The ePrivacy Directive 2002/58/EC (or Cookie Law) was established to put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage, and it still applies today. You can think of the ePrivacy Directive as currently “working alongside” the GDPR in a sense, rather than being repealed by it.
The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
The banner must:
Blocking cookies before consent:
In compliance with the general principles of privacy legislation, which prevent the processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.
Consent to cookies:
Consent to cookies must be informed and explicit, and can be provided by a clear affirmative (opt-in) action.
The Working Party document on the Cookie Law states:
to ensure that a consent mechanism for cookies satisfies the conditions in each Member State such consent mechanism should include each of the main elements specific information, prior consent, indication of wishes expressed by user’s active behaviour and an ability to choose freely.
Subject to the local authority, these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed; this is somewhat left up to your discretion. Some website/app owners may favor a click-to-consent method over scrolling/continued-browsing methods as the former is less likely to be performed by user error.
With regard to the refusal of consent or opting out after consent has been given, the law states that users must be “given the possibility” to refuse or withdraw their consent. The Working Party document further elaborates on this point by stating that, with regard to withdrawing or refusing consent, you must provide:
This means or mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of withdrawing consent (our solution goes a bit further than this by pointing to the browser options, third-party tools and by linking to the third party providers, who are ultimately responsible for managing the opt-out for their own tracking tools). It is further worth clarifying here that the Cookie Law does not require that you provide users with the means to toggle cookie preferences directly on your site/app, only that you conspicuously provide the option for obtaining informed consent, provide a means for the withdrawal of consent and guarantee, via prior blocking, that no tracking is performed before the user has provided consent.
Listing third-party cookies
In general, the directive does not specifically require that you list and name individual third-party cookies; however, you are required to clearly state their categories and purpose. This decision by the Authority is likely deliberate, as requiring such a list would mean that individual website/app owners would bear the burden of constantly watching over every single third-party cookie, looking for changes that are outside of their control; this would be largely unreasonable, inefficient and likely unhelpful to users. To further expand on this point, here’s an excerpt from the ICO’s Cookie Guide:
It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.
This sentiment is even further elaborated upon by the Italian Data Protection Authority (the Garante Privacy) which expressly states:
There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.
In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.
Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes.
Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.
For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites.
“Freely given” consent:
The law mandates that the consent attained must be freely given in order for it to be considered valid. Using coercive methods for obtaining consent can, therefore, render the consent attained under such methods invalid. The law does make some concessions (within reason) where the rendering of particular site services is affected by the consent or lack thereof. The Working Party document states:
websites should not make conditional ‘general access’ to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.
Therefore, while certain content (within legitimate reason) can be restricted based on cookie preferences, users’ ability to generally access your site must not be coerced or conditional upon their consent.
Exemptions to the consent requirement:
*This exemption may not be applicable in all regions and is therefore subject to specific local regulations.
Proof of consent vs Records of consent:
The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred (even if that consent has been withdrawn). The simple way to do this would be to use a cookie solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.
To further illustrate this point, imagine that the ability to run cookies is a room, the cookie solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.
While actually keeping track of the consent acquired is not specifically mentioned by the Directive, some Member State guidelines may require it. Italy, for example, requires that:
the publisher must in any case keep track of the user’s consent. To that end, an ad-hoc technical cookie might be relied upon . . . The availability of this type of “documentation” of the user’s preferences will enable the publisher not to display the information notice on subsequent visits made by that user to the website.
This means that making use of a technical cookie in such a way (as quoted) is sufficient and may be relied upon to meet the State’s requirement of “keeping track” of the consent acquired. The Authority prescribes a maximum validity (the ability to “remember” or “keep track” of the consent) of 12 months from the last site visit. The iubenda Cookie Solution makes use of this method of “consent tracking”.
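The two mechanisms described above, prior blocking of cookie-installing scripts and a technical cookie that records consent for at most 12 months from the last visit, fit together in a small amount of client-side logic. The following is an added illustration written for this page, not iubenda's own code, and it makes some assumptions: the consent cookie is named `cookie_consent`, tracking scripts are shipped as `<script type="text/plain" data-category="...">` so the browser never executes them until they are swapped for real script tags, consent is recorded per category, and "12 months" is approximated as 365 days.

```javascript
// Added example (not iubenda's code): prior blocking of tagged scripts plus a
// technical consent cookie with a 12-month validity, as described in the text.

const CONSENT_COOKIE = "cookie_consent";                 // assumed cookie name
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // "12 months from the last site visit"

// Parse a document.cookie / Cookie header string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const value = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// Decode the consent record held in the technical cookie. Returns null when the
// cookie is absent, malformed, or older than 12 months: in all of those cases
// the site must behave as if no consent had ever been given (scripts stay blocked).
function readConsent(cookieString, now = Date.now()) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch { return null; }
  if (!record || typeof record.ts !== "number" || !Array.isArray(record.categories)) return null;
  if (now - record.ts > CONSENT_MAX_AGE_MS) return null;
  return record;
}

// Build the cookie string that records an explicit opt-in for the given
// categories. This is only ever called from an affirmative user action
// (e.g. clicking "Accept"), never on page load.
function buildConsentCookie(categories, now = Date.now()) {
  const value = encodeURIComponent(JSON.stringify({ ts: now, categories: [...categories] }));
  const expires = new Date(now + CONSENT_MAX_AGE_MS).toUTCString();
  return `${CONSENT_COOKIE}=${value}; Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

// Withdrawal: overwrite the record with an already-expired cookie, so that the
// next page load falls back to prior blocking.
function buildWithdrawalCookie() {
  return `${CONSENT_COOKIE}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; SameSite=Lax; Secure`;
}

// Each visit by a consenting user re-issues the cookie, so validity is counted
// from the last visit rather than from the original opt-in.
function refreshConsentCookie(cookieString, now = Date.now()) {
  const consent = readConsent(cookieString, now);
  return consent ? buildConsentCookie(consent.categories, now) : null;
}

// Prior blocking: given descriptors {src, category, type} of the scripts on the
// page, return the blocked ones (type "text/plain") that the consent record now
// permits, rewritten so they can be inserted as executable scripts. Without a
// consent record nothing is activated.
function scriptsToActivate(scriptDescriptors, consent) {
  if (!consent) return [];
  return scriptDescriptors
    .filter(s => s.type === "text/plain" && consent.categories.includes(s.category))
    .map(s => ({ ...s, type: "text/javascript" }));
}

// Browser glue (not exercised offline): replace each permitted blocked tag with
// a fresh executable <script>, which is what actually lets the browser run it.
function activateBlockedScripts(consent, doc = globalThis.document) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const descriptors = tags.map(t => ({ src: t.src, category: t.dataset.category, type: "text/plain", tag: t }));
  for (const s of scriptsToActivate(descriptors, consent)) {
    const fresh = doc.createElement("script");
    if (s.src) fresh.src = s.src; else fresh.textContent = s.tag.textContent;
    s.tag.replaceWith(fresh);
  }
}
```

The "proof of consent" argument from the text is visible in this structure: `activateBlockedScripts` is the only path that turns a blocked tag into a running one, and it only acts on a record that `readConsent` accepted, so the presence of a running analytics or marketing script implies that a valid, unexpired opt-in existed at the time.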
Our solution adequately informs the user of:
Our solution allows for the acquisition of active consent via:
It’s easy to run, fast and customizable. You can see how it works here
For more information on our cookie solution click here or