European Data Protection Regulators Issue Further Guidance on How to Obtain Cookie Consent

Introduction

In early October 2013, the body of European data protection regulators (Article 29 Working Party or WP29) issued a working document providing further guidance on obtaining consent in compliance with the EU cookie requirements (the guidance),1 as set forth in the 2009 amended e-Privacy Directive.2 This new guidance focuses on how to obtain valid consent for the installation and use of cookies by websites that operate "across all EU Member States." It is aimed at clarifying the existing situation and ensuring a harmonized approach for companies operating at a pan-EU level.

This document complements the previous WP29 opinions relevant for cookies and should thus be read together with the WP29 opinions on definition of consent, cookie consent exemption, and online behavioral advertising.3 In particular, it is important to realize that the WP29 has clarified in its previous opinions that cookie consent is not required for all types of cookies (i.e., there are some limited opt-out exceptions), but rather only for what they consider to be privacy-intrusive cookies. Thus, this guidance applies when opt-in consent is required, and analyzes what constitutes valid consent under the EU cookie rules.

Cookie Consent Requirements

The guidance focuses on four main elements that must jointly be complied with for consent to be valid. In particular, cookie consent should be:

  1. Specific and informed: The WP29 reiterates its previous position that websites should provide a clear, comprehensive, and visible cookie notification on their entry page.4 It is recommended to display a prominent link to a designated webpage that includes specific information about a website's cookie practices, including the different types of cookies and their purposes, whether and what third parties access data collected through cookies, cookie expiration date, and other technical information. In addition, the WP29 recommends informing users about the various ways in which they could manage cookies (e.g., how to accept all, some, or no cookies and how to reset chosen settings in the future). The mechanism used to provide notice remains at the discretion of companies, provided that they include the above information.
  2. Given prior to placing cookies: The WP29 confirms its earlier views5 on the timing of obtaining consent and suggests that consent has to be provided prior to setting or reading cookies. Furthermore, the WP29 encourages companies to provide users with a technical solution enabling access to the webpage without installing any cookies upfront, but instead first seeking users' consent.
  3. The result of active behavior: According to the WP29, in order for users' consent to be valid, it must be based on positive action or other active behavior by the user. This active behavior can be triggered by a number of tools such as splash screens, banners, modal dialog boxes, and browser settings, but it should also be sufficient to use "any kind of signal" that is sufficiently clear to indicate users' wishes. Therefore, the WP29 does not prescribe a specific mechanism and leaves website publishers some (limited) freedom and flexibility (e.g., by having users tick a box or click on a button or content). It also accepts that active behavior can be construed as any "traceable user-client request towards the website, such as clicking on a link, image or other content on the entry website" based on which the website operator can be confident that the user has actively requested to engage with the website. Consequently, it does not explicitly preclude the use of implied consent, but companies should be in a position to prove (and document) that a consent request triggers an action by the user, which might prove to be difficult with implied consent.
  4. Freely given and real choice: The guidance emphasizes that consent must be freely given and that users should be given a real choice regarding whether to accept or reject some or all cookies. Generally, the user should be able to continue browsing the website without receiving, or by only receiving, cookies that are necessary to provide the services. Therefore, some level of granularity should be provided to users, and, in particular, they should be given a choice to reject cookies that are not strictly necessary to provide the service (e.g., tracking cookies). The WP29 believes that an all-or-nothing approach would not work and that websites should inform users about the consequences of accepting or rejecting some or all of the cookies (e.g., installation of tracking cookies if cookies accepted, content limitation on the website if cookies rejected) and how users can modify their initial settings.

Concrete Examples

The WP29 lists five business practices currently used in Europe that, in its opinion, contain "useful components" of a consent mechanism, but that in isolation are unlikely to be sufficient to comply with all elements of the EU cookie consent requirements described above. According to the WP29, a valid cookie consent mechanism should be a mixture of some or all of the elements listed below:

  • "An immediately visible notice that various types of cookies are being used by the website, providing information in a layered approach, typically providing a link, or series of links, where the user can find out more about types of cookies being used;
  • an immediately visible notice that by using the website, the user agrees to cookies being set by the websites;
  • information as to how the users can signify and later withdraw their wishes regarding cookies including information on the action required to express such a preference;
  • a mechanism by which the user can choose to accept all or some or decline cookies; and
  • an option for the user to subsequently change a prior preference regarding cookies."

Conclusions and Implications for Companies

The WP29 guidance expands on the existing WP29 opinions on this topic and specifies what constitutes a valid consent for the installation and use of cookies in the EU. In essence, the new guidance restates many of the established positions of WP29 with regard to cookies, but also in some cases tries to regulate or limit existing market practices. In particular, the WP29 somewhat goes against EU market trends when it indirectly suggests improvements or limitations to the widely used implied consent approach (i.e., affirming consent when the user continues using the website after proper notice of cookies has been provided). It does not, however, fully preclude companies from relying on implied consent provided that certain conditions are met. In the end, whether consent meets the requirements described in the guidance is a factual question that should be analyzed on a case-by-case basis.

This guidance comes at a time when most stakeholders thought that the cookies debate in the EU was reaching a point of maturity and when recognized market trends were emerging. Companies subject to the cookies rules should carefully assess whether some improvement to their current practices is required in light of this guidance. However, while the WP29 guidance is a good indication of the interpretation of EU regulators, it is not legally binding on companies and local authorities. Therefore, it remains to be seen how stakeholders will react to this new guidance and how national regulators will interpret such cookie consent requirements in light of their national laws and existing market practices.

1 Working Document providing guidance on obtaining consent for cookies - WP 208.

2 See Article 5(3) of the consolidated version of the amended e-Privacy Directive 2009 (currently implemented in most EU Member States), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

3 Opinion 15/2011 on Consent - WP 187; Opinion 04/2012 on Cookie Consent Exemption - WP 194; WP 188; and Opinion 2/2010 on Online Behavioral Advertising - WP 171.

4 Opinion 2/2010 on Online Behavioral Advertising - WP 171; and Opinion 15/2011 on Consent - WP 187.

5 Opinion 15/2011 on Consent - WP 187; and Opinion 2/2010 on Online Behavioral Advertising - WP 171.

Topics:  Cookies, Cybersecurity, Data Protection, EU, Internet, Privacy Laws, Websites

Published In: General Business Updates, Consumer Protection Updates, International Trade Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
