Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: cookies

Posted in International/EU Privacy

Getting Cookie Consent Right

One could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. However, widespread practice tells us that this is far from the truth. In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (e-Privacy Directive), including to the provisions regulating the use of cookies.

Posted in International/EU Privacy

Spanish DPA on Use of Cookies: Continued Browsing is Consent

On November 8, the Spanish data protection authority published new Guidelines on the Use of Cookies. The Guidelines have been prepared in collaboration with different organisations in the marketing and online advertising industries, and aim to provide some direction on the use of cookies and similar technologies in compliance with information society services laws and regulations.

Posted in Consumer Privacy

IAB Soliciting Comments on Draft Compliance Framework for Programmatic Advertising under the CCPA

On October 22, the Interactive Advertising Bureau, a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create service provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.

Posted in International/EU Privacy

CJEU: Consent on the Internet Means ‘Opt-In’

On 1 October 2019, the Court of Justice of the European Union handed down a crucial decision impacting the way that consent is obtained on the internet. The judgment relates to Case C-673/17. In the Planet49 case, the German Federal Court referred a number of questions to the CJEU regarding the validity of consent to cookies placed by a website operating an online lottery.

Posted in International/EU Privacy

New French Guidelines on Cookies and Trackers

On 19 July the French Data Protection Authority published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).

Posted in International/EU Privacy

Crumbs of Comfort: the Advocate-General’s Opinion on Consent and Cookies in Planet49

It’s no secret that a hot topic, perhaps the hot topic, in the European data protection world at present is the interplay between the GDPR and the e-Privacy Directive, in particular how it affects online advertising involving cookies. The European Data Protection Board recently released an opinion on this topic, and on 21 March the Court of Justice of the European Union released Advocate-General Szpunar’s opinion in the case of Planet49, which discusses the requirements for valid consent, in the context of both cookies under the e-Privacy Directive and more general data processing under the GDPR.

Posted in International/EU Privacy

Cookie Consent Is the New Panic

Judging by the number of calls and the intensity of the discussions about how to comply with the cookie consent requirement in a post-GDPR world, this issue has become a top worry for organisations and data protection officers. Partly due to the visibility of the mechanisms used to collect this consent, and partly due to the potential implications of operating a website without cookies, the dilemma around what solution to deploy has become a serious business decision. Different business stakeholders are often at odds with each other and matters are getting escalated to decision makers who had never been involved in the technically complex and largely misunderstood world of cookies. The tension is rising and yet, no approach has emerged as the preferred one among all involved. So everyone is getting anxious to find a way to do what they have always done and comply with the law. Is this panic justified?

Posted in International/EU Privacy

The True Global Effect of the GDPR

“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder over the right strategy to privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?

Posted in International/EU Privacy

Council e-Privacy Regulation Negotiations Critical for the Future of IoT and AdTech

Following the European Commission and European Parliament’s proposed versions of the EU Regulation on Privacy and Electronic Communications, we are now waiting for the Council of the European Union to agree their position before discussions between the three bodies can begin. A discussion paper from the Bulgarian Presidency of the Council dated 11 January 2018 shows that the Council is still considering multiple options in relation to several critical issues.

Posted in International/EU Privacy

Chinese Appellate Court Provides Guidance for Lawful Use of Cookies

On 6 May 2015, the Intermediate People’s Court of Nanjing City, Jiangsu Province, issued a civil judgment ruling that the search engine giant Baidu’s use of cookies to personalize advertisements directed at consumers on partner third party websites does not infringe consumer rights of privacy. The court based its decision on findings that the information collected by the Baidu cookies did not amount to “personal information” under Chinese law, the complainant did not suffer cognizable injury by receiving targeted ads on other sites, and Baidu afforded consumers mechanisms to opt-out.

Although not binding on other courts, this judgment has significant implications. It provides insight into how other courts in China are likely to handle similar challenges to the use of cookies in the future, and its detailed analysis of Baidu’s cookie policy sheds light on what policies and practices companies in China would be prudent to adopt in order to best balance industry and consumer interests in compliance with the law.

