The document includes excerpts from the privacy authorities in Italy, Belgium, Spain and the UK, which support the points stated above, in the spirit of avoiding unreasonable and unnecessary burdens being placed on individual businesses.
The requirement to provide the opt-out is also on the third party.
Legislations looked at:
As supported by the authorities, the right approach to follow for any cookie-related process and consent-gathering solution implemented on a website is the following:
This is the process iubenda chooses to adopt on purpose. We think that any other process would be and will be prohibitive for any website owner, as third-party cookie names could change at any time and without notice, putting on the website owner the burden of constantly watching over every single third party, looking for cookie changes that are outside of the owner’s control.
When it comes to the four singled-out countries, there is no evidence that cookies must be named one by one or that there is an explicit requirement that the obligation of the opt-out is exclusively on the website provider. On the contrary, the exact implementation seems to be largely left to the website provider, and the authorities point to some best practices and examples, which are outlined within the body of this document for detailed reference.
*It’s also worth noting here that IAB’s industry-wide Transparency and Consent Framework (TCF) does not support listing out the names of individual cookies either.
The term “opt-in” refers to when a positive/affirmative action is required in order to grant the consent in the first place, as opposed to “opt-out”, where the consent is already assumed, giving the user only the option to withdraw consent.
So for example, if your sign-up form used a checkbox that was pre-ticked, you would have implemented the “opt-out” method as the user is required to opt-out or withdraw the (assumed) consent.
Alternatively, if your sign-up form used a checkbox that was un-ticked, therefore requiring the user to take the positive action of actually ticking the box in order to provide consent, you would have implemented an “opt-in” method.
Generally, opt-out is allowed for US-American email marketing messages, while opt-in is required under European and Canadian data protection rules. Opt-in is also usually considered to be “best practice” in many countries, even where it is not specifically required. For this reason, it is often the best and safest course of action.
The Italian Data Protection Authority (the Garante Privacy) expressly stated the following in the relevant resolution – please see “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” adopted on the 8th of May 2014 (“DPA Provision”):
(…) account should be taken of the entity installing cookies on the user’s terminal, which may be the manager of the website visited by the user – which can be referred to as the “publisher” for the sake of convenience – or the manager of another website that installs the cookies by way of the former – which is a so-called “third party”… There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.
In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.
Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes. Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.
For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites.
From all the above, we can conclude that third-party cookies do not need to be named one by one by the website owner (the “publisher” in the DPA Provision): since the publisher is in no position to single them out, it cannot name them one by one in its privacy notice.
The DPA provision does not expressly answer this question but the answer can be implicitly inferred from the following lines which refer to the extended cookie notice:
The notice must also contain an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website. If the publisher is not directly in touch with third parties, he will have to include the links to the websites of the intermediaries or brokers between him and those third parties… In order to keep publishers’ responsibilities separate from those vested in third parties as regards the information provided and the consent obtained via the publishers’ websites for the said third parties’ cookies, it is considered necessary for the publishers to acquire the aforementioned links from the third parties (including licensees, if any) at the time of entering into the respective agreements.
If, as stated above, the publisher has no control whatsoever over the cookies installed by the third parties, it stands to reason that it cannot possibly offer its users the means to opt out. Therefore, a link should be provided to the third-party privacy notices, and the opt-out from such cookies should be provided by the same third parties involved.
Finally, the Italian DPA emphasises that the user must be informed that they have the possibility to communicate their choices by way of browser settings. If the technology underlying the website is compatible with the user’s browser version, the publisher may make available a direct link to the settings configuration section in the browser.
The Belgian data protection authority (the Commission de la protection de la vie privée) has published a recommendation about cookies (Projet de recommandation concernant l’utilisation des cookies, attached). From the document we can take away the following:
The information to be provided to Users with regard to cookies comprises the purposes of each type or category of cookies, the personal data collected, the retention time, opt-out tools, and transfers of personal data to third parties (see p. 37).
Information about cookies will preferably be provided by type of cookie or by the purposes of those cookies (m.n. 156). (…) It covers at least the following points:
- the purposes of the access and/or storage for each type of cookie or category of purposes of those cookies;
- the categories of information stored;
- the retention periods of the information;
- the means of erasing the information;
- any disclosures to third parties and the information disclosed to them. (m.n. 157)
There is no mention to be found that cookies must be named one by one.
The document merely states that website owners must inform Users about the way to withdraw their consent to accepting cookies (see p. 40).
176. The user must be able, at any time and easily, to withdraw the consent previously given. This option will be offered as part of the information on the cookie use policy
Statistical cookies (…) For certain analyses, we use Google Analytics, which can be disabled in various ways depending on the browser used (third-party modules and extensions, blocking the site www.google-analytics.com/*, …)
Third-party cookies (…)
These cookies can be blocked or deleted through your browser’s options.
The national authority for data protection (the Agencia Española de Protección de Datos) has issued a number of documents regarding cookies, notably a “Cookie Guide” and a legal opinion (Informe jurídico 196/2014, “Informe”) on the question of whether cookies must be mentioned one by one.
The answer to the question boils down to the following:
Cookies do not need to be mentioned one by one; it’s sufficient to inform about the types of cookies implemented, their purposes and the procedure to opt out (see p. 4 of the Informe).
We shall begin by noting that, in this Agency’s opinion, the legislation examined is intended to ensure that the user is sufficiently informed about the use of data storage and retrieval devices on their terminal equipment, it being essential that such information address the purposes of those devices. However, the legislation does not require the information to detail the names of the devices, since what is essential is to inform about the points indicated above, and in particular about the use of cookies, who uses them and what for. Therefore, it is not necessary to present the second layer of information in a table or in any other form specifying the names of each and every cookie.
In order to inform the User about how to opt-out from receiving cookies, the Controller may provide its own tools, instructions about how to set preferences on the User’s browser or “common opt-out tools” (see p. 18 of the Cookie Guide).
Information on how to disable or delete the cookies listed, through the functionalities made available by the publisher, the tools provided by the browser or the terminal, or through any common platforms that may exist for this purpose, as well as on how to revoke consent already given
There is no explicit mention of the fact that tools provided by third parties themselves are sufficient, but we deduce this from the fact that the three different solutions mentioned (own tools, browser settings, common tools) are all considered equivalent and equally valid.
Moreover, the document further states that Controllers must merely “provide information about how to withdraw consent to accepting cookies” (p. 23) and that the Spanish data protection law does not determine who is responsible for providing information about third-party cookies (Controller or third party), so that both entities must cooperate to these ends (p. 24) and be deemed responsible (p. 25).
There is no mention that the opt-out tools must be provided by the Controller.
By the way: the “Informe jurídico 0011/2014” only deals with the fact that cookies must be opted into, and not out of. The only thing it says about opt-out tools is that Controllers must provide a simple and free way to opt-out from receiving cookies (which essentially repeats the point made above: these tools don’t necessarily need to be provided by the Controller).
From the ICO website (PECR stands for Privacy in Electronic Communications Regulations):
PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes.
It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful (see p. 18).
Long tables or detailed lists of all the cookies operating on the site may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.
In any case, there is no requirement to mention cookies one by one. In fact, the document also provides a best-practice example in which cookies are only described by category (same spot as above).
Example: The cookies we use are “analytical” cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily. Read more about the individual analytical cookies we use and how to recognise them [link]
Regarding withdrawal, the document (or website) does not elaborate much or in detail.
The document only states that website owners must provide information to Users about how to withdraw consent. It does not state anything about which tools are deemed acceptable to these ends, but it repeatedly mentions browser settings as an acceptable means to withdraw consent.