In July of 2019, the major European DPA’s revised their cookie requirements.
Both the UK Information Commissioner’s Office (ICO) and the French Data Protection Authority, CNIL, followed in the footsteps of German BayLDA (Bavarian Data Protection Authority) who in March 2019 published its requirements for the use of cookies to collect and process personal data.
Here we will walk you through the key points of the three DPA’s revisions of the cookie requirements based on an easy-to-read chart crafted by International Law firm Bird & Bird Partners Gabriel Voisin and Ruth Boardman.
In the list, we look at the differences and similarities of the new cookie requirements by ICO, CNIL and BayLDA.
What are the similarities between the revised cookie requirements?
- Do new requirements only apply to cookies?
- No! All DPA's consider the requirements to apply to any technology which can store and access information on a user's device. This includes pixels, tags, developmental kits in mobile phone applications, fingerprinting etc.
- Is implied consent allowed?
- No! Consent is required across the board! And consent must be informed, specific, freely given, and unambiguous before it counts as valid consent. Simply to state in a cookie pop-up banner that "continuing to browse the website you accept cookies" is not considered consent, all DPA's stress.
- Must I collect granular consent?
- Yes! Terms and conditions cannot be used as a method for obtaining consent (breaches Article 7(2) of GDPR).
- Must I list all parties who process data?
- Yes! The consent must cover each purpose for which personal data will be processed i.e. websites must obtain consent for specific purposes, e.g. functional, statistical or marketing purposes.
- Territorial scope
- In order for a consent to be informed, the user must be able to identify all parties (first and third) processing the data. Websites should therefore name all parties processing data which require user consent.
What are the differences between the DPA's revised requirements?
- Grace period (period for implementation of requirements)
- Only the French CNIL incorporates a six-month grace period in which companies are expected to comply with the new cookie requirements. No grace from ICO or BayLDA.
- Are cookie walls allowed?
- Both CNIL and BayLDA state, that cookies walls are not allowed. Cookie walls are not compliant as the user would suffer adverse consequences if they refuse to accept cookies.
- Do analytic cookies require consent?
- Different opinions rule here. ICO is clear on the topic: there is no exception: analytic cookies require consent. BayLDA on the other hand says no, unless the analytic cookies transfer personal data to a third party. CNIl state: not always. Certain analytic cookies can be exempted from prior consent if they meet cumulative requirements by CNIL. NOTE: Google Analytics transfers personal data to third parties and therefore requires prior and valid consent.
- Lawful basis for subsequent processing of personal data
- For ICO, legitimate interest is not the appropriate lawful basis for the processing of personal data relating to cookies. Because consent is required under ePrivacy rules, consent should also be the legal basis under GDPR. Both CNIL and BayLDA suggest that consent would not be the only possible basis for processing of personal data.
- Nudging user to give consent
- Giving prominence, or highlighting, the 'accept-cookies-button' is according to ICO not allowed for. The German authorities state, that a simple pop-up with an 'accept button' does not suffice as the user has to be given the possibility to decline cookies. CNIL is still discussing the issue.
- Cookie lifespan
- Information collected through trackers can be kept for a maximum of 25 months, says CNIL. And cookies benefitting from prior consent: 13 months. Both the ICO and BayLDA do not specify the lifespan of cookies but specify that the lifespan of cookies must be proportionate in relation to the intended outcome and limited to what is necessary to achieve the purpose.
Are you in control of your cookies?
Here’s a short checklist to get an overview if you’re current cookie consent solution (cookie banner) complies with the GDPR in your country.
Checklist for collecting
valid consent to cookies
- Block cookies before you get consent
- Offer an easy way for your user to decline cookies
- Inform your users of cookies
- Respect their privacy choices
- Provide an easy way for change or withdraw consent
- Store their consents for 5 years
You can always book a meeting with Cookie Information to discuss your current solution or if you need a solid and GDPR compliant cookie consent solution. Book a meeting with our compliance team today!
