Consumer-facing businesses could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. Widespread practice across retailers and other online services tells us that this is far from the truth. 

Here we set out our practical recommendations for compliance with the requirement under European data protection laws to provide notice and obtain prior consent before setting any non-essential cookies or similar device tracking technologies, along with a brief explanation of why cookie consent continues to be an issue.

What's the issue?

In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (e-Privacy Directive), including to the provisions regulating the use of cookies.

Since then the e-Privacy Directive has required obtaining the consent of users in order to store or access information (typically cookies or similar tracking technologies) on their devices. The only exemptions to this requirement are where this is for the sole purpose of transmitting a communication or where it is strictly necessary to provide an internet service explicitly requested by the user.

In May 2011, the UK became the first EU Member State to implement this obligation into national law. Other countries have been following suit ever since. Over the years, regulatory authorities have been providing guidance about how to comply with the cookie consent obligation in practice – leading to a vast divergence in the way that businesses seek to comply (if at all).

Why do businesses need to take note?

In 2018, the General Data Protection Regulation (GDPR) introduced a strengthened concept of consent which, by operation of EU data protection law, also applies to the consent required under the e-Privacy Directive. The GDPR stresses that consent should amount to an unambiguous indication of wishes expressed by active behaviour. To reiterate this point, the Court of Justice of the European Union (CJEU) set out in its Planet49 decision of October 2019 some key aspects applicable to the cookie consent obligation, namely:

  • Consent must be active, rather than passive.
  • Consent must be unambiguous. According to the CJEU, "only active behavior on the part of the data subject with a view to giving his or her consent may fulfil that requirement."
  • Simply giving users the chance to opt out by un-checking a pre-checked box does not constitute valid consent since "consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of the website user."
  • Consent must be specific. This means that "it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject's wishes for other purposes."

In reaching its decision, the CJEU has ultimately removed any room for error about the appropriate standard for consent when placing cookies. This puts real pressure on website operators – and regulators alike – to ensure this standard is upheld from now on.

Practical recommendations for compliance

Getting cookie consent right is still a work in progress for most websites. In summary, practical recommendations to ensure compliance include:

  • Only cookies that are strictly necessary for the functionality of the website can be placed before the user's affirmative action.
  • Analytics cookies, advertising cookies, and social media cookies can only be placed after the user has provided their valid consent.
  • All websites using cookies must include a cookie banner and a Cookies Policy.
  • Cookie banners must include a brief but meaningful description of the purposes for placing and using cookies.
  • Cookie banners must provide a choice to accept or reject non-strictly necessary cookies.
  • Websites must include functionality to allow users to easily withdraw their consent.
  • Assuming the user's acceptance and relying on the use of a website as a form of consent must be avoided.
  • The use of pre-ticked consent boxes must also be avoided.
  • The technical functionality employed to collect consent must demonstrate that consent was given.
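As an added illustration (not part of the original article), the following JavaScript sketches how a site could enforce the recommendations above in code: only strictly necessary cookies are written before an affirmative choice, every non-essential category defaults to refused (no pre-ticked boxes), the choice is recorded with a timestamp and banner version so that consent can be demonstrated later, and withdrawal removes the cookies already set for that category. The function and category names are hypothetical, and the cookie jar is an injectable object so the logic also runs outside a browser.

```javascript
// Added example: consent-gated cookie manager. Names are hypothetical; the
// jar is injected so the same logic can be exercised outside a browser.
const CATEGORIES = { necessary: true, analytics: false, advertising: false, social: false };

function createConsentManager(jar, now = () => new Date().toISOString()) {
  const pending = [];   // non-essential cookies requested before any choice was made
  let record = null;    // evidence of the user's choice (accept, reject or withdraw)

  function canSet(category) {
    if (category === 'necessary') return true;      // strictly necessary: exempt from consent
    return !!(record && record.choices[category]);  // everything else: default deny
  }

  function setCookie(name, value, category) {
    if (!(category in CATEGORIES)) throw new Error('unknown cookie category: ' + category);
    if (canSet(category)) { jar.set(name, value, category); return true; }
    pending.push({ name, value, category });        // hold until the user decides
    return false;
  }

  // `choices` comes from an un-ticked banner; anything omitted stays refused, so
  // recordConsent({}, version) records a rejection of all non-essential cookies.
  function recordConsent(choices, bannerVersion) {
    record = { choices: { ...CATEGORIES, ...choices, necessary: true }, bannerVersion, at: now() };
    for (const c of pending.splice(0)) setCookie(c.name, c.value, c.category);
    return record;
  }

  function withdraw(category) {
    if (!record || category === 'necessary') return;  // nothing to withdraw for exempt cookies
    record.choices[category] = false;
    record.withdrawnAt = now();
    jar.deleteCategory(category);                     // remove cookies already placed
  }

  return { setCookie, recordConsent, withdraw, canSet, getRecord: () => record };
}

// In-memory stand-in for document.cookie, tagging each cookie with its category.
function memoryJar() {
  const cookies = new Map();
  return {
    set: (name, value, category) => cookies.set(name, { value, category }),
    deleteCategory: (category) => { for (const [n, c] of cookies) if (c.category === category) cookies.delete(n); },
    has: (name) => cookies.has(name),
  };
}
```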

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.