ICO, CNIL, German and Spanish DPA Revised Cookies Guidelines: Convergence and Divergence.

By Gabriel Voisin, Ruth Boardman, Dr. Simon Assion, Clara Clark Nevola, Joaquin Munoz Rodriguez

05-2021

Over the past year, regulators in France, Germany, Spain and the UK have published new guidance on the use of cookies and similar tracking technologies. 

France: The new documentation of the French regulator (CNIL) published in October 2020 is composed of (i) updated provisions in relation to the CNIL cookie guidelines originally published in July 2019, (ii) a series of recommendations on practical ways to collect consent and (iii) FAQs. 

U.K.: In July 2019, the U.K. regulator (ICO) published its new guidance on the use of cookies and other internet-tracking technologies.

Germany: In March 2019, the German conference of supervisory authorities published guidance on internet tracking. It is accompanied by a Follow-Up from May 2020. Note that there is also additional German state-level guidance, e.g. the handout of the Federal State Data Protection Officer in November 2020 or the FAQ on cookies and tracking in April 2019.

Spain: In November 2019, the Spanish data protection authority (AEPD) published its guidance on the use of cookies and other internet tracking technologies. In July 2020, the AEPD updated the guidance to inter alia, clarify that the option to continue browsing was no longer a valid mechanism for obtaining consent.

The table below outlines the respective differences and similarities between guidance from the above countries

 
 
 Issue   France 
 UK Germany   Spain 

Similarities

Rules applicable to cookies only?

No, the authorities consider that the rules apply to any technology that stores or accesses information on the user’s device (e.g. pixels, SDK in mobile applications, local objects, browser fingerprinting technologies, etc). In the case of the German guidance, the technology must also involve processing of personal data; so long as that is the case, then the rules will apply to any of the types of technology listed above.

Implied consent

All authorities stress that if consent is required, users must give specific, freely given and unambiguous consent before the respective activity commences. The authorities highlight that a user continuing to browse a website does not amount to that user's consent.

Contractual consent

The French, U.K. and Spanish authorities are clear that terms and conditions cannot be used as a method for obtaining consent, as this breaches Article 7(2) of the EU General Data Protection Regulation (need for clearly distinguishable data-processing consents). The German authorities did not comment on this but likely agree.

Global consent

The consent must cover each purpose for which personal data will be processed (i.e., each purpose for which cookies are used). The U.K., French and Spanish authorities accept that organizations can offer a global consent for all cookies for which consent is required in their first consent layers. German authorities do not comment on this. ICO guidance but, based on the ICO’s own practice, purpose-specific consent options are likely to be regarded as best practice. The German authorities require granular consent but do not specify whether this should be part of the first layer or could be moved to a second layer.

Consent for whom?  In order for consent to be informed, the user must be able to identify all parties processing their data. For the French, German, U.K. and Spanish authorities, this means that organizations should name all parties who will rely on users’ consent. The French regulator also recommends that the list of third parties placing cookies should be (i) easily accessible at all times and (ii) updated regularly. 

Differences

Issues

France

UK

Germany

Spain  

Are cookie walls allowed?

The CNIL revised its position on cookie walls after the partial annulation of its July 2019 guidelines by the French highest administrative court (i.e. Conseil d'Etat) in June 2020. 


The revised October 2020 guidelines no longer provide a blanket prohibition of cookies walls. Instead, the CNIL notes that cookie walls are unlikely to meet the threshold for valid consent under the GDPR. However, such cookie walls should be reviewed and analysed on a "case by case" basis.

 

ICO notes that consent that is forced via a cookie wall is “unlikely to be valid.” However, it also notes that GDPR must be balanced against other rights, including freedom of expression and freedom to conduct a business. ICO seems to be “sitting on the fence” on this — at least for the moment.

No, similar to the CNIL.

 No, the AEPD guidance establishes that cookie walls cannot be used if access to services and functionalities is subject to the user´s acceptance of the use of cookies.

Do analytic cookies require consent?

Not always and the position of the CNIL has changed on this topic. 

Indeed, the French regulator previously

(i) required consent for analytic cookies and

(ii) by derogation had provided an opt out regime for certain types of analytic cookies if cumulative conditions were met. 
Under the October 2020 new rules, the CNIL now

(i) requires consent for analytic cookies and

(ii) by derogation accepts that certain types of analytic cookies can be regarded as “strictly necessary” (for which no opt out needs to be provided) if cumulative conditions are met (e.g. lifespan of analytic cookies must not exceed 13 months, etc).  

