



Cookies and similar tracking technologies are data collection tools used to gather information about internet users for various purposes, including remarketing and audience measurement. Concerns have grown among internet users as a result of the increased reliance on tracking cookies set by websites on the devices of their visitors or users. Regulators are employing all possible legal measures to address this rising threat. The General Data Protection Regulation (GDPR) and the EU ePrivacy Directive already provide guidance on the requirements of using cookies. Furthermore, EU national data protection authorities and the European Data Protection Board (EDPB) have issued guidelines to clarify how cookie laws are interpreted and are likely to be applied.
In May 2020, the European Data Protection Board issued its guidelines on consent, which included rules concerning cookies. These guidelines were critical in establishing the fundamental rules for using cookies and other similar technologies.
The European Data Protection Board is an independent body that works to ensure that data protection standards are applied consistently throughout the European Union (EU). It encourages collaboration among the EU’s data protection authorities (DPA). The EDPB was established by the GDPR and is headquartered in Brussels.
The EDPB replaced the Article 29 Working Party (WP29), an independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018, when the GDPR went into effect.
The EDPB is composed of representatives from the EU Member States' national DPAs and the European Data Protection Supervisor (EDPS), who verifies that EU institutions and bodies respect people's right to privacy when processing their personal data. The supervisory authorities of Norway, Liechtenstein, and Iceland are also members of the EDPB, although they do not have the right to vote or be elected as chair or deputy chair.
On 4 May 2020, the EDPB adopted the Guidelines 05/2020 on consent under Regulation 2016/679 (“Consent Guidelines”). These guidelines are commonly known as the "Cookie Guidelines," although it should be noted that the Guidelines are not solely about cookies; rather, they shed light on some of the most important issues surrounding cookies. The EDPB Cookie Guidelines ensure a harmonized approach on the conditionality of consent and the unambiguous indication of wishes.
The two most important clarifications provided by the EDPB Cookie Guidelines are:
The Guidelines state that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).” This provision clearly states that cookie walls are prohibited.
Cookie walls do not give individuals a genuine choice because access to a website's content or functionality is contingent on the individual's acceptance of all cookies, and individuals are denied the freedom to reject the placement of cookies on their devices.
Until the Guidelines were released in May 2020, many websites depended on scrolling or swiping through the website to signify consent to the websites’ tracking policies. The EDPB reiterated that this approach is illegal, stating “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”
The rationale behind this clarification is that scrolling or swiping is not an unambiguous indication of an individual's consent because it could alternatively be an indication of rejection. Because it is not technically possible to distinguish whether users want to accept or reject the placement of cookies by scrolling or swiping the website, it does not meet the GDPR's requirement of unambiguous consent.
No, the EDPB Guidelines are not legally binding in and of themselves. However, it should be noted that the Guidelines reflect the authorities' agreed-upon shared position and understanding. As a result, adhering to the EDPB Guidelines is critical to ensuring compliance with the GDPR and national data protection laws.
Since the EDPB Cookie Guidelines are not legally binding, companies are under no direct obligation to follow them. However, the Guidelines clarify how national DPAs would interpret and apply the provisions of the GDPR. Because of this, the Guidelines are a vital legal instrument. As a result, companies subject to the GDPR are recommended to follow the EDPB Cookie Guidelines in order to avoid sanctions for GDPR violations.
The GDPR applies to the following companies:
The EDPB Cookie Guidelines have important implications for companies having an EU presence and those engaging with EU citizens and residents.
Some national data protection authorities of the EU member states have issued a set of guidelines in order to regulate the use of cookies by websites and mobile applications in their territories. These guidelines provide non-mandatory rules but are significant pieces of soft law instruments for compliance with the GDPR, and national data protection and cookie laws.
Data Protection Authorities are independent public authorities with investigation and corrective powers that oversee the implementation of data protection laws. They provide expert advice on data protection issues, investigate complaints about violations of the GDPR and relevant national data protection legislation, and levy penalties and other corrective measures against entities that violate the GDPR and national data protection laws. Each EU Member State has its own DPA. Examples include the Commission Nationale de l'Informatique et des Libertés (CNIL) of France, the Agencia Española de Protección de Datos (AEPD) of Spain, and the Garante per la Protezione dei Dati Personali (Garante) of Italy.
