By Eliav Boaron and Dan Or-Hof.
Here are three tips you must consider while preparing for cookie compliance:
- Avoid placing cookies in EU users’ electronic devices before receiving GDPR-like consent (opt-in).
- Appoint a cookie champion that will handle the updates of the cookie list, address users’ requests and ensure that all EU users have an option to opt-out in a clear, accessible and proper way.
These three tips are based on recent guidelines of EU regulators about cookies and other tracking technologies, as further described below.
However, let’s begin with a short introduction. To do so, we need to go back to 2002, and more specifically to the 2002 e-Privacy Directive (ePD), an important EU legal instrument for privacy in the digital age.
Among others, the ePD covers confidentiality of communications and the rules about tracking and monitoring.
The ePD, as amended in 2009 (known as the ‘Cookie Directive’), has caused many websites to create cookie banners on their homepages and offer cookie notices.
Just as the GDPR repealed Directive 95/46/EC, the EU is continuously working on a new e-Privacy Regulation (ePR), which will harmonize the rules for privacy in communications across the EU and serve as a modern substitute for the ePD.
The final version of ePR has yet to be published. However, the Council of the European Union (the Council), as well as specific EU member states regulators, have recently shed some light on this matter.
On 18 September 2019, the Council released proposed amendments to the existing draft ePR. The amendments point out that (the text between square brackets is our explanatory notes) –
“the responsibility for obtaining consent for the storage of a cookie or a similar identifier lies on the entity that makes use of processing and storage capabilities of terminal equipment [such as a laptop or cellphone], or collects information from end-users’ terminal equipment, such as an information society service provider [a website owner] or ad network provider. Such entities may request another party to obtain consent on their behalf”.
The German Data Protection Authority (“DSK”)
On April 5, 2019, the DSK published its Guideline for Telemedia Providers (in German). The DSK Guidance includes a specific requirement to obtain GDPR-like consent from users when web analytics tools are used to track the behavior of such users on the Internet.
As such, the collection of potential user data through cookies must be blocked while a cookie wall is displayed. A sole “Okay” button is not sufficient, and each user must have the option to manage the user’s cookie preferences, including the option to reject cookies.
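One way a site can enforce the rule described above in code, as an added example that is not part of the article and not the authors’ own material: a consent gate that keeps every non-essential cookie blocked until the user has made an explicit per-category choice, treats a bare “Okay” acknowledgement as no consent at all, and lets the user reject or withdraw at any time. The category model, the cookie inventory (the “cookie list” a cookie champion would maintain) and the sample Set-Cookie headers are constructed for illustration; the function names are hypothetical.

```javascript
// Added example (not from the article): an opt-in consent gate for cookies.
// Assumption: cookies are classified into categories, and only "necessary"
// cookies may be stored before the user decides. All names below are constructed.

const CATEGORIES = Object.freeze({
  NECESSARY: "necessary", // required for the service itself; no consent needed
  ANALYTICS: "analytics", // web analytics / behaviour tracking: opt-in required
  MARKETING: "marketing", // ad network identifiers: opt-in required
});

// Constructed cookie inventory: the list the cookie champion keeps up to date.
const COOKIE_INVENTORY = [
  { name: "session_id", category: CATEGORIES.NECESSARY, purpose: "keeps the user logged in" },
  { name: "analytics_id", category: CATEGORIES.ANALYTICS, purpose: "web analytics (hypothetical)" },
  { name: "ad_id", category: CATEGORIES.MARKETING, purpose: "ad network identifier (hypothetical)" },
];

// Initial state while the cookie wall is shown: no decision yet, only
// strictly necessary cookies are released.
function createConsentState() {
  return { decided: false, granted: new Set([CATEGORIES.NECESSARY]) };
}

// Record an explicit per-category choice. `choices` maps a category name to
// true (opt in) or false (reject). An empty choice set (a bare "Okay" click)
// is refused, because it is not GDPR-like consent.
function recordConsent(state, choices) {
  if (!choices || Object.keys(choices).length === 0) {
    throw new Error("a bare acknowledgement is not valid consent; per-category choices are required");
  }
  const granted = new Set([CATEGORIES.NECESSARY]);
  for (const [category, allowed] of Object.entries(choices)) {
    if (!Object.values(CATEGORIES).includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category !== CATEGORIES.NECESSARY && allowed === true) {
      granted.add(category);
    }
  }
  return { decided: true, granted };
}

// "Reject all" and later withdrawal both collapse to the necessary-only set.
function withdrawConsent(state) {
  return { decided: true, granted: new Set([CATEGORIES.NECESSARY]) };
}

// May this cookie be stored under the current consent state?
// Cookies missing from the inventory are blocked: an unlisted cookie has no
// declared purpose and therefore no basis for storage.
function mayStore(state, cookieName) {
  const entry = COOKIE_INVENTORY.find((c) => c.name === cookieName);
  if (!entry) return false;
  return state.granted.has(entry.category);
}

// Filter outgoing Set-Cookie header values so that blocked cookies never reach
// the user's device. The cookie name is everything before the first "=".
function filterSetCookieHeaders(state, setCookieHeaders) {
  return setCookieHeaders.filter((header) => {
    const name = header.split("=")[0].trim();
    return mayStore(state, name);
  });
}

// Constructed sample headers a server might try to emit on the first response.
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "analytics_id=xyz789; Path=/; Secure; SameSite=Lax",
  "ad_id=tracker42; Path=/; Secure; SameSite=None",
  "legacy_cookie=1; Path=/",
];

// Stand-alone demonstration.
const beforeDecision = createConsentState();
console.log("before decision:", filterSetCookieHeaders(beforeDecision, SAMPLE_HEADERS));
const analyticsOnly = recordConsent(beforeDecision, { analytics: true, marketing: false });
console.log("analytics opted in:", filterSetCookieHeaders(analyticsOnly, SAMPLE_HEADERS));
console.log("after withdrawal:", filterSetCookieHeaders(withdrawConsent(analyticsOnly), SAMPLE_HEADERS));
```

The gate is deliberately server-side as well as client-side in spirit: filtering the Set-Cookie headers means a misconfigured banner script cannot leak a tracking cookie before the wall is dismissed, and the inventory lookup makes the cookie list itself the single source of truth the cookie champion maintains.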