Guidelines for the Implementation of GDPR-Compliant Cookie Notices

This comment investigates how legal requirements for consent are implicated in the deployment of internet browser cookies, with a focus on the European Union’s (EU) General Data Protection Regulation (GDPR). Non-EU companies should also take note, not only because the GDPR protects EU citizen data regardless of whether or not the processing takes place in the EU (art 3(1), but because the GDPR’s rules for consent and other data privacy issues will likely form the basis of new legislation outside the EU.

CONSENT LAWS

Consent is an integral part of the EU’s approach to data privacy. The concept was codified in the GDPR to mean “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”(art 4(11)).

The application of GDPR consent requirements to online cookie notices has been nebulous since the law came into force. A 2019 study found that the overwhelming majority of cookie notices in the EU are not GDPR-compliant. As enforcement ramps up, companies risk steep fines for non-compliance: one recent example is the imposition of a fine of “1% of annual turnover” for a company that failed to satisfy the Belgian Data Protection Authority’s cookie rules.

Guidance on the interpretation of cookie consent rules was provided by the Court of Justice of the European Union (CJEU) in the Planet49 case, which involved the collection of personal information, through cookies, by an online lottery provider. The CJEU answered several questions (covered in Section III) while calling for the establishment of a “uniform interpretation” of EU law among member states (this was so advocated due to the issues created by divergent transposition and implementation of pre-GDPR Directives across the EU).

The European Data Protection Board (EDPB) recently incorporated the Planet49 ruling into a comprehensive consent compliance guideline. The key requirements for valid consent, as they relate to cookie notices, are the subject of the next section.

PRACTICAL RECOMMENDATIONS

In light of the GDPR, the Planet49 decision, and the recent guideline, the following consent acquisition practices should be adopted for data controllers employing cookie notices. Consent should be:

a) Freely given

A user’s access to services and functionalities must not be made conditional on the user’s consent to information storage or access on their terminal equipment (at para 39). In other words, “cookie walls” are an invalid form of consent. While it is acceptable to restrict certain functionalities if the user does not consent, “general access” to the site must not be made conditional on cookie acceptance.

b) Specific

Data controllers should provide information about each cookie type (e.g., “marketing” or “statistics”) and allow subjects to choose which cookies to accept. Apart from essential cookies, without which provision of “general access” to the site is impossible, subjects should be allowed to reject other categories of cookies without being refused this degree of access to the site (arts 5(1)(b), 6(1)(a).

c) Informed

The data subject should be given, at a minimum, the following information: the controller’s identity; the purposes of each of the processing operations for which consent is being sought; the type of data that will be collected; and the existence of the right to withdraw consent (arts 5, 7(2)). This information should be provided in plain and clear language to facilitate comprehension by laypeople (at para 67). It is insufficient to embed a consent request within a paragraph of the website’s terms of service (i.e., the consent request must be clearly distinguishable from other matters) (at para 71).

d) Unambiguous

“Opt-out” mechanisms are insufficient for showing consent, as are the mere acts of scrolling or swiping on a webpage (at paras 79, 81). Unambiguous consent to cookie use can only be shown through the provision of an unticked box that the user must actively select (art 4(11)).

e) Revocable

Consent must be as easy to withdraw as it is to give. Data controllers could include a withdrawal option, either on a separate webpage or embedded within the site’s privacy policy. This function could also display the user’s current status (e.g., “allow only essential cookies” or “block all cookies”) (art 7(3).

f) Demonstrable

The burden of proof is on the data controller to show that valid consent was obtained. It is recommended that data controllers store and log all consents in the form of information on the browsing session in which consent was obtained along with a copy of the information presented to the data subject at the time of consent (art 7(1)).

g) Obtained prior to data processing

The words “has given” in Article 6(1)(a) of the GDPR imply that prior consent is a prerequisite to the lawful processing of personal data. Therefore, all non-essential cookies should be blocked until the user consents to their deployment.

Written by Daniel Joseph, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2020/2021 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.