“Cookie” Compliance? Updated Guidance from the EU that Cannot be Ignored

Written by John Falzone, VP Privacy Certified
April 10, 2020

On April 6, 2020, the Irish Data Protection Authority issued updated guidance on the lawful use of cookies and other tracking technologies under the e-Privacy Directive, joining data protection authorities (DPAs) in the United Kingdom, France, Germany, and Spain—each of which has issued updated guidance since the implementation of the General Data Protection Regulation (GDPR). While the DPAs do not agree on everything—and most of the European Union (EU) member states have not issued updated guidance yet—a consensus is developing on several key issues. Here are 5 that will greatly aid your journey toward cookie compliance:

  • Cookies are not just cookies. Although the ePrivacy Directive is sometimes referred to as the EU Cookie Law, it is not limited to HTTP browser cookies. The term “cookie” is used generically to refer to all online tracking technologies, including tracking pixels, software development kits (SDKs), fingerprinting techniques, plugins, etc.
  • Apps and other online services are included. The ePrivacy Directive and member states’ implementing laws apply to any technology that stores or accesses information on a user’s device. This might include, but is not limited to, websites, mobile apps, emails, and connected devices.
  • The exemption for “strictly necessary” technology is limited. Many companies have interpreted the exemption for strictly necessary technology to include tracking technologies utilized for analytics and even marketing. The DPAs largely agree, however, that marketing, advertising and analytics trackers are not strictly necessary and, therefore, require user consent. Here are some examples of what might be considered essential and what likely is not:
  • User consent must meet GDPR standards. In other words, consent must be:
    • Informed. At the very least, users must be told what types of cookies are being utilized and for what purposes before they can provide adequate consent.
    • Specific. Bundled consent, where a user is forced to consent to all cookies or no cookies, is not permitted. Users must be given the option to consent to certain types of cookies, while rejecting others.
    • Freely given. While there is some disagreement on this point, the consensus amongst DPAs is that users generally cannot be denied access to an online service because they refuse to provide consent (the so-called “cookie wall”).
    • Affirmative. Implied consent and pre-checked boxes are not adequate. Users must demonstrate an affirmative choice to opt-in to non-essential technologies, even when those technologies do not collect personal information. The user interface must make clear how a user chooses to say yes and how a user may choose to say no. Moreover, it must provide an easy way for the user to change his or her mind.
    • Examples. If you are not sure what works and what doesn’t, we recommend you take a look at what the UK’s ICO and France’s CNIL are doing on their sites.

  • Use of third-party tools is not enough. Use of third-party consent management tools designed with GDPR’s consent requirements in mind is certainly a good start. But alone, it is not enough. You are responsible for ensuring the tool is tailored to your specific online services and to the actual set of scripts, pixels and SDKs your pages and apps load. This is not a case where one size fits all. Moreover, you must ensure the tool does what it says it does. Test it, in a fresh browser profile, by looking at the network requests and the cookies that are set (a) before the user touches the banner, (b) after the user refuses, and (c) after the user withdraws an earlier consent. Are non-essential trackers loading before a user provides consent? Are they loading even after a user refuses consent? Are cookies or other stored identifiers that the tool claims to block still present? If so, there is still work to be done.
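The following JavaScript is an added example, not code from the original post or from any consent-management vendor, showing the two halves of the check described above: a loader that injects non-essential tags only after an affirmative, per-category consent record, and an audit that compares what actually fired on a page (script URLs and cookie names) against that record. The tag registry, vendor URLs, cookie names and the sample observation are constructed for illustration; the consent record is assumed to be stored as a small JSON string, and anything missing or malformed is treated as “no consent” so the gate fails closed.

```javascript
"use strict";

// Added example (not from the original post or any vendor). Registry, URLs
// and cookie names below are constructed for illustration.

const NON_ESSENTIAL = ["analytics", "marketing"];

// Constructed registry: each tag declares the category the user must have
// opted in to, the script it injects, and the cookies it is known to set.
const TAGS = [
  { id: "session",   category: "necessary", src: null,
    cookies: ["sessionid", "csrftoken"] },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js",
    cookies: ["_ga", "_gid"] },
  { id: "ads",       category: "marketing", src: "https://ads.example/pixel.js",
    cookies: ["_fbp", "IDE"] },
];

// Fail closed: a missing, empty or malformed record means no consent for any
// non-essential category, and only a literal boolean true counts as opt-in
// (no implied consent, no pre-checked defaults).
function parseConsent(raw) {
  const consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  if (typeof raw !== "string" || raw === "") return consent;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return consent; }
  if (parsed === null || typeof parsed !== "object") return consent;
  for (const c of NON_ESSENTIAL) consent[c] = parsed[c] === true;
  return consent;
}

// Tags that may run under this consent record: strictly necessary ones always,
// everything else only with an explicit opt-in for its category.
function allowedTags(consent, tags = TAGS) {
  return tags.filter((t) => t.category === "necessary" || consent[t.category] === true);
}

// Inject only the allowed scripts. `doc` is passed in so the function can be
// exercised outside a browser; in a page, pass `document`. Returns tag ids.
function injectAllowed(consent, doc, tags = TAGS) {
  const injected = [];
  for (const t of allowedTags(consent, tags)) {
    if (!t.src) continue;           // necessary tags with no script to load
    const el = doc.createElement("script");
    el.src = t.src;
    el.async = true;
    doc.head.appendChild(el);
    injected.push(t.id);
  }
  return injected;
}

// Audit what actually happened. `observed.scripts` are script URLs seen in the
// DOM or the network log; `observed.cookies` are cookie names taken from the
// browser's cookie store (not only document.cookie, which hides HttpOnly
// cookies). Returns every non-allowed tag that fired or left a cookie behind.
function auditObserved(consent, observed, tags = TAGS) {
  const ok = new Set(allowedTags(consent, tags).map((t) => t.id));
  const violations = [];
  for (const t of tags) {
    if (ok.has(t.id)) continue;
    const scriptFired = Boolean(t.src && observed.scripts.includes(t.src));
    const cookiesSet = t.cookies.filter((c) => observed.cookies.includes(c));
    if (scriptFired || cookiesSet.length > 0) {
      violations.push({ id: t.id, category: t.category, scriptFired, cookiesSet });
    }
  }
  return violations;
}

// Constructed observation: the stored record opts in to analytics only, yet the
// ads pixel loaded and set its cookie anyway, which the audit must flag.
const SAMPLE_CONSENT = '{"analytics":true,"marketing":"yes"}';
const SAMPLE_OBSERVED = {
  scripts: ["https://ads.example/pixel.js"],
  cookies: ["sessionid", "_ga", "_fbp"],
};

console.log(auditObserved(parseConsent(SAMPLE_CONSENT), SAMPLE_OBSERVED));
```

Run the audit three times against the same page: with no stored consent, after an explicit refusal, and after a withdrawal; an empty result in all three is what “the tool does what it says it does” looks like. Note that the string `"yes"` for marketing is deliberately rejected: only `true` is an opt-in.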

Have more questions about “cookie” compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.
