As European Regulators Take Use of Cookies More Seriously, Here Are the Basics for Compliance

Pillsbury - Internet & Social Media Law Blog

This week the European Data Protection Board (EDPB), a body that represents European data protection authorities, set up a new cookie banner taskforce. The new taskforce will coordinate the response to over 400 complaints concerning cookie banners filed by a nonprofit organization founded by Max Schrems, None of Your Business (NOYB).

Previously considered by many to be a lower priority issue in terms of regulator enforcement, the use of cookies and other online tracking technologies is becoming more and more of a hot topic for European data protection authorities. Many have issued guidance in recent months, and we are beginning to see increased fines in this area. The French and Spanish data protection authorities have fined many household names for non-compliance with cookie rules recently, for example.

Given the increased focus on this issue, it is time for organizations to take another look at their compliance with European cookie rules, which apply to websites directed at the EU and UK regardless of whether the website publisher is based in a third country (such as the U.S.).

Here are the basic rules for cookie compliance:

  • Cookies and other tracking technologies (such as clear gifs, web beacons, etc.) must not be placed on a user’s device without their prior consent, unless they are strictly necessary for providing the service.
  • Examples of “strictly necessary” cookies include cookies used to remember preferences, such as language or goods placed in an online basket, session cookies used for security, load-balancing cookies, etc. Analytics cookies (whether first party or third party) are not considered “strictly necessary.”
  • Consent must be “opt-in”—no pre-ticked boxes.
  • Consent cannot be inferred from a user’s continued use of a website after having seen a cookie banner.
  • Consent must be granular, e.g., allowing a user to accept analytics cookies, but not advertising cookies.
  • Users must be able to control all cookies dropped on a website, including third-party cookies (e.g., Google Analytics).
  • Users must be able to withdraw consent as easily as they gave it, meaning users must be able to update their cookie preferences.
  • For consent to be “informed” (a key requirement of the GDPR), website owners must publish a list of their cookies and similar technologies, why they are used and how long they will stay on a user’s device. This information is generally contained in a cookie policy.
  • Requiring a user to accept cookies in order to be able to access a website, as opposed to giving them a free choice to accept or refuse cookies, is unlikely to be compliant with EU/UK law.

A key point to remember is that EU/UK laws around prior consent for tracking technologies apply not only to cookies served by websites and mobile apps, but also to any technologies that access information stored on a connected device to track user behavior. For example, prior informed consent would be required to monitor driving habits in a connected car, an individual’s use of a connected fridge, or viewing habits from a smart TV, where such monitoring is not “strictly necessary” for providing a service requested by the individual.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
