In the spirit of avoiding unreasonable and unnecessary burdens being placed on individual businesses, this document collects the decisions of different privacy authorities regarding the naming of third-party cookies and the pointing of users to opt-out mechanisms.
As supported by the authorities, the right approach to follow for any cookie-related process and consent-gathering solution implemented on a website is the following:
This is the process iubenda deliberately chooses to adopt. We think that any other process would be prohibitive for any website owner, as third-party cookie names can change at any time and without notice; it would place on the website owner the burden of constantly watching each individual third party for cookie changes that are outside the owner’s control, a task that is therefore prone to failure.
The majority of the singled-out countries do not require that cookies must be named one by one or that the obligation of the opt-out is exclusively on the website provider. On the contrary, the exact implementation seems to be largely left to the website provider and the authorities point to some best practices and examples which are outlined within the body of this document for detailed reference.
It is also worth noting here that IAB’s industry-wide Transparency and Consent Framework (TCF) does not support listing the names of individual cookies either.
The term “opt-in” refers to when a positive/affirmative action is required in order to grant the consent in the first place as opposed to “opt-out”, which is where the consent is already assumed, giving the user only the option to withdraw consent.
So for example:
Generally, opt-out is allowed for US email marketing messages, while opt-in is required under European and Canadian data protection rules. Opt-in is also usually considered “best practice” in many countries, even where it is not specifically required. For this reason, it is often the best and safest course of action.
The Italian Data Protection Authority (the Garante Privacy) expressly stated the following in the relevant resolution – please see “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” adopted on the 8th of May 2014 (“DPA Provision”):
(…) account should be taken of the entity installing cookies on the user’s terminal, which may be the manager of the website visited by the user – which can be referred to as the “publisher” for the sake of convenience – or the manager of another website that installs the cookies by way of the former – which is a so-called “third party”… There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.
In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.
Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes. Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.
For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites. From all the above, we can conclude that third-party cookies do not need to be named one by one by the website owner (the “publisher” in the DPA Provision): since the publisher is in no position to single them out, it cannot be expected to name them one by one in its privacy notice.
The DPA provision does not expressly answer this question but the answer can be implicitly inferred from the following lines which refer to the extended cookie notice:
The notice must also contain an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website. If the publisher is not directly in touch with third parties, he will have to include the links to the websites of the intermediaries or brokers between him and those third parties… In order to keep publishers’ responsibilities separate from those vested in third parties as regards the information provided and the consent obtained via the publishers’ websites for the said third parties’ cookies, it is considered necessary for the publishers to acquire the aforementioned links from the third parties (including licensees, if any) at the time of entering into the respective agreements.
If, as stated above, the publisher has no control whatsoever over the cookies installed by third parties, it stands to reason that it cannot possibly offer its users the means to opt out. Therefore, a link should be provided to the third-party privacy notices, and the opt-out from such cookies should be provided by the third parties themselves.
Finally, the Italian DPA emphasises that the user must be informed that they have the possibility to communicate their choices by way of browser settings. If the technology underlying the website is compatible with the user’s browser version, the publisher may make available a direct link to the settings configuration section in the browser.
The Belgian data protection authority (the Commission de la protection de la vie privée) has published a recommendation about cookies (Projet de recommandation concernant l’utilisation des cookies, attached). From the document we can take away the following:
The information to be provided to Users with regard to cookies comprises the purposes of each type or category of cookie, the personal data collected, the retention time, opt-out tools, and transfers of personal data to third parties (see p. 37).
Information about cookies will preferably be provided by type of cookie or by the purposes of those cookies (m.n. 156). (…) It covers at least the following points:
- the purposes of the access and/or storage for each type of cookie or category of purposes of those cookies;
- the categories of information stored;
- the retention periods of the information;
- the means of deleting the information;
- any disclosures to third parties and the information communicated to them. (m.n. 157)
There is no mention to be found that cookies must be named one by one.
The document merely states that website owners must inform Users about the way to withdraw their consent to accepting cookies (see p. 40).
176. The user must be able, at any time and in a simple manner, to withdraw the consent previously given. This possibility will be offered to the user as part of the information on the cookie policy.
Statistical cookies (…) For certain analyses, we use Google Analytics, which can be disabled in different ways depending on the browser used (third-party modules and extensions, blocking the site www.google-analytics.com/*, …)
Third-party cookies (…)
These cookies can be blocked or deleted via your browser options.
The national authority for data protection (the Agencia Española de Protección de Datos) has issued a number of documents regarding cookies, notably a “Cookie Guide” and a legal opinion (Informe jurídico 196/2014, the “Informe”) on the question of whether cookies must be mentioned one by one.
The answer to the question boils down to the following:
Cookies do not need to be mentioned one by one; it is sufficient to inform about the types of cookies implemented, their purposes and the procedure to opt out (see p. 4 of the Informe).
