Sweeping Up the Bad (Website) Cookies

Several recent actions from regulators in Europe have clarified the requirements surrounding cookie consent on websites, reminding website operators that consent must be freely given, specific, informed, and unambiguous.

Most recently, the DPC released its findings from a study on current cookie practices on popular websites in diverse sectors, and the report identified multiple compliance gaps that widely exist on many websites. Although the US does not currently have cookie requirements, these guidance notes can provide best practice guidelines for consideration, particularly for websites with a multi-national target.

First, obtain proper consent for cookies and do not “nudge” consent.

Website visitors (“users”) should not be “nudged” to accept cookies through either pre-ticked boxes or slides pre-set to consent. The accept/deny options for consent should be equally accessible and the “accept” option should not be more prominent than the “deny” option. Lastly, language surrounding accept/deny options should be clear, and should not use ambiguous language such as “Ok, got it!” as acceptance given that this is not a clear expression of consent.

Second, audit cookies to ensure only essential cookies are set in the absence of user consent.

Essential cookies are those necessary for users to utilize the website and its features. Examples are cookies that allow shopping carts to hold onto chosen items or cookies that detect website operational issues. Most analytical cookies are not essential. Similarly, a cookie used to later send a message to a user to come back and purchase what is in the cart is no longer essential because it is being used for marketing purposes. Another EU regulator, the Belgian Data Protection Authority, has explained this by describing essential cookies as those that benefit the user and the website, not just the website alone. Additionally, obtain consent even where users are assigned a randomly generated number and the data collection is “pseudonymized.” The bar for de-identifying personal information in Europe is quite high and difficult to obtain.

Third, review the overall design and clarity of the cookie banner and notice.

The cookie banner design matters and the cookie banner display should be noticeable and clear. The DPC found that cookie banners were often badly designed, barely visible, or otherwise poorly presented. Additionally, the cookie notice should clearly state the purpose and lifespan of cookies and pixels, as well as provide clarity on the identity of cookie controllers.

Fourth, provide users the tools to withdraw consent as easily as the users provided consent in the first place.

The DPC found lack of clarity on how users can withdraw consent. The DPC suggested that websites utilize radio buttons as a means of user control for this issue. Additionally, cookie walls, where the website is inaccessible unless cookies are accepted, should not be used.

Although the DPC does not provide examples, it may be helpful to look at how radio buttons are used on other regulator websites. For reference, an example radio button and cookie banner can be found on the UK Information Commissioner’s website. See example below:


 

According to the DPC, a suggested consent display is an overall “ACCEPT ALL” and “REJECT ALL” option as a first layer, and then an additional “manage settings” option as a second layer where users can utilize more granular consents. Conversely, a simple statement indicating that consent is needed to provide cookies with just an “Accept” button is not acceptable.

Finally, enforcement begins October 6, 2020 and there is a potential fine of 2% global turnover for non-compliance.

Controllers and processors should audit and review current cookie practices to ensure that they are ready and prepared in the event of regulatory inquiry by October this year.

Continue Reading