The new guidelines published by various DPAs clarify the EDPB guidelines and provide examples. They are part of a growing trend among the EU member states towards stricter enforcement of the GDPR, especially due to the increasing regulatory discrepancies among businesses. Regulators have recently imposed huge GDPR fines on major tech companies like Google, Amazon, and Twitter for cookie violations.
This is where guidelines issued by the national regulators play an important role in helping businesses comply with not just the broader GDPR rules, but also the state-level data protection laws.
You can read detailed summaries of the cookie guidelines released by respective Data Protection Authorities (DPA) here:
This blog will look into the guidelines of Ireland, Greece, and Finland.
Irish DPA Cookie Guidelines
Key takeaways from the DPC’s new cookie consent guidelines include:
- Non-necessary cookies and similar technologies (local storage objects or “flash” cookies, SDKs, pixel trackers, social buttons, device fingerprinting technologies, etc.) should not be set on the landing page of the website or app.
- However, unlike first-party analytics cookies, third-party cookies are considered a greater privacy risk for users and therefore are likely to be a priority for any formal enforcement.
- Consent cannot be “bundled” for multiple purposes, i.e. the cookie banner or pop-up should outline the specific purposes for which the cookies are used.
- The use of pre-checked boxes, sliders, or other tools set to ‘ON’ by default to signal a user’s consent is not allowed.
- The user must be able to withdraw consent as easily as they gave it, and you must not ‘bundle’ consent for cookies with consent for other purposes, or with terms and conditions for a contract for other services you provide.
- Implied consent is unacceptable, i.e. users’ continued use of your website, whether through clicking or scrolling, does not qualify as consent to set cookies.
- Users should be able to change their cookie preferences at any time via a cookie button (or a “radio button”) available on each web page.
Greek DPA Cookie Guidelines
The Hellenic Data Protection Authority (HDPA) published cookie guidelines. The guidelines seek to help businesses adapt to the requirements of the GDPR and the ePrivacy Directive.
The cookie consent guidelines state that:
- Continued browsing or scrolling through a website and pre-ticked boxes cannot be considered affirmative consent given by users.
- Prior user consent is necessary before placing cookies or trackers, including advertising and web analytics cookies.
- Cookie walls are not valid consent as users should not be subject to accepting cookies to access the service or functionalities of the website.
- Only strictly necessary cookies that are essential for the functioning of a website or the delivery of a service as requested by the user are exempt from prior consent.
The cookie consent guidelines refer to the following actions as unlawful:
- Using cookie walls that deny users access to the website without active consent using ‘Accept All’, ‘I Agree’ buttons.
- Treating a user’s inaction regarding the cookie banner, i.e. scrolling or closing the cookie pop-up, as an indication of consent.
- Emphasizing the size or color of the ‘Accept’ button over the ‘Reject’ button. For instance, large or bold ‘Accept’ buttons that nudge the user to choose it.
- Denying users the option to change cookie preferences easily, or allowing cookie settings to be changed only through web browser settings.
Finnish DPA Cookie Guidelines
In 2020, the Finnish Data Protection Authority ruled that asking users to manage cookies via browser privacy settings does not constitute sufficiently active and explicit consent under the GDPR.
- Consent cannot be given by silence i.e. through pre-ticked boxes or inactivity regarding the consent banner/pop-up.
- Cookie notices have to be clear and concise and should not be disruptive to the use of the service or the website.
- Data subjects have to be offered a genuine choice concerning accepting or declining cookies.
- The option to reject cookies must be as easy for the user as it is to give consent to cookies.
Interestingly, the DPA’s decision differs from that of the Finnish Transport and Communications Agency (Traficom), which is the governing body for consent as provided in the ePrivacy Directive under Finnish law. (The DPA is a supervisory body that checks compliance with data protection law in general.)
How to Comply with Cookie Consent Guidelines?
As the data protection agencies in Europe move in one direction to define and clarify the rules set by the GDPR and EDPB, businesses should move in the right direction — compliance.
- Deploy cookie consent banners with clear information, including a cookie audit table that states the category of cookies and their purpose.
- Give users a granular option to enable/disable the use of specific categories of cookies.
- Ensure that the ‘Accept’ and ‘Reject’ buttons are displayed at the same level in color and layout.
- Display a dynamic cookie banner to users in different geolocations so that they can access the banner in a language they understand.
- Record user consent for proof of consent and to demonstrate compliance, in case it’s necessary.
- Place a ‘revisit’ consent widget on the website so users can withdraw/modify their cookie preferences at any time, as noted by the Irish DPC.
- Remember the cookie settings and preferences of a user, so that banners are not displayed on each visit.
You can do all this and much more with CookieYes — a cookie consent solution that will help you achieve GDPR compliance. If your website has visitors from the US, you can also enable CCPA compliance.
You can add highly customizable cookie banners, audit the cookies used on your website with automated scanning, automatically block third-party cookies, manage cookie settings, and record user consent all in a single dashboard.
CookieYes supports auto-translation of cookie banners in multiple languages including English, French, Spanish, Irish, Portuguese, Swedish, German, Finnish, Danish, Turkish, etc.
With CookieYes, you don’t have to look further for GDPR compliance.