Most of the time, when people talk about online consent, they think about cookies. At the European level, cookies and the consent required for their use are governed by two regulatory instruments: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Both depend partly on national interpretation: the Directive because it has to be implemented in national law, and the GDPR because it leaves Member States some freedom in certain areas. As a result, the rules can vary across Member States. Some key differences are set out in this blog post.
Consent can only be used as a legal basis for processing when it is a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. It must be given by a clear affirmative action. This applies to all kinds of data processing, including processing of data with cookies.
When asking for consent, companies should inform the data subject about the types of cookies they use and what they use them for. Furthermore, they can’t force consent, as it should be freely given. No negative consequences may arise from refusing to give consent.
Consent is not required for cookies whose sole purpose is to carry out the transmission of a communication over a network: cookies that identify endpoints and allow data to be transferred between devices. Consent is also not required for cookies that are strictly necessary to provide an information society service explicitly requested by the user, such as cookies that remember the contents of your cart or your preferred language.
However, when scrolling down a website is part of a complex series of actions which form a specific pattern clearly showing the user's choice to the owner of the website, it can be treated as consent. This type of consent puts a heavy burden of proof on the website owner. Slovenia is the third country that recognises a form of implied consent: implied consent is assumed for privacy-friendly analytical cookies.
Is consent needed for analytical cookies? We already saw that Slovenia assumes implied consent for privacy-friendly analytical cookies. But how about other Member States? Europe is divided with regard to this issue. The basic rule is that consent is needed for analytical cookies because they’re not regarded as purely functional cookies. Some Member States, however, allow the use of analytical cookies without consent. For example, the Netherlands, Italy, and France allow the use of analytical cookies without consent when these cookies are privacy-friendly.
What are privacy-friendly analytical cookies?
Again, the rules vary a bit between Member States, but the general rule is: the statistics may only be used for your own website, and the cookies must safeguard the privacy rights of visitors. In the Netherlands, for example, analytical cookies are only privacy-friendly if the IP addresses are anonymized and no User IDs are created. Furthermore, sharing the analytical data with other parties for advertising purposes must be disabled.
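To make the Dutch criteria concrete, here is an added example (not code from the original post, and not any analytics vendor's implementation) of what a first-party collector has to do to a hit before storing it: anonymize the client address, drop the query string (which is where session tokens and campaign IDs tend to live), reduce the referrer to its host, and store no client or user identifier at all. The masks used (zero the last IPv4 octet, keep only the first 48 bits of an IPv6 address) are an assumption modelled on common analytics practice; the post itself does not prescribe a mask.

```javascript
// Added example, not from the original post. The masks (IPv4 /24, IPv6 /48)
// are an assumption; the post only says addresses must be anonymized.

// Expand an IPv6 address into eight 16-bit groups; returns null on bad input.
// "::" is expanded; embedded-IPv4 forms are not supported and are rejected.
function parseIpv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

// Truncate an address so it no longer identifies a single device.
function anonymizeIp(addr) {
  if (addr.includes(':')) {
    const groups = parseIpv6(addr);
    if (!groups) throw new Error('invalid IPv6 address: ' + addr);
    // keep the first three groups (48 bits), zero the remaining 80 bits
    return groups.slice(0, 3).map(g => g.toString(16)).join(':') + '::';
  }
  const octets = addr.split('.');
  const ok = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!ok) throw new Error('invalid IPv4 address: ' + addr);
  octets[3] = '0';               // zero the host octet
  return octets.join('.');
}

// Build the record a privacy-friendly, first-party collector would store.
// Note what is deliberately absent: no cookie value, no client ID, no user ID,
// no full user-agent string (a fingerprinting vector), no query string.
function buildHit({ ip, url, referrer, userAgent }) {
  const u = new URL(url);
  const referrerHost = referrer ? new URL(referrer).hostname : null;
  const browser = /Firefox\//.test(userAgent) ? 'firefox'
    : /Chrome\//.test(userAgent) ? 'chrome' : 'other';
  return {
    ip: anonymizeIp(ip),
    path: u.pathname,
    referrerHost,
    browser,
  };
}

// Constructed sample request, as it might arrive at the collector.
const sampleHit = buildHit({
  ip: '198.51.100.9',
  url: 'https://shop.example/checkout?session=abc123&utm_source=mail',
  referrer: 'https://search.example/q?q=shoes',
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0',
});
console.log(JSON.stringify(sampleHit));
```

The point of `buildHit` returning a fixed, small set of fields is that "no User IDs" becomes a property you can test for, rather than a policy someone has to remember when adding a new field to the schema.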
Germany and Spain, like the Netherlands, Italy, and France, also allow the use of privacy-friendly analytical cookies without consent, but only if they are first-party cookies. This means that the analytical cookies and the software behind them must be hosted on servers belonging to the website owner. So, for Germany and Spain, an on-premises solution, such as one offered by Piwik PRO, is required.
Using privacy-friendly analytical cookies is always a good move. Even if a country still requires consent, users are perhaps more likely to give it when their privacy isn’t at stake. So, clearly inform your website’s visitors about how important analytical cookies are for the development and maintenance of your site and that you’re using privacy-friendly analytical cookies. If you ask them nicely, there is a good chance they will agree.
If you’d like to learn more about privacy-friendly analytics, be sure to read this blog post: What is privacy-friendly analytics?
Consent or get out! A cookie banner that blocks all content until you give your consent is not allowed. This is one of the rules most European countries agree on (or haven’t shared their opinion on yet). Austria is the only member state with a limited exception to this ban on cookie walls. News websites can have a cookie wall if they provide an alternative option to buy access to the article or a subscription to the website. This exception is a topic of discussion in more Member States. This makes it something to keep an eye out for.
With some cookie banners, you can't see the forest for the trees. You have to navigate a jungle of checkboxes, toggles, and buttons to indicate that you don't want cookies. Even though granular consent must be an option, making a cookie banner hard to navigate and understand is not permitted under the GDPR, which requires the information to be clear and unambiguous. As a rule of thumb, a hard-to-navigate cookie banner makes for unclear information.
Companies should avoid those long and very granular cookie banners. Not only because they’re frustrating for customers/users and make the information unclear, but also because of the judgement by the Court of Justice of the European Union (CJEU) in the Planet49 case.
In this judgement, the CJEU concluded that using pre-checked boxes doesn’t constitute valid consent under the GDPR. Companies can’t ‘help’ their users by pre-checking all boxes – users must do it themselves. The reason for this is that consent must be an affirmative action. This judgement has deprived cookie banner jungles of their charm. In the past, you could theoretically use a cookie banner with a thousand pre-ticked boxes, and nobody would deselect them all. Now, you could add a thousand boxes, but they should all be empty. Only true fans of your service would tick a thousand boxes just so they could give you their personal data.
Even if pre-ticked boxes were still allowed, those long and very granular cookie banners would not be allowed under the GDPR. The GDPR requires that withdrawing consent be as easy as giving it, and supervisory authorities apply the same standard to refusing it in the first place. When a banner offers a single 'accept all' button but only individual reject buttons, what is harder to do – giving or not giving your consent?
So, don’t use complicated cookie banners and don’t use pre-ticked boxes.
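The rules above translate directly into the state the banner's code has to keep, so here is an added example (not code from the original post, nor any vendor's consent tool) of a consent model that encodes them: every non-essential category starts unticked, 'accept all', 'reject all' and 'withdraw' are each one call so refusing is never harder than agreeing, no non-essential cookie can be placed until an affirmative action has been recorded (scrolling or ignoring the banner leaves the state untouched), and each decision records when it was made and which version of the notice was shown, which is what the site owner needs to discharge the burden of proof. The category names, cookie names and the `noticeVersion` field are assumptions made for the example.

```javascript
// Added example, not from the original post. Categories, cookie names and the
// notice-version bookkeeping are constructed for illustration.

const ESSENTIAL = 'essential';
const CATEGORIES = [ESSENTIAL, 'preferences', 'analytics', 'marketing'];

// Constructed registry: which purpose each cookie serves. Unknown cookies are
// denied by default so a new tracker cannot slip past the gate unclassified.
const COOKIE_REGISTRY = {
  session_id: ESSENTIAL,   // login session the user asked for
  cart: ESSENTIAL,         // basket contents
  lang: 'preferences',
  _stats: 'analytics',
  _ads: 'marketing',
};

// Fresh state: nothing pre-ticked, no decision on record.
function initialConsent() {
  const choices = Object.fromEntries(CATEGORIES.map(c => [c, c === ESSENTIAL]));
  return { choices, decidedAt: null, noticeVersion: null, action: null };
}

// Internal: record a decision. `granted` lists the categories the user
// affirmatively chose; essential is always included.
function decide(state, granted, noticeVersion, now, action) {
  for (const c of granted) {
    if (!CATEGORIES.includes(c)) throw new Error('unknown category: ' + c);
  }
  const choices = Object.fromEntries(CATEGORIES.map(c => [c, granted.includes(c)]));
  return { ...state, choices, decidedAt: now, noticeVersion, action };
}

// Accepting, refusing and withdrawing are each a single step.
function acceptAll(state, noticeVersion, now) {
  return decide(state, CATEGORIES, noticeVersion, now, 'accept_all');
}
function rejectAll(state, noticeVersion, now) {
  return decide(state, [ESSENTIAL], noticeVersion, now, 'reject_all');
}
function acceptSelected(state, selected, noticeVersion, now) {
  return decide(state, [ESSENTIAL, ...selected], noticeVersion, now, 'custom');
}
function withdrawAll(state, now) {
  return decide(state, [ESSENTIAL], state.noticeVersion, now, 'withdrawn');
}

// Gate to call wherever the site is about to set a cookie.
function mayPlace(state, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false;    // unclassified: deny
  if (category === ESSENTIAL) return true;     // consent-exempt
  // No affirmative action yet (banner ignored, page scrolled) means no consent.
  return state.action !== null && state.choices[category] === true;
}

// Walk-through on constructed input.
let state = initialConsent();
console.log('before any action, _stats allowed:', mayPlace(state, '_stats'));
state = acceptSelected(state, ['analytics'], 'notice-v3', Date.now());
console.log('after ticking analytics only:', mayPlace(state, '_stats'), mayPlace(state, '_ads'));
state = withdrawAll(state, Date.now());
console.log('after withdrawal:', mayPlace(state, '_stats'), 'record:', state.action);
```

Keeping the decision (`action`, `decidedAt`, `noticeVersion`) next to the choices is what lets you later show not only that consent was given, but for which notice text and by which explicit action.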
Even though this is subject to change, it's always a good idea to follow these guidelines:
- Don’t use cookie walls
- Don’t use implied consent
- Don’t use complicated cookie banners
- Don’t use pre-ticked boxes
- Don’t make it hard (or impossible) for users to reject cookies
- Use privacy-friendly analytics
- Provide an informative and clear cookie banner
If you want to make sure you’re doing everything by the book, contact ICTRecht at firstname.lastname@example.org. It’s always possible to talk about your options over a nice cup of coffee and some cookies (that you can easily reject!).