Companies using cookies on their websites throughout the European Union should take note of the latest guidance published last Monday by the Article 29 Working Party.

Despite various attempts to clarify the area since the infamous “cookie law” was passed in the EU in 2009, the Working Party acknowledged in its latest opinion that there continues to be a serious lack of harmonisation across the EU regarding the implementation of consent mechanisms: member states have chosen a variety of methods, and regulators have consequently issued varying, sometimes conflicting, advice to companies using cookies on their websites.

So, in view of such variation and lack of harmonisation, how can a company using cookies implement a consent mechanism that satisfies the requirements for obtaining valid consent in all EU member states? The Working Party recommends that “such consent mechanism should include each of the main elements of specific information, prior consent, indication of wishes expressed by the user’s active behaviour and an ability to choose freely.” This recommendation can be broken down into four relatively simple and practical requirements, all of which should therefore be included in any consent mechanism operating across the EU:

Specific Information: users should be provided with clear, comprehensive, visible and appropriate notice regarding cookies and their use on the relevant website.

Prior consent: consent should be obtained before cookies are set or read. Website operators should ensure that, technically, no cookies are placed on the user’s device before the user’s consent has been obtained. This does not of course apply to those cookies for which the operator does not require the consent of the user (e.g. those which are strictly necessary for the operation of the website).

Positive action: consent should result from a positive action or other “active behaviour” of the user, such as ticking a box or clicking a button. A simple link to a cookie policy or information regarding cookie use would therefore not satisfy this requirement.

Free choice: consent must be given freely, suggesting that the user must be given a real choice.  The Article 29 Working Party guidance states that websites should not condition general access to their site on the acceptance of all cookies. “It is recommended to refrain from the use of consent mechanisms that only provide an option for the user to consent, but do not offer any choice regarding all or some cookies…Granularity in the options available to the user is highly recommended”. This, as the guidance document suggests, is in line with obligations under the general data protection directive, referring to “only personal data that is adequate, relevant and not excessive in relation to the purposes for which they are collected.”

As yet, the UK regulator has not issued further guidance regarding cookie use and has not chosen to update its guidance published in May 2012. It will be interesting to see whether, and if so how, the ICO and other regulators in the EU will act in the light of this latest guidance from the Article 29 Working Party.

In any event, companies using cookies on their websites across the EU should act on the guidance without delay in order to avoid falling foul of requirements in any of the individual member states.