Getting cookie consent right

One could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. However, widespread practice tells us that this is far from the truth. In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (e-Privacy Directive), including to the provisions regulating the use of cookies.

Since then the e-Privacy Directive has required obtaining the consent of users in order to store or access information (typically cookies or similar tracking technologies) on their devices. The only exemptions to this requirement are where this is for the sole purpose of transmitting a communication or where it is strictly necessary to provide an internet service explicitly requested by the user.

In May 2011, the UK became the first EU Member State to implement this obligation into national law. Other countries have been following suit ever since. Over the years, regulatory authorities have been providing guidance about how to comply with the cookie consent obligation in practice. In 2013, the Article 29 Working Party provided a pan-European view on this issue. They argued that a website operator wishing to comply with the e-Privacy regime would need to implement a mechanism including some key elements, namely:

  • specific information,
  • prior consent,
  • indication of wishes expressed by the user’s active behaviour, and
  • ability to choose freely.

In 2018, the General Data Protection Regulation (GDPR) introduced a strengthened concept of consent which, by effect of EU data protection law, is applicable to the consent required under the e-Privacy Directive. The GDPR stresses that consent should amount to an unambiguous indication of wishes expressed by active behaviour. To reiterate this point, the Court of Justice of the European Union (CJEU) set out in its Planet49 decision of October 2019 some key aspects applicable to the cookie consent obligation, namely:

  • Consent must be active, rather than passive.
  • Consent must be unambiguous. According to the CJEU, “only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.”
  • Simply giving users the chance to opt out by un-checking a pre-checked box does not constitute valid consent since “consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of the website user.”
  • Consent must be specific. This means that “it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.”

How do current practices fare against these requirements?

Against this background, websites have adopted different types of mechanisms aimed at meeting the cookie consent requirement. Here are some of the most commonly adopted approaches and how they fare against the standards required by law as interpreted by the courts.

Notice only approach
This website uses cookies to improve your experience. Find out more.

Some websites simply provide a very brief notice and ignore the consent requirement altogether. In some cases it may be possible to opt out of cookies by changing the browser settings, but cookies are placed before the user has done anything.

Verdict: Non-compliant.

Consent assumed from use of a website
We’ve placed cookies on your device to help make this website better. By continuing to use the site we assume you consent to this.

This approach acknowledges that the website operator has already placed cookies on the device and assumes that the user will accept this. Not only is there no specific action by which consent is given, but cookies are dropped by default.

Verdict: Non-compliant.

Consent implied from user’s other actions
We use cookies to give you the best online experience. By accessing the website you give your consent to our use of cookies.

Historically, this has been one of the most common approaches to cookie consent because in the past, regulators have suggested that it might be possible to imply the user’s consent from their actions when this was specifically brought to their attention. However, even if the placing of cookies is suspended until the user takes any further action (such as clicking on a link), this practice fails the Planet49 decision test that consent must be specific and not simply inferred from actions taken for other purposes.

Verdict: Non-compliant.

Mixture of implied consent with affirmative action
We use cookies to improve and personalise your experience. By continuing to use the site, you agree to our use of cookies. [AGREE]

Some websites appear to be transitioning from the implied consent approach without completely abandoning it. The wording of the banner states that use of the site amounts to consent, but it also includes an “Agree” button. Retaining implied consent makes this approach inconsistent with the Planet49 decision: a user who ignores the button and keeps browsing is still treated as having consented.

Verdict: Non-compliant.

Cookie wall or barrier page
To access our site you must agree to our use of cookies as explained in our Cookies Policy. [PROCEED]

Some websites present the user with a banner that prevents access to any content until the user has agreed to proceed on that basis. In this situation, there is no doubt that the user must take affirmative action to specifically consent to cookies. This approach will meet the Planet49 decision test but potentially faces the challenge of not complying with the “freely given” requirement, since the only alternative to consenting is to leave.

Verdict: Arguably compliant, as long as the regulators and courts accept a “take it or leave it” approach to cookie consent compliance.

Single “Accept” button
We use cookies to deliver our online services as set out in our Cookies Policy. To consent to our use of cookies, click Accept. [ACCEPT]

This approach simply requires users to click on an “Agree” or “Accept” button for any non-exempt cookies to be used. For this practice to be compliant, such cookies can only be deployed once the user has clicked on the button. This is easy to verify: load the page in a fresh browser profile and inspect which cookies (and which third-party scripts) are present before anything has been clicked; only strictly necessary ones should be there.

Verdict: Compliant.

Choice of accepting or rejecting cookies
This website uses cookies to improve the quality of our website. You can accept or reject cookies by clicking on the buttons. [ACCEPT] [REJECT]

Providing a genuine choice between accepting and rejecting non-exempt cookies, with both options equally easy to take, is the best-practice approach to cookie consent compliance.

Verdict: Compliant and best practice.

The image at the top of this article is the European Commission’s own cookie consent dialogue on the Europa site. Their cookie policy is at https://ec.europa.eu/info/cookies_en.

Practical recommendations for compliance

Getting cookie consent right is still a work in progress for most websites. In summary, practical recommendations to ensure compliance include:

  • Only cookies that are strictly necessary for the functionality of the website can be placed before the user’s affirmative action.
  • Analytics cookies, advertising cookies and social media cookies can only be placed after the user has provided their valid consent.
  • All websites using cookies must include a cookie banner and a Cookies Policy.
  • Cookie banners must include a brief but meaningful description of the purposes for placing and using cookies.
  • Cookie banners must provide a choice to accept or reject non-strictly necessary cookies.
  • Websites must include functionality to allow users to easily withdraw their consent.
  • Assuming the user’s acceptance and relying on the use of a website as a form of consent must be avoided.
  • The use of pre-ticked consent boxes must also be avoided.
  • The technical functionality employed to collect consent must be able to demonstrate that consent was given: what the user was shown, when, and which purposes they accepted or rejected.
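The recommendations above translate into a small piece of client-side logic: nothing non-exempt runs until a recorded, affirmative choice exists; the choice itself is stored with enough detail to be demonstrated later; a stale record (one made against an older version of the cookie policy) counts as no consent; and withdrawal is as simple as the original acceptance. The following is an added example written for this article, not code from the author or from any vendor. It assumes three non-exempt categories (analytics, advertising, social), a key/value store the page supplies (localStorage in a browser; an in-memory object here so it runs outside one), and one "loader" function per category that injects that category's script. The field names in the consent record are also assumptions.

```javascript
// Added example (not the article's code): a consent gate that keeps non-exempt
// scripts from running until the user has actively chosen, records that choice
// so it can be demonstrated later, and supports withdrawal.
// Assumed: the category names, the store interface and the record's field names.

const CONSENT_VERSION = 2;  // bump whenever purposes or vendors change: older records are no longer valid consent
const CATEGORIES = ["analytics", "advertising", "social"];  // assumed non-exempt purposes

function createConsentGate({ store, loaders, now = () => Date.now() }) {
  const loaded = new Set();  // categories whose loader has already run on this page

  // Returns the stored consent record, or null if there is none or it is stale/malformed.
  function readRecord() {
    const raw = store.get();
    if (raw === null || raw === undefined) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (!rec || rec.version !== CONSENT_VERSION || !Array.isArray(rec.granted)) return null;
    return rec;
  }

  // Fire each granted category's loader exactly once. Nothing runs for absent categories.
  function apply(rec) {
    for (const cat of rec.granted) {
      if (!loaded.has(cat) && typeof loaders[cat] === "function") {
        loaders[cat]();
        loaded.add(cat);
      }
    }
  }

  // On page load: only a valid prior record can start non-exempt scripts.
  // With no record, nothing fires and the banner must be shown.
  function init() {
    const rec = readRecord();
    if (rec) apply(rec);
    return rec;
  }

  // Record an explicit choice. A category is granted only on an explicit `true`;
  // a missing key counts as rejected, so there is no pre-ticked default.
  // `source` names the control the user clicked, for the audit record.
  function record(choices, source) {
    const granted = CATEGORIES.filter((c) => choices[c] === true);
    const rec = { version: CONSENT_VERSION, ts: now(), source, granted };
    store.set(JSON.stringify(rec));
    apply(rec);
    return rec;
  }

  // Withdrawal: drop the record so nothing loads on the next visit. Scripts already
  // running cannot be unloaded from here; the caller must expire their cookies and reload.
  function withdraw() {
    store.remove();
    loaded.clear();
  }

  return {
    init, record, withdraw, readRecord,
    needsBanner: () => readRecord() === null,
    isGranted: (cat) => { const r = readRecord(); return !!r && r.granted.includes(cat); },
  };
}

// Value to assign to document.cookie to expire a cookie; Path/Domain must match how it was set.
function expireCookieString(name, path = "/", domain) {
  let s = `${encodeURIComponent(name)}=; Max-Age=0; Path=${path}`;
  if (domain) s += `; Domain=${domain}`;
  return s;
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStore() {
  let value = null;
  return { get: () => value, set: (v) => { value = v; }, remove: () => { value = null; } };
}

// Usage: a page wires its banner buttons to record(). Loaders are stubs here;
// a real one would append a <script src="..."> element for that category.
function demo() {
  const started = [];
  const store = memoryStore();
  const loaders = {
    analytics: () => started.push("analytics"),
    advertising: () => started.push("advertising"),
    social: () => started.push("social"),
  };
  const gate = createConsentGate({ store, loaders, now: () => 1700000000000 });
  gate.init();                                                 // first visit: nothing starts
  gate.record({ analytics: true }, "banner_accept_selected");  // user ticked analytics only, then clicked accept
  return { started, gate, store };
}
```

Two design points are worth noting. First, "reject all" is also recorded, so the banner does not reappear on every visit to nag the user into accepting; it simply grants nothing. Second, withdrawal cannot stop a script that is already running in the page, which is why the helper for expiring cookies is separate: after `withdraw()` the page should expire the relevant cookies (with the same Path and Domain they were set with, or the browser will ignore the instruction) and reload.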

Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran.

5 thoughts on “Getting cookie consent right”

  1. thanks for this – I would challenge the view of ‘Compliant’ on the basis most sites do not actually hold cookies ahead of consent being requested let alone gained, nor do most offer any information as to cookies, the ultimate data recipient and such.

    The website (infolaw.co.uk) with the article – for instance sets nearly 30 cookies without any notice, or consideration of consent.
    http://cdn.privacyandcookies.eu/457e5c3289cf9a712ec247bf8e62b315/report.pdf

    Take FFW (where we first met) – it has a notice about what cookies are ‘strictly necessary’ – yet many cookies are being set ahead of consent (DoubleClick, Facebook, YouTube, and many more).

    hoganlovells.com – your own website offers no information as to the cookies in use, let alone any ability to refuse the cookies in use.
    How can it be an informed choice if, no details of the cookies are offered, and no option to select all / some. Visitors to websites should and may ‘want’ the ability to opt-in and agree to usage of some cookies, they may want the cookies in place to allow website functionality – reject all is a poor approach.

    And of course there is the issue around what is being promised / sold – perhaps if software vendors were made jointly liable they would not be so flippant with promises of compliance.

    Our forthcoming report on the levels of compliance across the EU DPA’s makes for some interesting reading – some questions to be asked, happy to share a copy with yourself ahead of release.
