Understanding Cookie Consent Requirements

Recently, online privacy has become a hot topic, driven by strict regulations on the use of cookies on websites and by enforcement actions from Supervisory Authorities. Let’s break down the essentials of cookie consent requirements, why they matter, and what they mean for your organisation.

When people think about data privacy laws and privacy regulations, cookies are frequently associated with both. This often leads to the mistaken belief that the Cookie Law (the ePrivacy Directive) has been replaced by the General Data Protection Regulation (GDPR) when, in reality, it has not. Rather, the ePrivacy Directive and the GDPR are meant to function in tandem, complementing each other.

What are those not-very-tasty cookies?

Cookies are small text files stored on a device with storage capacity, such as a computer or a mobile device. They serve various purposes, from remembering preferences to speeding up the loading of web pages. Cookies can contain personal data, like an IP address or username, but they may also hold non-personal details such as language preferences.

For example, cookies can record the contents of an online shopping cart or the data you enter into an online application form. Authentication cookies are also crucial for identifying users when they log in to banking and other online services.

Cookie consent is required!

The ePrivacy Directive mandates that websites obtain consent before using cookies or similar technologies. This consent must be a clear affirmative act: freely given, specific, informed, and unambiguous.

It is important to note that cookies serving advertising purposes and analytics cookies are not strictly necessary. For such optional cookies, users must give consent before they are set.

Obligations of the Organisations

  1. Transparent Information: Websites must provide easily accessible, clear, and comprehensive information about the cookies used and the purpose for which personal data is collected.
  2. User-Friendly Interface: Organisations must design a clear and accessible interface that lets users easily manage their cookie preferences, promoting transparency and giving users control over their online privacy.
  3. Easy Withdrawal: Users must be able to withdraw consent as easily as they gave it. Do not bundle consent for cookies with other consents or with terms and conditions.
  4. Consent Mechanism: Organisations must obtain explicit consent from users before placing non-essential cookies and must give users the option to accept or reject cookies, including specific cookie categories.
  5. Data Protection Impact Assessment: Certain data processing activities, such as systematic monitoring or profiling on a large scale, require a mandatory data protection impact assessment.
  6. Regular Control: Organisations should enable users to specifically choose to accept or reject types of cookies (e.g., functional, analytical, marketing), ensuring a personalised privacy experience aligned with the principle of specific consent for each cookie purpose.

Are there any exemptions?

Yes, there are two exemptions from the general rule:

  1. Communication cookies: cookies used solely to transmit information over a network, for example to identify the communication endpoints.
  2. Strictly necessary cookies: cookies essential to providing a functioning website or a service explicitly requested by the user.
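The obligations above (category-level accept or reject, withdrawal as easy as giving consent, no optional cookies before an opt-in) and the strictly necessary exemption can be enforced in one place on the client side. The following is an added example in plain JavaScript, not code from the original post; the category names follow the post, and the cookie store is an injected `Map` (a constructed stand-in for `document.cookie`) so the logic runs and can be tested outside a browser.

```javascript
// Added example (not from the original post): a category-level consent gate.
// Category names follow the post; the cookie jar is an injected Map so it runs
// outside a browser. A real deployment would write through to document.cookie.
const OPTIONAL_CATEGORIES = ['functional', 'analytical', 'marketing'];

class ConsentManager {
  constructor(cookieJar) {
    this.jar = cookieJar;       // Map: cookie name -> { value, category }
    this.consent = new Set();   // optional categories the user has opted in to
    this.decided = false;       // no choice yet: default deny for optional cookies
  }

  // Granular choice: only categories explicitly set to true are allowed.
  // Unknown category names are ignored, so a typo can never grant consent.
  setChoices(choices) {
    this.consent = new Set(OPTIONAL_CATEGORIES.filter((c) => choices[c] === true));
    this.decided = true;
    this.purgeUnconsented();
    return Array.from(this.consent);
  }

  // Accepting and rejecting are symmetric one-call actions: refusing must not
  // cost more clicks than accepting.
  acceptAll() {
    return this.setChoices(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true])));
  }
  rejectAll() { return this.setChoices({}); }

  // Withdrawal is as easy as giving consent and removes optional cookies already set.
  withdraw() { return this.rejectAll(); }

  // Strictly necessary cookies are exempt; every other category needs an opt-in.
  isAllowed(category) {
    return category === 'necessary' || this.consent.has(category);
  }

  // Every cookie write goes through the consent state. Returns whether it was set.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Delete cookies whose category is no longer consented to.
  // (Deleting from a Map while iterating over it is safe in JavaScript.)
  purgeUnconsented() {
    for (const [name, entry] of this.jar) {
      if (!this.isAllowed(entry.category)) this.jar.delete(name);
    }
  }
}
```

Tag-manager or analytics loaders should be wired to `isAllowed('analytical')` and `isAllowed('marketing')` so that no third-party script runs before the user has opted in.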

Failure to comply with cookie consent requirements may cost a fortune!

Complying with these cookie consent regulations is crucial for any organisation that operates a website. Some notable companies have already faced significant fines for breaching them, so it is always best to ensure that you follow the rules and obtain proper consent before using cookies or similar technologies on your website.

Here are some recent sanctions that the French National Commission on Informatics and Liberty (CNIL) imposed:

  • Yahoo Ltd. was fined 10 million euros for “failing to respect the choice of Internet users who refused cookies on its main website, Yahoo.com, and for not allowing users of its e-mail (“Yahoo! Mail”) client to withdraw their consent to cookies freely”.
  • TikTok was fined 5 million euros because rejecting cookies required multiple clicks, whereas accepting them took a single “accept all” click.
  • Microsoft Ireland was fined 60 million euros for not providing an easy option to reject cookies and for using cookies for advertising purposes without user consent.

The link to the e-Privacy Directive can be found here.

You can contact us for more information and guidance on how to best tackle the cookie topic.

Published February 16th, 2024.