On 14 October, the Article 29 Working Party of EU data protection commissioners (“WP29”) published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States“.
On 25 November 2009, the European Union passed the “Telecoms Package” which included several revisions of the 2002 ePrivacy Directive (Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector).
One of the main features of the Telecoms Package that caught the attention of businesses was the so-called “cookie consent law” which required, under section 5(3) of the revised ePrivacy Directive, that “use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information“.
This new requirement left a number of website operators wondering about the exact scope and nature of their obligations to provide notice to and gather consent from web users before using cookies.
To answer this question, the Working Document applies in the cookie context the four main characteristics of effective consent as set forth in the WP29’s 2011 Opinion on consent:
- Specific and appropriate information must be given to data subjects. Applying this principle to cookie consent, WP29 recommends that information regarding cookies should be made readily accessible at the time when consent is sought, which generally implies at the page when users first visit the website. Also, WP29 recommends that the website clearly present the categories of cookies that it uses, including third-party cookies, as well as technical information about cookies. Ideally, all such information should be combined on a single page.
- Consent should be obtained before the processing is initiated. This principle states that the processing of the data subjects’ data should not start before the website has obtained effective user consent, which implies, in the context of the installation of cookies, that “consent should be sought before cookies are set or read.”
- Consent must be unambiguous and, for that purpose, must result from a positive action which clearly expresses the position of the data subject. The issue of unambiguous consent has always been one of the most discussed questions under EU data protection law, especially with regards to cookies. WP29 takes the position, as it has frequently in the past, that websites should not place cookies unless they have absolutely no doubt that the data subject consents to the setting or reading of cookies. In this respect, W29 did not dismiss the possibility that consent might be inferred from browser settings, referring to its 2010 Opinion on behavioural advertising in which it clearly stipulated that inferred consent would only be possible in “very limited circumstances“. Accordingly, WP29 recommends that consent to cookies be materialised by a “positive action or other active behaviour” on this very issue (a mere link to information on cookies is deemed insufficient) and that information should remain visible to the data subject until he or she has clearly expressed his or her position.
- Consent must be given freely, implying that the data subject must be given an effective choice. For WP29, this requirement ideally would be manifested by website operators offering a granular list of cookies they potentially install, from which their users could pick and choose. In any event, the Working Document insists that while it may be legitimate for websites to limit access to certain functionalities to those users who consent to cookies, they “should not make conditional ‘general access’ to the site on acceptance of all cookies“. Finally, the document underlines the need to ensure that consent needs to be obtained before placing cookies necessary to the performance of a defined purpose, and that tracking cookies should be amongst those for which users should be grated the highest level of freedom of choice.
The WP29 Working Document comes after some of the European data protection authorities (such as the Information Commissioner’s Office for the United Kingdom or the CNIL for France) had issued more or less complete guidelines on the same topic.