Posted in International/EU Privacy

Data Protection Compliance in Spain (2015)

Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also counts with some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency – with a reputation for being one of the fiercest of the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.

Posted in Consumer Privacy

French CNIL Enforces Cookie Consent

On June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies. After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.

Posted in Consumer Privacy, International/EU Privacy

Sweep Reveals Scale of Cookie Consent Non-Compliance

The results of an international investigation into the cookie consent practices of 478 websites frequently visited by European citizens have now been published. The outcome is perhaps unsurprising: cookies are used en masse by websites operating in Europe, their expiry dates are often excessive, and crucially, not enough is being done to provide notice and obtain valid consent for the use of cookies and other device identifying technologies. The specific websites that were investigated are not identified (as yet), however those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.

Posted in International/EU Privacy

Cookie Consent—What’s Changed?

Almost five years ago, EU legislators shocked the Internet world by changing the legal requirement for the use of cookies and similar device identification techniques from “notice and opt-out” to “notice and consent.” At first, there was a sense of disbelief about whether this sudden legal twist was for real. As the dust settled, it became clear that what had been common practice until then—sticking a generic paragraph about the use of cookies in the privacy policy and referring users to the browser’s menu for further control—was no longer enough to comply with the new requirement.

Posted in International/EU Privacy

Italian DPA Publishes Decision on Cookies

On 3 June, Italy’s data protection authority, the Garante, published a general decision on user notice and consent requirements when an organization uses cookies as part of its online services. The decision outlines specific categories of cookies based on their intended uses and the roles played by the entities placing those cookies, and highlights different levels of notice and consent requirements for each. The decision also offers guidelines for providing users with adequate notice through a two-layer privacy notice and outlines the consequences of failing to comply with Italy’s rules on cookies.

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Issues Guidance on Cookie Consent

On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”

Posted in Consumer Privacy, International/EU Privacy

Spanish Data Protection Agency Releases Guidance on Cookies Regulation

On April 26th, the Spanish Data Protection Agency (“SDPA”) issued its long-awaited guidance on the Spanish cookies regulation, which requires companies seeking to place cookies on users’ devices to obtain those users’ prior opt-in consent after providing them with clear and complete information about the use of cookies and the purposes for which data collected via cookies will be processed. The guidance, which the SDPA drafted in collaboration with industry, takes a business-oriented approach and provides companies with several alternatives for complying with the regulation’s notice and consent requirements.

Posted in News & Events

Privacy Law in 2012: Where We Are and Where We Are Going

On August 3, at the ABA Annual Meeting, the ABA Section of Administrative Law and Regulatory Practice held a panel moderated by Hogan Lovells privacy leader Chris Wolf entitled “Privacy Law in 2012: Where We Are and Where We Are Going.” The article below, reprinted with permission from ABA Now, describes thoughts of the panelists on the future of privacy in the US and in Europe.

Posted in International/EU Privacy

Article 29 Working Party Publishes Opinion on Cookie Consent Exemptions

On 7 June 2012, the Article 29 Data Protection Working Party issued an opinion on cookie consent exemptions. The Directive 2009/136/EC, amending Directive 2002/58/EC, introduced an opt-in regime which requires providers to request that users grant their express consent to the use of cookies, as opposed to the regime under which users are given the opportunity to opt-out. This opinion clarified when opt in consent is needed, and when it is not.

Posted in International/EU Privacy

Amended UK Cookie Regulation Grace Period Expires; Implied Consent Can Be Valid

For over a year companies have been trying to determine how to achieve compliance with the UK Information Commissioner’s Office’s (ICO) amended Privacy and Electronic Communications Regulations (the “cookies law”), which implemented 2009 amendments to the EU’s Privacy and Electronic Communications Directive of 2002. Last week, the ICO made it clear that reliance on implied consent would be an acceptable form of consent.

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Rebuffs European OBA Industry… Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising industry’s self-regulatory proposal, continuing to hold firm that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. The Working Party broke down the OBA industry proposal, and then–in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows–offered up a number of methods of obtaining consent not involving pop-ups.