In the last few months, there have been interesting developments concerning the use of cookies. Upon investigating 175 websites, the Dutch DPA concluded that half of those websites did not comply with cookie requirements. The Bavarian DPA initiated a similar investigation and the Spanish DPA has issued two fines for not complying with cookie requirements. In addition to these investigations and fines, various DPAs have published guidelines with very different interpretations. Cookie compliance seems to have become a high priority for DPAs. In this blog post, we help navigate through the EU cookie landscape by focusing on how European DPAs are approaching cookie consent and transparency in light of the Planet49 decision.
Tag Archives: cookie
The French Data Protection Authority Gets Ahead of the Game With New Rules on Cookie Consent Before the ePrivacy Regulation Reaches its Final Draft
The French Data Protection Authority has made targeted online advertising a priority topic in its 2019-2020 agenda and has changed its position on cookie consent. Although the ePrivacy Regulation is still being debated by EU legislators and is far from being finalised, the CNIL has withdrawn its 2013 cookie recommendation and announced that it will publish new guidelines (announcements are available in English on the CNIL’s website). These explicitly rule out the use of implied or “soft” consent to place cookies on users’ devices.
Cookie consent – What “good” compliance looks like according to the ICO
On 3 July 2019, the UK data protection authority updated its guidance on the rules that apply to the use of cookies and other similar technologies. The ICO has also changed the cookie control mechanism on its own website to mirror the changes in the new guidance.
The Netherlands: New Rules for Cookies, Data Breaches and Fines
Recently, new rules on cookies came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible.
French DPA Issues Guidance on Cookie Consent Allowing Flexibility
In a decision of 16 December, the French data protection authority (the “CNIL”) issued new recommendations on how businesses should implement the so-called “cookie consent law”.
Amended UK Cookie Regulation Grace Period Expires; Implied Consent Can Be Valid
For over a year companies have been trying to determine how to achieve compliance with the UK Information Commissioner’s Office’s (ICO) amended Privacy and Electronic Communications Regulations (the “cookies law”), which implemented 2009 amendments to the EU’s Privacy and Electronic Communications Directive of 2002. Last week, the ICO made it clear that reliance on implied consent would be an acceptable form of consent.
New Guidelines Released for Mobile App Privacy Policies
Amid increasing media and regulator scrutiny over location-based services, the Mobile Marketing Association has released a set of draft privacy policy guidelines for mobile applications (“apps”). These guidelines address key data privacy and security issues and provide a helpful “starting point” for companies that develop or deploy mobile apps. With assistance from Hogan Lovells, the Future of Privacy Forum participated in the development of these guidelines.
Article 29 Working Party to OBA Industry on Meeting Cookie Consent Requirement: “Nice try, but…”
The Article 29 Working Party in the EU has thrown cold water on proposals by the OBA industry to avoid the literal application of the so-called Cookie Directive for specific opt-in consent to the placement of tracking cookies, whether personal data is tracked or not. In a letter sent in advance of a September meeting between the parties, the Working Party rejects a range of proposals from the OBA industry.
FTC: Opt-Out Should Mean Opt-Out
The Federal Trade Commission (FTC) yesterday announced a settlement with Chitika, Inc. over its failure to honor consumers’ choice in contravention of representations made in its online privacy policy. The announcement is notable in that it comes in the wake of the FTC’s December 2010 Preliminary Staff Report and is the FTC’s first consent settlement relating to […]