Following the implementation by EU Member States of the 'cookie directive', Directive 2009/136/EC on e-Privacy, the past year has seen various countries issue guidance on interpretation and adopt a more proactive approach to enforcement. The same timetable has been adopted by several Data Protection Authorities (DPAs): firstly, releasing guidelines on the use of cookies detailing the best practices of compliance and secondly starting investigations into possible non-compliance a few months later.

We can see this trend in the actions of the Spanish and Dutch DPAs who have both started enforcing their national cookie laws. The French DPA has begun investigations, and the Italian DPA released new guidelines due to be enforced from 3 June 2015.

Spanish Data Protection Authority's clarifications of the cookies regime through guidelines and first sanctions

The Spanish DPA (the AEPD) has been particularly active on cookie regulation over the last year. The AEPD published a New Guide on the Use of Cookies (Guide) on 29 April 2013, and coinciding with the end of a compliance grace period associated with this Guide, the AEPD then moved to issue the first fine in Europe for infringement of local cookie law.

The Guide explains how companies can comply with the informed consent requirement imposed by Act 34/2002 on Information Society Services and Electronic Commerce (LSSI), and amended by Royal Decree Law 13/2012 in 2012, implementing the EU Directive on e-Privacy into national law. Three main points are highlighted:

  • the collection of implied consent can be valid provided it does not result from silence or inaction by the web user;
  • the information provided to users must be sufficiently visible (in the header or footer and then through the website terms or the Privacy and Cookies policy); and
  • a layered system of information can be set up, with essential information in the first layer and a link to a second layer providing additional information (e.g. the Cookies policy).

Following publication of the Guide, the AEPD started investigating the violation of the cookie law by two jewellery companies, Navas Joyeros SL and Luxury Experience SL. The investigation led to a €5,000 fine for the companies as the information about tracking cookies provided on their websites was held to be insufficiently clear and comprehensible. Despite the companies having made several improvements, the AEPD considered that Navas Joyeros and Luxury Experience had violated Article 22.2 of the LSSI, which requires clear and complete information "about the use of cookies and the purpose of the processing of data".

It is worth noting that although neither website collected user consent to cookies, the AEPD was not able to issue a sanction for this infringement since Spanish law did not, at that time, authorise the AEPD to undertake enforcement on this issue.  This was corrected by the Spanish Legislator on 9 May 2014, with the adoption of the General Telecommunications Act 9/2014, which states that placing cookies on a user's terminal without obtaining consent is an infringement that can be enforced by the AEPD. The amendment to the law also provided the AEPD with a larger range of enforcement powers, including issuing warnings for failure to comply with applicable cookie law, maximum fines of €30,000 for small infringements or up to €150,000 for serious infringement (including in cases where more than one violation occurs during a three year period).

In September,  the AEPD released  guidance on the content of the second layer of cookie information provided to web users, namely the cookie policy.  This should contain the following information about the cookies used by the website: name, purpose, use, ownership and identification of third parties who access to the collected data.   The language used in the policy should be clearly understandable, the use of Spanish (or other official languages in Spain) is mandatory. The AEPD also recommends the use of a table listing the name of each cookie used by the website. It is sufficient for websites to refer to a group of cookies with the same functionalities, if the detailed information listed above (name, purpose, use and owners) is clearly provided.  The AEPD permits the use of links to third party websites providing the required information  as long as it links successfully to up to date information.

Investigations on tracking cookies and potential relaxation of the cookie law in the Netherlands

The Netherlands took an unusually narrow view when implementing the Cookie Directive with the result that Dutch cookie law requirements have been the most restrictive in Europe, leading to complaints that the consumer browsing experience was being adversely affected and that the compliance burden on companies was too high. In particular, publishers have been required to collect explicit opt-in consent from the users for all types of cookies (except strictly necessary cookies). On 20 May 2013, the Dutch Minister of Economic Affairs proposed an amendment to the cookie law, Article 11.7(a) of the Telecommunications Act. The Bill is currently before the second Chamber of the Dutch Parliament and is expected to come into force by the end of the year.

This amendment aims to exempt publishers using some types of cookies from the necessity of collecting user consent. Cookies that are "absolutely necessary" to obtain information about the quality and the effectiveness of an information society service ("provided that this has no or little consequence for the privacy of the user") may benefit from this exemption. Analytic, affiliate and possibly testing cookies may fall within this definition. For cookies outside of scope, publishers will still need to collect the consent of the user. The amendment appears to be in favour of an implied consent inferred from the behaviour of users, meaning that a publisher could implement a banner mentioning information about cookies used and informing users that, by continuing using the website without a change in their privacy settings, they would be deemed to accept cookies being placed on their device.