This approach from the CNIL seems to anticipate a possible analytic cookie exemption suggested in certain drafts of the still being debated ePrivacy Regulation.

 

Yes. There is no exception. Though ICO states that it is “unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals,” and first-party analytics cookies are given as an example of cookies that are potentially low risk.

No, unless they lead to a transfer of personal data to a third party. Even in that case, likely no consent would be necessary if users can easily opt out from the data transfer to the third party.

 Yes.

Lawful basis for subsequent processing of personal data?

Unlike ICO, the French regulator remains silent on this question

For ICO, in most circumstances, legitimate interest is not the appropriate lawful basis for the processing of personal data relating to cookies. Because consent is required under ePrivacy rules, consent should also be the legal basis under GDPR. Relying on legitimate interests when GDPR-compliant consent is already in place would be unnecessary and would cause confusion to users.

Legitimate interests would never be available for profiling related processing of personal data.

 

Like the CNIL, the German authorities take the view that consent is not always required. They mention contract performance (Article 6(1) (b) GDPR) and the balance-of- interests test (Article 6(1)(f) GDPR) as further possible legal bases.

The Spanish authority does not specify anything with regards to subsequent processing of personal data.

Prominence of options given to users

The French regulator provides three options (to be placed in the first layer of the cookie consent banner). 

1) The first option is for the publisher to include "reject all" and "accept all" buttons alongside a "preferences" option in the first layer.

2) The second option is for the publisher to have an "accept all" and  a "preferences"  buttons and offer the possibility for users to reject cookies by clicking on a sentence such as "continue without accepting [X]" in the top right corner of the first layer of the cookie consent banner for instance. 

3) The third option is for the publisher to have an "accept all" and a "preferences" buttons and offer the possibility for users to reject all cookies by continuing browsing/not interacting with the cookie consent banner. However, in such  cases

(i) the text of the first layer of the cookie consent banner must make this clear and

(ii) the cookie consent banner must “disappears after a short period of time, so as not to hinder the use of the site or the application and so as not to condition the user's browsing comfort on the expression of his consent to the cookies”

 

 

Organizations emphasizing the “agree”/“allow” cookie  options over the “reject”/“block” cookie options influences users toward the “accept” option. This is not a compliant way to collect consent. The same would be true if the “reject”/“block” option were located in a second layer and the “agree”/“allow” cookie   option were available in the first layer.

A simple banner with cookie information and an “OK” button would not be sufficient; the consent must be recognizable
as such. This means that the banner must list specifically all data-processing activities that require consent (and not any other) and that users must be able to decline their consent. The German authorities require granular options (for each data-processing activity) but do not specify whether these options can be part of a multiple-layer concept (where
a simple “accept all” option is complemented with more granular “refuse” options on the  second layer).

 
 Publishers should include in the first layer:

(1) A “Consent”/ “Accept” button .

(2) A tool (or a link to a tool) that enables users to give granular consent to each category of cookies (at least, grouped by purpose) and to reject all cookies.

(3) Unless offered in the tool mentioned above, a “Reject all” button.

The Spanish authority recommends highlighting the buttons and links (using color, font, size, etcetera) and placing them somewhere visible.
 

Cookie lifespan and retention periods

The lifespan of analytic cookies benefitting from the CNIL consent exemption must not exceed 13 months. Information collected through these can be kept for a maximum of 25 months.

As a best practice, the French regulator considers that  consent given to cookies should be valid for 6 months but emphasizes that there is no perfect "one size fits all" answer to this question.  
The CNIL also recommends that any refusal to the placement of cookies must be retained for the same duration as consent. 

 

 

The lifespan of cookies must be proportionate in relation to the intended outcome and limited to what is necessary to achieve the purpose.

The maximum possible technical duration of a cookie (e.g., “31/12/9999”) would not be regarded as proportionate in any circumstances.

 

German authorities do not specify the lifespan of cookies, but take the view that a shorter lifespan (aka “recognition period”) is more likely to meet the requirements of the balance- of-interests test (Article 6(1)(f) GDPR).

The lifespan of cookies must be proportionate in relation to the purposes for which they are intended; the AEPD suggests consent should be renewed after 24 months.