National cookie guidelines are non-binding legal instruments that are issued by EU national DPAs. These cookie guidelines set out clarifications on various aspects of cookie usage by websites that are subject to specific DPA jurisdictions. Cookie consent requirements, consent rejection and withdrawal, and the legality of cookie walls are all typical topics addressed in national cookie guidelines.
Several national DPAs have issued cookie guidelines, and many more are expected to do so in the next months or years. While there may be some differences among the national cookie guidelines, the core principles defined by the EDPB Cookie Guidelines and the Planet 49 case remain the same. These basic principles are:
National cookie guidelines are not legally binding on their own. However, it must be noted that these cookie guidelines provide strong references for organizations to anticipate how the national DPA may conduct its compliance investigations. Furthermore, the national DPAs have the authority to impose sanctions on organizations and would most likely utilize the cookie guidelines published as a point of reference.
National cookie guidelines issued by the national DPAs in the EU are non-binding instruments. They are, nonetheless, vital legal instruments for organizations since they show how national DPAs would use these cookie guidelines to describe non-compliance with the GDPR and national data protection laws. Thus, compliance with national cookie guidelines is recommended for those who fall under the territorial scope of the relevant DPA. For example, the CNIL Cookie Guidelines are relevant for organizations with an establishment in France. Additionally, because the GDPR applies “extraterritorially,” meaning to organizations established outside the EU, we can conclude that an organization without an establishment in France that offers goods or services to French people, or monitors their behavior, becomes subject to CNIL’s authority.
To summarize what has been stated above, the national cookie guidelines should be complied with by organizations:
Also, if you are an organization with no base in the EU then you must appoint a representative in the EU. A representative will act on your behalf in relation to GDPR compliance matters.
There are no monetary penalties or other repercussions for non-compliance under the national cookie guidelines. Non-compliance with cookie guidelines will result in non-compliance with national data protection laws as well as the GDPR. As a result, monetary fines and other sanctions under the GDPR will be imposed.
For less serious violations, GDPR imposes a fine of up to EUR 10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever is greater. For more serious violations, the monetary fines can be EUR 20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is greater.
Non-compliance with cookie rules has resulted in massive fines for big corporations. As a result, companies are recommended not to take national cookie guidelines for granted and to commit efforts to understand and comply with them where applicable. Some national DPAs, such as the French DPA, are particularly active in enforcing cookie rules.
For example, in December 2020, the CNIL imposed large GDPR fines on two major technology businesses for breaking cookie rules. These companies "placed advertising cookies on users' computers ... without obtaining prior consent and without providing adequate information." Google received two monetary fines totaling EUR 100 million as a result of the infraction, while Amazon received a monetary fine totaling EUR 35 million. The fines imposed by CNIL do not stop with the penalty listed above. The French DPA recently slapped two large fines on two major multinational technology companies.
According to the CNIL cookie rules, rejecting consent to use cookies should be as simple as giving it. That is, if just one click is needed to place cookies on users' devices, you must enable refusal of consent in the same way - with just one click. The French DPA recently levied substantial fines on Google and Facebook for failing to comply with the aforementioned criteria. Google received a penalty of EUR 150 million, while Facebook received a penalty of EUR 60 million. The CNIL's argument was that these businesses (websites) "offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other), enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them."
As a result, it is strongly advised that organizations follow the national cookie guidelines in order to avoid any hefty fines.
National cookie guidelines generally overlap in their requirements. However, there are some distinctions between them. To ensure compliance, check which criteria apply to your company and make sure you understand and commit resources to meet their requirements.
The cookie guidelines of the DSK, the association of German state data protection authorities, provide clarity on the use of cookies by German websites and mobile applications.
In Germany, private sector companies are subject to the jurisdiction of state data protection authorities (DPAs) such as Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit or HmbBfDI), Berlin DPA (Berliner Beauftragte für Datenschutz und Informationsfreiheit or BlnBDI), and others. The DSK is an association of independent state data protection authorities in Germany. The DSK deals with and comments on the data protection issues in the country. It acts as a coordinating body and makes no decisions that are binding on the organizations.
The German DSK issued its cookie guidelines in April 2019. After the German Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) went into effect on 1 January 2021, the DSK issued its Guidance for Providers of Telemedia Services, which was primarily concerned with the “cookie provision” of the new German law. The guidelines focus on the TTDSG's consent requirements and exceptions for cookie consent.