Meanwhile, the Dutch DPA (the CBP) has conducted its first audit on the processing of cookies. On 27 March 2014, the CBP published its report on the activities of YD Display Advertising Benelux BV (YD). YD cooperates with advertisers to serve personalised advertisements to the user. YD was inserting cookies and pixels in user browsers to track their activities in order to see if they were visiting advertisers' websites, determine their interests and adapt the content of the advertisements accordingly. YD's partners were also able to place cookies and track users.

By using tracking cookies, YD violated Article 8 of the Dutch Data Protection Act, which requires the unambiguous consent of the user when processing personal data; and Article 11.7(a) of the Telecommunication Act, which presumes that tracking cookies storing personal data are not allowed unless they are covered by an exception. In particular, YD committed serious breaches by placing cookies before the webpage was loaded and, therefore, before users were informed and could opt-out, by not offering any opt-out option and enabling third parties to place cookies for advertising purposes. The CBP decided not to impose a fine on YD, but, with this first audit of cookie law compliance, sent a clear message to publishers using tracking cookies and the supporters of an implied consent.

The other Dutch DPA empowered to regulate the storage of cookies (the CMA) has also started enforcing cookie law, focusing initially on government websites.   In July 2014, it sanctioned the Netherlands Public Broadcasting (NPO) for  storing  cookies on its users' devices without informing them and without having collected their consent.  Following the pragmatic approach of the CBP, the CMA did not issue a fine, but obliged the NPO to make changes in order to become compliant. If the NPO does not remedy the lack of conformity to the rules on storing cookies, it will have to  pay a fine of € 25,000 per week of delay up to a maximum of € 125,000.

Beginning of investigations in France and new guidelines in Italy

On 5 December 2013, the CNIL released new guidelines on cookies and tracking devices allowing publishers to collect implied consent from users. In addition, the implementation of Directive 2011/83/EU on Consumer Rights in the French Consumer Code on 17 March 2014, amended the Data Protection Act and granted new online investigatory powers to the CNIL.Under these new powers, the CNIL is be able "to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party's action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations" and, therefore, verify the publishers' process for collecting informed consent.

These new investigatory powers were used for the first time in September 2014, for the European 'cookie sweep day' and have applied to national investigations since October 2014. The CNIL is focusing on:

  • the types and purposes of the cookies used;
  • the procedure for collecting users' consent if required;
  • the visibility, quality and simplicity of the information provided; and
  • the consequence of refusing and the possibility of withdrawing consent.

The CNIL can issue warnings, injunctions and monetary sanctions of up to € 150,000 to non-complying organisations.

On the other side of the Alps, the Italian DPA (the Garante) published on 8 May 2014, its new guidance on the use of cookies. The guidance makes a clear distinction between technical and profiling cookies. For the first type of cookie (browsing, analytics and functional cookies) publishers need only inform users about their installation through a privacy policy and have no obligation to collect user consent. For the latter, publishers must provide a clear and immediate information notice, collect the consent of the user and notify the use of such cookies to the Garante before any installation. As in Spain, consent can be collected through a two-layered notice approach and the collection of implied consent appears to be acceptable. The Garante also limits the responsibility of publishers to their own cookies rather than to third party cookies served through a publisher's website. A grace period is provided for compliance which is set to end on 3 June 2015. Following the end of the grace period, the Garante is likely to commence its investigations and will be able to issue fines of up to € 120,000.

Cookie regulation outside Europe: focus on the new Brazilian 'Internet Bill of Rights'

By approving the Marco Civil de Internet, law No 12,965/2014, on 23 April 2014, Brazil adopted its first legal framework for the internet. The law focuses mainly on privacy.  Under Article 11, every company – search engines, online retailers and social media websites – providing services to Brazilian users is within the scope of the law, wherever its servers are located. It applies to all companies collecting, storing and processing personal data of consumers located in Brazil.

Similar to the EU regime, the Brazilian law prohibits the collection, storage, sharing and disclosure of user personal data, unless the company has obtained the free, express and informed opt-in consent from the data subject. In practice, users may express their consent by clicking a checkbox before navigating  a website after having been informed about the processing of personal data through a privacy policy. While not specifically a 'cookie law', the law is widely drafted and clearly aims to include cookies in its scope.

Various sanctions may be imposed on breach, including: warnings, injunctions, fines of up to 10% of the business income of the breaching company in Brazil, temporary suspension and prohibition of the exercise of activities related to data processing in Brazil.  Brazilian subsidiaries, branches and offices of a company in breach will be jointly responsible for paying of the fine.

The Marco Civil da Internet entered into force on 23 June 2014, with real consequences for companies providing services to Brazilian users but European companies already used to complying with the EU Data Protection law won't see any radical changes. Even though this new law brings Brazilian law into the digital world, questions remain about the interaction of the law with international privacy laws.


The grace period around compliance with cookie law is now over. DPAs are beginning to focus on use of cookies and are keen to start enforcing the law. It is now even more important to be actively compliant with cookie regulations in their various guises in each Member State.  This is in addition to keeping an eye on international developments (like those in Brazil) where relevant.