The GDPR and the ePD (EU)

The EU privacy laws consist of the General Data Protection Regulation (GDPR) and the Electronic Privacy Directive (ePD), also known as the ePrivacy Directive or simply the “EU cookie law”.

Caution

While we love discussing regulatory interpretation with our customers, LiveRamp does not provide any feedback that should be considered legal counsel. Please work with your legal team or external counsel to determine the compliance interpretation that best suits your business’s needs.

The ePrivacy Directive came into effect in 2002 (amended in 2009) and mandated each EU member state to pass its own corresponding national laws. The ePrivacy Directive aims to harmonize the national protections for the fundamental rights of privacy, confidentiality, and free movement of data in the EU. It applies to the processing of data in connection with publicly available electronic communications services in the EU.

The ePrivacy Directive established that storing or retrieving any information from a user’s device is subject to consent. It has an exception to such consent, where it is “technically necessary to enable the intended communication to take place”. With the 2009 update, the ePD took on the name of The Cookie Law because it explicitly required consent from users to process their web cookies. This is the reason that cookie notifications have been around since before the GDPR and also why strictly necessary cookies are exempted from consent in certain EU Member Countries. Moreover, the ePrivacy Directive defined the need for cookie consent but did not define consent. As a result, ePrivacy rules were not enforced uniformly across the Member States. Part of the GDPR’s goal was to unify those rules. To do this, the GDPR needed to clearly define what consent is and when it’s needed.

The General Data Protection Regulation or the GDPR is a modernization of European law. Historically, data protection in Europe has been governed primarily by country law, enacted pursuant to the European Union (EU) Data Protection Framework. The GDPR is essentially a treaty between the EU Data Protection Authority and each of the EU member countries and is directly binding and applicable to the Member countries. However, it does provide flexibility for certain aspects of the regulation to be adjusted by individual member states.

The GDPR sets a higher expectation for transparency and consumer consent for collecting and using personal data. It intends for the consumer to have enough information about how the data will be collected and how it will be used so that they can make well-informed and appropriate choices about the information they share with the businesses. Selecting these choices or consent by the user is an important concept under the GDPR.

Consent under the GDPR is a freely given, specific, informed, unambiguous, affirmative action, and it should be as easy to withdraw consent as to give it. The Privacy Manager, LiveRamp’s Consent Management Platform (CMP), enables site owners to manage consent in a way that can comply with the GDPR and ePrivacy directive and gives their visitors the ability to change their data sharing preferences at any time. The consent status can be easily communicated to all vendors regardless of their participation in the IAB Transparency and Consent Framework.

In doing the above, the GDPR has become the global standard that all companies handling European data must comply with since May 25, 2018. The key contrasts between the ePD and the GDPR are: (1) the ePD is focused on communications, (2) the ePD covers more than personal data, specifically web cookies and traffic data, and (3) the ePD, as a directive, is not directly binding on the EU Member States in the way the GDPR, as a regulation, is.

The EDPB updated its guidelines on consent with the following topics relevant to our industry:

  • Consent is not valid based on conditionality in the form of cookie walls:

    • Cookie walls are dialog notices that do not let the user access the website until they agree to accept cookie tracking. Cookie walls do not give a genuine choice, as the user has to click the "Accept" button to access services and functionality, including content.

    • EDPB gives this example to explain clearly what they mean by genuine choice:

      “A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice”.

    • Paywalls and paid access are exceptions to this statement: access depends on paying a fee rather than on the user's consent.

  • Scrolling and swiping is not considered valid consent:

    • Consent has to be through a clear and affirmative action. If a user scrolls or swipes through the webpage, that cannot be considered as their consent.

    • Scrolling or swiping through the webpage is difficult to distinguish from other user activity, so it will be difficult to determine whether unambiguous consent has been obtained. Moreover, in such a case it will be difficult to provide a way for the user to withdraw consent that is as easy as granting it.

The AEPD (Agencia Española de Protección de Datos) updated its guide on the use of cookies (July 2020, with implementation before October 2020) to align with the EDPB:

  • Scrolling/browsing is no longer considered valid explicit consent.

  • “Cookie walls” do not offer an alternative to consent and should not be used.

  • Consent should be given through affirmative action. The use of an "accept" button is considered sufficiently evident to the user to count as affirmative action.

  • There is discretion in how users can accept, configure, and reject the use of cookies. Rejection can be offered either through a "reject cookies" button or through a link serving the same purpose.

CNIL (Commission nationale de l'informatique et des libertés), the French Data Protection Authority, released its near-final draft of consent guidelines for cookies and other trackers in July 2019. The purpose of these new guidelines was to bring CNIL’s stance on tracking, which had not been updated since 2013, in line with the GDPR. However, the French Administrative Supreme Court (Conseil d'Etat) struck down CNIL’s stance on cookie walls (more below).

CNIL revised its guidelines accordingly and, in September 2020, released the final version of its updated guidelines together with its practical recommendations on cookies and other tracking devices. Enforcement is expected from March 2021.

The following are the key takeaways from the guidelines and recommendations:

  • CNIL recommends the presence of a “reject all” option alongside the “accept all” option, but also considers a “decide later” option acceptable. The mechanisms for acceptance and refusal, such as "Accept all" and "Refuse all" or “authorize” and “prohibit” buttons, should be on the same layer with the same degree of simplicity, and rejecting online trackers should not be subject to complex procedures.

  • Anything other than affirmative action by a user (e.g. scrolling or browsing on a website) does not constitute consent to tracking. CNIL adopts a stricter standard, deeming browsing and scrolling to be a refusal of consent.

  • The CNIL recommends asking users for their consent independently for each purpose but allows for consent to be given globally as long as all purposes have been presented to users.

  • The choice expressed by users, whether consent or refusal, should be recorded so that it is not requested again for a certain period of time (i.e. if a user denies consent, the CMP should not be shown again the next time the user visits the same site).

  • Previously, CNIL’s draft guidelines had imposed a blanket ban on cookie walls. However, the Conseil d'Etat ruled that CNIL did not have the authority to enforce a blanket prohibition on "cookie walls" through its guidance, which is a soft-law instrument and cannot be binding. Currently, CNIL notes that making consent a condition of access to a service is prone to infringing the principle of free consent, and favours a case-by-case assessment of such models.

Relevant input by the EU DPAs:

Italy

  • The Italian DPA (Garante) issued cookie guidance in 2014 (available in Italian, with a summary in English). It will, however, be updated in light of the EDPB guidance on consent.

  • In particular, the section of the guidelines that considers consent valid when given by clicking on the short-form privacy information notice, or by continuing to navigate the site or scrolling the webpage, provided that such a mode of acceptance is expressly indicated in the privacy information notice, is affected by that update.

Germany

  • A German court referred the Planet49 case to the Court of Justice of the European Union, and the ECJ published its long-awaited judgment, ruling that implied conduct such as silence, inaction, or pre-checked boxes cannot be considered consent.

  • The German Data Protection Conference ('DSK'), the joint coordination body of the German data protection authorities, has issued the following guidance:

    • Guidance from the Supervisory Authorities for Providers of Telemedia (accessible here in German) ('the Guidance')

    • Guidelines on the Use of Google Analytics in the non-public sector (accessible here in German) ('the Guidelines on Google Analytics')

The Netherlands