent must be: freely given, specific, informed, and unambiguous. However, the guidelines provide two crucial exceptions: the communications exemption, and the strictly necessary exemption.
If you allow third parties to add plugins, widgets, pixel trackers, or “like” buttons, you need to know of the kind of data shared with these third parties.
The Irish DPC requires you to obtain prior and valid GDPR cookie consent from users before placing this category of cookies on their devices. While first-party analytics cookies are unlikely to raise privacy issues when strictly limited to statistical purposes on your website, third-party analytics cookies are subject to GDPR compliance enforcement actions.
Suppose you maintain records of your consumers’ consent to installing cookies on their devices. In that case, the Irish DPC guidance note specifies that the period after which their consent should be re-obtained must not exceed six months from when it was first given. Similarly, if a user declines to consent to cookies, you may request their consent again after six months.
Read more on the Irish DPA Cookie Guidance.
11. Luxembourg DPA Cookie Guidelines
The Luxembourg DPA issued its cookies and similar technologies guidelines in October 2021 to help websites and mobile applications comply with the GDPR and national data protection and cookie laws.
11.1 What is CNPD?
The Luxembourg National Data Protection Commission (Commission Nationale pour la Protection des Données, or CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg. It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.
11.2 What are the Luxembourg DPA Cookie Guidelines?
The Luxembourg DPA - CNPD published its guidelines on cookies and similar technologies (Cookies) on 26 October 2021. The guidelines aim to help website and mobile app operators comply with the applicable legal framework in Luxembourg.
The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users.
11.3 What are the requirements of the Luxembourg DPA Cookie Guidelines?
To comply with Luxembourg DPA cookie guidelines, you must ensure to meet the following requirements:
1. There is no need to obtain consent for essential cookies.
2. Provide information about the use of essential cookies.
3. You must obtain consent to use non-essential cookies.
4. You cannot use dark patterns to obtain consent.
5. Withdrawing consent must be as easy as giving it.
6. You must request consent 12 months after obtaining the first consent.
7. Have a two-layered cookie banner.
Read more on the Luxembourg DPA Cookie Guidelines.
12. Finnish DPA Cookie Guidelines
The Finnish Transport and Communications Agency - Traficom published its updated cookie guidelines in May 2021 based on the Finnish DPA - Data Protection Ombudsman ruling.
12.1 What is Finland DPA?
The Office of the Data Protection Ombudsman is a national supervisory authority in Finland that supervises compliance with data protection legislation. The Data Protection Ombudsman imposes administrative fines under the General Data Protection Regulation and issues statements on significant questions related to the application of the legislation governing the processing of personal data.
More on Finland DPA.
12.2 What is Traficom?
Traficom (the Finnish Transport and Communications Agency) is the authority responsible for monitoring and ensuring the confidentiality of electronic communications. It is also the competent authority on cookie regulation and supervision of the use of cookies.
12.3 What are the Traficom Cookie Guidelines?
In April 2020, Traficom published a ruling that declared it possible to give consent to cookies through browser settings. However, a month later, in May 2020, the Finnish DPA, the Data Protection Ombudsman, issued a decision that contradicted the ruling made by Traficom.
In May 2021, Traficom changed its cookie guidelines to reflect the decision of the Ombudsman.
Read more on Finnish DPA Cookie Guidelines.
12.4 The Requirements of Traficom Guidelines
The cookie guidelines of Traficom set out requirements for website and mobile application operators. The guidelines also cover similar tracking technologies, including session and local storage, tracking pixels, web beacons, tags, and fingerprinting technologies.
1. Non-essential cookies require prior consent.
2. Legitimate interest cannot be a ground for cookie usage.
3. Consent must be freely given, specific, informed, and unambiguous.
4. Rejecting cookies must be as easy for the user as it is to give consent.
5. Withdrawing cookies must be as easy as giving consent.
6. Pre-ticked boxes are not lawful.
7. Consent cannot be bundled into the Terms of the website.
8. Provide information about the cookies.
9. Cookie walls are not allowed.
10. Referring to browser settings for rejecting cookies is not lawful.
11. Consent must be demonstrable.
Click to read more on the requirements of Traficom Cookie Guidelines.
13. Latvian DVI Cookie Guidelines
The Latvian DPA released its cookie guidelines in March 2022 setting out information on the requirements of cookie usage and a model cookie policy.
13.1 What is Latvian DVI?
The Data State Inspectorate (DVI) is the national data protection authority in Latvia. The authority is in charge of enforcing GDPR in Latvia.
