The Cookie Crumbles: Diverging Approaches to Cookie Consent Requirements

05 May 2022
Client Alert

Following a relatively quiet period, we are now experiencing a flurry of local regulatory guidance and enforcement, with at least 17 fines being imposed for violations of cookie transparency and consent requirements since December 2020. With this renewed regulatory attention, it is worth taking a closer look at the local requirements and where they currently diverge.

Background and Limited Harmonization

The current EU and UK cookie requirements follow the provisions of the Privacy and Electronic Communications Directive (“ePrivacy Directive”), which dates back to 2003. The ePrivacy Directive had to be implemented into UK and EU Member States’ local laws, which led to a patchwork of slightly different approaches on how to deal with cookies.

The purpose of the upcoming EU ePrivacy Regulation (the “Regulation”) is to update and harmonize the requirements. While we continue to wait for the finalization of the Regulation, we do see some harmonization on an EU level, primarily by the Court of Justice of the European Union (CJEU) and the European Data Protection Board (EDPB):

  • The rulings of the CJEU are binding throughout the EU. So when the CJEU clarified the cookie consent requirements in the Planet49 case, the ruling provided a basis for the requirements in all 27 EU Member States. For more details on the CJEU’s ruling in the Planet49 case, please refer to our client alert.
  • The EDPB also contributed to limited harmonization through its guidance and opinions. For example, in its Consent Guidelines, the EDPB clarified that the use of cookie walls (i.e., pop-ups that prevent access to websites before cookie consent is given) cannot result in a valid consent. While the EDPB’s opinions are not legally binding, they give a good indication of how the European regulators will decide certain issues if your organization is subjected to a regulatory investigation.

In addition, a number of local data protection authorities (DPAs) are either issuing guidance and/or enforcing compliance with the cookie rules. Regulatory enforcement has ramped up recently, with more than 17 fines issued since December 2020, with fines totaling almost 246 million euros. It is interesting to note that this includes very small fines (as low as 374 euros, imposed by a German court) but also very high fines (up to 150 million euros, imposed by the French CNIL). It is also worth noting that all of these fines involve transparency and/or consent infringements.

The various decisions and guidance have resulted in a patchwork of rules that may vary according to each applicable EU Member State and make it difficult for multijurisdictional organizations to comply with all of the various requirements.

Diverging Approaches to Cookie Consent Requirements

In order to assess the similarities and differences among the current regulatory approaches to cookie consent requirements, we have reviewed the guidance of the DPAs in the UK, France, Italy, Luxembourg, Germany and the Netherlands. The exercise showed that the regulatory guidance contains many similarities, for example, on the topics of transparency and consent requirements. However, there are also certain key topics on which the DPAs disagree. For example:

  • Consent for analytics cookies: Certain types of analytics cookies may be used without consent in France, Italy and the Netherlands, but in Luxembourg, Germany and the UK, consent is in general required (unless the analytics cookies are strictly necessary for providing a service that is requested by the user, which is rarely the case).
  • Consent by scrolling and cookie walls: Consent by scrolling on a web page and the use of cookie walls are – in certain circumstances – allowed in Italy, while they are prohibited in Luxembourg, France, Germany, the Netherlands and the UK.
  • Retention periods: The six DPAs agree that cookies cannot have a retention period that exceeds what is necessary for the purpose for which the cookies are used, but the three DPAs that provide a specific period (in France, Luxembourg and the Netherlands) diverge as to whether a period of more than 6, 12 or 13 months will generally be considered excessive.

In the chart below, we have summarized the regulatory guidance for the UK, France, Italy, Luxembourg, Germany and the Netherlands on seven key topics of similarity or divergence. Hopefully, the Regulation will be adopted soon, and it will eliminate the differences between the EU Member States. Until that time, however, multinationals using cookies need to consider several sets of requirements. 

Examples of Diverging Cookie Requirements

The chart compares the guidance of six DPAs: United Kingdom (ICO Guidance), France (CNIL Guidance), Italy (Garante Privacy Guidance), Luxembourg (CNPD Guidance), Germany (DPC Guidance) and The Netherlands (AP Guidance). Each topic below lists the position of each DPA in that order.

Requirements for valid cookie consent
  • United Kingdom: Standard UK GDPR requirements.
  • France: Standard GDPR requirements. In addition, withholding consent must be as easy as giving consent; if consenting takes one click, withholding consent must also be one click.
  • Italy: Standard GDPR requirements.
  • Luxembourg: Standard GDPR requirements.
  • Germany: Standard GDPR requirements. In addition, “Accept all Cookies” only constitutes valid consent if certain requirements are met.
  • The Netherlands: Standard GDPR requirements.