You must do the following to comply with the German DSK cookie consent guidelines:
In July 2019, the United Kingdom's Information Commissioner's Office (ICO) announced cookie guidelines pertaining to cookies and other related technology.
ICO stands for the Information Commissioner’s Office of the United Kingdom. This is the UK’s public authority in charge of enforcing the country's data protection laws. It issues guidance to assist firms in complying with privacy laws (UK Data Privacy Act 2018, UK GDPR).
On 3 July 2019, the ICO cookie guidelines were issued to address cookies and similar technologies in detail. The guidelines are critical for online services such as websites and mobile apps. The ICO cookie guidelines help businesses understand how the GDPR and the UK Privacy and Electronic Communications Regulation (PECR) are interpreted and applied.
ICO Cookie Guidelines require you to inform your users about the use of cookies. A good practice is to show them a cookie banner where they can choose their privacy preferences and read your privacy policy and cookie declaration.
Users must affirmatively accept cookies by clicking on the "ACCEPT" button or something similar. The user should check the boxes for each collection/processing purpose. Pre-ticked boxes are not allowed.
Cookie walls are often not permitted as a means of obtaining user consent. It is feasible, however, to use cookie walls as a requirement of access to specific website content.
Continued use of the website or browsing does not indicate acceptance of cookies and other tracking technologies.
The French DPA - CNIL has issued guidelines and recommendations concerning cookies. These guidelines and recommendations provide rules and best practices for websites and mobile applications to comply with data protection and cookie laws in France.
CNIL stands for Commission Nationale de l’informatique et des Libertés, the French national data protection authority. The French Data Protection Act of 6 January 1978, established CNIL France as an independent administrative authority responsible for ensuring the protection of personal data in computer files and processing operations, both public and private. They have the authority to enforce France's data protection laws.
On 1 October 2020, CNIL published its revised cookie guidelines, which were initially published on 18 July 2019 and partially annulled by the Highest Administrative Court of France. CNIL also published its final recommendations on the practical modalities for obtaining users’ consent (“Recommendations”) and a set of questions and answers about the recommendations (“FAQs”).
Users must be able to refuse consent to the use of cookies as easily as they can accept them. Users' inaction or silence (such as scrolling through and browsing) must be interpreted as a refusal to use cookies. Furthermore, users must have the right to withdraw consent at any time, and withdrawal must be as simple as giving consent.
The CNIL does not completely prohibit cookie walls. Cookie walls are permitted and legal in certain circumstances. Their legality must be determined on a case-by-case basis. When using cookie walls, you must guarantee that you present the user with clear information about the repercussions of accepting or declining consent, as well as information about the impossibility of accessing the content or service without consent.
In 2022, 81% of French companies are still not compliant with GDPR.
In addition to the CNIL cookie guidelines, the French DPA provided recommendations for following the cookie guidelines. Some of the most salient points from the CNIL recommendations are:
The Spanish DPA - AEPD issued its cookie guidelines that set out rules for compliance with cookie laws in Spain.
AEPD is short for Agencia Española de Protección de Datos which translates to “Spanish Agency for Data Protection.” They ensure that Spaniards adhere to European and national data privacy regulations. In Spain, the AEPD is the official supervisory authority for personal data protection issues.
In November 2019, the Spanish DPA published its guidance on the use of cookies and other similar tracking technologies (“Cookie Guidelines”). The DPA published an updated version of the Cookie Guidelines on 28 July 2020. The updated guidelines were published to reflect the changes made to the Consent Guidelines issued by the EDPB.
The Spanish DPA cookie guidelines require you to adhere to the guidelines by doing the following:
According to the Spanish DPA cookie guidelines, information about cookies can be provided in two layers.
The first layer must be identified by a generally used term, such as “cookies,” and must contain the following information:
The second layer must contain more detailed information about cookies (i.e., cookie policy).
The Dutch DPA published its cookie guidelines following its survey of a number of Dutch websites for GDPR compliant cookie consent requirements.
Autoriteit Persoonsgegevens (AP) is the Dutch Data Protection Authority. This independent administrative body has been appointed by law in the Netherlands as the supervisory authority for the processing of personal data. The AP is located in The Hague.