13.2 What are Latvian DVI Cookie Guidelines
In March 2022, right after the results of the cookie audit were released, the Latvian Dast State Inspectorate published its cookie guidelines (“Cookie Guidelines”). The Cookie Guidelines set out information about cookies and their categories, requirements for the lawful use of cookies by website owners, and a model cookie policy for websites to publish.
13.3 What are the requirements of the Latvian DPA Cookie Guidelines?
To comply with the Latvian DVI Cookie Guidelines, you should satisfy the following requirements:
1. Provide clear and comprehensible information to the users
2. Use multi-layered approach
3. Keep the cookie notice until the user makes a decision
4. Consent must conform with GDPR standards
5. Have both “Accept” and “Reject” options
6. Closing the banner cannot be considered consent
7. Do not rely on browser settings for consent
8. Consent must be demonstrable
9. Consent must be withdrawn easily
10. Renew consent regularly
Read more about the Latvian DPA Cookie Guidelines.
Similarities and Differences between National DPA Cookie Guidelines
National DPA cookie guidelines include a lot of similarities as well as certain differences. In this section, we will discuss these similarities and differences.
What are the similarities between the national DPA cookie guidelines?
The cookie guidelines issued by most national DPAs are quite similar. This is because they mainly rely on the EDPB Consent Guidelines (also called the “Cookie Guidelines”) and the Planet 49 case. The key takeaways from the sources mentioned above are:
EDPB Consent Guidelines
1. Cookie walls are not lawful as they do not give individuals a genuine choice over the use of cookies.
2. Scrolling/browsing cannot be relied on as a means of indication of consent as it does not satisfy users' requirement of clear and affirmative action.
Planet 49 case
1. Pre-ticked checkboxes allowing the use of cookies do not constitute valid consent.
2. When consent is required to place cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed, and unambiguous).
3. Consent cannot be bundled as it does not meet the “specificity” requirement under the GDPR. Thus, websites must request consent for different cookie usage purposes (granular consent).
4. Information must be given to visitors, including, among other matters, the duration of the cookie lifespan, whether third parties will have access to these technologies, and the categories of third-party recipient cookies.
5. Regardless of whether the cookies constitute personal data, Article 5(3) of the e-Privacy Directive (the cookie consent rule) applies to any information placed or accessed from an individual's device.
The cookie guidelines issued by most national DPAs are formed around the aforementioned rules and principles. There, however, exist some minor differences among them.
What are the differences in national DPA Cookie guidelines?
Differences relating to national DPA cookie guidelines are mainly about issues that others do not regulate some national DPA cookie guidelines. It must be noted this does not imply that there are major differences in such cases. It is just that certain countries’ cookie guidelines are not as explicit as others and do not set out rules on specific issues relating to cookies. For example, not every national DPA provides rules concerning the UI design of cookie banners (i.e., rules relating to “Accept” and “Reject” buttons).
Other than that, some minor differences exist between cookie guidelines issued by national DPAs. These differences, which will be described below, do not contradict each other severely but vary slightly from each other based on certain nuances. For example, cookie walls are generally forbidden under almost all national DPA cookie guidelines. But some of them allow cookie walls to be used in certain limited circumstances (i.e., when cookie walls are used only to limit access to certain website sections if consent is not provided).
Below are the common differences found in most national DPA cookie guidelines.
1. Cookie consent retention period
Some cookie guidelines set out the lifespan for user cookie choices, whether acceptance or refusal. These lifespan rules may vary from country to country. For example, CNIL, as a best practice, considers that a 6-month period is appropriate for the validity of the choice made by a user. On the other hand, the Spanish DPA (AEPD) suggests that cookie choice should be renewed every 24 months, and Luxembourg DPA (CNPD) requires renewing consent every 12 months. The Italian DPA, Garante, shares the same view as the French CNIL and considers six months is appropriate for consent renewal.
Some national DPA cookie guidelines do not set a specific period for the validity of cookie consent choice but require that cookie choice lifespan be proportionate and limited to the purposes for which they are used (i.e., ICO).
However, some national DPA cookie guidelines are silent regarding cookie choice lifespan.
2. Cookie walls
Cookie walls are generally declared unlawful by the EDPB Consent Guidelines. Most national DPAs follow the standard set by the EDPB. That said, some slight differences relate to rules on cookie walls established under national DPA cookie guidelines.
For example, CNIL cookie guidelines do not ban cookie walls entirely. It allows the use of cookie walls if their lawfulness is assessed on a case-by-case basis. Other than that, ICO states that using cookie walls as a condition of access to specific website content is possible. Specific website content means you should not make “general website access” conditional on users accepting non-essential cookies. Still, you can only limit a specific range of the website if the user does not consent.
