Update Your GDPR Cookie Consent Checklist With New EU Guidance

Website cookies and tracking technologies are a primary focus of global data privacy laws such as Europe’s General Data Protection Regulation (“GDPR”), and nuances among certain countries in the application and enforcement of cookie-related matters can cause companies headaches. The Court of Justice of the European Union (“CJEU”) has recently ruled on cases involving cookies, and companies everywhere need to ensure they’re up-to-date with cookie collection management in order to avoid the costly penalties that can be imposed for noncompliance. In this post, we outline best practices for cookie compliance for GDPR.

 

Planet49 Ruling

In late 2019, the CJEU ruled that all tracking technologies require consent before being deployed. This is known as the “Planet49 Ruling”, as it involved a German gaming company that used a pre-checked consent banner for a lottery promotion it was offering, meaning that it was collecting data from cookies before website visitors had provided consent. The CJEU established that this was a violation of GDPR. Practically, this means that website visitors must be provided with information about the type and lifespan of cookies running on websites, as well as the opportunity to provide consent for cookie collection. If you’re using a cookie wall or similar technology, this means you’re not in compliance with GDPR and could be risking thousands of dollars in penalties.

 

Nuances by Country

The Planet49 ruling involved a German company, and many countries within the EU have slightly different interpretations of how companies can make their websites compliant from a cookie collection perspective. Thankfully, many EU regulators have released what they consider to be compliant cookie collection practices, listed below:

 

Country (Regulatory Body): Compliant Characteristics

United Kingdom (Information Commissioner’s Office):
- A cookie consent banner that shows, at a minimum, “accept” and “reject” options equally
- A list of cookies and tracking technologies that clearly and specifically names the third parties and also explains the purpose of the data collected by the third-party cookies

Ireland (Data Protection Commission):
- Companies cannot rely on “legitimate interest” for consent; it must be explicitly obtained prior to cookie collection
- Consent may not be collected more than once in a 6-month period
- A cookie used for more than one purpose requires a record of consent for each purpose

France (Commission Nationale de l’Informatique et des Libertés):
- Companies cannot assume that scrolling a page implies consent
- If a consumer does not interact with a cookie consent banner, this does not imply consent

Germany (Datenschutzkonferenz):
- Access to a privacy policy cannot be blocked by a cookie banner
- Pre-ticked boxes for capturing consent are not compliant
- Google Analytics specifically is “invasive” and requires consent

How Clym Helps

Clym is constantly monitoring new global guides and best practices, and will continue to keep you updated on the latest news. Regarding cookie consent management, we can help you to:

 

Our cost-effective, scalable, audit-ready solution can be easily incorporated into your tech stack today. Please contact us or schedule a demo with one of our team members to learn more!