In December 2019, the Dutch Data Protection Authority released cookie consent guidelines to help website owners in the Netherlands deploy cookies in a GDPR-compliant way. This came in the aftermath of the Dutch DPA survey of a total of 175 websites in the Netherlands which concluded that 50% of those audited were found to be non-compliant with GDPR cookie consent requirements.
According to the Autoriteit Persoonsgegevens, you must:
The Italian DPA issued updated cookie guidelines in June 2021, which set out updated rules on cookies and similar technologies.
The Italian Data Protection Authority (Garante per la protezione dei dati personali, or simply Garante) is an independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data and to ensure respect for individuals' dignity.
On 8 May 2014, the Italian DPA issued a resolution about streamlined procedures for information notices and gaining consent for the use of cookies. Since then, there have been several amendments to the applicable legal framework in Italy, including the entry into effect of the GDPR.
On 10 June 2021, the Garante published its updated guidelines (Cookie Guidelines) concerning cookies and other tracking tools. The Cookie Guidelines aim to ensure that website owners comply with both the GDPR and the ePrivacy Directive.
The Italian DPA Cookie Guidelines set out that:
1. You must obtain consent before setting non-technical cookies (cookies that are not strictly necessary for the website to function).
2. Users visiting your site for the first time must be shown a cookie banner that is clearly distinguishable from other components of the website.
3. Scrolling cannot be relied on as a means of valid consent.
4. Cookie walls are not legal.
5. Analytics cookies can be used without consent only when it is not possible to single out a data subject.
6. You must wait at least six months before displaying your cookie banner again.
In Denmark, several organizations, including the national Data Protection Authority (Datatilsynet), have issued cookie guidelines. These guidelines provide necessary information for websites and mobile applications to comply with the GDPR and national data protection and cookie laws.
The Datatilsynet is the independent authority that supervises compliance with the rules on the protection of personal data. Datatilsynet provides guidance and advice as well as deals with complaints and makes inspections.
In Denmark, there are two primary laws to consider when it comes to cookies. They are as follows:
The Danish Cookie Law is administered by the Danish Business Authority (Erhvervsstyrelsen), whereas the GDPR and its national implementation are administered by Datatilsynet.
There are three pieces of guidelines relating to cookies that were published by the Danish authorities.
1. On 20 February 2020, the Danish DPA published cookie consent guidelines to help website operators comply with GDPR personal data processing obligations.
2. On 10 December 2019, the Danish Business Authority issued guidance on the usage of cookies.
3. On 12 February 2021, Datatilsynet, the Danish Business Authority, and the Danish Council for Digital Security announced joint guidance on the recommendations for cookie usage.
According to Danish DPA cookie consent guidelines, your personal data processing activities are GDPR compliant if and only if the following conditions are met:
The Belgian DPA cookie guidelines provide clarity on the use of cookies and other similar technologies.
The Data Protection Authority (in French: L'Autorité de protection des données or APD; in Dutch: Gegevensbeschermingsautoriteit or GBA) is an independent supervisory body responsible for ensuring compliance with the fundamental principles of personal data protection. The Authority was created in December 2017 as the national Data Protection Authority.
In December 2019, the Belgian DPA enforced a regulatory fine of EUR 15,000 on a website that provides legal news in the country. The primary reason for this penalty was the company's unauthorized use of cookies. However, several parties questioned the Belgian DPA's decision because there was no clear framework in place to help firms comply with GDPR cookie rules once the EU's precedent-setting data privacy law went into effect.
In response to this, on 9 April 2020, the DPA prepared and published new Consolidated Cookie Guidance on the Belgian DPA website.
The Belgian DPA’s Cookie Guidance provides clear guidelines you need to follow to ensure you obtain valid cookie consent in accordance with GDPR requirements:
The Greek DPA cookie guidelines were published following the audit carried out by the DPA for the use of cookies by the most popular Greek websites.
The Hellenic Data Protection Authority (HDPA) is a Greek independent public authority with its headquarters in Athens. The HDPA is responsible for supervising the implementation of the GDPR, the national data protection act, and other regulations concerning the protection of the individual from the processing of personal data, as well as the exercise of the duties assigned to it each time.
On 25 February 2020, the Greek DPA Cookie Consent Guidelines were published to help businesses in meeting GDPR compliance requirements. The Guidelines were adopted following the completion of an audit carried out by the HDPA for the use of cookies by popular Greek websites, in which the HDPA discovered that the majority of the audited websites were not GDPR compliant.