3. Analytics cookies
One of the main differences found in the national DPA cookie guidelines is whether analytics cookies require prior consent or not. As a general rule, analytics cookies are subject to the requirement of prior consent. However, some national cookie guidelines exempt analytics cookies within certain strict limitations. For example, CNIL provides that certain analytics solutions could be exempt from the consent requirement. The consent exemption for analytics cookies applies subject to the following conditions:
- These cookies must be limited to measuring the audience of the site only on behalf of the site owner;
- They must only be used to produce anonymous statistical data;
- They must not allow the tracking of persons across different sites;
- They must not be combined with other data and must not be shared with third parties.
In addition, the Italian DPA - Garante Cookie Guidelines set out that analytics cookies can be considered technical cookies (and thus, be exempt from consent requirements) under strict conditions. For analytics cookies to be treated as technical cookies, it is essential to prevent direct identification of the data subject or, in other words, keep your users anonymous.
4. Prominence of cookie options given to users
Some cookie guidelines require websites to follow some rules regarding to cookie banner designs. These requirements are mainly about options given to users to accept or reject cookies and the prominence of these options.
While most national cookie guidelines are quite strict in this matter, several national cookie guidelines are silent concerning the same matter.
As an example, CNIL sets out that the “Accept all” and the “Reject all” buttons must be equally prominent (at the same level, with the same appearance). It constitutes a clear and simple way to allow the users to express their choices.
ICO considers that a consent mechanism that emphasizes the “agree” button over the “reject” button represents a non-compliant approach, as the online service is influencing users towards the “accept” option.
Greek DPA provides that your cookie banner design must not influence the user’s cookie consent choice (i.e., by having a design that emphasizes the “Accept” button over the “Reject” one. The Hellenic DPA recommends that the design of your cookie banner should have the same font size and color emphasis for all buttons and be easy to read. Read about Data Protection Laws and the principle of Privacy by Design.
The Danish DPA suggests that you must provide equal opportunity to accept and reject the use of cookies and not mislead users with button sizes or colors. The Dutch DPA also suggests that the “Reject” and “Accept” options (either as buttons or links) should be of the same prominence.
On the contrary, some national DPA cookie guidelines do not provide any rules relating to cookie options. For example, the national cookie guidelines issued by the Belgian and Finnish DPA provide no explicit requirement.
Compliance with Cookie Guidelines with Secure Privacy
This section shows how you can comply with the cookie guidelines issued by EU national DPA cookie guidelines with Secure Privacy.
What is Secure Privacy?
Secure Privacy is a company offering cookie consent management software (e.g. for GDPR). Secure Privacy provides a complete solution for your website and cookie consent needs. It offers a simple, easy-to-use interface that allows you to manage and automate your cookie compliance.
What are the features of Secure Privacy software?
Secure Privacy software have the following features:
1. Customizable cookie consent banner
Cookie consent banners can be easily added to your website. It is easy to use and can be added to your website in minutes.
2. Cookie and privacy policy generator
To comply with the GDPR, CCPA, and other data privacy laws, you can quickly create a privacy/cookie policy. The platform's privacy/cookie policy can be changed without the requirement for a developer.
3. Automated website cookie scanning
Secure Privacy website cookie scanner software will scan all cookies and other tracking elements on your website, assisting you in meeting GDPR, CCPA, and LGPD standards.
4. Consent preference center
The consent preference center enables website visitors to opt-in or opt-out of cookies at any time. Visitors can remove their consent just as easy as they grant cookie consent.
5. Automated cookie consent recording
Secure Privacy automatically logs all cookie acceptance and declines for its customers.
6. Multi-language support
Secure Privacy supports more than 70+ languages.
How to Obtain Valid GDPR Cookie Consent with Secure Privacy?
With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you to ensure that:
- You implement a multi-tiered method to obtain and communicate cookie consent to users. You can use the Secure Privacy cookie banner to notify users about the importance of cookies and why their consent is essential for their placement. Second, our banner helps you in explaining to users the many types of analytics technologies that you employ in your cookie notice.
- You do not bundle consents. Instead, Secure Privacy's GDPR cookie banner guarantees that consent is secured for all purposes by allowing users to choose which cookies they consent to.
- You include an opt-in for any cookie on your website that is not pre-checked to demonstrate user consent.
- Within your cookie notice, you include information on how to withdraw consent for the use of cookies, as well as a method to ensure that your visitors re-affirm their consent every six months.
- You record consents in a way that can show the visitors' ability to withdraw.
- You include a link to the cookie notice to provide users with extra information, such as which third parties will have access to their personal data if they agree to the installation of a third-party analytics cookie.
Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR.
If you would like to receive additional information on the EDPB’s or national DPAs’ cookies guidelines or to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.
