Cookies and the GDPR: What’s Really Required?

Update May 2020: The European Data Protection Board (EDPB) has updated its guidelines, specifically with regard to recommended consent collection mechanisms. More on that here.

When you think about data law and privacy legislation, cookies easily come to mind, as they are directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy Directive) has been repealed by the General Data Protection Regulation (GDPR), which, in fact, it has not. Instead, you can think of the ePrivacy Directive and the GDPR as working together and complementing each other.

In short
  • The Cookie Law was not repealed by the GDPR and still applies.
  • Cookie law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
  • Consent to cookies must be informed and based on an explicit affirmative action; subject to the local authority, these actions may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed.
  • The Cookie Law itself only requires proof of consent, not records of consent. However, many Data Protection Authorities across the EU have aligned their cookie rules with the GDPR, so depending on the country relevant to you, you may be required to maintain records of cookie consent as the GDPR requires.
  • The cookie law does not require that you individually list third-party cookies, only that you state their category and purpose.
  • While the Cookie Law does not require that you manage consent for third-party cookies directly on your site/app, you are required to inform users of third-party cookie usage, the purpose of the cookies and link to the relevant third-party privacy/cookie policies.

The ePrivacy Directive 2002/58/EC (or Cookie Law) was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and it still applies today. As mentioned above, you can think of the ePrivacy Directive as currently “complementing” the GDPR in a sense, rather than being repealed by it.

Generally, Directives set certain agreed-upon goals and guidelines in place with member states being free to decide how to make these directives into national legislation. Regulations, on the other hand, are legally binding across all Member States from the moment they are put into effect and they are enforced according to union-wide established rules.

With that said, the ePrivacy Directive is, in fact, going to be repealed soon by the ePrivacy Regulation. The ePrivacy Regulation is expected to be finalized in the near future and will work alongside the GDPR to regulate the requirements for the use of cookies, electronic communications, and related data/privacy protection. As the Regulation is still under heavy discussion, it is not yet clear if it will maintain values similar to the Directive.

The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.

This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies.

In practice, you’ll need to show a cookie banner at the user’s first visit, implement a cookie policy and allow the user to provide consent – unless your website uses solely exempt cookies, which is highly unlikely. Prior to consent, no cookies — except for exempt cookies — can be installed.

Showing a cookie banner at the user’s first visit

The cookie notice must:

  • briefly explain the purpose of the installation of cookies that the site uses;
  • clearly state which action will signify consent;
  • be sufficiently conspicuous so as to make it noticeable;
  • link to (a cookie policy) or make available details of cookie purpose, usage, and related third-party activity.

Implementing a cookie policy

The cookie policy must:

  • indicate the type of the cookies installed (e.g. statistical, advertising etc.);
  • describe in detail the purpose of installation of cookies;
  • indicate all third-parties that install or that could install cookies, with a link to their respective policies, and any opt-out forms (where available);
  • be available in all languages in which the service is provided.

Blocking cookies before consent

In line with the general principles of privacy legislation, which prohibit processing before consent has been obtained, the Cookie Law does not allow cookies to be installed before the user has consented. In practice, this means that you may have to block the scripts that set non-exempt cookies until the user consents, and only activate them afterwards.

Consent to cookies

Consent to cookies must be informed and explicit, and can be provided by a clear affirmative (opt-in) action. Therefore, if you use mechanisms such as checkboxes, they must not be pre-checked.

The Working Party document on the Cookie Law states:

To ensure that a consent mechanism for cookies satisfies the conditions in each Member State, such consent mechanism should include each of the main elements: specific information, prior consent, indication of wishes expressed by user’s active behaviour and an ability to choose freely.

Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed; this is somewhat left up to your discretion. Some website/app owners may favor a click-to-consent method over scrolling/continued-browsing methods as the former is less likely to be performed by user error.

It’s worth noting here that the Italian Data Protection Authority (the Garante Privacy) specifically recognizes “performing a scrolling action” and “clicking on one of the internal links of the page” as valid indications of affirmative consent. Because ePrivacy is, in fact, a Directive, the specifics of how its requirements should be met depend heavily on individual Member State law. It should be noted, however, that the Italian DPA explicitly states that its recommendations were created before the GDPR came into force, and that this fact should also be considered when making a decision in this regard. At the time of writing, the Spanish DPA also does not explicitly ban consent on scroll. Since it is impossible for us to know which specific circumstance applies to your particular case, we give you the option to easily enable or disable the Cookie Solution’s “scroll to consent” feature as needed.

Caution

The European Data Protection Board (EDPB) has updated its guidelines on consent: Guidelines 05/2020 on consent under Regulation 2016/679. This update is important as it aims to remove any ambiguity about the official position on several aspects of cookie usage. Perhaps most significantly, these latest guidelines clearly state that cookie walls are prohibited and that the EDPB does not consider consent via scrolling or continued browsing to be valid.

With that said, these latest guidelines contradict some local Member State rules, most notably those of Italy and Spain. In such cases it is therefore difficult to say with any certainty to what extent the latest guidelines will apply or be enforced, as ultimately it will be up to the local Data Protection Authority to decide.

In regards to the refusal of consent or opting-out after consent has been given, the law states that users must be “given the possibility” to refuse or withdraw their consent. The Working Party document further elaborates on this point by stating that in regards to withdrawing or refusing consent, you must provide:

  • information on how users can withdraw consent and the action required to do so;
  • a means by which the user can choose to accept or decline cookies.

This means or mechanism may not have to be hosted directly by you. In some cases under member state law, browser settings are considered to be an acceptable means of withdrawing consent.

The particular consent collection mechanisms considered to be valid may vary by member state

Listing third-party cookies

In general, the directive does not specifically require that you list and name individual third-party cookies, however, you are required to clearly state their categories and purpose.

This decision by the authorities is likely deliberate: requiring individual third-party cookies to be listed would mean that every website/app owner would bear the burden of constantly watching over every single third-party cookie, looking for changes that are outside of their control. This would be largely unreasonable, inefficient and likely unhelpful to users.

To further expand on this point, here’s an excerpt from the ICO’s Cookie Guide:

It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.

This sentiment is even further elaborated upon by the Italian Data Protection Authority (the Garante Privacy) which expressly states:

There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.

In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing.

Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.

Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes.

Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.

For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites.

“Freely given” consent

The law mandates that consent must be freely given by the user in order to be valid. Using coercive methods to obtain consent can make the consent collected invalid. The law does make some concessions (within reason) in cases where the actual ability to provide particular site services is directly affected by the consent or lack thereof.

The Working Party document states:

Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.

Therefore, while certain content (within legitimate reason) can be restricted based on cookie preferences, users’ ability to generally access your site must not be coerced or conditional upon their consent.

Exemptions to the consent requirement

Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you’re still required to inform users about your use of cookies – see caution box below). The exemptions are as follows:

  • Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
  • Statistical cookies managed directly by you (not third-parties), providing that the data is not used for profiling¹
  • Anonymized statistical third-party cookies (e.g. Google Analytics)²

¹This exemption may not be applicable for many regions and is therefore subject to specific local regulations. For example, this is not allowed under the UK’s ICO guidelines, and the French authority requires the analytics software provider to be appointed as a processor in order for these cookies to be exempt.

²This exemption mainly applies to Italy, may not be applicable for all regions and is therefore subject to specific local regulations.

Caution

The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user.
A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

Other examples of these technical cookies would be user-centric session-based cookies used to detect authentication abuses, load-balancing session cookies, and Multimedia player session cookies related to and necessary for the provision of services requested by the user.

So does this mean that I don’t need to have a Cookie Banner in such cases?

Firstly, it’s critical to note that even where this exception to the consent requirement applies, you’ll still need to inform the user of your use of cookies via a cookie policy. The banner is not necessarily required in this specific instance if the cookie policy is easily accessible and visible from every page of the site.

Proof of consent vs Records of consent

While the Cookie Law only asks that proof of consent, rather than records of consent, be kept, many EU Member States now require that records of consent be kept, in alignment with the GDPR. The following example explains the idea of proof of consent.

Imagine that the ability to run cookies is a room, the cookie management solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.

While actually keeping track of the consent acquired is not specifically mentioned by the Directive, some Member State guidelines may require it. Italy, for example, requires that:

The publisher must in any case keep track of the user’s consent. To that end, an ad-hoc technical cookie might be relied upon… The availability of this type of “documentation” of the user’s preferences will enable the publisher not to display the information notice on subsequent visits made by that user to the website.

This means that making use of a technical cookie in such a way (as quoted) is sufficient and may be relied upon to meet the State’s requirement of “keeping track” of the consent acquired.
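As an added illustration of the two mechanics described on this page, blocking non-exempt scripts until consent is given and remembering the choice in a first-party technical cookie so the notice need not be shown again, here is example code that is not iubenda's Cookie Solution; the cookie name, the `data-cookie-purpose` attribute and the purpose labels are assumptions.

```javascript
// Added example (not iubenda code). Third-party tags are written as
// <script type="text/plain" data-cookie-purpose="statistics" src="..."> so the
// browser parses but neither fetches nor runs them. Once the user consents, the
// tags for allowed purposes are rebuilt as live scripts, and the decision is kept
// in a first-party technical cookie. Names and purpose labels are assumptions.

const CONSENT_COOKIE = "cookie_consent";          // assumed cookie name
const CONSENT_MAX_AGE = 365 * 24 * 60 * 60;        // 12 months, in seconds
const EXEMPT_PURPOSES = new Set(["necessary"]);    // exempt purposes are never blocked

// Serialise a decision such as {statistics: true, advertising: false}.
// The "v1" prefix lets you invalidate stored consents if the format changes.
function encodeConsent(choices) {
  const parts = Object.entries(choices)
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([purpose, allowed]) => `${purpose}:${allowed ? 1 : 0}`);
  return `v1|${parts.join(",")}`;
}

// Value to assign to document.cookie once the user has made a choice.
function consentCookieString(choices) {
  const value = encodeURIComponent(encodeConsent(choices));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored decision back from a document.cookie string. Returns null when
// there is no usable record: show the banner and run nothing but exempt scripts.
function parseConsentCookie(cookieHeader) {
  const prefix = CONSENT_COOKIE + "=";
  const raw = cookieHeader.split(/;\s*/).find((c) => c.startsWith(prefix));
  if (!raw) return null;
  const [version, list] = decodeURIComponent(raw.slice(prefix.length)).split("|");
  if (version !== "v1" || list === undefined) return null;   // unknown format
  const choices = Object.create(null);                        // no inherited keys
  for (const entry of list.split(",")) {
    const [purpose, flag] = entry.split(":");
    if (purpose) choices[purpose] = flag === "1";
  }
  return choices;
}

// Pure decision logic: which blocked tags ({src, purpose}) may now run.
// Exempt purposes always run; every other purpose needs an explicit "true".
function scriptsToActivate(tags, consent) {
  return tags.filter(({ purpose }) =>
    EXEMPT_PURPOSES.has(purpose) || (consent !== null && consent[purpose] === true));
}

// Browser glue: replace consented placeholder tags with executable ones.
function activateBlockedScripts(doc, consent) {
  const blocked = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-cookie-purpose]'));
  const tags = blocked.map((el) =>
    ({ el, src: el.getAttribute("src"), purpose: el.dataset.cookiePurpose }));
  for (const { el, src } of scriptsToActivate(tags, consent)) {
    const live = doc.createElement("script");
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
```

On page load, call `activateBlockedScripts(document, parseConsentCookie(document.cookie))`; a `null` result is the signal to show the banner, and after the user's choice assign `consentCookieString(choices)` to `document.cookie` and call it again.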

It’s important to note that some EU Data Protection Authorities now require that records of consent – rather than simply proof – be kept. If this applies to your particular situation, you will need to maintain valid records of consent.

How iubenda can help you manage cookie consent


Our comprehensive cookie management solution simplifies compliance with provisions of the European Cookie Law. As an IAB verified Consent Management Platform (CMP) our Cookie Solution allows you to meet industry standards and pass consent preferences to advertisers in a compliant way.

It allows you to:

  • easily inform users via cookie banner and a dedicated cookie policy page (which is automatically linked to your privacy policy and integrates what’s necessary for cookie law compliance);
  • obtain and save cookie consent settings;
  • collect granular, per purpose consent;
  • preventively block scripts prior to consent;
  • apply IAB’s TCF with a single click;
  • maintain records of consent via integration with our Consent Solution (integration available upon request).

Our Cookie Solution adequately informs the user of:

  • potential cookies, their purpose and how they’re used;
  • third-party cookies, their type and their purpose (with direct links to the relevant third-party policies);
  • their (various) options in regards to opting-in/providing consent and opting-out/withdrawing consent;
  • which action will signify consent;
  • how they can manage their cookie preferences.

Our solution allows for the acquisition of active consent via:

  • continued browsing;
  • scrolling;
  • specific clicking action.

It gives you further options to:

  • Choose between “with prior consent” (script blocking prior to user consent and reactivation after consent) or “no prior consent” (no prior script blocking). Using the “with prior consent” option ensures that, before providing consent, the user can open the cookie policy and opt out of any of the tracking scripts using the opt-out tools provided by each third party. Remember, script blocking prior to consent is required in some regions, including the EU.
  • Add explicit “Accept” and “Reject” buttons as required under some member state laws.
  • Customize the location and look of your cookie notice, e.g. changing banner colors to match your website, applying your logo, and custom branding.
  • Keep track of and save consent settings for each user for up to 12 months from the last site visit, as legally required.
  • Easily embed into your site. Choose between directly pasting the embed code into the head section of your site’s pages or using a plugin (currently we have plugins available for WordPress, Joomla!, PrestaShop and Magento).