Cookie walls
  • United Kingdom: Not allowed.
  • France: Not allowed.
  • Italy: Allowed if the user can access a similar service without cookie consent.
  • Luxembourg: Not allowed.
  • Germany: Not allowed.
  • The Netherlands: Not allowed.

Consent by using website
  • United Kingdom: Not allowed.
  • France: Not allowed.
  • Italy: Scrolling on a web page may constitute valid consent if it is part of a complex process that allows the user to unambiguously indicate their wishes in this manner.
  • Luxembourg: Not allowed.
  • Germany: Not allowed.
  • The Netherlands: Not allowed.

Essential cookies
  • All six DPAs: Consent is not required for essential cookies. Essential cookies are cookies that are strictly necessary (i) to provide the service requested by the user and/or (ii) for the transmission of a communication over an electronic communications network.

Analytics cookies
  • United Kingdom: Consent is required for both first- and third-party analytics cookies.
  • France: Consent is not required for first-party analytics cookies, provided that certain conditions are met.
  • Italy: Consent is not required for either first- or third-party analytics cookies, provided that certain conditions are met.
  • Luxembourg: Consent is required for both first- and third-party analytics cookies, and additional requirements apply to the use of analytics cookies that are strictly necessary to provide a service.
  • Germany: Consent requirements depend on a case-by-case assessment of whether analytics cookies are strictly necessary.
  • The Netherlands: Consent is not required for analytics cookies if they are only used to count visitors.

Transparency obligations
  • United Kingdom: Standard UK GDPR requirements. The cookies and their purposes must be clearly stated, along with any third parties that may access the information, and the retention period of the cookies.
  • France: Standard GDPR requirements.
  • Italy: Standard GDPR requirements. Companies are encouraged to consider whether multilayered notices can be used to provide information that is easy to understand on the medium that is used.
  • Luxembourg: Standard GDPR requirements. The use of a two-layered system with a pop-up and a cookie policy is recommended.
  • Germany: Standard GDPR requirements. Users must be informed about the retention period of cookies and whether and which third parties can access the information.
  • The Netherlands: Standard GDPR requirements.

Retention period
  • United Kingdom: Cookies’ lifespans must be limited to the duration necessary to achieve their intended purpose. Standard general date settings such as “12/31/9999” are not permissible.
  • France: Cookie storage must be limited to the duration necessary to achieve their intended purpose. A retention period of up to 13 months is usually considered to be appropriate.
  • Italy: Cookie storage must be limited to the duration necessary to achieve their intended purpose.
  • Luxembourg: Cookie storage must be limited to the duration necessary to achieve their intended purpose. Cookies should only have a retention period of 12 months.
  • Germany: Cookie storage must be limited to the duration necessary to achieve their intended purpose.
  • The Netherlands: Cookie storage must be limited to the duration necessary to achieve their intended purpose. A storage period of more than 6 months is usually considered excessive.

What does this mean for our organization?

That is the million-dollar question. Although the answer depends on the practices of your organization, key actions to consider are:

  • Review your current approach to cookie compliance and determine when it was last updated (e.g., if your organization has started using device fingerprinting after the last update, the cookie compliance program likely needs updating in any case).
  • Review your current (and upcoming) projects that involve the use of cookies and similar technologies, and confirm that the use of such technologies is adequate, correct and up-to-date.
  • Determine which countries’ ePrivacy rules are applicable to your organization and what the differences are between the relevant countries.
  • Determine what approach best suits your organization, considering the current state of affairs in the EU. For example, do you want to have a pan-EU or a country-by-country approach? Is your organization’s risk appetite still the same as it was prior to the recent enforcement actions and the new regulatory guidance?
  • Consider whether and how your organization’s documents and processes (e.g., cookie notice, cookie tool, consent banner, cookie guidelines for your business, retention practices) need updating according to the chosen approach.
  • Continue monitoring relevant developments in the EU (and in the rest of the world) and considering how they affect your organization’s compliance program.
  • Consider how to keep your cookie compliance program up-to-date, and the relevant personnel sufficiently informed and trained on the current and upcoming developments. 
  • Start socializing the increased enforcement actions in the EU and the possibility of the upcoming ePrivacy Regulation within your organization. It will likely be worthwhile keeping the relevant stakeholders informed so that they know why additional resources might be needed. It will make them understand the importance of keeping up compliance efforts, and also likely contribute to swift decision making, resulting in fewer surprises for those stakeholders, thus also making your job easier.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.