We begin by noting that, in the opinion of this Agency, the legislation examined is intended to ensure that the user is sufficiently informed about the use of devices for storing and retrieving data on their terminal equipment, it being essential that such information concerns the purposes of those devices. However, the legislation does not require that the information detail the names of the devices, since what is essential is to inform about the points indicated above, and in particular about the use of cookies, who uses them and for what purpose. Therefore, it is not necessary to display the second layer of information in a table or in any other form that specifies the names of each and every cookie.
In order to inform the User about how to opt-out from receiving cookies, the Controller may provide its own tools, instructions about how to set preferences on the User’s browser or “common opt-out tools” (see p. 18 of the Cookie Guide).
Information on how to disable or delete the cookies listed, via the functionalities provided by the publisher, the tools provided by the browser or the terminal, or via any common platforms that may exist for this purpose, as well as on how to revoke consent already given
There is no explicit mention that tools provided by the third parties themselves are sufficient, but we deduce this from the fact that the three solutions mentioned (own tools, browser settings, common tools) are all considered equivalent and equally valid.
Moreover, the document further states that Controllers must merely “provide information about how to withdraw consent to accepting cookies” (p. 23) and that Spanish data protection law does not determine who is responsible for providing information about third-party cookies (the Controller or the third party), so that both entities must cooperate to these ends (p. 24) and are both deemed responsible (p. 25).
There is no mention that the opt-out tools must be provided by the Controller.
By the way: the “Informe jurídico 0011/2014” only deals with the fact that cookies must be opted into, and not out of. The only thing it says about opt-out tools is that Controllers must provide a simple and free way to opt-out from receiving cookies (which essentially repeats the point made above: these tools don’t necessarily need to be provided by the Controller).
From the ICO website (PECR stands for Privacy and Electronic Communications Regulations):
PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes.
It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful (see p. 18). Long tables or detailed lists of all the cookies operating on the site may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.
In any case, there is no requirement to mention cookies one by one. In fact, the document also provides a best-practice example in which cookies are only described per categories (same spot as above).
Example: The cookies we use are “analytical” cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily. Read more about the individual analytical cookies we use and how to recognise them [link]
Regarding withdrawal, the document (and the website) does not elaborate much or in detail.
The document only states that website owners must provide Users with information about how to withdraw consent. It does not state which tools are deemed acceptable to this end, but it repeatedly mentions browser settings as an acceptable means of withdrawing consent.
According to the Datatilsynet guidelines, the consent you collect is considered “informed” if a list of third-party controllers is disclosed:
in a “fold-out menu which is one-click-away in close association with the description of the purpose of the treatment”.
This wording suggests that there is no need to provide such information in the first layer of the banner, but it should be easily accessible, for example through an expandable link.
There is no mention of the names of third-party cookies, so we can assume it’s not necessary to disclose them.
However, according to the guidelines, consent is not considered valid if the procedure for obtaining it does not allow the user to consent separately to different processing activities, so that the user is forced to consent to all purposes. In other words, consent should always be granular, so it is necessary – at the very least – to disclose the different categories of cookies that the website installs.
In the guidelines, there is no mention of this. The Danish Data Protection Authority states that it is the responsibility of the controller to ensure that data subjects can withdraw their consent in a simple and easily accessible way. Withdrawing consent should be as easy as giving it, but it is not required that withdrawal be done in the same way as consent was originally given.
There is no mention of this in the Compliance Recommendations, even though the Hellenic DPA stresses the requirement of granular consent.
Acceptance or rejection must be offered at the same layer and with the same number of actions, whether the user accepts or rejects the use of trackers, and whether for all trackers at once or for each category separately. This implies that granular consent must be given either for each individual cookie or for each category of cookies.
The HDPA also does not mention anything about opt-out for third-party tools, but the withdrawal of consent must be available in the same manner and with the same ease with which it had been granted.
In Poland, there are no specific guidelines for cookies. All that concerns consent to cookies is inferred by the Polish Telecommunications Act.
Polish legislation makes no reference whatsoever to the modes of obtaining consent other than configuring browser settings. Indeed, the “acceptance” or “rejection” of cookies on one’s device, as well as obtaining further information or making granular choices, is completely absent.
We can then assume that there is no requirement to mention the name of third-party cookies.
Since the legislation is quite vague, there is no mention of this requirement either.
Swedish Regulations do not explicitly mention this requirement, but the PTS Cookie Guidance does require that websites using cookies disclose:
Thus, there is no need to mention each third-party cookie that is used, but you need to disclose the third parties that may install cookies through your website.
There is no direct mention of this requirement. The Swedish PTS says that it must be easy for the user to withdraw consent, and that the user must receive information on how this is done.
This information is often included in a third layer of the cookie banner.
There is no mention of this requirement.