Here are some of the most commonly asked questions about cookie consent. We'll try to help clear up any of the confusion you may be having regarding cookie consent laws, notices, consent, and compliantly using cookies.
What laws require cookie consent?
- 1. What laws require cookie consent?
- 1.1. Europe
- 1.1.1. General Data Protection Regulation
- 1.1.2. ePrivacy Directive
- 1.1.3. Implementation
- 1.2. Outside of Europe
- 1.2.1. Children's Online Privacy Protection Act (COPPA)
- 1.2.2. Laws That Don't Require Active Consent
- 2. What are the types of consent?
- 2.1. Clickwrap
- 3. What forms of cookie consent are permissible?
- 4. Can I make consent mandatory?
- 5. What counts as a necessary cookie?
- 6. What about third party cookies?
- 7. How long should cookies last?
- 8. Summary
General Data Protection Regulation
The GDPR is a broad data protection and privacy law that requires explicit, active consent before collect or using personal data.
A cookie counts as personal data if it either contains information about an identifiable individual, or if it can combine with other information to produce data about an identifiable information.
The GDPR applies if the site, the user, or the data processing is in an EU country.
The ePrivacy Directive preceded the GDPR, though both remain in force.
One of the key measures of the directive is that websites must get prior consent before issuing a cookie, though cookies required for basic site functionality are exempt. Unlike the GDPR, the ePrivacy directive extends to cookies that don't contain or produce personal data.
The directive applies to websites based in EU countries.
The GDPR is a regulation. That means that once it came into force, it had immediate legal effect in all European Union countries.
The ePrivacy Directive is a directive rather than a regulation. That means all European Union countries were required to make or amend domestic laws to implement the measures covered in the directive.
The two sets of rules work alongside each other. One important principle is that if the ePrivacy Directive requires consent for a particular cookie, then under the GDPR consent is the only acceptable lawful basis for personal data processing relating to that cookie.
Other lawful bases that could normally be an option under GDPR, such as "legitimate interests," are no longer available.
Note that although the United Kingdom is no longer an EU country, the GDPR will continue to apply there until the end of a transition period scheduled to end on 31 December 2020. After that, the measures of both the GDPR and ePrivacy Directive will continue to apply through domestic UK law unless and until that domestic law changes.
Outside of Europe
Several laws in non-EU countries cover cookie use. (Remember that if you have site users in the EU or process data in the EU, the GDPR also applies even if you are based outside of Europe.)
Children's Online Privacy Protection Act (COPPA)
COPPA applies to US websites aimed at people under 13. It also applies if the operators know that under-13s are using the site.
One key measure is that COPPA bans sites from using persistent identifiers on under-13s without verified parental or guardian consent. These include persistent cookies, which mean cookies that remain on a user's computer after they finish a session on a website, and thus will be accessed when they return to the site.
Laws That Don't Require Active Consent
Two Canadian laws, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation, both work on an opt-out basis for cookies.
This means you can infer consent unless the user indicates otherwise. Note that changing browser settings to block cookies counts as a sign of withholding consent.
What are the types of consent?
Over the years, websites have used several methods to obtain consent.
This method simply involves detailing the user of cookies somewhere on the site and including a line that says the user consents to the cookies by continuing to browse the site.
Different sites use browsewrap in different ways including:
- A header that the user can simply scroll past
- A pop-up or overlaid window that the user must actively click to dismiss. However, they may still be able to follow links to other site pages.
The IKEA website uses browsewrap on its front page, to let visitors to the site know that cookies are used:
Appropriately, the Information Commissioner's Office goes full-force on clickwrap. Until the users has clicked a button to confirm cookie settings, part of the page is hidden and all links disabled:
The clickwrap method is the one recommended as the new standard of appropriate consent. It's also required by the GDPR, and will likely be required by future privacy laws.
What forms of cookie consent are permissible?
Consent via cookie notices is mainly an issue for the European laws. That's because:
- COPPA and the the two Canadian laws don't require active consent for cookies
- When CalOPPA requires parental consent, the site operator must verify identity, so an on-screen notice won't be sufficient
Both the original text and later interpretations of the GDPR mean many methods of cookie consent gathering are invalid. That's because all consent under GDPR must be active and unambiguous signals from the data subject (in other words, the website user).
- Site Notices are invalid because there's no way of being certain the user has actually seen the notice before continuing to use the site
- Browsewrap is invalid because the user can continue using the site without actively and specifically giving consent to cookie use
- That leaves clickwrap with some form of active confirmation from the user
Until 2019, many site operators assumed that a simple confirmation button with a pre-ticked box was sufficient to comply with the ePrivacy Directive and the GDPR. However, a court case in Germany changed the rules for the ePrivacy Directive and set a precedent for future GDPR cases.
