
Everything you need to know about cookie consent in the EU


Published August 26, 2021


We Europeans love cookies. There are Italian cantuccini, German Lebkuchen, French navettes and Dutch stroopwafels. But love only goes so far. A type of cookie we’re not a fan of is the digital cookie. Cookies on the internet are used to remember our preferences or to track us across the World Wide Web. This can have serious privacy implications. That’s why the European Union has a strict set of rules that govern the use of cookies. (And there’s more to come!)

Most of the time, when people talk about online consent, they think about cookies. Cookies and consent for their use are governed, on a European level, by two regulatory instruments: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Both instruments depend (partly) on national interpretation: the directive because it has to be implemented in national law, and the GDPR because it grants Member States some freedom in certain areas. This means that the rules can vary across Member States. Some key differences are set out in this blog.

Consent can only be used as a legal basis for processing when it is a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. It must be given by a clear affirmative action. This applies to all kinds of data processing, including processing of data with cookies. 

When asking for consent, companies should inform the data subject about the types of cookies they use and what they use them for. Furthermore, they can’t force consent, as it should be freely given. No negative consequences may arise from refusing to give consent. 

Consent is not required for cookies whose sole purpose is to carry out the transmission of a communication over a network: this means cookies that are used to identify endpoints and allow for data to be transferred between devices. Consent is also not required for cookies that are essential to provide an information society service requested by the user. This means cookies that remember the content of your cart, or your preferred language.

We’ve all seen websites with a cookie banner stating that “by using this site, you agree to the use of cookies”. This concept is called ‘implied consent’. The rationale behind implied consent is simple: if you don’t want cookies, don’t visit this website.

An example of a cookie banner that relies on implied consent

Most European Union (EU) Member States prohibit this practice. Some Member States, such as the Czech Republic, Italy, and Slovenia, allow implied consent under certain conditions. The Czech Republic, for example, puts a lot of trust in the technical skills of its citizens: if you don’t set up your browser to automatically refuse cookies, you give your implied consent to their use [1]. Italy puts its own spin on implied consent. Inactivity on the user’s part or simply scrolling down a webpage is not regarded as consent.

However, when scrolling down a website is part of a complex series of actions which form a specific pattern clearly showing the choice of the user to the owner of the website, it can be treated as consent [2]. This type of consent puts a heavy burden of proof on the website owner. Slovenia is the third country that recognises a form of implied consent: there, implied consent is assumed for privacy-friendly analytical cookies.

Is consent needed for analytical cookies? We already saw that Slovenia assumes implied consent for privacy-friendly analytical cookies. But how about other Member States? Europe is divided with regard to this issue. The basic rule is that consent is needed for analytical cookies because they’re not regarded as purely functional cookies. Some Member States, however, allow the use of analytical cookies without consent. For example, the Netherlands, Italy, and France allow the use of analytical cookies without consent when these cookies are privacy-friendly.

What are privacy-friendly analytical cookies?

Again, the rules may vary a bit between Member States, but the general rule is: the statistics may only be used for your own website, and they must safeguard the privacy rights of visitors. In the Netherlands, for example, analytical cookies are only privacy-friendly if they use anonymized IP addresses and if they don’t create user IDs. Furthermore, sharing the analytical data with other parties for advertising must also be disabled.

Germany and Spain, like the Netherlands, Italy, and France, also allow the use of privacy-friendly analytical cookies without consent, but only if they are first-party cookies. This means that the analytical cookies and the software behind them must be hosted on servers belonging to the website owner. So, for Germany and Spain, an on-premises solution, such as one offered by Piwik PRO, is required.

Using privacy-friendly analytical cookies is always a good move. Even if a country still requires consent, users are perhaps more likely to give it when their privacy isn’t at stake. So, clearly inform your website’s visitors about how important analytical cookies are for the development and maintenance of your site and that you’re using privacy-friendly analytical cookies. If you ask them nicely, there is a good chance they will agree.

If you’d like to learn more about privacy-friendly analytics, be sure to read this blog post: What is privacy-friendly analytics?

Consent or get out!

A cookie banner that blocks all content until you give your consent is not allowed. This is one of the rules most European countries agree on (or haven’t shared their opinion on yet). Austria is the only Member State with a limited exception to this ban on cookie walls. News websites can have a cookie wall if they provide an alternative option to buy access to the article or a subscription to the website. This exception is a topic of discussion in more Member States, so it is something to keep an eye on.

Welcome to the jungle: layout

With some cookie banners, you can’t see the forest for the trees. You have to navigate a jungle of checkboxes, toggles, and buttons to indicate that you don’t want cookies. Even though granular consent must be an option, making a cookie banner hard to navigate and understand is not permitted under the GDPR. The GDPR requires the information to be clear and unambiguous. As a rule of thumb, you could say that a hard-to-navigate cookie banner makes for unclear information.

An example of an intricate cookie banner

Companies should avoid those long and very granular cookie banners. Not only because they’re frustrating for customers/users and make the information unclear, but also because of the judgement by the Court of Justice of the European Union (CJEU) in the Planet49 case. 

In this judgement, the CJEU concluded that using pre-checked boxes doesn’t constitute valid consent under the GDPR. Companies can’t ‘help’ their users by pre-checking all boxes – users must do it themselves. The reason for this is that consent must be an affirmative action. This judgement has deprived cookie banner jungles of their charm. In the past, you could theoretically use a cookie banner with a thousand pre-ticked boxes, and nobody would deselect them all. Now, you could add a thousand boxes, but they should all be empty. Only true fans of your service would tick a thousand boxes just so they could give you their personal data.

Even if pre-ticked boxes were still allowed, using those long and very granular cookie banners is not allowed under the GDPR. The GDPR requires that giving consent should be just as easy as not giving consent. When using an elaborate and complicated cookie banner with individual reject buttons, but a single accept all button, what is harder to do – giving or not giving your consent?

So, don’t use complicated cookie banners and don’t use pre-ticked boxes. 
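The consent rules set out above (affirmative action, no pre-ticked boxes, rejecting as easy as accepting, no consent needed for essential cookies, and the privacy-friendly analytics conditions described for the Netherlands) can be expressed as a small consent gate. This is an added example, not code from the original post or from any consent tool; the category names, the settings keys and the IP-masking widths are assumptions chosen to illustrate the rules.

```javascript
// Added example (not from the original post). Category names, settings keys and the
// IP-masking widths are assumptions chosen to illustrate the rules in the article.
const ESSENTIAL = "essential", ANALYTICS = "analytics", MARKETING = "marketing";

// Initial banner state: essential cookies on, nothing else pre-ticked, no decision yet.
function defaultConsent() {
  return { [ESSENTIAL]: true, [ANALYTICS]: false, [MARKETING]: false, decided: false };
}

// Record an explicit choice. Only categories the user affirmatively ticked turn on;
// anything unticked stays off, so scrolling or inactivity can never enable a category.
function recordChoice(ticked) {
  const c = defaultConsent();
  for (const cat of ticked) if (cat === ANALYTICS || cat === MARKETING) c[cat] = true;
  c.decided = true;
  return c;
}

// Rejecting must be as easy as accepting: both are a single action for the user.
const acceptAll = () => recordChoice([ANALYTICS, MARKETING]);
const rejectAll = () => recordChoice([]);

// Privacy-friendly analytics as the article describes the Dutch conditions:
// anonymized IP, no user IDs, no sharing of the data with other parties for advertising.
function isPrivacyFriendly(s) {
  return s.anonymizeIp === true && s.createUserIds === false && s.shareForAds === false;
}

// IP anonymization as privacy-friendly analytics tools commonly do it (assumed widths):
// zero the last IPv4 octet; for IPv6 expand "::" and keep only the first 48 bits.
function anonymizeIp(ip) {
  if (!ip.includes(":")) return ip.split(".").slice(0, 3).concat("0").join(".");
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [], t = tail ? tail.split(":") : [];
  const full = [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
  return full.slice(0, 3).join(":") + "::";
}

// May a cookie of this category be set? Essential cookies never need consent; analytics
// cookies may be set without consent only where the Member State exempts privacy-friendly
// analytics (the article names the Netherlands, Italy and France); all else needs an
// explicit yes recorded by an affirmative action.
function maySetCookie(category, consent, analyticsSettings, stateAllowsPfAnalytics) {
  if (category === ESSENTIAL) return true;
  if (consent.decided && consent[category] === true) return true;
  return category === ANALYTICS && stateAllowsPfAnalytics && isPrivacyFriendly(analyticsSettings);
}
```

For Germany and Spain the article adds a further condition (first-party hosting) that a settings flag of the same kind would cover.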

We’ve discussed the don’ts, but what about the dos? Just like the other things we’ve already mentioned, there are EU-wide dos and local dos. A cookie banner should at least contain information on what categories of cookies will be installed, by whom, and for what purpose. Furthermore, you should always add a link to your privacy policy. Some countries, however, have specific rules on what a cookie banner must look like. Take Greece, for example. In Greece, the visitor’s choice shouldn’t be affected by the website’s design (so accept and reject buttons should preferably be the same size and color).

Final remarks

Even though cookies are governed by EU legislation, there are a lot of differences across countries, creating a diverse landscape. For the last couple of years, the EU legislator has been working on the ePrivacy Regulation. The aim of this regulation is to provide a single set of rules that apply to every EU state. But until this regulation is in force, we are faced with diverse and frequently changing rules. Data protection authorities regularly publish new guidelines and case law that could impact how you use cookies. 

Even though this is subject to change, it’s always a good idea to follow these guidelines:

  • Don’t use cookie walls
  • Don’t use implied consent
  • Don’t use complicated cookie banners
  • Don’t use pre-ticked boxes
  • Don’t make it hard (or impossible) for users to reject cookies
  • Use privacy-friendly analytics
  • Provide an informative and clear cookie banner
  • Add a link to your privacy policy

If you want to make sure you’re doing everything by the book, contact ICTRecht at info@privacyverified.nl. It’s always possible to talk about your options over a nice cup of coffee and some cookies (that you can easily reject!).

Author

Ruben van der Geest

ICTRecht

Ruben van der Geest is a privacy professional and tech enthusiast. He advises organizations on privacy and tech related issues. He is also one of the privacy experts that carry out the assessment for the GDPR compliance certification issued by Privacy Verified B.V.