According to the Greek DPA cookie consent guidelines:
The cookie consent guidelines of the Hellenic DPA require you to provide users with information about cookies and why they must provide prior consent via applicable mechanisms such as cookie banners or pop-up windows.
As a data controller, to comply with the Greek DPA cookie consent guidelines, you must ensure that:
The Irish Data Protection Commission issued a cookie guidance note following the examination of the cookie policies and practices of a number of Irish websites.
The Data Protection Commission (DPC) is the independent national authority in Ireland responsible for upholding individuals' fundamental right to data protection in the EU. The DPC is the Irish supervisory authority for the GDPR and also has functions and powers related to other important regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
In April 2020, the Irish Data Protection Commission released a report known as the ‘cookie sweep survey,’ which examined the cookie policies and practices of 38 unnamed firms operating in Ireland.
The Irish DPC used a three-color coding system to assess the data controllers’ compliance levels: Red, Green, and Amber. While green denoted full compliance, amber denoted minor compliance issues and red denoted non-compliance. Only two of the 38 entities examined received the full green rating from the Irish DPC.
In April 2020, the Irish DPC issued a guidance note concerning cookies and similar technologies. Organizations were given a 6-month grace period (until October 2020) to bring their cookie usage in line with the guidance.
According to the DPC, businesses must obtain user consent in line with GDPR requirements. This means the consent must be: freely given, specific, informed, and unambiguous. However, the guidelines provide two crucial exceptions: the communications exemption, and the strictly necessary exemption.
If you allow third parties to add plugins, widgets, pixel trackers, or “like” buttons, you need to know what kind of data is shared with these third parties.
The Irish DPC requires you to obtain prior and valid GDPR cookie consent from users before placing this category of cookies on their devices. While first-party analytics cookies are unlikely to raise privacy issues when strictly limited to statistical purposes on your website, third-party analytics cookies are subject to GDPR compliance enforcement actions.
Suppose you maintain records of your consumers’ consent to installing cookies on their devices. In that case, the Irish DPC guidance note specifies that the period after which their consent should be re-obtained must not exceed six months from when it was first given. Similarly, if a user declines to consent to cookies, you may request their consent again after six months.
The Luxembourg DPA issued its cookies and similar technologies guidelines in October 2021 to help websites and mobile applications comply with the GDPR and national data protection and cookie laws.
The Luxembourg National Data Protection Commission (Commission Nationale pour la Protection des Données, or CNPD) is an independent public institution and acts as the official data protection authority in the Grand Duchy of Luxembourg. It verifies the legality of the processing of personal data and ensures the protection of personal freedoms and fundamental rights in terms of data protection and privacy.
The Luxembourg DPA - CNPD published its guidelines on cookies and similar technologies (Cookies) on 26 October 2021. The guidelines aim to help website and mobile app operators comply with the applicable legal framework in Luxembourg.
The cookie guidelines differentiate between essential cookies and non-essential cookies. The essential cookies are those for which consent is not required. On the other hand, non-essential cookies require prior consent from users.
To comply with the Luxembourg DPA cookie guidelines, you must meet the following requirements:
1. There is no need to obtain consent for essential cookies.
2. Provide information about the use of essential cookies.
3. You must obtain consent to use non-essential cookies.
4. You cannot use dark patterns to obtain consent.
5. Withdrawing consent must be as easy as giving it.
6. You must request consent 12 months after obtaining the first consent.
7. Have a two-layered cookie banner.
The Finnish Transport and Communications Agency - Traficom published its updated cookie guidelines in May 2021 based on the Finnish DPA - Data Protection Ombudsman ruling.
The Office of the Data Protection Ombudsman is a national supervisory authority in Finland that supervises compliance with data protection legislation. The Data Protection Ombudsman imposes administrative fines under the General Data Protection Regulation and issues statements on significant questions related to the application of the legislation governing the processing of personal data.
Traficom (the Finnish Transport and Communications Agency) is the authority responsible for monitoring and ensuring the confidentiality of electronic communications. It is also the competent authority on cookie regulation and supervision of the use of cookies.
In April 2020, Traficom published a ruling that declared it possible to give consent to cookies through browser settings. However, a month later, in May 2020, the Finnish DPA, the Data Protection Ombudsman, issued a decision that contradicted the ruling made by Traficom.
