One could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. However, widespread practice tells us that this is far from the truth. In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (‘e-Privacy Directive’), including to the provisions regulating the use of cookies.
Since then the e-Privacy Directive has required obtaining the consent of users in order to store or access information (typically cookies or similar tracking technologies) on their devices. The only exemptions to this requirement are where this is for the sole purpose of transmitting a communication or where it is strictly necessary to provide an Internet service explicitly requested by the user.
In May 2011, the UK became the first EU Member State to implement this obligation into national law. Other countries have been following suit ever since. Over the years, regulatory authorities have been providing guidance about how to comply with the cookie consent obligation in practice. In 2013, the Article 29 Working Party provided a pan-European view on this issue and argued that a website operator wishing to comply with the e-Privacy regime would need to implement a mechanism including some key elements, namely:
In 2018, the General Data Protection Regulation (‘GDPR’) introduced a strengthened concept of consent, which, by effect of EU data protection law, is applicable to the consent required under the e-Privacy Directive. The GDPR stresses that consent should amount to an unambiguous indication of wishes expressed by active behaviour. To reiterate this point, the Court of Justice of the European Union (‘CJEU’) set out in its Planet49 decision of October 2019 some key aspects applicable to the cookie consent obligation, namely:
Against this background, websites have adopted different types of mechanisms aimed at meeting the cookie consent requirement. Here are some of the most commonly adopted approaches and how they fare against the standards required by law as interpreted by the courts.
Notice only approach
“This website uses cookies to improve your experience. Find out more.”
Some websites simply provide a very brief notice and ignore the consent requirement altogether. In some cases it may be possible to opt-out of cookies by changing the settings.
Verdict: Non-compliant.
Consent assumed from use of a website
“We’ve placed cookies on your device to help make this website better. By continuing to use the site we assume you consent to this.”
This approach acknowledges that the website operator has already placed cookies on the device and an assumption is made that the user will accept this. Not only is there no specific action to provide consent, but cookies are also dropped by default.
Verdict: Non-compliant.
Consent implied from user’s other actions
“We use cookies to give you the best online experience. By accessing the website you give your consent to our use of cookies.”
Historically, this has been one of the most common approaches to cookie consent because in the past, regulators have suggested that it might be possible to imply the user’s consent from their actions when this was specifically brought to their attention. However, even if the placing of cookies is suspended until the user takes any further action (such as clicking on a link), this practice fails the Planet49 decision test that consent must be specific and not simply inferred from actions taken for other purposes.
Verdict: Non-compliant.
Mixture of implied consent with affirmative action
“We use cookies to improve and personalise your experience. By continuing to use the site, you agree to our use of cookies. [AGREE]”
Some websites appear to be transitioning from the implied consent approach without completely abandoning it. The wording of the banner states that the use of the site amounts to consent, but it also includes an ‘Agree’ button. Retaining implied consent makes this approach inconsistent with the Planet49 decision.
Verdict: Non-compliant.
Cookie wall or barrier page
“To access our site, you must agree to our use of cookies as explained in our Cookies Policy. [PROCEED]”
Some websites present the user with a banner that prevents access to any content until the user has agreed to proceed on that basis. In this situation, there is no doubt that the user must take affirmative action to specifically consent to cookies. This approach will meet the Planet49 decision test but potentially faces the challenge of not complying with the ‘freely given’ requirement.
Verdict: Arguably compliant, as long as the regulators and courts accept a ‘take it or leave it’ approach to cookie consent compliance.
Single ‘Accept’ button
“We use cookies to deliver our online services as set out in our Cookies Policy. To consent to our use of cookies, click Accept. [ACCEPT]”
This approach simply requires users to click on an ‘Agree’ or ‘Accept’ button for any non-exempt cookies to be used. For this practice to be compliant, such cookies can only be deployed once the user has clicked on the button.
Verdict: Compliant.
Choice of accepting or rejecting cookies
“This website uses cookies to improve the quality of our website. You can accept or reject cookies by clicking on the buttons. [ACCEPT] [REJECT]”
Providing a choice between accepting or rejecting non-exempt cookies is a best-practice approach to cookie consent compliance.
Verdict: Compliant and best practice.
The image at the top of this article is the European Commission’s own cookie consent dialogue on the Europa site. Their cookie policy is at https://ec.europa.eu/info/cookies_en.
Getting cookie consent right is still a work in progress for most websites. In summary, practical recommendations to ensure compliance include:
This article was originally published in The Internet Newsletter for Lawyers, which can be read here.
Authored by Eduardo Ustaran