April 29, 2022

The One Stop Guide to EU Cookie Guidelines

Cookies and similar tracking technologies (cookies) are tools used to collect data about internet users for various purposes, including remarketing and audience measurement. The growing reliance on tracking cookies that websites place on their visitors' devices has raised concerns among internet users. To address this concern, regulators are making use of all available legal tools. The General Data Protection Regulation (GDPR) and the EU ePrivacy Directive already set out requirements for the use of cookies. Furthermore, EU national data protection authorities and the European Data Protection Board (EDPB) have issued guidelines clarifying how cookie laws are interpreted and are likely to be applied.

Cookie guidelines issued by the EDPB

The European Data Protection Board issued its guidelines on consent in May 2020. Among other things, the guidelines set out rules concerning cookies. These guidelines played a crucial role in establishing some of the fundamental rules in the field of cookies and other similar technologies.

What is EDPB?

The European Data Protection Board (EDPB) is an independent body contributing to the consistent application of data protection rules throughout the European Union (EU). It promotes cooperation between the EU’s data protection authorities (DPA). The EDPB was established by the General Data Protection Regulation (GDPR) and is based in Brussels.

The EDPB replaced the Article 29 Working Party (WP29), an independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018, the date on which the GDPR became applicable.

The EDPB is composed of representatives of the national DPAs of the EU Member States and the European Data Protection Supervisor (EDPS), the body that ensures the EU institutions and bodies respect people's right to privacy when processing their personal data. The supervisory authorities of Norway, Liechtenstein, and Iceland are also members of the EDPB, but without the right to vote or to be elected chair or deputy chair.

The EDPB is entrusted with the following tasks and duties:

  • Providing general guidance (including guidelines, recommendations, and best practices) in order to clarify the GDPR and to contribute to the consistent application of the GDPR;
  • Rendering formal opinions based on Article 64 of the GDPR;
  • Adopting binding decisions based on Article 65 of the GDPR in case of disagreement between the national DPAs;
  • Promoting cooperation among the national DPAs.

What are EDPB Cookie Guidelines?

On 4 May 2020, the EDPB adopted the Guidelines 05/2020 on consent under Regulation 2016/679 (“Consent Guidelines”). These guidelines are also referred to as the “Cookie Guidelines.” It must be emphasized, however, that the Guidelines are not mainly about cookies; they do address some of the main topics relating to cookies. The EDPB Cookie Guidelines ensure a harmonized approach to the conditionality of consent and the unambiguous indication of wishes.

The two most relevant clarifications in the EDPB Cookie Guidelines concern:

  • The validity of consent given by an individual to the use of cookies when access to a website is conditioned on that individual giving such consent (commonly referred to as a “cookie wall”); and
  • The validity of consent given by an individual to the use of cookies when such consent is given by scrolling through a website.

EDPB Stance on Cookie Walls

The Guidelines state that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).” It is clear from this provision that cookie walls are prohibited.

Cookie walls do not give individuals a genuine choice since access to the content or functionality of a website is made conditional on the individuals' acceptance of all cookies, and they are denied the right to reject the placement of cookies on their devices. 

EDPB Clarification on Scrolling/Swiping the Website

Until the Guidelines came out in May 2020, many websites were relying on scrolling or swiping through the website as an indication of consent to websites’ tracking policies. The EDPB made it clear that this practice is illegal, stating “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”

The rationale behind this clarification is that scrolling or swiping is not an unambiguous indication of consent by an individual since it could also be an indication of rejection. Since it is not technically possible to differentiate whether the users wished to accept or reject the placement of cookies by scrolling or swiping the website, it does not fulfill the requirement of unambiguous consent under the GDPR.

Are EDPB guidelines binding?

No, the EDPB Guidelines are not binding in themselves. However, it should be noted that the Guidelines reflect the common position and understanding that the authorities agree to apply consistently. That is why compliance with the EDPB Guidelines is crucial to ensure compliance with the GDPR and national data protection laws. 

Who must comply with EDPB guidelines?

Since the EDPB Cookie Guidelines are not binding, there is no direct obligation on organizations to comply with them. However, the Guidelines provide clarity on how national DPAs will interpret and apply the provisions of the GDPR, which makes them an important legal instrument. Organizations subject to the GDPR are therefore encouraged to comply with the EDPB Cookie Guidelines in order to avoid sanctions for GDPR violations.

Organizations that are subject to the GDPR are those:

  • Established in the EU; or
  • Offering goods and services to people in the EU; or
  • Monitoring the behavior of people in the EU.

It is apparent that the EDPB Cookie Guidelines have significant implications for companies with an establishment in the EU and those dealing with people from the EU.  

Cookie guidelines of national DPAs

Some national data protection authorities of the EU member states have issued guidelines regulating the use of cookies by websites and mobile applications in their territories. These guidelines set out non-mandatory rules but are significant soft-law instruments for compliance with the GDPR and with national data protection and cookie laws.

What is a Data Protection Authority (DPA)?

Data Protection Authorities (DPAs) are independent public authorities that supervise the application of data protection laws through investigative and corrective powers. They provide expert advice on data protection issues, handle complaints lodged against violations of the GDPR and the relevant national data protection laws, and issue fines and other corrective measures against organizations acting in breach of the GDPR and national data protection laws. Each EU Member State has its own DPA. Examples include the Commission Nationale de l'Informatique et des Libertés (CNIL) of France, the Agencia Española de Protección de Datos (AEPD) of Spain, and the Garante per la Protezione dei Dati Personali (Garante) of Italy.

What are national cookie guidelines?

National cookie guidelines are non-binding legal instruments issued by EU national DPAs. They clarify various aspects of cookie usage by websites that are subject to the jurisdiction of the particular DPA. Consent requirements, rejection and withdrawal of consent, and the validity of cookie walls are among the common issues addressed in national cookie guidelines.

Several national DPAs have issued cookie guidelines, and many more are expected to do so in the coming months or years. While there are some differences among the national cookie guidelines, the core principles remain the same, shaped by the EDPB Cookie Guidelines and the Planet49 case. These basic principles are:

  • Don’t place cookies before obtaining consent;
  • Don’t use pre-ticked boxes;
  • Don’t use a “cookie wall”;
  • Allow users to separately consent to each category of cookies;
  • Display your Privacy Policy and/or Cookie Policy before obtaining consent.

Are national cookie guidelines binding?

By themselves, the national cookie guidelines are not binding. However, it must be noted that these cookie guidelines provide strong references for organizations to anticipate how the national DPA may conduct its compliance investigations. Furthermore, the national DPAs have powers to impose sanctions on organizations, and it is likely that they would use the cookie guidelines issued by them as a point of reference. 

Who must comply with national cookie guidelines?

National cookie guidelines issued by the national DPAs in the EU are non-binding instruments. However, since they show how the national DPAs will characterize non-compliance with the GDPR and national data protection laws, they are important legal instruments for businesses. Compliance with national cookie guidelines is therefore recommended for those who fall under the territorial scope of the relevant DPA. For example, the CNIL Cookie Guidelines are relevant for organizations with an establishment in France. Additionally, since the GDPR applies “extraterritorially,” meaning to organizations established outside the EU as well, an organization without an establishment in France that offers goods or services to French people or monitors their behavior becomes subject to CNIL’s authority.

To summarize what is pointed out above, the national cookie guidelines should be complied with by organizations:

  • With an establishment in a particular EU country; or
  • Offering goods or services to the people of a specific EU country; or
  • Monitoring the behavior of the people of a specific EU country.

What are the penalties for violating national cookie guidelines?

The national cookie guidelines do not set out monetary penalties or any other sanctions for non-compliance in themselves. Non-compliance with cookie guidelines will lead to non-compliance with national data protection laws and the GDPR. Therefore, monetary fines and other sanctions set out under the GDPR will be applicable. 

For less severe infringements, GDPR sets out a fine of up to EUR 10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. For more severe infringements, the monetary fines can be EUR 20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Non-compliance with cookie rules has resulted in large fines for big corporations. Companies are therefore encouraged not to take the national cookie guidelines lightly, and to allocate resources to understanding and complying with them insofar as they apply. Some national DPAs are particularly active in enforcing cookie rules, such as the CNIL, the French DPA.

For example, in December 2020, the CNIL imposed large fines on two big tech companies for their violation of cookie rules. These companies "placed advertising cookies on users' computers... without obtaining prior consent and without providing adequate information". As a result, Google received two monetary fines totaling EUR 100 million, and Amazon received a monetary fine of EUR 35 million. CNIL’s sanctions do not end there: the French DPA has since imposed two further large fines on two big multinational tech companies.

The CNIL cookie guidelines set out that refusing consent to the use of cookies must be as easy as giving it. If a single click is enough to place cookies on users' devices, then refusal must be possible in the same manner, with a single click. The French DPA recently imposed significant fines on Google and Facebook for non-compliance with this rule: Google was sanctioned in the amount of EUR 150 million, and Facebook in the amount of EUR 60 million. The CNIL’s justification was that these companies (websites) “offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other), enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them.”

Consequently, it is highly recommended that organizations comply with the national cookie guidelines in order to avoid any hefty fines that they may be subject to. 

National Cookie Guidelines explained

The requirements of national cookie guidelines mainly overlap. However, there are some differences among them. In order to ensure you are compliant, you should check what guidelines are applicable to you and ensure you understand and allocate resources to comply with their requirements.

1. German DSK Cookie Guidelines 

The cookie guidelines of the DSK, the association of German state data protection authorities, provide clarity on the use of cookies by German websites and mobile applications.

1.1 What is DSK?

Private sector companies in Germany are subject to the jurisdiction of state data protection authorities (DPAs) such as Hamburg DPA (HmbBfDI), Berlin DPA (BlnBDI), etc. The DSK (short for “Datenschutzkonferenz” in German) is an association of German state data protection authorities. The DSK deals with and comments on the data protection issues in Germany. It serves as a coordinating body and makes no binding decisions on the organizations.

1.2 What are the DSK cookie guidelines?

The German DSK issued its cookie guidelines in April 2019. After the German Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) entered into force on 1 January 2021, the DSK issued its Guidance for Providers of Telemedia Services, which was primarily concerned with the “cookie provision” of the new German law. The guidelines focus on the TTDSG's consent requirements and exceptions for cookie consent.

1.3 What are the requirements of the German DSK cookie guidelines?

You must do the following to comply with the German DSK cookie consent guidelines:  

  1. Set tracking cookies only if you have explicit prior consent from your website visitors.
  2. Avoid requiring users to accept tracking cookies to access your website's content.
  3. Allow users to opt out of tracking cookies.
  4. You do not need to obtain valid GDPR cookie consent for essential cookies.
  5. Take precautions with embedded content.
  6. Disclose all the cookies you use on your website and communicate the purpose of each to your users in your cookie and privacy policies.
  7. Do not use pre-checked consent boxes.

2. ICO Cookie Guidelines

The Information Commissioner’s Office of the United Kingdom (ICO) published its cookie guidelines in July 2019, covering cookies and other similar technologies.

2.1 What is the ICO?

ICO stands for the Information Commissioner’s Office of the United Kingdom. This is the UK’s public authority in charge of enforcing the country's data protection laws. Among other things, it publishes guidelines that help businesses easily comply with privacy laws (UK Data Privacy Act 2018, UK GDPR).

2.2 What are the ICO Cookie Guidelines?

On July 3, 2019, the ICO cookie guidelines were issued to address cookies and similar technologies in detail. The guidelines are critical for online services such as websites and mobile apps. The ICO cookie guidelines help businesses understand how the GDPR and the UK Privacy and Electronic Communications Regulation (PECR) are interpreted and applied.

2.3 What are the requirements of the ICO Cookie Guidelines?

ICO Cookie Guidelines require you to inform your users about the use of cookies. A good practice is to show them a cookie banner where they can choose their privacy preferences and read your privacy policy and cookie declaration. 

Users must accept cookies through affirmative action (i.e., clicking on the "ACCEPT" button or something similar). The user should tick the checkboxes for each purpose of collection/processing. Pre-ticked boxes are not allowed. 

In general, cookie walls are not permitted as a means of obtaining users' consent. However, using a cookie wall as a condition of access to specific website content remains possible.

Continuing to browse the website does not imply acceptance of cookies and other tracking technologies.

3. CNIL Cookie Guidelines

The French DPA - CNIL has issued guidelines and recommendations concerning cookies. These guidelines and recommendations provide rules and best practices for websites and mobile applications to comply with data protection and cookie laws in France. 

3.1 What is CNIL?

CNIL stands for Commission Nationale de l’Informatique et des Libertés, the French national data protection authority. The French Data Protection Act of January 6, 1978, established the CNIL as an independent administrative authority responsible for ensuring the protection of personal data in computer files and processing operations, both public and private. It has the authority to enforce the data protection laws in France.

3.2 What are CNIL Cookie Guidelines?

On October 1, 2020, the CNIL published its revised cookie guidelines, which had initially been published on July 18, 2019, and partially annulled by the highest administrative court of France. The CNIL also published its final recommendations on the practical modalities for obtaining users’ consent (“Recommendations”) and a set of questions and answers about the recommendations (“FAQs”).

3.3 What are the requirements of CNIL Cookie Guidelines?

Users must be able to refuse consent to the use of cookies as easily as they can accept it. Users' inaction or silence (such as scrolling through and browsing the site) must be interpreted as a refusal of cookies. Furthermore, users must have the right to withdraw consent at any time, and withdrawal must be as simple as giving consent.

The CNIL does not completely prohibit cookie walls. Cookie walls are permissible and legal in certain circumstances. Their legality must be determined on a case-by-case basis. When cookie walls are used, you have to ensure that you provide the user with clear information about the consequences when the user accepts or denies consent and, in particular, information about the impossibility of accessing the content or service without consent must be provided.

3.4 What are CNIL Recommendations?

In addition to the CNIL cookie guidelines, the French DPA provided recommendations for following the cookie guidelines. Some of the most salient points from the CNIL recommendations are:

  • Before presenting individuals with the option to accept or reject cookies, the cookie consent banner must provide information about the purpose of the cookies or the cookie category.
  • The purpose of the cookie or the cookie category must be presented with a brief, highlighted title, followed by a brief description of the purpose.
  • The cookie banner must include a link to a cookie policy (or privacy policy) page containing detailed information about cookies.
  • The “Accept All” and “Reject All” buttons must be at the same level and of the same prominence.
  • Avoid pre-ticked boxes or pre-activated toggle switches.
  • Allow for granular consent.
  • Renew the cookie choice after 6 months.

4. Spain AEPD Cookie Guidelines

The Spanish DPA - AEPD issued its cookie guidelines that set out rules for compliance with cookie laws in Spain.

4.1 What is the AEPD?

AEPD is short for Agencia Española de Protección de Datos, which means “Spanish Agency for Data Protection.” Its role is to ensure compliance with European and national data protection laws in Spain. The AEPD is the official supervisory authority for personal data protection matters in Spain.

4.2 What are the AEPD Cookie Guidelines?

In November 2019, the Spanish DPA published its guidance on the use of cookies and other similar tracking technologies (“Cookie Guidelines”). The DPA published an updated version of the Cookie Guidelines on 28 July 2020. The updated guidelines were published to reflect the changes made to the Consent Guidelines issued by the EDPB. 

4.3 What are the requirements of the AEPD Guidelines?

The Spanish DPA cookie guidelines require the following:

  • Users must be informed about cookies in a concise, understandable, clear, and unambiguous manner.
  • During consent collection, the information about cookies must not be more than two clicks away from the first page. The information is to be provided in two layers, a main layer and a detailed, optional layer, in a clearly visible notice.
  • Consent must be an indication of affirmative action. Consent can be obtained by clicking on an "I consent" or "I accept" button or a similar control.
  • Users' cookie choices, whether acceptance or refusal, must not be kept indefinitely. They must be renewed at least every 24 months.
  • Cookie walls and pre-ticked boxes must be avoided.

4.4 What does an AEPD compliant cookie banner look like?

According to the Spanish DPA cookie guidelines, information about cookies can be provided in two layers. 

The first layer must be identified by a generally used term, such as “cookies,” and must contain the following information:

  • The identity of the website's owner.
  • Identification of the purposes of the cookies used on the website.
  • Information on whether the cookies are solely the website manager's own or whether third-party cookies are also used.
  • General information on the types of data that will be collected and used if user profiling is carried out (for example, when behavioral advertising cookies are used).
  • The manner in which users can accept, configure, and reject cookie use, including a warning that if they proceed with certain actions, they will be assumed to accept cookie use.
  • A clearly visible link to a second informative layer.

The second layer must contain more detailed information about cookies (i.e., cookie policy). 

5. Netherlands AP Cookie Guidelines

The Dutch DPA published its cookie guidelines following its survey of a number of Dutch websites for GDPR compliant cookie consent requirements.

5.1 What is the Autoriteit Persoonsgegevens?

Autoriteit Persoonsgegevens (AP) is the Dutch Data Protection Authority. This independent administrative body has been appointed by law in the Netherlands as the supervisory authority for the processing of personal data. The AP is located in The Hague.

5.2 What are the Dutch DPA Cookie Guidelines?

In December 2019, the Dutch Data Protection Authority released cookie consent guidelines to help website owners in the Netherlands deploy cookies in a GDPR-compliant way. This came in the aftermath of the Dutch DPA survey of a total of 175 websites in the Netherlands which concluded that 50% of those audited were found to be non-compliant with GDPR cookie consent requirements.

5.3 What are the requirements of the Dutch DPA Cookie Guidelines?

According to the Autoriteit Persoonsgegevens (AP), you must:

  1. Ensure your website remains accessible if a user does not provide cookie consent (avoid “cookie walls”).
  2. Obtain prior consent before deploying non-essential cookies.
  3. Give users control over their consent choices.
  4. Not use pre-ticked boxes.

6. Italian Garante Cookie Guidelines

The Italian DPA issued updated cookie guidelines in June 2021, which set out updated rules on cookies and similar technologies.

6.1 What is Italian Garante?

The Italian Data Protection Authority (Garante per la protezione dei dati personali, or simply Garante) is an independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data and to ensure respect for individuals' dignity. 

6.2 What are the Garante Cookie Guidelines?

The Italian DPA adopted a resolution, on 8 May 2014, about the simplified arrangements for information notices and obtaining consent for the use of cookies. Since then, there have been several amendments to the applicable legal framework in Italy, including the entry into effect of the EU General Data Protection Regulation (GDPR). 

On 10 June 2021, the Garante published its updated guidelines concerning cookies and other tracking tools (Cookie Guidelines). The Cookie Guidelines aim to ensure that website owners comply with both the GDPR and the ePrivacy Directive. 

6.3 What are the requirements of the Garante Cookie Guidelines?

The Italian DPA Cookie Guidelines set out that:

1. You must obtain consent before setting non-technical cookies (cookies that are not strictly necessary for the website to function). 

2. Users visiting your site for the first time must be shown a cookie banner that is clearly distinguishable from other components of the website. 

3. Scrolling cannot be relied on as a means of valid consent. 

4. Cookie walls are not legal.

5. Analytics cookies can be used without consent only when it is not possible to single out a data subject. 

6. At least 6 months must elapse before you can show your cookie banner again. 

7. Denmark Datatilsynet Cookie Guidelines

In Denmark, several organizations, including the national DPA, Datatilsynet, have issued cookie guidelines. These guidelines provide the information websites and mobile applications need to comply with the GDPR and with national data protection and cookie laws.

7.1 What is Datatilsynet?

The Danish Data Protection Agency, Datatilsynet, is the independent authority that supervises compliance with the rules on the protection of personal data. Datatilsynet provides guidance and advice, handles complaints, and carries out inspections.

7.2 What are cookie laws in Denmark?

In Denmark, there are two primary laws to consider when it comes to cookies. They are as follows:

  • The Danish Cookie Law (Cookiebekendtgørelsen); and
  • The General Data Protection Regulation of the EU - GDPR (and the Data Protection Act of Denmark).

The Danish Cookie Law is administered by the Danish Business Authority (Erhvervsstyrelsen), whereas the GDPR and its national implementation are administered by Datatilsynet. 

7.3 What are Danish DPA Cookie Guidelines?

Three sets of guidance relating to cookies have been published by the Danish authorities.

1. The Danish DPA (Datatilsynet) cookie consent guidelines were released on February 20, 2020, to provide clarity for website owners to ease compliance with GDPR personal data processing requirements.

2. The Danish Business Authority published guidance on the use of cookies on 10 December 2019.

3. Datatilsynet, the Danish Business Authority, and the Danish Council for Digital Security issued joint guidance on the requirements for the use of cookies on 12 February 2021.

7.4 What are the requirements of the Danish DPA Cookie Guidelines?

According to Danish DPA cookie consent guidelines, your personal data processing activities are GDPR compliant if and only if the following conditions are met: 

  • You do not process data before prior consent is given.
  • You provide users with information about the different types of cookies you have on your website, their purposes, and reasons why you need to process their personal information.
  • You receive consent based on affirmative action when a user visits your website to show that they have definitely agreed to the processing of their personal data.
  • In accordance with the granularity requirement, you make it simple for the visitor to provide consent for specific purposes and not others. 
  • You make it easy for users to withdraw their consent, just as you make it easy for them to give it. This includes the text as well as the visual elements of your cookie banner.
  • You keep logs of what users have consented to and how you obtained their consent.

8. Belgium DPA Cookie Guidelines

The Belgian DPA cookie guidelines provide clarity on the use of cookies and other similar technologies. 

8.1 What is the Belgium DPA?

The Data Protection Authority (in French L'Autorité de protection des données - APD, in Dutch Gegevensbeschermingsautoriteit - GBA) is an independent supervisory body responsible for ensuring compliance with the fundamental principles of personal data protection. The Authority was created in December 2017 as a national Data Protection Authority.

8.2 What are the Belgium DPA Cookie Guidelines?

In December 2019, the Belgian DPA imposed a fine of EUR 15,000 on a website providing legal news in the country. The company's unlawful use of cookies was the primary reason for the penalty. However, the Belgian DPA’s decision was challenged by various stakeholders because no clear framework had been put in place to help businesses comply with GDPR cookie requirements once the EU’s precedent-setting data privacy law came into force.

In response to this, on April 9, 2020, the DPA prepared and published new Consolidated Cookie Guidance on the Belgian DPA website. 

8.3 What are the requirements of the Belgium DPA Cookie Guidelines?

The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in accordance with GDPR requirements. They are as follows: 

  • You must seek consent for all non-essential cookies.
  • For cookie consent to be considered valid, it must be informed.
  • You must allow users to provide granular consent.
  • Obtaining unambiguous consent is mandatory.
  • Cookie walls are invalid under the GDPR.
  • Users must be allowed to withdraw consent easily.
  • You must be able to prove that you obtained valid GDPR cookie consent from your website users.

9. Greek DPA Cookie Guidelines

The Greek DPA cookie guidelines were published following an audit by the DPA of the use of cookies by the most popular Greek websites.

9.1 What is the Greek DPA?

The Hellenic Data Protection Authority (HDPA) is an independent public authority in Greece with its seat in Athens. The HDPA is responsible for supervising the implementation of the General Data Protection Regulation (GDPR), the national data protection act, and other regulations concerning the protection of individuals with regard to the processing of personal data, as well as for carrying out any other duties assigned to it.

9.2 What are the Greek DPA Cookie Guidelines?

The Greek DPA Cookie Consent Guidelines meant to help businesses meet GDPR compliance requirements were published on February 25, 2020. The Guidelines were adopted following the completion of an audit carried out by the HDPA for the use of cookies by the most famous Greek websites, in which the HDPA found that most of the audited websites were non-compliant with the GDPR.


9.3 What cookies require prior consent under the Greek DPA Cookie Guidelines? 

According to the Greek DPA cookie consent guidelines: 

  1. Before you place cookies or similar tracking technology, you must obtain the user's prior consent, regardless of whether you process their personal data. 
  2. Only cookies and trackers deemed necessary for either the normal functioning of your website or for the delivery of service clearly requested by the user are exempt from the prior consent requirement. 


9.4 What are the Greek DPA’s Requirements for a Compliant Cookie Notice?

The Hellenic DPA’s cookie consent guidelines require you to give users information about cookies and why it is important for them to provide prior consent through relevant mechanisms such as cookie banners or pop-up windows. 


9.5 How do I Obtain Valid Cookie Consent under the Greek DPA Cookie Consent Guidelines? 

As a data controller, to comply with the Greek DPA cookie consent guidelines, you must ensure that: 

  1. The prior consent you receive is given through an affirmative action by the user. Pre-checked consent boxes or reliance on the user's scrolling are not valid ways to obtain consent. 
  2. Your users can withdraw their consent as easily as they gave it.
  3. You allow users to accept or reject the use of non-essential trackers through the same number of actions (e.g., clicks).
  4. Your cookie banner design does not influence the user’s cookie consent choice, e.g., by emphasizing the ‘ACCEPT’ button over the ‘REJECT’ one. The Hellenic DPA recommends that your cookie banner use the same font size and color emphasis for all buttons and be easy to read.


10. Irish DPA Cookie Guidelines

The Irish Data Protection Commission issued a cookie guidance note following the examination of the cookie policies and practices of a number of Irish websites. 

10.1 What is the Irish DPC?

The Data Protection Commission (DPC) is the independent national authority in Ireland responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR) and also has functions and powers related to other important regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.

10.2 What are the Irish DPC Cookie Guidelines?

In April 2020, the Irish Data Protection Commission (DPC) released a report known as the ‘cookie sweep survey’, which examined the cookie policies and practices of 38 unnamed firms operating in Ireland. 

The Irish DPC used a three-color coding system to assess the level of compliance of data controllers: Red, Green, and Amber. While Green denoted full compliance, Red denoted non-compliance. Only two of the 38 entities examined received the full 'Green' rating from the Irish DPC. 


In April 2020, the Irish DPC issued a guidance note concerning cookies and similar technologies. Organizations were given a 6-month grace period (until October 2020) to bring their cookie usage in line with the guidance. 

10.3 What are the key takeaways from the Irish DPC cookie guidance?

According to the DPC, businesses must obtain user consent in line with GDPR requirements. This means the consent must be freely given, specific, informed, and unambiguous. However, the guidance provides two exemptions from the consent requirement: the communications exemption and the strictly necessary exemption.

If you allow third parties to add plugins, widgets, pixel trackers, or "like" buttons, you need to be aware of the kind of data shared with these third parties. 

The Irish DPC requires you to obtain prior and valid GDPR cookie consent from users before placing this category of third-party cookies on their devices. While first-party analytics cookies are unlikely to raise privacy issues when strictly limited to statistical purposes on your website, third-party analytics cookies are subject to GDPR compliance enforcement actions. 

If you maintain records of your consumers’ consent to the installation of cookies on their devices, the Irish DPC guidance note specifies that the period after which their consent should be re-obtained must not exceed six months from the time it was first given. Similarly, if a user declines to consent to the use of cookies, you may request their consent again after six months. 


11. Luxembourg DPA Cookie Guidelines

The Luxembourg DPA issued its guidelines on cookies and similar technologies in October 2021 that aim to help websites and mobile applications comply with the GDPR and national data protection and cookie laws.

11.1 What is CNPD?

The National Data Protection Commission (Commission Nationale pour la Protection des Données, CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg. It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.

11.2 What are the Luxembourg DPA Cookie Guidelines?

The Luxembourg DPA - CNPD published its guidelines on cookies and similar technologies (Cookies) on October 26, 2021. The guidelines aim to help website operators and mobile app operators in complying with the applicable legal framework in Luxembourg. 

The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users. 

11.3 What are the requirements of the Luxembourg DPA Cookie Guidelines?

In order to comply with the Luxembourg DPA cookie guidelines, you must meet the following requirements:

1. There is no need to obtain consent for essential cookies. 

2. Provide information about the use of essential cookies. 

3. You must obtain consent to use non-essential cookies. 

4. You cannot use dark patterns for obtaining consent. 

5. Withdrawing consent must be as easy as giving it. 

6. You must renew consent 12 months after it was first obtained. 

7. Have a two-layered cookie banner. 


12. Finnish DPA Cookie Guidelines

The Finnish Transport and Communications Agency - Traficom published its updated cookie guidelines in May 2021 based on the ruling of the Finnish DPA - Data Protection Ombudsman.

12.1 What is the Finnish DPA?

The Office of the Data Protection Ombudsman is a national supervisory authority in Finland that supervises compliance with data protection legislation. The Data Protection Ombudsman imposes administrative fines under the General Data Protection Regulation and issues statements on significant questions related to the application of the legislation governing the processing of personal data. 


12.3 What are the Traficom Cookie Guidelines?

In April 2020, Traficom published a ruling that declared it possible to give consent to cookies through browser settings. However, a month later, in May 2020, the Finnish DPA, the Data Protection Ombudsman, issued a decision that contradicted Traficom's ruling.

In May 2021, Traficom changed its cookie guidelines to reflect the decision of the Ombudsman.


12.4 The Requirements of Traficom Guidelines

The cookie guidelines of Traficom set out requirements for website operators and mobile application operators. The guidelines also cover similar tracking technologies, including session and local storage, tracking pixels, web beacons, tags, and fingerprinting technologies. 

1. Non-essential cookies require prior consent. 

2. Legitimate interest cannot be a ground for cookie usage. 

3. Consent must be freely given, specific, informed, and unambiguous. 

4. Rejecting cookies must be as easy for the user as it is to give consent. 

5. Withdrawing consent must be as easy as giving it. 

6. Pre-ticked boxes are not lawful. 

7. Consent cannot be bundled into the Terms of the website. 

8. Provide information about the cookies. 

9. Cookie walls are not allowed. 

10. Referring to browser settings for rejecting cookies is not lawful. 

11. Consent must be demonstrable. 


13. Latvian DVI Cookie Guidelines

The Latvian DPA released its cookie guidelines in March 2022 setting out information on the requirements of cookie usage and a model cookie policy.

13.1 What is Latvian DVI?

The Data State Inspectorate (DVI) is the national data protection authority (DPA) in Latvia. The authority is in charge of enforcing the GDPR in Latvia.

13.2 What are the Latvian DVI Cookie Guidelines?

In March 2022, right after the results of its cookie audit were released, the Latvian Data State Inspectorate published its cookie guidelines (“Cookie Guidelines”). The Cookie Guidelines set out information about cookies and their categories, requirements for the lawful use of cookies by website owners, and a model cookie policy for websites to publish on their sites. 

13.3 What are the requirements of the Latvian DPA Cookie Guidelines?

In order to comply with the Latvian DVI Cookie Guidelines, you should satisfy the following requirements:

1. Provide clear and comprehensible information to the users

2. Use a multi-layered approach

3. Keep the cookie notice until the user makes a decision

4. Consent must conform with GDPR standards

5. Have both “Accept” and “Reject” options

6. Closing the banner cannot be considered consent

7. Do not rely on browser settings for consent

8. Consent must be demonstrable

9. Consent must be easy to withdraw

10. Renew consent regularly


Similarities and Differences between National DPA Cookie Guidelines

National DPA cookie guidelines include a lot of similarities as well as certain differences. In this section, we will talk about these similarities and differences in detail.

What are the similarities between the national DPA cookie guidelines?

The cookie guidelines issued by most national DPAs are quite similar to each other. This is because they mainly rely on the EDPB Consent Guidelines (also referred to as the “Cookie Guidelines”) and the Planet 49 case. The key takeaways from these sources are:

EDPB Consent Guidelines

1. Cookie walls are not lawful as they do not give individuals a genuine choice over the use of cookies. 

2. Scrolling/browsing cannot be relied on as a means of indication of consent as it does not satisfy the requirement of clear and affirmative action by users. 

Planet 49 case

1. Pre-ticked check-boxes allowing the use of cookies do not constitute valid consent.

2. When consent is required for the placement of cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed, and unambiguous).

3. Consent cannot be bundled as it does not meet the “specificity” requirement under the GDPR. Thus, websites must request consent for different cookie usage purposes (granular consent). 

4. Information must be given to visitors, including, among other matters, the duration of the cookie lifespan and whether third parties will have access to these technologies, and the categories of third-party recipients of cookies.  

5. Regardless of whether the cookies constitute personal data or not, Article 5(3) of the ePrivacy Directive (the cookie consent rule) applies to any information placed on or accessed from an individual's device.

The cookie guidelines issued by most national DPAs are formed around the aforementioned rules and principles. There, however, exist some minor differences among them. 

What are the differences in national DPA Cookie guidelines?

Differences between national DPA cookie guidelines mainly concern issues that are regulated by some national DPA cookie guidelines but not by others. This does not imply major disagreement: certain countries’ cookie guidelines are simply less explicit than others and do not set out rules on certain specific issues relating to cookies. For example, not every national DPA provides rules concerning the UI design of cookie banners (i.e., rules relating to “Accept” and “Reject” buttons).

Other than that, some minor differences exist between cookie guidelines issued by national DPAs. These differences, described below, do not contradict each other but vary slightly based on certain nuances. For example, under almost all national DPA cookie guidelines, cookie walls are generally forbidden, but some of them allow cookie walls in certain limited circumstances (e.g., when a cookie wall only limits access to certain website sections if consent is not provided).

Below are the common differences found in most national DPA cookie guidelines.

1. Cookie consent retention period 

Some cookie guidelines set out a lifespan for the cookie choices made by users, whether acceptance or refusal. These lifespan rules vary from country to country. For example, CNIL, as a best practice, considers that a 6-month period is appropriate for the validity of a choice made by a user. On the other hand, the Spanish DPA (AEPD) suggests that the cookie choice should be renewed every 24 months, and the Luxembourg DPA (CNPD) requires renewing consent every 12 months. The Italian DPA, Garante, shares the view of the French CNIL and considers that 6 months is appropriate for consent renewal. 

Some national DPA cookie guidelines do not set a specific period for the validity of the cookie consent choice but require that the lifespan of the choice be proportionate and limited to the purposes for which the cookies are used (e.g., the ICO). 

However, some of the national DPA cookie guidelines are silent regarding cookie choice lifespan. 
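The consent rules gathered above (affirmative action only, no scroll or pre-ticked consent, granular purposes, withdrawal as easy as giving, demonstrable records, and the per-authority renewal periods) can be applied mechanically to a stored consent record before any non-essential cookie is set. The following is an added example and not code from the article, any DPA or any vendor; the record shape, purpose names, authority labels and the 30-day month are assumptions, while the renewal periods are the ones the text attributes to CNIL/Garante, CNPD and AEPD.

```javascript
// Added example: a small consent gate that decides (a) whether a stored
// consent record is still usable and (b) which cookies may be set now.
// Renewal periods follow the article (CNIL/Garante 6, CNPD 12, AEPD 24
// months); record shape, purpose names and month length are assumptions.

const MONTH_MS = 30 * 24 * 60 * 60 * 1000; // assumed month length

// Consent renewal period per authority, in months, as stated in the text.
const RENEWAL_MONTHS = { CNIL: 6, Garante: 6, CNPD: 12, AEPD: 24 };

// Capture methods the guidelines reject as not being an affirmative action.
const INVALID_METHODS = new Set(["scroll", "pre-ticked", "banner-close"]);

// Consent record as this example stores it (constructed shape):
//   { method, decision: "accept" | "reject", grantedPurposes, timestamp, bannerVersion }
// method, bannerVersion and timestamp are what makes the record demonstrable.
function evaluateConsent(record, authority, nowMs) {
  const months = RENEWAL_MONTHS[authority];
  if (months === undefined) throw new Error("unknown authority: " + authority);
  if (!record) return { status: "missing", reprompt: true, purposes: [] };
  if (INVALID_METHODS.has(record.method)) {
    // Scrolling, closing the banner or a pre-ticked box is not consent.
    return { status: "invalid", reprompt: true, purposes: [] };
  }
  if (nowMs - record.timestamp > months * MONTH_MS) {
    // Acceptance and refusal both expire; only then may the user be asked again.
    return { status: "expired", reprompt: true, purposes: [] };
  }
  if (record.decision === "reject") {
    // A fresh refusal is respected: no reprompt until the period has elapsed.
    return { status: "rejected", reprompt: false, purposes: [] };
  }
  return { status: "accepted", reprompt: false, purposes: record.grantedPurposes };
}

// Essential cookies never need consent; every other cookie needs its own
// purpose to have been granted (granular consent, no bundling).
function allowedCookies(inventory, record, authority, nowMs) {
  const verdict = evaluateConsent(record, authority, nowMs);
  return inventory
    .filter(c => c.essential || verdict.purposes.includes(c.purpose))
    .map(c => c.name);
}

// Withdrawal is a single call: the record becomes a refusal with a fresh
// timestamp, so the audit trail shows when the user withdrew.
function withdrawConsent(record, nowMs) {
  return { ...record, decision: "reject", grantedPurposes: [], timestamp: nowMs };
}

// Constructed sample inventory: one essential, one analytics, one ad cookie.
const SAMPLE_INVENTORY = [
  { name: "session_id", purpose: "essential", essential: true },
  { name: "_stats", purpose: "analytics", essential: false },
  { name: "_ads", purpose: "advertising", essential: false },
];
```

Run `evaluateConsent` on page load and only load the scripts whose cookies `allowedCookies` returns; when `reprompt` is true, show the banner again instead of reusing the old choice.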

2. Cookie walls 

Cookie walls are generally declared unlawful by the EDPB Consent Guidelines. Most national DPAs follow the standard set by the EDPB. That said, there are some slight differences relating to rules on cookie walls established under national DPA cookie guidelines. 

For example, the CNIL cookie guidelines do not ban cookie walls entirely; they allow the use of cookie walls provided their lawfulness is assessed on a case-by-case basis. Similarly, the ICO states that using a cookie wall as a condition of access to specific website content is possible. "Specific website content" means that you should not make general website access conditional on users accepting non-essential cookies, but you may limit certain content of the website if the user does not consent.

3. Analytics cookies 

One of the main differences found in the national DPA cookie guidelines is whether analytics cookies require prior consent or not. As a general rule, analytics cookies are subject to the requirement of prior consent. However, some national cookie guidelines exempt analytics cookies within certain strict limitations. For example, CNIL provides that certain analytics solutions could be exempt from the consent requirement. The consent exemption for analytics cookies applies subject to the following conditions:

  • These cookies must be limited to measuring the audience of the site only on behalf of the site owner;
  • They must only be used to produce anonymous statistical data;
  • They must not allow the tracking of persons across different sites;
  • They must not be combined with other data and must not be shared with third parties.

In addition, the Italian DPA - Garante Cookie Guidelines set out that analytics cookies can be considered technical cookies (and thus, be exempt from consent requirement) under strict conditions. For analytics cookies to be treated as technical cookies, it is essential to prevent direct identification of the data subject or, in other words, keep your users anonymous.

4. Prominence of cookie options given to users 

Some cookie guidelines require websites to follow certain rules relating to cookie banner designs. These requirements are mainly about options given to users to accept or reject cookies and the prominence of these options. 

While most national cookie guidelines are quite strict in this matter, several national cookie guidelines are silent concerning the same matter. 

As an example, CNIL sets out that the “Accept all” and “Reject all” buttons must be equally prominent (at the same level, with the same appearance). This constitutes a clear and simple way to allow users to express their choices.

ICO considers that a consent mechanism that emphasizes the “agree” button over the “reject” button represents a non-compliant approach, as the online service is influencing users towards the “accept” option.

The Greek DPA provides that your cookie banner design must not influence the user’s cookie consent choice (e.g., through a design that emphasizes the “Accept” button over the “Reject” one). The Hellenic DPA recommends that your cookie banner use the same font size and color emphasis for all buttons and be easy to read.

The Danish DPA suggests that you must provide equal opportunity to accept and reject the use of cookies and not mislead users with button sizes or colors. The Dutch DPA also suggests that the “Reject” and “Accept” options (either as buttons or links) should be of the same prominence.

On the contrary, some national DPA cookie guidelines do not provide any rules relating to cookie options. For example, the national cookie guidelines issued by the Belgian DPA and the Finnish DPA provide no explicit requirement on this matter. 

Compliance with Cookie Guidelines with Secure Privacy

This section sets out how you can comply with the cookie guidelines issued by EU national DPAs using Secure Privacy.

What is Secure Privacy?

Secure Privacy is a company offering cookie consent management software. Secure Privacy provides a complete solution for your website and cookie consent needs. It offers a simple, easy-to-use interface that allows you to manage and automate your cookies compliance.

What are the features of Secure Privacy software?

Secure Privacy software has the following features:

1. Customizable cookie consent banner

You can add highly customizable cookie consent banners to your website. It is simple to use and can be put on your website within minutes. 

2. Cookie and privacy policy generator

You can quickly generate a privacy/cookie policy to comply with the GDPR, CCPA, and other data privacy laws. The privacy/cookie policy can be edited within the platform without needing a developer. 

3. Automated website cookie scanning

Secure Privacy website cookie scanner software will scan every cookie and other tracking tools on your website and will help you comply with GDPR, CCPA, and LGPD requirements. 

4. Consent preference center

The consent preference center allows visitors of a website to opt-in or opt-out of cookies at any time. This feature allows visitors to withdraw their consent as easily as they give cookie consent.

5. Automated cookie consent recording

Secure Privacy automatically logs all cookie acceptances and declines for its customers.

6. Multi-language support

Secure Privacy supports more than 70 languages. 

How to Obtain Valid GDPR Cookie Consent with Secure Privacy?

With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you to ensure that:

  • You implement a layered approach to seeking and explaining cookie consent to users. With the Secure Privacy cookie banner, you can first inform users about the need to use cookies and why their consent is required for their placement. Secondly, our banner also helps you explain to users the different types and analytics tools you use in your cookie notice.
  • You do not bundle consents. Instead, Secure Privacy’s GDPR cookie banner ensures that consent is obtained for all purposes by allowing users to select the types of cookies to which they consent.    
  • You include an opt-in for every type of cookie on your website that is not pre-checked to show user consent.
  • You provide information on how to withdraw consent for using cookies within your cookie notice and a mechanism to guarantee that your visitors re-affirm their consent after every six months.
  • You record consents in a way that can show the visitors' ability to withdraw.
  • You include a link to the cookie notice to give users additional information, such as the third parties that will have access to their personal data in case they give consent to the installation of a third-party analytics cookie.

If you would like to receive additional information on the EDPB’s or national DPAs’ cookies guidances or to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.