In May 2021, Traficom changed its cookie guidelines to reflect the decision of the Ombudsman.
The cookie guidelines of Traficom set out requirements for website and mobile application operators. The guidelines also cover similar tracking technologies, including session and local storage, tracking pixels, web beacons, tags, and fingerprinting technologies.
1. Non-essential cookies require prior consent.
2. Legitimate interest cannot be a ground for cookie usage.
3. Consent must be freely given, specific, informed, and unambiguous.
4. Rejecting cookies must be as easy for the user as it is to give consent.
5. Withdrawing consent must be as easy as giving consent.
6. Pre-ticked boxes are not lawful.
7. Consent cannot be bundled into the Terms of the website.
8. Provide information about the cookies.
9. Cookie walls are not allowed.
10. Referring to browser settings for rejecting cookies is not lawful.
11. Consent must be demonstrable.
The Latvian DPA released its cookie guidelines in March 2022 setting out information on the requirements of cookie usage and a model cookie policy.
The Data State Inspectorate (DVI) is the national data protection authority in Latvia. The authority is in charge of enforcing GDPR in Latvia.
In March 2022, right after the results of the cookie audit were released, the Latvian Data State Inspectorate published its cookie guidelines (“Cookie Guidelines”). The Cookie Guidelines set out information about cookies and their categories, requirements for the lawful use of cookies by website owners, and a model cookie policy for websites to publish.
To comply with the Latvian DVI Cookie Guidelines, you should satisfy the following requirements:
1. Provide clear and comprehensible information to the users
2. Use a multi-layered approach
3. Keep the cookie notice until the user makes a decision
4. Consent must conform with GDPR standards
5. Have both “Accept” and “Reject” options
6. Closing the banner cannot be considered consent
7. Do not rely on browser settings for consent
8. Consent must be demonstrable
9. Consent must be easy to withdraw
10. Renew consent regularly
National DPA cookie guidelines include a lot of similarities as well as certain differences. In this section, we will discuss these similarities and differences.
The cookie guidelines issued by most national DPAs are quite similar. This is because they mainly rely on the EDPB Consent Guidelines (also called the “Cookie Guidelines”) and the Planet 49 case. The key takeaways from the sources mentioned above are:
1. Cookie walls are not lawful as they do not give individuals a genuine choice over the use of cookies.
2. Scrolling/browsing cannot be relied on as an indication of consent, as it does not satisfy the requirement of a clear and affirmative action by the user.
1. Pre-ticked checkboxes allowing the use of cookies do not constitute valid consent.
2. When consent is required to place cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed, and unambiguous).
3. Consent cannot be bundled as it does not meet the “specificity” requirement under the GDPR. Thus, websites must request consent for different cookie usage purposes (granular consent).
4. Information must be given to visitors, including, among other matters, the duration of the cookie lifespan, whether third parties will have access to these technologies, and the categories of third-party recipient cookies.
5. Regardless of whether the cookies constitute personal data, Article 5(3) of the e-Privacy Directive (the cookie consent rule) applies to any information placed or accessed from an individual's device.
The cookie guidelines issued by most national DPAs are formed around the aforementioned rules and principles. There are, however, some minor differences among them.
Differences between national DPA cookie guidelines mainly concern issues that some guidelines regulate and others do not. It must be noted that this does not imply major differences in such cases. It is just that certain countries’ cookie guidelines are not as explicit as others and do not set out rules on specific issues relating to cookies. For example, not every national DPA provides rules concerning the UI design of cookie banners (i.e., rules relating to “Accept” and “Reject” buttons).
Other than that, some minor differences exist between cookie guidelines issued by national DPAs. These differences, which will be described below, do not contradict each other severely but vary slightly from each other based on certain nuances. For example, cookie walls are generally forbidden under almost all national DPA cookie guidelines. But some of them allow cookie walls to be used in certain limited circumstances (i.e., when cookie walls are used only to limit access to certain website sections if consent is not provided).
Below are the common differences found in most national DPA cookie guidelines.
Some cookie guidelines set out the lifespan for user cookie choices, whether acceptance or refusal. These lifespan rules may vary from country to country. For example, CNIL, as a best practice, considers that a 6-month period is appropriate for the validity of the choice made by a user. On the other hand, the Spanish DPA (AEPD) suggests that cookie choice should be renewed every 24 months, and the Luxembourg DPA (CNPD) requires renewing consent every 12 months. The Italian DPA, Garante, shares the same view as the French CNIL and considers six months appropriate for consent renewal.
