We Europeans love cookies. There are Italian cantuccini, German lebkuchen, French navettes and Dutch stroopwafels. But love only goes so far.
Most of the time, when people talk about online consent, they think about cookies. Cookies and consent for their use are governed, on a European level, by two regulatory instruments: the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Both instruments depend (partly) on national interpretation – the directive because it depends on national implementation and the GDPR because it grants countries some freedom in certain areas. This means that rules for cookie consent can vary across the member states.
This blog post sets out to explain the concept of cookie consent in the EU, the rules that are in place in different countries and tips on cookie banner best practices.
Consent can only be used as a legal basis for processing when it is a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. It must be given by clear affirmative action. This applies to all kinds of data processing, including the processing of data with cookies.
When asking for consent, companies should inform the data subject about the types of cookies they use and what they use them for. Furthermore, they can’t force visitors to grant consent. No negative consequences may arise from refusing to give consent.
There are some exceptions where cookie consent isn’t required under the GDPR, specifically:
- For cookies whose sole purpose is to carry out the transmission of a communication over a network. This means cookies that are used to identify endpoints and allow for data to be transferred between devices.
- For cookies that are essential to provide an information society service requested by the user. This means cookies that remember the content of your cart or your preferred language.
Implied consent (treating scrolling, continued browsing or inactivity as agreement to cookies) is prohibited in most EU member states. But some of them, such as the Czech Republic, Italy, and Slovenia, allow implied consent under certain conditions:
- Italy puts its own spin on implied consent. Inactivity on the user’s part or simply scrolling down a webpage is not regarded as consent. However, when scrolling down a website is part of a complex series of actions that form a specific pattern clearly showing the choice of the user to the owner of the website, it can be treated as consent. This type of consent puts a heavy burden of proof on the website owner.
- Slovenia is the third country that recognizes a form of implied consent. Implied consent is assumed for privacy-friendly analytical cookies.
Is consent needed for analytical cookies? We already saw that Slovenia assumes implied consent for privacy-friendly analytical cookies. But how about other Member States?
Europe is divided with regard to this issue. The basic rule is that consent is needed for analytical cookies because they’re not regarded as purely functional cookies. Some Member States, however, allow the use of analytical cookies without consent.
For example, the Netherlands, Italy, and France allow the use of analytical cookies without consent when these cookies are privacy-friendly.
What are privacy-friendly analytical cookies?
Again, the rules may vary a bit between the Member States, but the general rule is: the statistics may only be used for your own website, and they must safeguard the privacy rights of visitors.
For example, in the Netherlands, analytical cookies are only privacy-friendly if they use anonymized IP addresses and don’t create User IDs. Furthermore, sharing analytical data with other parties for advertising should also be disabled.
Germany and Spain, like the Netherlands, Italy, and France, also allow the use of privacy-friendly analytical cookies without consent, but only if they are first-party cookies. This means that the analytical cookies and the software behind them must be hosted on servers belonging to the website owner. So, for Germany and Spain, an on-premises solution, such as one offered by Piwik PRO, is required.
Using privacy-friendly analytical cookies is always a good move. Even if a country still requires consent, users are perhaps more likely to give it when their privacy isn’t at stake.
So, clearly inform your website’s visitors about how important analytical cookies are for the development and maintenance of your site and that you’re using privacy-friendly analytical cookies. If you are transparent and give them the ability to make their choice, there is a good chance they will agree.
If you’d like to learn more about privacy-friendly analytics, be sure to read this blog post: What is privacy-friendly analytics?
Consent or get out! A cookie banner that blocks all content until you give your consent is not allowed. This is one of the rules most European countries agree on (or haven’t shared their opinion on yet).
Austria is the only member state with a limited exception to this ban on cookie walls. News websites can have a cookie wall if they provide an alternative option to pay for access to the article or a subscription to the website.
This exception is a topic of discussion in more member states. This makes it something to keep an eye out for.
With some cookie banners, you can’t see the forest for the trees. You have to navigate a jungle of checkboxes, toggles, and buttons to indicate that you don’t want cookies.
Even though granular consent must be an option, making a cookie banner hard to navigate and understand is not permitted under the GDPR. The GDPR requires the information to be clear and unambiguous. As a rule of thumb, you could say that a hard-to-navigate cookie banner makes for unclear information.
Companies should avoid those long and very granular cookie banners. Not only because they’re frustrating for customers/users and make the information unclear, but also because of the judgment by the Court of Justice of the European Union (CJEU) in the Planet49 case.
In this judgment, the CJEU concluded that using pre-checked boxes doesn’t constitute valid consent under the GDPR. Companies can’t ‘help’ their users by pre-checking all boxes – users must do it themselves.
The reason for this is that consent must be an affirmative action. This judgment has deprived cookie-banner jungles of their charm. In the past, you could theoretically use a cookie banner with a thousand pre-ticked boxes, and nobody would deselect them all. Now, you could add a thousand boxes, but they should all be empty. Only true fans of your service would tick a thousand boxes just so they could give you their personal data.
Even if pre-ticked boxes were still allowed, using extensive and detailed cookie banners is not allowed under the GDPR. The GDPR states that giving consent should be just as easy as not giving consent. When using an elaborate and complicated cookie banner with individual reject buttons but a single accept all button, what is harder to do – giving or not giving your consent?
So, don’t use complicated cookie banners, and don’t use pre-ticked boxes.
Learn more about CJEU consent requirement rulings: The CJEU sheds more light on trackers and consent requirements
We’ve discussed the don’ts, but what about the dos? Just like the other things we’ve already mentioned, there are EU-wide dos and local dos.
At the very least, a cookie banner should include:
- Information on what categories of cookies will be installed, by whom, and for what purpose.
Some countries, however, have specific rules on what a cookie banner must look like. Take Greece, for example. In Greece, the visitor’s choice shouldn’t be affected by the website’s design (so accept and reject buttons should preferably be the same size and color).
To help you remember the differences in cookie consent requirements between EU countries, here is a breakdown of what we’ve discussed:
You might also like: When design goes awry – How dark patterns conflict with GDPR and CCPA
Even though cookies are governed by EU legislation, there are a lot of differences across countries, creating a diverse cookie consent landscape.
Even though this is subject to change, it’s always a good idea to follow these guidelines in your cookie consent banner:
- Don’t use cookie walls
- Don’t use implied consent
- Don’t use complicated cookie banners
- Don’t use pre-ticked boxes
- Don’t make it hard (or impossible) for users to reject cookies
- Use privacy-friendly analytics
- Provide an informative and clear cookie banner
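As an added example that is not part of the original post, the following JavaScript turns the rules above (no cookie walls, no implied consent, no pre-ticked boxes, rejecting as easy as accepting, only strictly necessary cookies without consent) into a small banner audit and consent gate. The category names, the banner-description fields and the action names are assumptions for illustration, not any specific product's API.

```javascript
// Cookie categories; only "necessary" (cart, language, session) is exempt from consent.
// Category names are constructed for this example.
const CATEGORIES = {
  necessary: { essential: true },
  analytics: { essential: false }, // needs consent unless a member state exempts privacy-friendly analytics
  marketing: { essential: false },
};

// Only an explicit click counts as affirmative action; scrolling or inactivity never does.
const AFFIRMATIVE_ACTIONS = new Set(["accept_all", "reject_all", "save_selection"]);

// Audit a banner description (constructed shape: blocksContent, consentOnScroll,
// clicksToAccept, clicksToReject, boxes: {category: {checked}}) against the don'ts above.
function auditBanner(banner) {
  const issues = [];
  if (banner.blocksContent) issues.push("cookie wall: content blocked until consent is given");
  if (banner.consentOnScroll) issues.push("implied consent: scrolling treated as consent");
  if (banner.clicksToReject > banner.clicksToAccept) issues.push("rejecting takes more clicks than accepting");
  for (const [name, box] of Object.entries(banner.boxes)) {
    const cat = CATEGORIES[name];
    // Pre-ticked boxes for non-essential categories are not valid consent (Planet49).
    if (cat && !cat.essential && box.checked) issues.push(`pre-ticked box: ${name}`);
  }
  return issues;
}

// Build the consent record from an explicit user action. Non-essential
// categories start out unchecked; "reject_all" leaves them that way in one click.
function applyConsent(action, selection = {}) {
  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    throw new Error(`"${action}" is not an affirmative action; consent unchanged`);
  }
  const consent = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    if (cat.essential) consent[name] = true;
    else if (action === "accept_all") consent[name] = true;
    else if (action === "save_selection") consent[name] = selection[name] === true;
    else consent[name] = false; // reject_all
  }
  return consent;
}

// Gate every cookie write behind the consent record; unknown categories are never set.
function mayUseCookie(consent, category) {
  const cat = CATEGORIES[category];
  if (!cat) return false;
  return cat.essential || consent[category] === true;
}
```

Call `auditBanner` on the banner's configuration in a test and `mayUseCookie` right before each non-essential cookie is written.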
If you want to make sure you’re doing everything by the book, contact ICTRecht at firstname.lastname@example.org. It’s always possible to talk about your options over a nice cup of coffee and some cookies (that you can easily reject!).