The One Stop Guide to EU Cookie Guidelines
Cookies and similar tracking technologies (cookies) are tools used to collect data about internet users for various purposes, including remarketing and audience measurement. Websites' growing reliance on tracking cookies placed on the devices of their visitors has raised concerns among internet users. To address this concern, regulators are making use of all available legal tools. The General Data Protection Regulation (GDPR) and the EU ePrivacy Directive already set out the requirements for using cookies. In addition, EU national data protection authorities and the European Data Protection Board (EDPB) have issued guidelines clarifying how cookie laws are interpreted and are likely to be applied.
Cookie guidelines issued by the EDPB
The European Data Protection Board issued its guidelines on consent in May 2020. Among other things, the guidelines set out rules concerning cookies, and they played a crucial role in establishing some of the fundamental rules in the field of cookies and similar technologies.
What is EDPB?
The European Data Protection Board (EDPB) is an independent body contributing to the consistent application of data protection rules throughout the European Union (EU). It promotes cooperation between the EU’s data protection authorities (DPA). The EDPB was established by the General Data Protection Regulation (GDPR) and is based in Brussels.
The EDPB replaced the Article 29 Working Party (WP29), an independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018, the date on which the GDPR became applicable.
The EDPB is composed of representatives of the national DPAs of the EU Member States and the European Data Protection Supervisor (EDPS), the body that ensures EU institutions and bodies respect people's right to privacy when processing their personal data. The supervisory authorities of Norway, Liechtenstein, and Iceland are also members of the EDPB, but without the right to vote or to be elected as chair or deputy chair.
The EDPB is entrusted with the following tasks and duties:
- Providing general guidance (including guidelines, recommendations, and best practices) in order to clarify the GDPR and to contribute to the consistent application of the GDPR;
- Rendering formal opinions based on Article 64 of the GDPR;
- Adopting binding decisions based on Article 65 of the GDPR in case of disagreement between the national DPAs;
- Promoting cooperation among the national DPAs.
What are EDPB Cookie Guidelines?
On 4 May 2020, the EDPB adopted the Guidelines 05/2020 on consent under Regulation 2016/679 (“Consent Guidelines”). These guidelines are also referred to as the “Cookie Guidelines.” It must be emphasized, however, that the Guidelines are not mainly about cookies, although they do address some of the main topics relating to cookies. The EDPB Cookie Guidelines ensure a harmonized approach to the conditionality of consent and the unambiguous indication of wishes.
The two most relevant clarifications that came out of the EDPB Cookie Guidelines concern:
EDPB Stance on Cookie Walls
The Guidelines state that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).” It is clear from this provision that cookie walls are prohibited.
Cookie walls do not give individuals a genuine choice since access to the content or functionality of a website is made conditional on the individuals' acceptance of all cookies, and they are denied the right to reject the placement of cookies on their devices.
EDPB Clarification on Scrolling/Swiping the Website
Until the Guidelines came out in May 2020, many websites were relying on scrolling or swiping through the website as an indication of consent to websites’ tracking policies. The EDPB made it clear that this practice is illegal, stating “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”
The rationale behind this clarification is that scrolling or swiping is not an unambiguous indication of consent by an individual since it could also be an indication of rejection. Since it is not technically possible to differentiate whether the users wished to accept or reject the placement of cookies by scrolling or swiping the website, it does not fulfill the requirement of unambiguous consent under the GDPR.
Are EDPB guidelines binding?
No, the EDPB Guidelines are not binding in themselves. However, it should be noted that the Guidelines reflect the common position and understanding that the authorities agree to apply consistently. That is why compliance with the EDPB Guidelines is crucial to ensure compliance with the GDPR and national data protection laws.
Who must comply with EDPB guidelines?
Since the EDPB Cookie Guidelines are not binding, there is no direct obligation on organizations to comply with them. However, the Guidelines provide clarity on how national DPAs will interpret and apply the provisions of the GDPR, which makes them an important legal instrument. Therefore, organizations subject to the GDPR are encouraged to comply with the EDPB Cookie Guidelines in order to avoid being sanctioned for GDPR violations.
Organizations that are subject to the GDPR are those:
- Established in the EU; or
- Offering goods and services to people in the EU; or
- Monitoring the behavior of people in the EU.
It is apparent that the EDPB Cookie Guidelines have significant implications for companies with an establishment in the EU and those dealing with people from the EU.
Cookie guidelines of national DPAs
What is a Data Protection Authority (DPA)?
Data Protection Authorities (DPAs) are independent public authorities that supervise the application of data protection laws through investigative and corrective powers. They provide expert advice on data protection issues, handle complaints lodged about violations of the GDPR and the relevant national data protection laws, and impose fines and other corrective measures on organizations acting in breach of the GDPR and national data protection laws. Each EU Member State has its own DPA. Examples include the Commission Nationale de l'Informatique et des Libertés (CNIL) of France, the Agencia Española de Protección de Datos (AEPD) of Spain, and the Garante per la Protezione dei Dati Personali (Garante) of Italy.
What are national cookie guidelines?
National cookie guidelines are non-binding legal instruments issued by EU national DPAs. They set out clarifications on various aspects of cookie usage by websites that fall under the jurisdiction of the particular DPA. Cookie consent requirements, rejection and withdrawal of consent, and the validity of cookie walls are some of the common issues dealt with in the national cookie guidelines.
Several national DPAs have issued cookie guidelines, and many more are expected to issue guidelines in the coming months or years. While there may be some differences among the national cookie guidelines, the core principles remain the same; they are formed by the EDPB Cookie Guidelines and the Planet 49 case. These basic principles are:
- Don’t place cookies before obtaining consent;
- Don’t use pre-ticked boxes;
- Don’t use a “cookie wall”;
- Allow users to separately consent to each category of cookies.
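The four principles above, together with the recurring requirements in the national guidelines later on this page (consent given by an explicit action, granular categories, withdrawal as easy as giving consent, records of what was consented to, and re-prompting after a renewal period), translate fairly directly into code. What follows is an added example written for this page; it is not code from the article, from the EDPB or from any DPA. It is a small consent manager in which every non-essential category starts switched off, nothing non-essential is written until an explicit choice is recorded, each consent event is logged with a timestamp and the method used, withdrawal removes the non-essential cookies already set, and the banner is due again once the stored choice is older than the renewal period. The category names, the 180-day default, and the injectable `jar` and `now` are assumptions made so the code runs under Node without a browser; in a real page `jar` would wrap `document.cookie`.

```javascript
// Added example, not the article's or any DPA's code. Constructed category
// names and renewal period; `jar` stands in for document.cookie so this runs
// under Node, and `now` is injectable so expiry can be tested deterministically.

const ESSENTIAL = "essential";                         // exempt from consent
const CATEGORIES = ["functional", "analytics", "marketing"]; // non-essential

class ConsentManager {
  constructor({ jar = new Map(), now = () => Date.now(), renewAfterDays = 180 } = {}) {
    this.jar = jar;                               // name -> { value, category }
    this.now = now;
    this.renewAfterMs = renewAfterDays * 24 * 60 * 60 * 1000;
    this.record = null;                           // latest { choices, givenAt, method }
    this.log = [];                                // audit trail of consent events
  }

  // No pre-ticked boxes: every non-essential category defaults to "off".
  defaultChoices() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  }

  // Call this only from an explicit banner action (button click). Never wire it
  // to scroll or swipe handlers, which the EDPB says are not valid consent.
  // Only a literal `true` switches a category on; anything else stays off.
  giveConsent(choices, method = "banner-click") {
    const normalized = this.defaultChoices();
    for (const c of CATEGORIES) {
      if (choices && choices[c] === true) normalized[c] = true;
    }
    this.record = { choices: normalized, givenAt: this.now(), method };
    this.log.push({ event: "consent", ...this.record });
    return normalized;
  }

  // Withdrawal is a single action: reset all choices and delete every
  // non-essential cookie that was set under the withdrawn consent.
  withdraw() {
    this.record = { choices: this.defaultChoices(), givenAt: this.now(), method: "withdraw" };
    this.log.push({ event: "withdraw", ...this.record });
    for (const [name, meta] of this.jar) {
      if (meta.category !== ESSENTIAL) this.jar.delete(name);
    }
  }

  // The banner must be shown when there is no stored choice, or when the
  // stored choice is older than the renewal period (6, 12 or 24 months
  // depending on the authority; 180 days here).
  needsBanner() {
    return this.record === null || this.now() - this.record.givenAt > this.renewAfterMs;
  }

  // Deny by default: an unknown or unconsented category never gets a cookie.
  hasConsent(category) {
    if (category === ESSENTIAL) return true;
    if (this.needsBanner()) return false;
    return this.record.choices[category] === true;
  }

  // The single choke point through which all cookies are written. Blocked
  // attempts are logged so a site owner can see what would have been set.
  setCookie(name, value, category) {
    if (!this.hasConsent(category)) {
      this.log.push({ event: "blocked", name, category, at: this.now() });
      return false;
    }
    this.jar.set(name, { value, category });
    return true;
  }
}

module.exports = { ConsentManager, CATEGORIES, ESSENTIAL };
```

Routing every cookie write through `setCookie` is the design choice that matters: tag scripts and analytics snippets then cannot set a cookie before consent simply because there is no other path to the jar, and the `blocked` log entries double as evidence of what the site refrained from doing. The `consent` and `withdraw` entries give the records the Danish and Belgian guidance asks for (what was consented to, when, and how).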
Are national cookie guidelines binding?
By themselves, the national cookie guidelines are not binding. However, it must be noted that these cookie guidelines provide strong references for organizations to anticipate how the national DPA may conduct its compliance investigations. Furthermore, the national DPAs have powers to impose sanctions on organizations, and it is likely that they would use the cookie guidelines issued by them as a point of reference.
Who must comply with national cookie guidelines?
National cookie guidelines issued by the national DPAs in the EU are non-binding instruments. However, because they show how the national DPAs will characterize non-compliance with the GDPR and national data protection laws, they are important legal instruments for businesses. Compliance with national cookie guidelines is therefore recommended for those who fall within the territorial scope of the relevant DPA. For example, the CNIL Cookie Guidelines are relevant for organizations with an establishment in France. Additionally, since the GDPR applies “extraterritorially,” that is, also to organizations established outside the EU, an organization without an establishment in France that offers goods or services to, or monitors the behavior of, people in France becomes subject to CNIL’s authority.
To summarize what is pointed out above, the national cookie guidelines should be complied with by organizations:
- With an establishment in a particular EU country; or
- Offering goods or services to the people of a specific EU country; or
- Monitoring the behavior of the people of a specific EU country.
What are the penalties for violating national cookie guidelines?
The national cookie guidelines do not set out monetary penalties or any other sanctions for non-compliance in themselves. Non-compliance with cookie guidelines will lead to non-compliance with national data protection laws and the GDPR. Therefore, monetary fines and other sanctions set out under the GDPR will be applicable.
For less severe infringements, the GDPR sets out a fine of up to EUR 10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. For more severe infringements, the fine can be up to EUR 20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Non-compliance with cookie rules has ended up in huge fines on big corporations. Therefore, companies are encouraged not to take for granted the national cookie guidelines and allocate resources to understand them and comply with them insofar as they are applicable to them. Some national DPAs are particularly active in enforcing cookie rules, such as the CNIL - the French DPA.
For example, in December 2020, the CNIL imposed large fines on two big tech companies for their violation of cookie rules. These companies "placed advertising cookies on users' computers... without obtaining prior consent and without providing adequate information". As a result, Google received two fines totalling EUR 100 million, and Amazon received a fine of EUR 35 million. CNIL’s sanctions did not end there: the French DPA has since imposed two further large fines on two big multinational tech companies.
Consequently, it is highly recommended that organizations comply with the national cookie guidelines in order to avoid any hefty fines that they may be subject to.
National Cookie Guidelines explained
The requirements of national cookie guidelines mainly overlap. However, there are some differences among them. In order to ensure you are compliant, you should check what guidelines are applicable to you and ensure you understand and allocate resources to comply with their requirements.
1. German DSK Cookie Guidelines
1.1 What is DSK?
Private sector companies in Germany are subject to the jurisdiction of the state data protection authorities (DPAs), such as the Hamburg DPA (HmbBfDI) and the Berlin DPA (BlnBDI). The DSK (short for “Datenschutzkonferenz” in German) is an association of the German state data protection authorities. It deals with and comments on data protection issues in Germany, serves as a coordinating body, and issues no decisions that are binding on organizations.
1.2 What are the DSK cookie guidelines?
The German DSK issued its cookie guidelines in April 2019. After the German Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) entered into force on 1 January 2021, the DSK issued its Guidance for Providers of Telemedia Services, which was primarily concerned with the “cookie provision” of the new German law. The guidelines focus on the TTDSG's consent requirements and exceptions for cookie consent.
1.3 What are the requirements of the German DSK cookie guidelines?
You must do the following to comply with the German DSK cookie consent guidelines:
- Set tracking cookies only if you have explicit prior consent from your website visitors.
- Do not require users to accept tracking cookies in order to access your website's content.
- Allow users to opt out of tracking cookies.
- Note that valid GDPR cookie consent is not needed for essential cookies.
- Take precautions with embedded content.
- Disclose all the cookies you use on your website and communicate the purpose of each to your users in your cookie and privacy policies.
- Do not use pre-checked consent boxes.
2. ICO Cookie Guidelines
The Information Commissioner’s Office of the United Kingdom (ICO) published its cookie guidelines in July 2019, which concern cookies and other similar technologies.
2.1 What is the ICO?
ICO stands for the Information Commissioner’s Office of the United Kingdom. This is the UK’s public authority in charge of enforcing the country's data protection laws. Among other things, it publishes guidelines that help businesses easily comply with privacy laws (UK Data Privacy Act 2018, UK GDPR).
2.2 What are the ICO Cookie Guidelines
On July 3, 2019, the ICO cookie guidelines were issued to address cookies and similar technologies in detail. The guidelines are critical for online services such as websites and mobile apps. The ICO cookie guidelines help businesses understand how the GDPR and the UK Privacy and Electronic Communications Regulation (PECR) are interpreted and applied.
2.3 What are the requirements of the ICO Cookie Guidelines?
Users must accept cookies through affirmative action (i.e., clicking on the "ACCEPT" button or something similar). The user should tick the checkboxes for each purpose of collection/processing. Pre-ticked boxes are not allowed.
In general, cookie walls are not permitted in obtaining users' consent. However, using cookie walls as a condition of access to specific website content is possible.
Remaining on or browsing the website does not imply acceptance of cookies and other tracking technologies.
3. CNIL Cookie Guidelines
The French DPA - CNIL has issued guidelines and recommendations concerning cookies. These guidelines and recommendations provide rules and best practices for websites and mobile applications to comply with data protection and cookie laws in France.
3.1 What is CNIL?
CNIL stands for Commission Nationale de l'Informatique et des Libertés, the French national data protection authority. The French Data Protection Act of January 6, 1978, established CNIL as an independent administrative authority responsible for ensuring the protection of personal data in computer files and processing operations, both public and private. It has the authority to enforce the data protection laws in France.
3.2 What are CNIL Cookie Guidelines?
On October 1, 2020, CNIL published its revised cookie guidelines; the original version had been published on July 18, 2019, and was partially annulled by the highest administrative court of France. CNIL also published its final recommendations on the practical modalities for obtaining users’ consent (“Recommendations”) and a set of questions and answers about the recommendations (“FAQs”).
3.3 What are the requirements of CNIL Cookie Guidelines?
The CNIL does not completely prohibit cookie walls. Cookie walls are permissible and legal in certain circumstances, and their legality must be determined on a case-by-case basis. When a cookie wall is used, you must give the user clear information about the consequences of accepting or refusing consent; in particular, the user must be told that the content or service cannot be accessed without consent.
3.4 What are CNIL Recommendations?
In addition to the CNIL cookie guidelines, the French DPA provided recommendations for following the cookie guidelines. Some of the most salient points from the CNIL recommendations are:
- Before presenting individuals with the option to accept or reject cookies, the cookie consent banner must provide information about the purpose of cookies or the cookie category.
- The purpose of the cookie or the cookie category must be presented with a brief and highlighted title, followed by a brief description of the purpose.
- The "Accept All” and “Reject All” buttons must be at the same level and prominence.
- Avoid pre-ticked boxes or pre-activated toggle switches.
- Allow for granular consent.
- Renew the cookie choice after 6 months.
4. Spain AEPD Cookie Guidelines
The Spanish DPA - AEPD issued its cookie guidelines that set out rules for compliance with cookie laws in Spain.
4.1 What is the AEPD?
AEPD is short for Agencia Española de Protección de Datos, which means “Spanish Agency for Data Protection.” Its role is to ensure compliance with European and national data protection laws in Spain. The AEPD is the official supervisory authority for personal data protection matters in Spain.
4.2 What are the AEPD Cookie Guidelines?
4.3 What are the requirements of the AEPD Guidelines?
The Spanish DPA cookie guidelines require the following:
- Users must be informed about cookies in a concise, understandable, clear, and unambiguous manner.
- During consent collection, the information about cookies cannot be more than two clicks away from the first page. The information is to be provided in two layers, a main layer and a detailed, optional layer, in a clearly visible notice.
- Consent must be an indication of affirmative action. Consent can be obtained by clicking on the "I consent" or "I accept" buttons or other terms of a similar nature.
- A user's cookie choice, whether acceptance or refusal, must not be kept forever. It must be renewed at least every 24 months.
- Cookie walls and pre-ticked boxes must be avoided.
4.4 What does an AEPD compliant cookie banner look like?
According to the Spanish DPA cookie guidelines, information about cookies can be provided in two layers.
The first layer must be identified by a generally used term, such as “cookies,” and must contain the following information:
- The identity of the website's owner.
- Identification of the purposes of the cookies used on the website.
- Information on whether such cookies are solely the website manager's cookies or whether third-party cookies are also used.
- General information on the types of data that will be collected and used if user profiling is used (for example, when behavioral advertising cookies are used).
- The manner in which users can accept, set up, and reject cookie use, including a warning that if they proceed with certain actions, it will be assumed that users accept cookie use.
- A clearly visible link to a second informative layer.
5. Netherlands AP Cookie Guidelines
The Dutch DPA published its cookie guidelines following its survey of a number of Dutch websites for GDPR compliant cookie consent requirements.
5.1 What is the Autoriteit Persoonsgegevens?
Autoriteit Persoonsgegevens (AP) is the Dutch Data Protection Authority. This independent administrative body has been appointed by law in the Netherlands as the supervisory authority for the processing of personal data. The AP is located in The Hague.
5.2 What are the Dutch DPA Cookie Guidelines?
In December 2019, the Dutch Data Protection Authority released cookie consent guidelines to help website owners in the Netherlands deploy cookies in a GDPR-compliant way. This came in the aftermath of the Dutch DPA survey of a total of 175 websites in the Netherlands which concluded that 50% of those audited were found to be non-compliant with GDPR cookie consent requirements.
5.3 What are the requirements of the Dutch DPA Cookie Guidelines?
According to the Autoriteit Persoonsgegevens (AP), you must:
- Ensure your website remains accessible if a user does not provide cookie consent (avoid “cookie walls”).
- Obtain prior consent before deploying non-essential cookies.
- Give users control over their consent choices.
- Not use pre-ticked boxes.
6. Italian Garante Cookie Guidelines
The Italian DPA issued updated cookie guidelines in June 2021, which set out updated rules on cookies and similar technologies.
6.1 What is Italian Garante?
The Italian Data Protection Authority (Garante per la protezione dei dati personali, or simply Garante) is an independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data and to ensure respect for individuals' dignity.
6.2 What are the Garante Cookie Guidelines?
On 10 June 2021, the Garante published its updated guidelines concerning cookies and other tracking tools (Cookie Guidelines). The Cookie Guidelines aim to ensure that website owners comply with both the GDPR and the ePrivacy Directive.
6.3 What are the requirements of the Garante Cookie Guidelines?
The Italian DPA Cookie Guidelines set out that:
1. You must obtain consent before setting non-technical cookies (cookies that are not strictly necessary for the website to function).
2. Users visiting your site for the first time must be shown a cookie banner that is clearly distinguishable from other components of the website.
3. Scrolling cannot be relied on as a means of valid consent.
4. Cookie walls are not legal.
5. Analytics cookies can be used without consent only when it is not possible to single out a data subject.
6. At least 6 months must elapse before you can show your cookie banner again.
7. Denmark Datatilsynet Cookie Guidelines
In Denmark, several organizations, including the national DPA, Datatilsynet, have issued cookie guidelines. These guidelines provide the information websites and mobile applications need to comply with the GDPR and national data protection and cookie laws.
7.1 What is Datatilsynet?
The Danish Data Protection Agency, Datatilsynet, is the independent authority that supervises compliance with the rules on the protection of personal data. Datatilsynet provides guidance and advice, handles complaints, and carries out inspections.
7.2 What are cookie laws in Denmark?
In Denmark, there are two primary laws to consider when it comes to cookies. They are as follows:
- The Danish Cookie Law (Cookiebekendtgørelsen); and,
- The General Data Protection Regulation of the EU - GDPR (and the Data Protection Act of Denmark).
The Danish Cookie Law is administered by the Danish Business Authority (Erhvervsstyrelsen), whereas the GDPR and its national implementation are administered by Datatilsynet.
7.3 What are Danish DPA Cookie Guidelines?
There are three sets of guidelines relating to cookies that were published by the Danish authorities.
1. The Danish DPA (Datatilsynet) cookie consent guidelines were released on February 20, 2020, to provide clarity for website owners and ease compliance with GDPR personal data processing requirements.
7.4 What are the requirements of the Danish DPA Cookie Guidelines?
According to Danish DPA cookie consent guidelines, your personal data processing activities are GDPR compliant if and only if the following conditions are met:
- You do not process data before prior consent is given.
- You provide users with information about the different types of cookies you have on your website, their purposes, and reasons why you need to process their personal information.
- You receive consent based on affirmative action when a user visits your website to show that they have definitely agreed to the processing of their personal data.
- In accordance with the granularity requirement, you make it simple for the visitor to provide consent for specific purposes and not others.
- You make it easy for users to withdraw their consent, just as you make it easy for them to give it. This includes the text as well as the visual elements of your cookie banner.
- You keep records of what users have given consent to and how you obtained their consent.
8. Belgium DPA Cookie Guidelines
8.1 What is the Belgium DPA?
The Data Protection Authority (in French L'Autorité de protection des données - APD, in Dutch Gegevensbeschermingsautoriteit - GBA) is an independent supervisory body responsible for ensuring compliance with the fundamental principles of personal data protection. The Authority was created in December 2017 as a national Data Protection Authority.
8.2 What are the Belgium DPA Cookie Guidelines?
On April 9, 2020, the Belgian DPA prepared and published new Consolidated Cookie Guidance on its website.
8.3 What are the requirements of the Belgium DPA Cookie Guidelines?
The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in accordance with GDPR requirements. They are as follows:
- You must seek consent for all non-essential cookies.
- For cookie consent to be considered valid, it must be informed.
- You must allow users to provide granular consent.
- Obtaining unambiguous consent is mandatory.
- Cookie walls are invalid under the GDPR.
- Users must be allowed to withdraw consent easily.
- You must offer proof that you obtain valid GDPR cookie consent from your website users.
9. Greek DPA Cookie Guidelines
9.1 What is the Greek DPA?
The Hellenic Data Protection Authority (HDPA) is an independent public authority in Greece with its seat in Athens. The HDPA is responsible for supervising the implementation of the General Data Protection Regulation (GDPR), the national data protection act, and other regulations concerning the protection of individuals with regard to the processing of personal data, and for exercising any other duties assigned to it.
9.2 What are the Greek DPA Cookie Guidelines?
9.3 What cookies require prior consent under the Greek DPA Cookie Guidelines?
According to the Greek DPA cookie consent guidelines:
- Before you place cookies or similar tracking technology, you must receive prior consent from the user first, regardless of whether you process their personal data or not.
- Only cookies and trackers deemed necessary for either the normal functioning of your website or for the delivery of service clearly requested by the user are exempt from the prior consent requirement.
9.4 What are the Greek DPA’s Requirements for a Compliant Cookie Notice?
The Hellenic DPA’s cookie consent guidelines require you to give users information about cookies and why it is important for them to provide prior consent through relevant mechanisms such as cookie banners or pop-up windows.
9.5 How do I Obtain Valid Cookie Consent under the Greek DPA Cookie Consent Guidelines?
As a data controller, to comply with the Greek DPA cookie consent guidelines, you must ensure that:
- The prior consent you receive is given through affirmative action from the user. Using pre-checked consent boxes or relying on a user's scrolling action is not considered a valid way to obtain valid consent.
- Your users have an easy way to withdraw their consent the same way it was easy to give it.
- You allow users to accept or reject the use of non-essential trackers through the same number of actions (e.g., clicks).
- Your cookie banner design does not have an influence on the user’s cookie consent choice, e.g., through having a design that emphasizes the ‘ACCEPT’ button over the ‘REJECT’ one. The Hellenic DPA recommends that the design of your cookie banner has the same font size and color emphasis for all buttons and is easy to read.
10. Irish DPA Cookie Guidelines
The Irish Data Protection Commission issued a cookie guidance note following the examination of the cookie policies and practices of a number of Irish websites.
10.1 What is the Irish DPC?
The Data Protection Commission (DPC) is the independent national authority in Ireland responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR) and also has functions and powers related to other important regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
10.2 What are the Irish DPC Cookie Guidelines?
In April 2020, the Irish Data Protection Commission (DPC) released a report known as the ‘cookie sweep survey’, which examined the cookie policies and practices of 38 unnamed firms operating in Ireland.
The Irish DPC used a three-color coding system to assess the level of compliance of data controllers: Red, Green, and Amber. Green denoted full compliance and Red denoted non-compliance. Only two of the 38 entities examined received the full 'Green' rating from the Irish DPC.
In April 2020, the Irish DPC issued a guidance note concerning cookies and similar technologies. Organizations were given a 6-month grace period (until October 2020) to bring their cookie usage in line with the guidance.
10.3 What are the key takeaways from the Irish DPC cookie guidance?
According to the DPC, businesses must obtain user consent in line with GDPR requirements. This means the consent must be: freely given, specific, informed, and unambiguous. However, the guidelines provide two crucial exceptions, which are: the communications exemption, and the strictly necessary exemption.
If you allow third parties to add plugins, widgets, pixel trackers, or "like" buttons, you need to be aware of the kind of data shared with these third parties.
The Irish DPC requires you to obtain prior and valid GDPR cookie consent from users before placing these cookies on their devices. While first-party analytics cookies are unlikely to raise privacy issues when strictly limited to statistical purposes on your website, third-party analytics cookies are subject to GDPR compliance enforcement actions.
11. Luxembourg DPA Cookie Guidelines
The Luxembourg DPA issued its guidelines on cookies and similar technologies in October 2021; they aim to help websites and mobile applications comply with the GDPR and national data protection and cookie laws.
11.1 What is CNPD?
The National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg. It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.
11.2 What are the Luxembourg DPA Cookie Guidelines?
The Luxembourg DPA - CNPD published its guidelines on cookies and similar technologies (Cookies) on October 26, 2021. The guidelines aim to help website operators and mobile app operators in complying with the applicable legal framework in Luxembourg.
The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users.
11.3 What are the requirements of the Luxembourg DPA Cookie Guidelines?
To comply with the Luxembourg DPA cookie guidelines, you must meet the following requirements:
1. There is no need to obtain consent for essential cookies.
2. Provide information about the use of essential cookies.
3. You must obtain consent to use non-essential cookies.
4. You cannot use dark patterns for obtaining consent.
5. Withdrawing consent must be as easy as giving it.
6. You must renew consent 12 months after the first consent was obtained.
7. Have a two-layered cookie banner.
Read more on the Luxembourg DPA Cookie Guidelines.
12. Finnish DPA Cookie Guidelines
The Finnish Transport and Communications Agency - Traficom published its updated cookie guidelines in May 2021 based on the ruling of the Finnish DPA - Data Protection Ombudsman.
12.1 What is the Finnish DPA?
The Office of the Data Protection Ombudsman is a national supervisory authority in Finland that supervises compliance with data protection legislation. The Data Protection Ombudsman imposes administrative fines under the General Data Protection Regulation and issues statements on significant questions related to the application of the legislation governing the processing of personal data.
More on Finland DPA.
12.3 What are the Traficom Cookie Guidelines?
In April 2020, Traficom published a ruling that declared it possible to give consent to cookies through browser settings. However, a month later, in May 2020, the Finnish DPA, the Data Protection Ombudsman, issued a decision that contradicted the ruling made by Traficom.
In May 2021, Traficom changed its cookie guidelines to reflect the decision of the Ombudsman.
Read more on Finnish DPA Cookie Guidelines.
12.4 The Requirements of Traficom Guidelines
The cookie guidelines of Traficom set out requirements for website operators and mobile application operators. The guidelines also cover similar tracking technologies, including session and local storage, tracking pixels, web beacons, tags, and fingerprinting technologies.
1. Non-essential cookies require prior consent.
2. Legitimate interest cannot be a ground for cookie usage.
3. Consent must be freely given, specific, informed, and unambiguous.
4. Rejecting cookies must be as easy for the user as it is to give consent.
5. Withdrawing consent must be as easy as giving it.
6. Pre-ticked boxes are not lawful.
7. Consent cannot be bundled into the Terms of the website.
8. Provide information about the cookies.
9. Cookie walls are not allowed.
10. Referring to browser settings for rejecting cookies is not lawful.
11. Consent must be demonstrable.
Click to read more on the requirements of Traficom Cookie Guidelines.
13. Latvian DVI Cookie Guidelines
13.1 What is Latvian DVI?
Data State Inspectorate (DVI) is the national data protection authority (DPA) in Latvia. The authority is in charge of enforcing GDPR in Latvia.
13.2 What are the Latvian DVI Cookie Guidelines?
13.3 What are the requirements of the Latvian DPA Cookie Guidelines?
In order to comply with the Latvian DVI Cookie Guidelines, you should satisfy the following requirements:
1. Provide clear and comprehensible information to the users
2. Use multi-layered approach
3. Keep the cookie notice until the user makes a decision
4. Consent must conform with GDPR standards
5. Have both “Accept” and “Reject” options
6. Closing the banner cannot be considered consent
7. Do not rely on browser settings for consent
8. Consent must be demonstrable
9. Consent must be withdrawn easily
10. Renew consent regularly
Read more about the Latvian DPA Cookie Guidelines.
Similarities and Differences between National DPA Cookie Guidelines
National DPA cookie guidelines include a lot of similarities as well as certain differences. In this section, we will talk about these similarities and differences in detail.
What are the similarities between the national DPA cookie guidelines?
The cookie guidelines issued by most national DPAs are quite similar to each other. This is because they mainly rely on the EDPB Consent Guidelines (also referred to as the “Cookie Guidelines”) and the Planet 49 case. The key takeaways from these sources are:
EDPB Consent Guidelines
2. Scrolling/browsing cannot be relied on as a means of indication of consent as it does not satisfy the requirement of clear and affirmative action by users.
Planet 49 case
2. When consent is required for the placement of cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed, and unambiguous).
3. Consent cannot be bundled as it does not meet the “specificity” requirement under the GDPR. Thus, websites must request consent for different cookie usage purposes (granular consent).
4. Information must be given to visitors, including, among other matters, the duration of the cookie lifespan and whether third parties will have access to these technologies, and the categories of third-party recipients of cookies.
5. Regardless of whether the cookies constitute personal data or not, Article 5(3) of the ePrivacy Directive (the cookie consent rule) applies to any information placed on or accessed from an individual's device.
The cookie guidelines issued by most national DPAs are formed around the rules and principles listed above. There are, however, some minor differences among them.
What are the differences in national DPA Cookie guidelines?
Differences between national DPA cookie guidelines mainly concern issues that are regulated by some guidelines but not by others. It must be noted that this does not imply major differences in such cases. It is simply that certain countries’ cookie guidelines are not as explicit as others and do not set out rules on certain specific issues relating to cookies. For example, not every national DPA provides rules concerning the UI design of cookie banners (e.g., rules relating to “Accept” and “Reject” buttons).
Beyond that, some minor differences exist between the cookie guidelines issued by national DPAs. These differences, described below, do not severely contradict each other but vary slightly based on certain nuances. For example, under almost all national DPA cookie guidelines, cookie walls are generally forbidden, but some of them allow cookie walls in certain limited circumstances (e.g., when a cookie wall is used only to limit access to certain website sections if consent is not provided).
Below are the common differences found in most national DPA cookie guidelines.
1. Cookie consent retention period
Some cookie guidelines set out a lifespan for cookie choices made by users, whether acceptance or refusal. These lifespan rules vary from country to country. For example, CNIL, as a best practice, considers a 6-month period appropriate for the validity of a choice made by a user. The Spanish DPA (AEPD), on the other hand, suggests that the cookie choice should be renewed every 24 months, and the Luxembourg DPA (CNPD) requires renewing consent every 12 months. The Italian DPA, Garante, shares the view of the French CNIL and considers 6 months appropriate for consent renewal.
Some national DPA cookie guidelines do not set a specific period for the validity of a cookie consent choice but require that the lifespan of the choice be proportionate and limited to the purposes for which the cookies are used (e.g., the ICO).
Other national DPA cookie guidelines are silent regarding the lifespan of cookie choices.
2. Cookie walls
Cookie walls are generally declared unlawful by the EDPB Consent Guidelines. Most national DPAs follow the standard set by the EDPB. That said, there are some slight differences relating to rules on cookie walls established under national DPA cookie guidelines.
For example, the CNIL cookie guidelines do not ban cookie walls entirely: a cookie wall may be used if its lawfulness is assessed on a case-by-case basis. The ICO, in turn, states that the use of a cookie wall as a condition of access to specific website content is possible. “Specific website content” means that you should not make general website access conditional on users accepting non-essential cookies, but you may limit certain content of the website if the user does not consent.
3. Analytics cookies
One of the main differences found in the national DPA cookie guidelines is whether analytics cookies require prior consent or not. As a general rule, analytics cookies are subject to the requirement of prior consent. However, some national cookie guidelines exempt analytics cookies within certain strict limitations. For example, CNIL provides that certain analytics solutions could be exempt from the consent requirement. The consent exemption for analytics cookies applies subject to the following conditions:
- These cookies must be limited to measuring the audience of the site only on behalf of the site owner;
- They must only be used to produce anonymous statistical data;
- They must not allow the tracking of persons across different sites;
- They must not be combined with other data and must not be shared with third parties.
In addition, the Italian DPA - Garante Cookie Guidelines set out that analytics cookies can be considered technical cookies (and thus, be exempt from consent requirement) under strict conditions. For analytics cookies to be treated as technical cookies, it is essential to prevent direct identification of the data subject or, in other words, keep your users anonymous.
4. Prominence of cookie options given to users
Some cookie guidelines require websites to follow certain rules relating to cookie banner designs. These requirements are mainly about options given to users to accept or reject cookies and the prominence of these options.
While most national cookie guidelines are quite strict on this matter, several are silent on it.
As an example, CNIL sets out that the “Accept all” and the “Reject all” buttons must be equally prominent (at the same level, with the same appearance). It constitutes a clear and simple way to allow the users to express their choices.
ICO considers that a consent mechanism that emphasizes the “agree” button over the “reject” button represents a non-compliant approach, as the online service is influencing users towards the “accept” option.
The Greek DPA provides that your cookie banner design must not influence the user’s cookie consent choice (e.g., through a design that emphasizes the “Accept” button over the “Reject” one). The Hellenic DPA recommends that all buttons in your cookie banner have the same font size and color emphasis and be easy to read.
On the contrary, some national DPA cookie guidelines do not provide any rules relating to cookie options. For example, the national cookie guidelines issued by the Belgian DPA and the Finnish DPA provide no explicit requirement on this matter.
Compliance with Cookie Guidelines with Secure Privacy
This section sets out how you can comply with the cookie guidelines issued by EU national DPAs using Secure Privacy.
What is Secure Privacy?
Secure Privacy is a company offering cookie consent management software. Secure Privacy provides a complete solution for your website and cookie consent needs. It offers a simple, easy-to-use interface that allows you to manage and automate your cookies compliance.
What are the features of Secure Privacy software?
Secure Privacy software has the following features:
1. Customizable cookie consent banner
You can add highly customizable cookie consent banners to your website. It is simple to use and can be put on your website within minutes.
3. Automated website cookie scanning
Secure Privacy website cookie scanner software will scan every cookie and other tracking tools on your website and will help you comply with GDPR, CCPA, and LGPD requirements.
4. Consent preference center
The consent preference center allows visitors of a website to opt-in or opt-out of cookies at any time. This feature allows visitors to withdraw their consent as easily as they give cookie consent.
5. Automated cookie consent recording
Secure Privacy automatically logs all cookie acceptances and declines for its customers.
6. Multi-language support
Secure Privacy supports more than 70 languages.
How to Obtain Valid GDPR Cookie Consent with Secure Privacy?
With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you to ensure that:
- You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner ensures that consent is obtained for all purposes by allowing users to select the types of cookies to which they consent.
- You include an opt-in, not pre-checked, for every type of cookie on your website, so that a checked box reflects the user's own choice.
- You provide information on how to withdraw consent for using cookies within your cookie notice and a mechanism to guarantee that your visitors re-affirm their consent after every six months.
- You record consents in a way that demonstrates the visitors' ability to withdraw them.
- You include a link to the cookie notice to give users additional information, such as the third parties that will have access to their personal data in case they give consent to the installation of a third-party analytics cookie.