Some national DPA cookie guidelines do not set a specific period for the validity of cookie consent choice but require that cookie choice lifespan be proportionate and limited to the purposes for which they are used (i.e., ICO).
However, some national DPA cookie guidelines are silent regarding cookie choice lifespan.
Cookie walls are generally declared unlawful by the EDPB Consent Guidelines. Most national DPAs follow the standard set by the EDPB. That said, some slight differences relate to rules on cookie walls established under national DPA cookie guidelines.
For example, the CNIL cookie guidelines do not ban cookie walls entirely. They allow the use of cookie walls if their lawfulness is assessed on a case-by-case basis. In addition, the ICO states that using cookie walls as a condition of access to specific website content is possible. Specific website content means you should not make “general website access” conditional on users accepting non-essential cookies; you can only limit access to a specific part of the website if the user does not consent.
One of the main differences found in the national DPA cookie guidelines is whether analytics cookies require prior consent or not. As a general rule, analytics cookies are subject to the requirement of prior consent. However, some national cookie guidelines exempt analytics cookies within certain strict limitations. For example, CNIL provides that certain analytics solutions could be exempt from the consent requirement. The consent exemption for analytics cookies applies subject to the following conditions:
In addition, the Italian DPA - Garante Cookie Guidelines set out that analytics cookies can be considered technical cookies (and thus, be exempt from consent requirements) under strict conditions. For analytics cookies to be treated as technical cookies, it is essential to prevent direct identification of the data subject or, in other words, keep your users anonymous.
Some cookie guidelines require websites to follow certain rules regarding cookie banner design. These requirements are mainly about the options given to users to accept or reject cookies and the prominence of these options.
While most national cookie guidelines are quite strict in this matter, several national cookie guidelines are silent concerning the same matter.
As an example, CNIL sets out that the “Accept all” and the “Reject all” buttons must be equally prominent (at the same level, with the same appearance). It constitutes a clear and simple way to allow the users to express their choices.
ICO considers that a consent mechanism that emphasizes the “agree” button over the “reject” button represents a non-compliant approach, as the online service is influencing users towards the “accept” option.
The Greek DPA provides that your cookie banner design must not influence the user’s cookie consent choice (i.e., by having a design that emphasizes the “Accept” button over the “Reject” one). The Hellenic DPA recommends that the design of your cookie banner should have the same font size and color emphasis for all buttons and be easy to read.
The Danish DPA suggests that you must provide equal opportunity to accept and reject the use of cookies and not mislead users with button sizes or colors. The Dutch DPA also suggests that the “Reject” and “Accept” options (either as buttons or links) should be of the same prominence.
On the contrary, some national DPA cookie guidelines do not provide any rules relating to cookie options. For example, the national cookie guidelines issued by the Belgian and Finnish DPAs provide no explicit requirement.
This section shows how you can comply with the cookie guidelines issued by EU national DPAs with Secure Privacy.
Secure Privacy is a company offering cookie consent management software (e.g. for GDPR). Secure Privacy provides a complete solution for your website and cookie consent needs. It offers a simple, easy-to-use interface that allows you to manage and automate your cookie compliance.
Secure Privacy software has the following features:
1. Customizable cookie consent banner
The cookie consent banner is easy to use and can be added to your website in minutes.
2. Cookie and privacy policy generator
To comply with the GDPR, CCPA, and other data privacy laws, you can quickly create a privacy/cookie policy. The platform's privacy/cookie policy can be changed without the requirement for a developer.
3. Automated website cookie scanning
Secure Privacy website cookie scanner software will scan all cookies and other tracking elements on your website, assisting you in meeting GDPR, CCPA, and LGPD standards.
4. Consent preference center
The consent preference center enables website visitors to opt in or opt out of cookies at any time. Visitors can withdraw their consent just as easily as they grant it.
5. Automated cookie consent recording
Secure Privacy automatically logs all cookie acceptances and declines for its customers.
6. Multi-language support
Secure Privacy supports more than 70 languages.
With Secure Privacy’s GDPR cookie banner, you can obtain valid cookie consent from users. Our solution helps you to ensure that:
Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR.
If you would like to receive additional information on the EDPB’s or national DPAs’ cookies guidelines or to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.