This document complements the previous WP29 opinions relevant for cookies and should thus be read together with the WP29 opinions on definition of consent, cookie consent exemption, and online behavioral advertising.3 In particular, it is important to realize that the WP29 has clarified in its previous opinions that cookie consent is not required for all types of cookies (i.e., there are some limited opt-out exceptions), but rather only for what they consider to be privacy-intrusive cookies. Thus, this guidance applies when opt-in consent is required, and analyzes what constitutes valid consent under the EU cookie rules.
Cookie Consent Requirements
The guidance focuses on four main elements that must jointly be complied with for consent to be valid. In particular, cookie consent should be:
Specific and informed: The WP29 reiterates its previous position that websites should provide a clear, comprehensive, and visible cookie notification on their entry page.4 It is recommended to display a prominent link to a designated webpage that includes specific information about a website's cookie practices, including the different types of cookies and their purposes, whether and what third parties access data collected through cookies, cookie expiration date, and other technical information. In addition, the WP29 recommends informing users about the various ways in which they could manage cookies (e.g., how to accept all, some, or no cookies and how to reset chosen settings in the future). The mechanism used to provide notice remains at the discretion of companies, provided that they include the above information.
Given prior to placing cookies: The WP29 confirms its earlier views5 on the timing of obtaining consent and suggests that consent has to be provided prior to setting or reading cookies. Furthermore, the WP29 encourages companies to provide users with a technical solution enabling access to the webpage without installing any cookies upfront, but instead first seeking users' consent.
The result of active behavior: According to the WP29, in order for users' consent to be valid, it must be based on positive action or other active behavior by the user. This active behavior can be triggered by a number of tools such as splash screens, banners, modal dialog boxes, and browser settings, but it should also be sufficient to use "any kind of signal" that is sufficiently clear to indicate users' wishes. Therefore, the WP29 does not prescribe a specific mechanism and leaves website publishers some (limited) freedom and flexibility (e.g., by having users tick a box or click on a button or content). It also accepts that active behavior can be construed as any "traceable user-client request towards the website, such as clicking on a link, image or other content on the entry website" based on which the website operator can be confident that the user has actively requested to engage with the website. Consequently, it does not explicitly preclude the use of implied consent, but companies should be in a position to prove (and document) that a consent request triggers an action by the user, which might prove to be difficult with implied consent.
Freely given and real choice: The guidance emphasizes that consent must be freely given and that users should be given a real choice regarding whether to accept or reject some or all cookies. Generally, the user should be able to continue browsing the website without receiving, or by only receiving, cookies that are necessary to provide the services. Therefore, some level of granularity should be provided to users, and, in particular, they should be given a choice to reject cookies that are not strictly necessary to provide the service (e.g., tracking cookies). The WP29 believes that an all-or-nothing approach would not work and that websites should inform users about the consequences of accepting or rejecting some or all of the cookies (e.g., installation of tracking cookies if cookies accepted, content limitation on the website if cookies rejected) and how users can modify their initial settings.
The WP29 lists five business practices currently used in Europe that, in its opinion, contain "useful components" of a consent mechanism, but that in isolation are unlikely to be sufficient to comply with all elements of the EU cookie consent requirements described above. According to the WP29, a valid cookie consent mechanism should be a mixture of some or all of the elements listed below:
"An immediately visible notice that various types of cookies are being used by the website, providing information in a layered approach, typically providing a link, or series of links, where the user can find out more about types of cookies being used;
an immediately visible notice that by using the website, the user agrees to cookies being set by the websites;
information as to how the users can signify and later withdraw their wishes regarding cookies including information on the action required to express such a preference;
a mechanism by which the user can choose to accept all or some or decline cookies; and
an option for the user to subsequently change a prior preference regarding cookies."
Conclusions and Implications for Companies
This guidance comes at a time when most stakeholders thought that the cookies debate in the EU was reaching a point of maturity and when recognized market trends were emerging. Companies subject to the cookies rules should carefully assess whether some improvement to their current practices is required in light of this guidance. However, while the WP29 guidance is a good indication of the interpretation of EU regulators, it is not legally binding on companies and local authorities. Therefore, it remains to be seen how stakeholders will react to this new guidance and how national regulators will interpret such cookie consent requirements in light of their national laws and existing market practices.