On Nov. 22, 2019, the representatives of the EU member states rejected the Finnish Presidency’s proposed text for the ePrivacy Regulation, making the future of ePrivacy Regulation uncertain. The ePrivacy Regulation, which if adopted would be binding across all EU member states, will govern direct electronic marketing messages, cookies, and similar tracking technologies. The ePrivacy Regulation also seeks to increase website users’ protection against online tracking. Currently, the ePrivacy Directive, issued in 2002 and amended in 2009, permits the EU member states discretion on how they implement the substance of the ePrivacy Directive. While the ePrivacy Regulation was intended to go into effect in all EU member states at the same time as the General Data Protection Regulation (GDPR) on May 25, 2018, with privacy advocates, adtech, and telecom organizations actively involved, a resolution has not yet been reached, leaving website owners confused about the notice and choices they are required to provide website and mobile app visitors about the cookies and other tracking technology used.

Despite the lack of progress on the ePrivacy Regulation, in 2019 there were many developments on the EU cookie front.

  • In March 2019, the European Data Protection Board issued an opinion detailing the ePrivacy Directive’s interplay with the GDPR, noting that the ePrivacy Directive contains “special rules” with respect to the processing of personal data in the electronic communication sector, which in accordance with the principle lex specialis derogat legi generali, take precedence over the (more general) provisions of the GDPR. The opinion also noted that cookie consent is only valid if it adheres to the GDPR requirement that consent be “freely given, specific and informed” and evidenced by an affirmative action.
  • In March 2019, the Association of German Data Protection Authorities (Datenschutzkonferenz, or DSK) issued a guidance paper wherein they  present their view on cookies and a guide to conducting a legitimate interest analysis.
  • On July 3, 2019, the UK data protection authorities (ICO) published new guidance on the use of cookies and other internet tracking technologies, and also issued a “myth-busting” blog post on cookie use. The UK’s guidance explains how the Privacy and Electronic Communications Regulations (PECR) apply to the use of cookies in light of the GDPR.
  • On July 4, 2019, the French data protection authorities (CNIL), also published new guidance on the use of cookies.
  • On Sept. 6, 2019, the Spanish data protection authority, the AEPD, issued a decision fining a Spanish airline €30,000 for forcing website visitors to accept the use of non-essential cookies on their device to continue browsing the website. The fine was later reduced to €18,000 after the airline admitted responsibility. The AEPD found the airline had breached Article 22.2 of Spain’s Law on Information Society Services (LSSI).
  • On Oct. 1, 2019, the CJEU issued its judgment in the Planet 49 matter, stating that website operators wishing to store cookies on a user’s device must obtain active, freely given, specific, informed, and unambiguous consent, as required under the GDPR. The CJEU specifically ruled that opt-out consent, by way of a pre-ticked checkbox, is insufficient to obtain consent for storage of cookies.
  • On Nov. 8, 2019, the Spanish data protection authorities published new Guidelines on the Use of Cookies.

While variations in the guidance issued by the UK, France, Germany, and Spain, and the EU’s failure to enact the ePrivacy Regulation presents challenges for organizations doing business in the EU, fortunately, some common themes have emerged for website owners.

  1. The guidance issued by Germany, France, Spain, and the UK applies to any organization based outside the EEA that uses cookies to monitor the behavior of individuals and offers goods or services to individuals in the UK, Germany, Spain, or France.
  2. Although the Spanish Guidelines indicate a website visitor can consent to the use of cookies by continuing to browse a website after adequate notice is given,  the UK, France, and Germany agree that if consent is relied on as the lawful basis for processing, it should be in line with the GDPR’s definition of consent, meaning the consent must be freely given, specific, and informed, and evidenced by an affirmative action (no pre-checked boxes). However, both France and Germany recognize that in relation to non-essential cookies, legitimate interest could be the lawful basis for processing in some situations.
  3. A cookie banner that references the setting of cookies with an “OK” button is not adequate consent. The cookie banner must contain an overview of all processing operations requiring consent, which can be done by identifying the cookies and other tracking technologies, their functions, duration, and the third parties that have access to the cookies, and then collecting the website visitor’s choices via a selection menu.

In 2020, we will likely see increased regulatory scrutiny of cookies. Thus, website owners should consider documenting all cookies and other tracking technology used on their websites and mobile apps, and reviewing their cookie consent mechanism and the information provided in their cookie notice to ensure they are in line with recent guidance. Unfortunately, since the cookie guidance issued by the EU member states differs on certain issues, website owners will need to decide whether to apply the strictest standard across all of the EU member states, or to have different cookie standards based on each member state’s guidance.

If you have specific questions or need further guidance, please do not hesitate to contact the author of this alert or other members of GT’s Data, Privacy & Cybersecurity team.