Since then the e-Privacy Directive has required obtaining the consent of users in order to store or access information (typically cookies or similar tracking technologies) on their devices. The only exemptions to this requirement are where this is for the sole purpose of transmitting a communication or where it is strictly necessary to provide an internet service explicitly requested by the user.
In May 2011, the UK became the first EU Member State to implement this obligation into national law. Other countries have been following suit ever since. Over the years, regulatory authorities have been providing guidance about how to comply with the cookie consent obligation in practice. In 2013, the Article 29 Working Party provided a pan-European view on this issue. They argued that a website operator wishing to comply with the e-Privacy regime would need to implement a mechanism including some key elements, namely:
- specific information,
- prior consent,
- indication of wishes expressed by the user’s active behaviour, and
- ability to choose freely.
In 2018, the General Data Protection Regulation (GDPR) introduced a strengthened concept of consent, which by effect of EU data protection law, is applicable to the consent required under the e-Privacy Directive. The GDPR stresses that consent should amount to an unambiguous indication of wishes expressed by active behaviour. To reiterate this point, the Court of Justice of the European Union (CJEU) set out in its Planet49 decision of October 2019 some key aspects applicable to the cookie consent obligation, namely:
- Consent must be active, rather than passive.
- Consent must be unambiguous. According to the CJEU, “only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.”
- Simply giving users the chance to opt out by un-checking a pre-checked box does not constitute valid consent since “consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of the website user.”
- Consent must be specific. This means that “it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.”
How do current practices fare against these requirements?
Against this background, websites have adopted different types of mechanisms aimed at meeting the cookie consent requirement. Here are some of the most commonly adopted approaches and how they fare against the standards required by law as interpreted by the courts.
Notice only approach
Some websites simply provide a very brief notice and ignore the consent requirement altogether. In some cases it may be possible to opt-out of cookies by changing the settings.
Consent assumed from use of a website
“We’ve placed cookies on your device to help make this website better. By continuing to use the site we assume you consent to this.”
This approach acknowledges that the website operator has already placed cookies on the device, and an assumption is made that the user will accept this. Not only is there no specific action to provide consent, but cookies are dropped by default.
Consent implied from user’s other actions
Historically, this has been one of the most common approaches to cookie consent because in the past, regulators have suggested that it might be possible to imply the user’s consent from their actions when this was specifically brought to their attention. However, even if the placing of cookies is suspended until the user takes any further action (such as clicking on a link), this practice fails the Planet49 decision test that consent must be specific and not simply inferred from actions taken for other purposes.
Mixture of implied consent with affirmative action
Some websites appear to be transitioning from the implied consent approach without completely abandoning it. The wording of the banner states that the use of the site amounts to consent, but it also includes an “Agree” button. Retaining implied consent makes this approach inconsistent with the Planet49 decision.
Cookie wall or barrier page
Some websites present the user with a banner that prevents access to any content until the user has agreed to proceed on that basis. In this situation, there is no doubt that the user must take affirmative action to specifically consent to cookies. This approach will meet the Planet49 decision test but potentially faces the challenge of not complying with the “freely given” requirement.
Verdict: Arguably compliant, as long as the regulators and courts accept a “take it or leave it” approach to cookie consent compliance.
Single “Accept” button
This approach simply requires users to click on an “Agree” or “Accept” button for any non-exempt cookies to be used. For this practice to be compliant, such cookies can only be deployed once the user has clicked on the button.
Choice of accepting or rejecting cookies
By providing a choice between accepting or rejecting non-exempt cookies, this provides a best-practice approach to cookie consent compliance.
Verdict: Compliant and best practice.
Practical recommendations for compliance
Getting cookie consent right is still a work in progress for most websites. In summary, practical recommendations to ensure compliance include:
- Only cookies that are strictly necessary for the functionality of the website can be placed before the user’s affirmative action.
- Analytics cookies, advertising cookies and social media cookies can only be placed after the user has provided their valid consent.
- All websites using cookies must include a cookie banner and a Cookies Policy.
- Cookie banners must include a brief but meaningful description of the purposes for placing and using cookies.
- Cookie banners must provide a choice to accept or reject non-strictly necessary cookies.
- Websites must include functionality to allow users to easily withdraw their consent.
- Assuming the user’s acceptance and relying on the use of a website as a form of consent must be avoided.
- The use of pre-ticked consent boxes must also be avoided.
- The technical functionality employed to collect consent must demonstrate that consent was given.
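The recommendations above translate into a small piece of client-side logic: one gate through which every cookie is set, which refuses non-essential categories until an explicit choice is recorded, keeps a timestamped record of that choice as evidence, and removes what it placed when consent is withdrawn. The following is an added illustration, not code from the article; the function and category names are assumed, and the in-memory store stands in for document.cookie so it runs outside a browser.

```javascript
// Cookie categories the article names; only "strictly_necessary" may be set before consent.
const NON_ESSENTIAL = ["analytics", "advertising", "social_media"];

// In-memory stand-in for document.cookie so the example runs outside a browser (constructed).
function memoryStore() {
  const jar = new Map();
  return { get: (n) => jar.get(n), set: (n, v) => jar.set(n, v), remove: (n) => jar.delete(n) };
}

// Hypothetical consent gate: all page code that sets cookies must go through setCookie().
function createConsentGate(store, now = () => new Date().toISOString()) {
  let record = null;   // demonstrable record of the user's choice, kept for later proof
  const placed = [];   // non-essential cookies set so far, so withdrawal can remove them

  function save(granted, action, bannerVersion) {
    record = { granted, action, bannerVersion, at: now() };
    store.set("cookie_consent", JSON.stringify(record)); // the record itself is strictly necessary
    return record;
  }
  function granted(category) {
    return record !== null && record.granted[category] === true;
  }
  // No pre-ticked boxes: a category is on only if the user's explicit choice says so.
  // An empty choice set (e.g. the "Reject" button) is recorded as a rejection.
  function consent(choices, bannerVersion) {
    const g = {};
    for (const c of NON_ESSENTIAL) g[c] = choices[c] === true;
    return save(g, Object.values(g).some(Boolean) ? "accept" : "reject", bannerVersion);
  }
  // Non-essential cookies are refused (return false) until the matching category is granted.
  function setCookie(name, value, category) {
    if (category === "strictly_necessary") { store.set(name, value); return true; }
    if (!NON_ESSENTIAL.includes(category)) throw new Error("unknown cookie category: " + category);
    if (!granted(category)) return false;
    store.set(name, value);
    placed.push(name);
    return true;
  }
  // Withdrawal: drop every non-essential cookie placed under the old consent and record it.
  function withdraw() {
    for (const name of placed) store.remove(name);
    placed.length = 0;
    const g = {};
    for (const c of NON_ESSENTIAL) g[c] = false;
    return save(g, "withdraw", record ? record.bannerVersion : null);
  }
  return { consent, setCookie, withdraw, granted, getRecord: () => record };
}
```

In a real deployment the banner version and timestamp in the stored record are what let the operator show, later, which wording the user agreed to and when.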
Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email firstname.lastname@example.org. Twitter @EUstaran.