Major European Data Protection Authorities revise cookie requirements

Major European Data Protection Authorities revise cookie requirements

The Major European Data Protection Authorities ICO, CNIL and BayLDA has revised their cookie requirements. Cookie pop-up banners under scrutiny. Here we explain the new requirements and guide you to stay GDPR cookie compliant.

In July 2019, both the U.K. Information Commissioner's Office (ICO) and the French Data Protection Authority, CNIL, published new requirements for the use of cookies on websites. Thus, they followed in the steps of German BayLDA (Bavarian Data Protection Authority) who in March 2019 set new standards for websites' use of cookies to collect and process their users' personal data.

Here we will walk you through the key points of the three DPA's cookie requirements based on a easy-to-read chart crafted by International Law firm Bird & Bird Partners Gabriel Voisin and Ruth Boardman.

In the list, we look at the differences and similarities of the new cookie requirements by ICO, CNIL and BayLDA.

What are the similarities?

  • Do new requirements only apply to cookies?
    • No! All DPA's consider the requirements to apply to any technology which can store and access information on a user's device. This includes pixels, tags, developmental kits in mobile phone applications, fingerprinting etc.
  • Implied consent
    • Consent is required! And consent must be informed, specific, freely given, and unambiguous before it counts as valid consent. Simply to state in a cookie pop-up banner that "continuing to browse the website you accept cookies" is not considered consent, all DPA's stress.
  • Granular consent
    • Terms and conditions cannot be used as a method for obtaining consent (breaches Article 7(2) of GDPR).
  • List of parties
    • The consent must cover each purpose for which personal data will be processed i.e. websites must obtain consent for specific purposes, e.g. functional, statistical or marketing purposes.
  • Territorial scope
    • In order for a consent to be informed, the user must be able to identify all parties (first and third) processing the data. Websites should therefore name all parties processing data which require user consent.

What are the differences?

  • Grace period (period for implementation of requirements)
    • Only the French CNIL incorporates a six-month grace period in which companies are expected to comply with the new cookie requirements. No grace from ICO or BayLDA. 
  • Are cookie walls allowed?
    • Both CNIL and BayLDA state, that cookies walls are not allowed. Cookie walls are not compliant as the user would suffer adverse consequences if they refuse to accept cookies.
  • Do analytic cookies require consent?
    • Different opinions rule here. ICO is clear on the topic: there is no exception: analytic cookies require consent. BayLDA on the other hand says no, unless the analytic cookies transfer personal data to a third party. CNIl state: not always. Certain analytic cookies can be exempted from prior consent if they meet cumulative requirements by CNIL. NOTE: Google Analytics transfers personal data to third parties and therefore requires prior and valid consent.
  • Lawful basis for subsequent processing of personal data
    • For ICO, legitimate interest is not the appropriate lawful basis for the processing of personal data relating to cookies. Because consent is required under ePrivacy rules, consent should also be the legal basis under GDPR. Both CNIL and BayLDA suggest that consent would not be the only possible basis for processing of personal data.
  • Nudging user to give consent
    • Giving prominence, or highlighting, the 'accept-cookies-button' is according to ICO not allowed for. The German authorities state, that a simple pop-up with an 'accept button' does not suffice as the user has to be given the possibility to decline cookies. CNIL is still discussing the issue.
  • Cookie lifespan
    • Information collected through trackers can be kept for a maximum of 25 months, says CNIL. And cookies benefitting from prior consent: 13 months. Both the ICO and BayLDA do not specify the lifespan of cookies but specify that the lifespan of cookies must be proportionate in relation to the intended outcome and limited to what is necessary to achieve the purpose.

Your next step to become/stay cookie compliant

  • Take control of your cookies
    • Get a complete overview of which cookies your website uses. Cookie Information scans your website for cookies and other tracking technologies to provide you with a complete overview. We send you the report within 48 hours [free].
  • Inform your users of cookies in your site
    • Tell your visitors and clients which cookies your website uses and what type of data they collect. Cookie Information uses our automated scan to provide your website with a complete and informative cookie policy.
  • Obtain your users' consent 
    • Collect your users' consent directly in a cookie pop-up banner. Cookie Information provides websites with a professional cookie consent solution which includes a cookie pop-up that collects and stores your users' consents up to five years (as required by law). Furthermore, you can customize the banner with your company logo. 

Get A free assessment of your website's cookie compliance level

If you would like to test your website's cookie compliance, fill the form in the right sidebar. You can also use the link here:

Link: Test your website

Or you can book a meeting with our compliance experts: 

Link: Book a meeting


Link: The easy-to-read chart by Bird & Bird (pdf)