The German court ruled that a pre-ticked checkbox is invalid because there is too much risk that a user simply clicked through (intentionally or accidentally) without reading the cookie notice.
To be certain of complying with European rules, sites should use unchecked checkboxes by default for cookie notices. This requires the user to actively tick the relevant boxes (or change sliders or toggles) and then click a button to confirm their intentions, which gives an adequate level of certainty about their consent.
The Washington Post uses this approach:
Can I make consent mandatory?
Some sites make it mandatory to accept cookies (and sometimes other data processing) before accessing a website, a strategy sometimes called a "cookie wall." Critics said this violated the GDPR's requirement that data subjects have a free choice about consent.
The European Data Protection Board issues guidance on the application of the GDPR. In 2020 it updated its guidelines to say that consent collected in this way "does not constitute valid consent, as the provision of the service relies on the data subject clicking the 'Accept cookies' button. It is not presenting a genuine choice.
This means issuing and using cookies using a "cookie wall" would breach GDPR because, with the consent invalid, the site would not have a legal basis for the processing.
What counts as a necessary cookie?
This is a relevant issue for the ePrivacy Directive and in turn the domestic laws that implement the directive.
The rules say sites must get consent for any cookie unless it is strictly necessary. This means the cookie is essential to provide the required functionality of the site. This could be for the general operation of the site or for a particular task a user wants to perform.
One example of a necessary cookies is an online retailer's user putting an item into a virtual shopping basket. A cookie is needed to keep the item in the basket for the rest of the browsing session or until the user returns in the future.
Other examples could include:
- Single-session authentication cookies for sites that require a log-in
- Security cookies such as those designed to detect multiple failed login attempts
- Cookies used to balance demand across servers
- Cookies necessary to provide streaming audio or video (but not those which track a user's viewing habits)
It's key to remember that the "necessary" threshold is about providing the service or function that the user has chosen to access. It's not about what's "necessary" for the site operator's interests.
In particular, a site operator may consider analytics cookies to be necessary to running an effective business and boosting sales. However, they don't directly relate to the function or service that the user has requested. This means they aren't "strictly necessary" and you will need to get user consent.
What about third party cookies?
The general principle is that the website and the third party are both responsible for getting the necessary consent.
In practice, the third party normally has less control over how a request for consent is presented on a site. This means a third party may insist on a legally binding agreement with the website that says the site must comply with all relevant laws on cookie consent.
How long should cookies last?
This will depend on the purpose of the cookie and the grounds on which consent was or was not gathered. As a general rule, a cookie that's classed as "strictly necessary" and thus doesn't require consent under the ePrivacy directive should be a session cookie. This means it expires when the user leaves the site.
Persistent cookies, which last until a set date, are less clear cut. Generally, their duration should be proportionate and limited to their required purpose, striking a balance between making sure consent is still valid and avoiding unnecessary inconvenience for the user.
Let's recap some of the key answers to common cookie consent questions:
- The most prominent laws on cookies are in Europe: The GDPR (which has force across the European Union) and the ePrivacy Directive (which is implemented by domestic laws in EU countries)
- The GDPR may still apply to sites based outside Europe
- The measures of both these laws continue to have legal effect in the United Kingdom despite it leaving the EU
- The US COPPA law requires verified parental consent for cookies issued to users aged under 13. CalOPPA says sites which serve California residents don't need consent for cookies but must inform users of their existence.
- Canadian federal laws let sites infer consent to cookies unless a user opts out
Methods of gathering consent include:
- Site notice saying using the site implies consent
- Browsewrap: A statement that cookies are used and a user is implied to consent to this simply by being on the website
- Clickwrap: A user must actively and actually consent to cookies being used
- The GDPR specifically requires a clickwrap method, with a later ruling confirming this cannot involve pre-ticked checkboxes or toggles set to give consent by default
- A "cookie wall" that makes consenting to cookies a mandatory condition of using a site is not acceptable as it does not constitute a freely made choice to consent
- The ePrivacy directive exempts strictly necessary cookies from the consent requirement. This means they are necessary to provide the service or function requested by the user, not that they are necessary for the website operator's interests. In particular, analytics cookies are not classed as strictly necessary and thus do require consent.
- With third-party cookies, notification and consent gathering are the responsibility of both the website operator and the third party. The two may need both practical and legal arrangements to cover these responsibilities.
- In many cases, particularly for cookies classed as "necessary" and thus exempt from consent, session cookies are the best option. Where persistent cookies are used, they should have a reasonable and proportionate expiry date.