European Data Protection Regulators Issue Further Guidance on How to Obtain Cookie Consent

by Wilson Sonsini Goodrich & Rosati

Introduction

In early October 2013, the body of European data protection regulators (Article 29 Working Party or WP29) issued a working document providing further guidance on obtaining consent in compliance with the EU cookie requirements (the guidance),1 as set forth in the 2009 amended e-Privacy Directive.2 This new guidance focuses on how to obtain valid consent for the installation and use of cookies by websites that operate "across all EU Member States." It is aimed at clarifying the existing situation and ensuring a harmonized approach for companies operating at a pan-EU level.

This document complements the previous WP29 opinions relevant for cookies and should thus be read together with the WP29 opinions on definition of consent, cookie consent exemption, and online behavioral advertising.3 In particular, it is important to realize that the WP29 has clarified in its previous opinions that cookie consent is not required for all types of cookies (i.e., there are some limited opt-out exceptions), but rather only for what they consider to be privacy-intrusive cookies. Thus, this guidance applies when opt-in consent is required, and analyzes what constitutes valid consent under the EU cookie rules.

Cookie Consent Requirements

The guidance focuses on four main elements that must jointly be complied with for consent to be valid. In particular, cookie consent should be:

  1. Specific and informed: The WP29 reiterates its previous position that websites should provide a clear, comprehensive, and visible cookie notification on their entry page.4 It is recommended to display a prominent link to a designated webpage that includes specific information about a website's cookie practices, including the different types of cookies and their purposes, whether and what third parties access data collected through cookies, cookie expiration date, and other technical information. In addition, the WP29 recommends informing users about the various ways in which they could manage cookies (e.g., how to accept all, some, or no cookies and how to reset chosen settings in the future). The mechanism used to provide notice remains at the discretion of companies, provided that they include the above information.
  2. Given prior to placing cookies: The WP29 confirms its earlier views5 on the timing of obtaining consent and suggests that consent has to be provided prior to setting or reading cookies. Furthermore, the WP29 encourages companies to provide users with a technical solution enabling access to the webpage without installing any cookies upfront, but instead first seeking users' consent.
  3. The result of active behavior: According to the WP29, in order for users' consent to be valid, it must be based on positive action or other active behavior by the user. This active behavior can be triggered by a number of tools such as splash screens, banners, modal dialog boxes, and browser settings, but it should also be sufficient to use "any kind of signal" that is sufficiently clear to indicate users' wishes. Therefore, the WP29 does not prescribe a specific mechanism and leaves website publishers some (limited) freedom and flexibility (e.g., by having users tick a box or click on a button or content). It also accepts that active behavior can be construed as any "traceable user-client request towards the website, such as clicking on a link, image or other content on the entry website" based on which the website operator can be confident that the user has actively requested to engage with the website. Consequently, it does not explicitly preclude the use of implied consent, but companies should be in a position to prove (and document) that a consent request triggers an action by the user, which might prove to be difficult with implied consent.
  4. Freely given and real choice: The guidance emphasizes that consent must be freely given and that users should be given a real choice regarding whether to accept or reject some or all cookies. Generally, the user should be able to continue browsing the website without receiving, or by only receiving, cookies that are necessary to provide the services. Therefore, some level of granularity should be provided to users, and, in particular, they should be given a choice to reject cookies that are not strictly necessary to provide the service (e.g., tracking cookies). The WP29 believes that an all-or-nothing approach would not work and that websites should inform users about the consequences of accepting or rejecting some or all of the cookies (e.g., installation of tracking cookies if cookies accepted, content limitation on the website if cookies rejected) and how users can modify their initial settings.

Concrete Examples

The WP29 lists five business practices currently used in Europe that, in its opinion, contain "useful components" of a consent mechanism, but that in isolation are unlikely to be sufficient to comply with all elements of the EU cookie consent requirements described above. According to the WP29, a valid cookie consent mechanism should be a mixture of some or all of the elements listed below:

  • "An immediately visible notice that various types of cookies are being used by the website, providing information in a layered approach, typically providing a link, or series of links, where the user can find out more about types of cookies being used;
  • an immediately visible notice that by using the website, the user agrees to cookies being set by the websites;
  • information as to how the users can signify and later withdraw their wishes regarding cookies including information on the action required to express such a preference;
  • a mechanism by which the user can choose to accept all or some or decline cookies; and
  • an option for the user to subsequently change a prior preference regarding cookies."

Conclusions and Implications for Companies

The WP29 guidance expands on the existing WP29 opinions on this topic and specifies what constitutes a valid consent for the installation and use of cookies in the EU. In essence, the new guidance restates many of the established positions of WP29 with regard to cookies, but also in some cases tries to regulate or limit existing market practices. In particular, the WP29 somewhat goes against EU market trends when it indirectly suggests improvements or limitations to the widely used implied consent approach (i.e., affirming consent when the user continues using the website after proper notice of cookies has been provided). It does not, however, fully preclude companies from relying on implied consent provided that certain conditions are met. In the end, whether consent meets the requirements described in the guidance is a factual question that should be analyzed on a case-by-case basis.

This guidance comes at a time when most stakeholders thought that the cookies debate in the EU was reaching a point of maturity and when recognized market trends were emerging. Companies subject to the cookies rules should carefully assess whether some improvement to their current practices is required in light of this guidance. However, while the WP29 guidance is a good indication of the interpretation of EU regulators, it is not legally binding on companies and local authorities. Therefore, it remains to be seen how stakeholders will react to this new guidance and how national regulators will interpret such cookie consent requirements in light of their national laws and existing market practices.

1 Working Document providing guidance on obtaining consent for cookies - WP 208.

2 See Article 5(3) of the consolidated version of the amended e-Privacy Directive 2009 (currently implemented in most EU Member States), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

3 Opinion 15/2011 on Consent - WP 187; Opinion 04/2012 on Cookie Consent Exemption - WP 194; WP 188; and Opinion 2/2010 on Online Behavioral Advertising - WP 171.

4 Opinion 2/2010 on Online Behavioral Advertising - WP 171; and Opinion 15/2011 on Consent - WP 187.

5 Opinion 15/2011 on Consent - WP 187; and Opinion 2/2010 on Online Behavioral Advertising - WP 171.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
