Cookies – The Need For Regulation

Written by: Chase Langhorne, Esq.

While we await the completion of the ePrivacy Regulation, countries are taking matters into their own hands by both publishing guidance and issuing fines related to cookie consent mechanisms on websites. The existing ePrivacy Directive was published in 2009. Upon the passage of GDPR in 2018, an updated ePrivacy Regulation was expected, but to date there has been no sign of it. The need for the ePrivacy Regulation centers on GDPR’s definition of consent, which is a data subject’s freely given, specific, informed and unambiguous indication of agreement to the processing of their personal data. The ePrivacy Regulation would provide much needed direction regarding how to obtain valid consent for setting non-essential cookies.

The data protection authorities for the United Kingdom (“ICO”) and France (“CNIL”) took it upon themselves to issue guidance explaining that website users must be offered the opportunity to opt in to the setting of non-essential cookies. As a practical matter this means having a pop-up cookie notice on the first page a user visits (not only the home page) that allows the user to choose which non-essential cookies are allowed. Gone are the days of cookie banners that allow for implied consent by the user’s continued browsing of a website. This presents an operational hurdle: website administrators must not only provide notice of the specific cookies being used, but also provide a mechanism that reflects the user’s wishes by allowing, or not allowing, certain cookies.

In mid-October the Spanish data protection authority fined a Spanish airline €30,000 for not providing users the opportunity to choose which cookies are allowed in a “granular” way. The airline’s website had a cookie banner that provided for implied consent if the user continued browsing, which the Spanish DPA found was insufficient to obtain valid consent. The fine centers on the airline’s failure to implement a management system that would allow users to choose which cookies are accepted upon visiting the website. This is the first fine issued concerning valid, granular consent for accepting non-essential cookies.

Without the ePrivacy Regulation, countries are left to provide piecemeal guidance, which, for now, leaves companies in the dark. Companies must decide whether to dedicate the resources to implement a system that might only be required by certain EU member states.