The Cookie Crumbles: Diverging Approaches to Cookie Consent Requirements
Following a relatively quiet period, we are now experiencing a flurry of local regulatory guidance and enforcement, with at least 17 fines being imposed for violations of cookie transparency and consent requirements since December 2020. With this renewed regulatory attention, it is worth taking a closer look at the local requirements and where they currently diverge.
The current EU and UK cookie requirements follow the provisions of the Privacy and Electronic Communications Directive (“ePrivacy Directive”), which dates back to 2003. The ePrivacy Directive had to be implemented into UK and EU Member States’ local laws, which led to a patchwork of slightly different approaches on how to deal with cookies.
The purpose of the upcoming EU ePrivacy Regulation (the “Regulation”) is to update and harmonize the requirements. While we continue to wait for the finalization of the Regulation, we do see some harmonization at the EU level, driven primarily by the Court of Justice of the European Union (CJEU) and the European Data Protection Board (EDPB):
In addition, a number of local data protection authorities (DPAs) are either issuing guidance and/or enforcing compliance with the cookie rules. Regulatory enforcement has ramped up recently, with more than 17 fines issued since December 2020, with fines totaling almost 246 million euros. It is interesting to note that this includes very small fines (as low as 374 euros, imposed by a German court) but also very high fines (up to 150 million euros, imposed by the French CNIL). It is also worth noting that all of these fines involve transparency and/or consent infringements.
The various decisions and guidance have resulted in a patchwork of rules that may vary according to each applicable EU Member State and make it difficult for multijurisdictional organizations to comply with all of the various requirements.
In order to assess the similarities and differences among the current regulatory approaches to cookie consent requirements, we have reviewed the guidance of the DPAs in the UK, France, Italy, Luxembourg, Germany and the Netherlands. The exercise showed that the regulatory guidance contains many similarities, for example, on the topics of transparency and consent requirements. However, there are also certain key topics on which the DPAs disagree. For example:
In the chart below, we have summarized the regulatory guidance for the UK, France, Italy, Luxembourg, Germany and the Netherlands on seven key topics of similarity or divergence. Hopefully, the Regulation will be adopted soon, and it will eliminate the differences between the EU Member States. Until that time, however, multinationals using cookies need to consider several sets of requirements.
Examples of Diverging Cookie Requirements
| Topic | United Kingdom (ICO Guidance) | France (CNIL Guidance) | Italy (Garante Privacy Guidance) | Luxembourg (CNPD Guidance) | Germany (DPC Guidance) | The Netherlands (AP Guidance) |
|---|---|---|---|---|---|---|
| Requirements for valid cookie consent | Standard UK GDPR requirements. | Standard GDPR requirements. In addition, withholding consent must be as easy as giving consent; if consenting takes one click, withholding consent must also take one click. | Standard GDPR requirements. | Standard GDPR requirements. | Standard GDPR requirements. In addition, “Accept all Cookies” only constitutes valid consent if certain requirements are met. | Standard GDPR requirements. |
| Cookie walls | Not allowed. | Allowed if the user can access a similar service without cookie consent. | Not allowed. | | | |
| Consent by using website | Not allowed. | Scrolling on a web page may constitute valid consent if it is part of a complex process that allows the user to unambiguously indicate their wishes in this manner. | Not allowed. | | | |
| Essential cookies | Consent is not required for essential cookies. Essential cookies are cookies that are strictly necessary (i) to provide the service requested by the user and/or (ii) for the transmission of a communication over an electronic communications network. | Same as UK. | Same as UK. | Same as UK. | Same as UK. | Same as UK. |
| Analytics cookies | Consent is required for both first- and third-party analytics cookies. | Consent is not required for first-party analytics cookies, provided that certain conditions are met. | Consent is not required for either first- or third-party analytics cookies, provided that certain conditions are met. | Consent is required for both first- and third-party analytics cookies, and additional requirements apply to the use of analytics cookies that are strictly necessary to provide a service. | Consent requirements depend on a case-by-case assessment of whether analytics cookies are strictly necessary. | Consent is not required for analytics cookies if they are only used to count visitors. |
| Transparency obligations | Standard UK GDPR requirements. The cookies and their purposes must be clearly stated, along with any third parties that may access the information and the retention period of the cookies. | Standard GDPR requirements. | Standard GDPR requirements. Companies are encouraged to consider whether multilayered notices can be used to provide information that is easy to understand on the medium that is used. | Standard GDPR requirements. The use of a two-layered system with a pop-up and a cookie policy is recommended. | Standard GDPR requirements. Users must be informed about the retention period of cookies and whether and which third parties can access the information. | Standard GDPR requirements. |
| Retention period | Cookies’ lifespans must be limited to the duration necessary to achieve their intended purpose. Standard general date settings such as “12/31/9999” are not permissible. | Cookie storage must be limited to the duration necessary to achieve their intended purpose. A retention period of | Cookie storage must be limited to the duration necessary to achieve their intended purpose. | Cookies should only have a retention period of 12 months. | Cookie storage must be limited to the duration necessary to achieve their intended purpose. | Cookie storage must be limited to the duration necessary to achieve their intended purpose. A storage period of more than 6 months is usually considered excessive. |
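As an added illustration (not part of the original article or any DPA's guidance), the following Python audit reads `Set-Cookie` headers and flags lifetimes that exceed the 12-month (Luxembourg) and 6-month (Netherlands) figures from the retention row, including the far-future “12/31/9999” pattern the ICO guidance rejects. The day counts used for those periods and the sample headers are our own assumptions.

```python
"""Audit Set-Cookie lifetimes against the retention guidance summarized above."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Thresholds from the table: CNPD (Luxembourg) 12 months, AP (Netherlands) 6 months.
# The day counts are our own approximation of those periods (assumption).
LIMITS_DAYS = {"Luxembourg (12 months)": 365, "Netherlands (6 months)": 183}


def cookie_lifetime_days(set_cookie: str, now: datetime) -> Optional[float]:
    """Return the cookie's lifetime in days, or None for a session cookie.

    Max-Age takes precedence over Expires, which is how browsers apply them (RFC 6265).
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair itself
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None                             # unparseable date: treat as session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None  # neither attribute: a session cookie, dropped when the browser closes


def audit(set_cookie_headers: List[str], now: datetime) -> List[str]:
    """Flag every cookie whose lifetime exceeds a jurisdiction's retention guidance."""
    findings = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        days = cookie_lifetime_days(header, now)
        if days is None:
            continue                                # session cookie: nothing to flag on lifetime
        for label, limit in LIMITS_DAYS.items():
            if days > limit:
                findings.append(f"{name}: {days:.0f} days exceeds {label}")
    return findings


NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)     # fixed clock so the run is reproducible
SAMPLE_HEADERS = [  # constructed examples, not captured from any real site
    "sessionid=abc123; Path=/; Secure; HttpOnly",               # session cookie, no lifetime
    "consent=granted; Max-Age=15552000; Path=/",                 # 180 days: within both limits
    "analytics_uid=x9; Max-Age=34128000; Path=/",                # 395 days: exceeds both limits
    "legacy=1; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/",   # the "12/31/9999" pattern
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS, NOW)))
```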
That is the million-dollar question, and, although the answer depends on the practices of your organization, key actions to consider are: