Following the implementation by EU Member States of the "cookie directive", Directive 2009/136/EC on e-Privacy, the past year has seen various countries issue guidance on interpretation and adopt a more proactive approach to enforcement. The same timetable has been adopted by several Data Protection Authorities (DPAs): firstly, releasing guidelines on the use of cookies detailing the best practices of compliance and, secondly, starting investigations into possible non-compliance a few months later.

We can see this trend in the actions of the Spanish and Dutch DPAs who have both started enforcing the national cookie laws. The French DPA recently announced the beginning of investigations and the Italian DPA released new guidelines due to be enforced on 3 June 2015.

Spanish Data Protection Authority's clarification of the cookies regime through guidelines and first sanctions

The Spanish DPA (the AEPD) has been particularly active on cookie regulation over the last year. The AEPD published a New Guide on the Use of Cookies (Guide) on 29 April 2013, and coinciding with the end of a compliance grace period associated with this guide, the AEPD then moved to issue the first fine in Europe for infringement of local cookie law.

The new Guide explains how companies can comply with the informed consent requirement imposed by Act 34/2002 on Information Society Services and Electronic Commerce (LSSI), and amended by Royal Decree Law 13/2012 in 2012, implementing the EU Directive on e-Privacy in national law. Three main points are highlighted:

  • the collection of implied consent can be valid provided it does not result from silence or inaction by the web user;
  • the information provided to users must be sufficiently visible (in the header or footer and then through the website terms or the Privacy and Cookies policy); and
  • a layered system of information can be set up, with essential information in the first layer and a link to a second layer providing additional information (e.g. the Cookies policy).

Following publication of the Guide, the AEPD started investigating the violation of cookie law by two jewellery companies, Navas Joyeros SL and Luxury Experience SL. The investigation led to a €5,000 fine for the companies as the information about tracking cookies provided on their websites was held to be insufficiently clear and comprehensible. Despite the companies having made several improvements, the AEPD considered that Navas Joyeros and Luxury Experience had violated Article 22.2 of the LSSI, which requires clear and complete information "about the use of cookies and the purpose of the processing of data".

It is worth noting that although neither website collected user consent to cookies, the AEPD was not able to issue a sanction for this infringement since Spanish law did not, at that time, authorise the AEPD to undertake enforcement on this issue.  This was corrected by the Spanish Legislator on 9 May 2014, with the adoption of the General Telecommunications Act 9/2014, which states that placing cookies on a user's terminal without obtaining consent is an infringement that can be enforced by the AEPD. The amendment to the law also provided the AEPD with a wider range of enforcement powers, including issuing warnings for failure to comply with applicable cookie law, maximum fines of € 30,000 for small infringements or up to € 150,000 for serious infringement (including in cases where more than one violation occurs during a three year period).

Investigations on tracking cookies and potential relaxation of the cookie law in the Netherlands

The Netherlands took an unusually narrow view when implementing the Cookie Directive with the result that Dutch cookie law requirements have been the most restrictive in Europe, leading to complaints that the consumer browsing experience was being adversely affected and that the compliance burden on companies was too high. In particular, publishers have been required to collect explicit opt-in consent from the users for all types of cookies (except strictly necessary cookies). On 20 May 2013, the Dutch Minister of Economic Affairs proposed an amendment to the cookie law, Article 11.7(a) of the Telecommunications Act. The Bill is currently before the second Chamber of the Dutch Parliament.

This amendment aims to exempt publishers using some type of cookies from the necessity of collecting user consent. Cookies that are "absolutely necessary to obtain information about the quality and the effectiveness of an information society service ("provided that this has no or little consequences for the privacy of the user") may benefit from this exemption. Analytic, affiliate and possibly testing cookies may fall within this exception. For cookies outside of scope, publishers will still need to collect the consent of the user. The amendment appears to be in favour of an implied consent inferred from the behaviour of users, meaning that a publisher could implement a banner mentioning information about cookies used and informing users that, by continuing using the website without a change in their privacy settings, they would be deemed to accept cookies being placed on their device.

Meanwhile, the Dutch DPA (the CBP) has conducted its first audit on the processing of cookies. On 27 March 2014, the CBP published its report on the activities of YD Display Advertising Benelux BV (YD). YD cooperates with advertisers to serve personalised advertisements to the user. YD was inserting cookies and pixels in user browsers to track their activities in order to see if they were visiting advertisers' websites, determine their interests and adapt the content of the advertisements accordingly. YD's partners were also able to place cookies and track users.

By using tracking cookies, YD violated Article 8 of the Dutch Data Protection Act, which requires the unambiguous consent of the user when processing personal data; and Article 11.7(a) of the Telecommunications Act, which presumes that tracking cookies storing personal data are not allowed unless they are covered by an exception. In particular, YD committed serious breaches by placing cookies before the webpage was loaded and, therefore, before users were informed and could opt-out, by not offering any opt-out option and enabling third parties to place cookies for advertising purposes. The CBP has decided not to impose a fine on YD, but, with this first audit of  cookie law compliance, has sent a clear message to publishers using tracking cookies and the supporters of an implied consent.

Beginning of investigations in France and new guidelines in Italy

On 11 July 2014, the French Data Protection authority (the CNIL) announced it will be launching a 'cookie sweep' in October 2014. This announcement follows various recent developments on cookie law in France. On 5 December 2013, the CNIL released new guidelines on cookies and tracking devices allowing publishers to collect implied consent from the users. In addition, the implementation of Directive 2011/83/EU on Consumer Rights in the French Consumer Code on 17 March 2014, amended the Data Protection Act and granted new online investigatory powers to the CNIL.  Under these new powers, the CNIL will be able "to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party's action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations" and, therefore, verify the publishers' process for collecting informed consent.

These new investigatory powers will be used for the first time in September 2014, for the European cookie sweep day' and from October 2014, for national investigations. The CNIL will focus on:

  • the types and purposes of the cookies used;
  • the procedure for collecting users' consent if required;
  • the visibility, quality and simplicity of the information provided; and
  • the consequence of refusing and the possibility of withdrawing consent.

The CNIL will be able to issue warnings, injunctions and monetary sanction up to € 150,000 to non-compliant organisations.

On the other side of the Alps, the Italian DPA (the Garante) published on 8 May 2014, its new guidance on the use of cookies. The guidance makes a clear distinction between technical and profiling cookies. For the first type of cookie (browsing, analytics and functional cookies) publishers need only inform users about their installation through a privacy policy and have no obligation to collect user consent. For the latter, publishers must provide a clear and immediate information notice, collect the consent of the user and notify the use of such cookies to the Garante before any installation. As in Spain,  consent can be collected through a two layered notice approach and the collection of implied consent appears to be acceptable. The Garante also limits the responsibility of publishers to their own cookies rather than to third party cookies served through a publisher's website. A grace period is provided for compliance which is set to end on 3 June 2015. Following the end of the grace period, the Garante is likely to commence its investigations and will be able to issue fines up to €120,000.


The grace period around compliance with cookie law is now over. DPAs are beginning to focus on use of cookies and are keen to start enforcing the law. It is now even more important to be actively compliant with cookie regulations in their various guises in each Member State.