Posternak Blankstein & Lund LLP is now Arent Fox. Read the press release

‘Click Here to Accept Updated Cookie Guidance’

Data protection authorities in the UK and France have released updated guidance for website operators that use cookies on their websites. This new guidance may mandate changes to existing cookie banners and provides further clarification regarding the requirements imposed upon website operators under European privacy law.

What is a Cookie?

In the world of digital technology, a cookie is more than milk’s favorite companion. Indeed, the term “cookie” is often used to refer to a number of technologies placed on webpages that are used for various purposes, including web beacons, clear gifs and tracking pixels. Here, we will use the term “cookie” to generally refer to all of these technologies. Cookies may be first party or third party, persistent or session, and strictly necessary or non-essential. First party cookies are those set directly by the website the user is visiting, while third party cookies are set by a domain other than the one the user is visiting (e.g., a third party service provider). Cookies that expire at the end of a browser session are called session cookies, while those that can be stored for longer are called persistent cookies. Strictly necessary cookies are, for example, those that help ensure the content of a page loads quickly and effectively, while cookies used for analytics or advertising purposes are more for internal website operator purposes and are not deemed strictly necessary.

Cookie Requirements

As background, the use of cookies falls under the purview of the ePrivacy Directive, a 2002 EU law on data protection and privacy in the digital age often referred to as the “Cookie Directive.” While a revised ePrivacy Regulation is pending, the Directive remains in force at this time. Under the Cookie Directive, where a website uses cookies, it must provide notice of the cookies used and their purposes, and obtain consent from a user before placing cookies on the user’s device unless those cookies are “strictly necessary” or essential to provide a service explicitly requested by the user. The standard for obtaining consent for non-essential cookies is governed by the EU General Data Protection Regulation (GDPR), which indicates that consent must be a “freely given, specific, informed and unambiguous” indication of the user’s wishes.

Revised Guidance

Both the UK and French regulators have taken steps to clarify their position on cookies, and both have come to a similar conclusion—implied consent is not ok for non-essential cookies.

In the UK, shortly following the admission that its own cookie banner was noncompliant with the GDPR, the UK Information Commissioner’s Office (ICO) released updated guidance on the use of cookies. While some of the guidance is not necessarily new, it does serve to clarify some misunderstandings that the agency noticed in the implementation of cookie banners by various websites. In its blog post announcing the new guidance, the ICO cleared up five misunderstandings that have developed in the GDPR’s first year:

  1. Organizations cannot rely on implied consent for the use of cookies. Pre-ticked boxes, silence or inactivity does not constitute valid consent. This means users must take clear and positive actions to consent to non-essential cookies.
  2. Analytics cookies are not strictly necessary. While analytics certainly provide organizations with useful information, they are not part of the functionality that a user requests when using a website, therefore consent is required.
  3. Cookie walls that restrict access to a website until users consent are not permitted. This approach is unlikely to represent valid consent, however, there are differing opinions and practical considerations around the use of partial cookie walls. The ICO will be seeking submissions on this point from interested parties. For now, any website operator considering a cookie wall should carefully document its thought process before implementing one.
  4. Organizations cannot rely on legitimate interests to set cookies. Consent is always required for non-essential cookies.
  5. The ICO does not want online services to stop using cookies. The ICO recognizes that cookies and similar technologies are important in ensuring the functionality and convenience of digital services, but would like cookies to be used in a compliant way.

Similarly, in France, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced its 2019-2020 action plan that includes replacing its 2013 recommendations on cookies and other tracking technologies. Like the ICO, the CNIL is clarifying that implied consent will not suffice in their view either. Because guidelines from the European Data Protection Board explicitly exclude scrolling down, swiping or browsing a website or application as valid consent, the CNIL’s 2013 recommendations, which allow obtaining consent through these means, is no longer in line with the applicable rules. The CNIL’s new guidance is expected soon. From publication, the CNIL will give stakeholders 12 months to comply with the new guidance. During this transition period, scrolling down, swiping or browsing will still be acceptable. It is important to note, however, that the CNIL will still investigate complaints to ensure that, among other things, no cookie is placed until the user has actively consented.

Practical Tips

We recommend reviewing existing cookie notice and consent mechanisms to ensure they are in line with this new guidance. Some helpful first steps for website operators include the following:

  • Ensure that non-essential cookies are not placed on the website landing page. Non-essential cookies may be placed after the user accepts cookies, but should not be placed before. Given this, it is helpful for some operators to not have such cookies on the landing page.
  • Clearly inform users about what cookies are being used and what they do prior to placing such cookies because it is important that any consent given by a user is clearly informed. This can be done in the cookie banner that directs users to a more detailed explanation in the privacy policy or cookie policy.
  • When using third party cookies, clearly identify the third parties and explain what they will do with the information collected to comply with the GDPR’s informed consent requirements. As above, this can be done using a cookie banner that directs users to a more detailed explanation in the privacy policy or cookie policy.
  • Obtain affirmative opt-in to non-essential cookies. This means that a user should be required to tick a box, switch a toggle to “on” or take another affirmative step to demonstrate consent to non-essential cookies.
  • Allow users to continue to use the website if they do not consent to non-essential cookies because use of a website must not be conditioned upon a user providing more information (including through cookies) than is needed to serve the website to such user.
  • Provide users with an easily accessible means to control non-essential cookies.

Contacts

Continue Reading