Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Almost five years ago, EU legislators shocked the Internet world by changing the legal requirement for the use of cookies and similar device identification techniques from “notice and opt-out” to “notice and consent.” At first, there was a sense of disbelief about whether this sudden legal twist was for real. As the dust settled, it became clear that what had been common practice until then—sticking a generic paragraph about the use of cookies in the privacy policy and referring users to the browser’s menu for further control—was no longer enough to comply with the new requirement.
Eventually, different mechanisms aimed at complying with the law whilst preserving the normal functioning of the Internet emerged. These ranged from the pure opt-in box approach to momentarily waving a cookie warning to users entering a website for the first time. In reality, these mechanisms differed in the level of compliance they achieved, so the EU data protection authorities were at pains to clarify what they regarded as good enough and what didn’t meet the consent requirement.
In the end, deploying an “implied consent” mechanism was generally regarded as the minimum baseline for compliance across the EU. Implied consent did not mean simply returning to the old “notice and opt-out” approach.
In order to be regarded as valid consent, this approach needs to meet the following criteria:
Prominent cookie notice – As a starting point, the website must deploy some kind of visible notice, such as a banner or pop-up, which alerts visitors to the use of cookies. The users’ indication of wishes is impliedly given when they see a cookie notice, understand its meaning and rely on the functionality available to make their cookie choices. This means that the notice provided must be made available for long enough to be seen and digested before cookies are actually dropped onto the user’s device.
Action that amounts to consent – The cookie banner or pop-up must spell out as clearly and prominently as possible what specific action or conduct will amount to consent. As a minimum, the notice must state that if a visitor continues to use the site without changing the settings, then the website operator will assume that the visitor is happy to receive cookies. Only after the user has taken that action will it be lawful to proceed to drop the cookies onto the device.
Control mechanism – As part of the process of obtaining consent, website users must be able to make their choices freely and refuse the use of cookies—other than those that fall under the strictly necessary exemption—at any time and through simple means.
Clear and comprehensive information – This is the final—and hopefully easy—bit. Clear and comprehensive information about the use of cookies must always be available (for example, in a cookie policy) to satisfy the ongoing transparency requirements.
The bottom line is that if a website operator deploys a mechanism that properly meets these features, it will be regarded as compliant with the consent requirement.
So what’s the problem then?
The problem is that the EU data protection authorities have realised a large number of websites are cutting corners and whilst they appear to follow the implied consent approach, some of the essential features of this model are in fact missing. For example, the Dutch data protection authority has recently taken enforcement action targeting both website operators and ad networks because cookies were in fact being dropped simultaneously to the notice being given. This meant that users’ consent was basically being taken for granted as they downloaded a webpage.
Now the mighty CNIL has warned French website operators that it intends to audit the level of compliance with this requirement in October. That’s not a massive notice to get your house—well, your website or mobile app—in order, but then again, this has been the law for nearly five years. Will this lead to a drop of enforcement in a sea of noncompliance? Possibly, but do you want to be the next target?
This originally was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Perspectives Blog on July 22, and is reprinted in its entirety with permission from the IAPP.
Authored by Eduardo Ustaran