Introduction
This checklist is intended to provide guidance to in-house counsel and private practitioners about complying with cookie requirements pursuant to EU Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the EU’s General Data Protection Regulation (EU GDPR), and to assist them when advising internal or external clients on these issues. Note that the EU GDPR only applies if the cookie data contains personal data. However, this will commonly be the case given the wide definition of personal data, in particular ‘online identifiers’ (eg, social media account handles or usernames, device fingerprints, pixel tags, media access control addresses, and advertising identifiers). Accordingly, in setting out the relevant requirements, this checklist assumes that the EU GDPR applies.
In this checklist, the term ‘cookies’ is used to mean both cookies (ie, small text files downloaded onto a device) and other similar technologies that access or store information on a user’s device. Examples of similar technologies to which the same requirements apply include HTML5 local storage, local shared objects, fingerprinting techniques, scripts, tracking pixels and plugins.
This checklist is EU-focused and covers:
- general requirements under the EU GDPR (to the extent cookie data contains personal data); and
- cookie-related requirements under the ePrivacy Directive.
The ePrivacy Directive (as transposed into domestic law by an EU member state) and the EU GDPR require organisations to comply with certain requirements when seeking to place cookies on a user’s device through the operation of an online service (eg, a website, app, connected device or other such product). These requirements can be broadly split into the following categories, each of which represents one section in this checklist:
- Obtaining consent using a valid cookie consent mechanism
- Maintaining a cookie policy to inform users about the cookies you use
- Implementing effective back-end cookie controls
This checklist only considers the requirements for placing cookies through an online service that you operate, and does not cover your placement of cookies on any third-party online services. In such cases, you will need to work with the third party to ensure that they comply with the requirements in this checklist, including obtaining consent for the placement of your cookies and informing users about what cookies you set and why. You will also need to include information about such cookies in your own privacy policy.
Key definitions such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.
Step 1 – Obtaining consent using a valid cookie consent mechanism
Whenever you seek to place cookies on user devices, your cookie consent mechanism must meet all of the requirements in the table below.
The only exemptions to these requirements are for essential cookies, or those which are placed for the sole purpose of transmitting a communication. If an exemption applies, the EU GDPR will still apply when the cookies involve the processing of personal data; however, you are not necessarily required to rely on consent as the lawful basis for such processing. See the explanatory notes at the end of this checklist for further information on the exemptions.
| No. | Requirement |
|---|---|
| 1.1 | Timing – obtain consent from users prior to the placement of cookies |
| 1.2 | Clear and distinct – use a clear and distinct mechanism to obtain consent from users, such as a pop-up banner, message box or header bar |
| 1.3 | Positive action – require users to consent via a positive and unambiguous action, and do not rely on pre-ticked boxes, continued use or any other default approach |
| 1.4 | Options – include options on the first layer of the consent mechanism for the user to accept all cookies, reject all cookies and manage cookie settings |
| 1.5 | Reject option – ensure users can reject cookies as easily as they can accept cookies, and that a link is not disguised as a reject button |
| 1.6 | Single preference cookie – if a user rejects cookies, explain that you will still place a single cookie on their device to record this choice (if applicable) |
| 1.7 | Settings management – allow users to manage their cookie settings at an appropriately granular level (eg, via a control panel), including with respect to third-party cookies |
| 1.8 | Information – provide links to your cookie policy and privacy policy on the first layer of the consent mechanism and within the settings management layer |
| 1.9 | Continuous option – provide users with an easily accessible and continuous option to withdraw their consent and manage their cookie settings after making an initial cookie decision |
| 1.10 | Design – do not use nudging techniques or dark patterns to influence users to consent to the use of cookies (eg, by emphasising an accept button over a reject button) |
| 1.11 | EU GDPR consent – ensure that your consent mechanism otherwise meets all elements for valid consent under article 9, EU GDPR |
Step 2 – Maintaining a cookie policy to inform users about the cookies you use
Whenever you seek to place cookies on user devices, your cookie policy or cookie notice must meet all of the requirements in the table below.
The only exemptions to these requirements are for essential cookies, or those which are placed for the sole purpose of transmitting a communication. However, even if an exemption applies, the requirements in the table are still considered best practice and, in any case, the EU GDPR (and its transparency and information requirements) will still apply if the cookies involve the processing of personal data. See the explanatory notes at the end of this checklist for further information on the exemptions.
| No. | Requirement |
|---|---|
| 2.1 | Clear and comprehensive – maintain a cookie policy that sets out clear and comprehensive information about the cookies you use |
| 2.2 | Cookie details – ensure your cookie policy includes information about the classification, purpose, type, duration and owner of each cookie you use |
| 2.3 | Classification – ensure the classification terminology used in your cookie policy aligns with that used in your cookie consent mechanism |
| 2.4 | Settings management – ensure your cookie policy includes information about how and where users can withdraw consent and manage cookie settings (eg, a link to a control panel) |
| 2.5 | Contact – ensure your cookie policy includes information about how to contact your organisation |
| 2.6 | Scope – ensure your cookie policy has a clear scope of application in terms of which online services it applies to |
| 2.7 | User-friendly – present your cookie policy in a user-friendly way that takes your target audience into account |
| 2.8 | Accessibility – make your cookie policy easily accessible to users, both at the time of making cookie decisions and continuously after that |
| 2.9 | EU GDPR transparency – ensure that your cookie policy (or privacy policy) otherwise meets all transparency requirements under the EU GDPR relating to your cookie use |
| 2.10 | Consistency – if separate documents, make sure your cookie policy and privacy policy contain links to the other and are consistent with each other |
Step 3 – Implementing effective back-end cookie controls
Whenever you seek to place cookies on user devices, your back-end cookie controls must meet all of the requirements in the table below.
Some of these requirements will not apply to essential cookies, or those which are placed for the sole purpose of transmitting a communication. For example, where consent is not relied on as the lawful basis to process personal data in connection with the placement of essential cookies, the consent-related controls below would not apply. See the explanatory notes at the end of this checklist for further information on the exemptions.
| No. | Requirement |
|---|---|
| 3.1 | Timing – ensure that cookies are not placed prior to obtaining consent from users and do not place cookies on any landing pages |
| 3.2 | User preferences – only place cookies in accordance with user preferences, and implement changes whenever a user updates their preferences |
| 3.3 | Classification – properly identify and classify all cookies, including the proper classification of essential cookies |
| 3.4 | Policy maintenance – update your cookie policy whenever you add or remove a cookie or otherwise change your use of cookies |
| 3.5 | Duration – ensure that each cookie you use has an appropriate duration, including by updating any default lifespans |
| 3.6 | Consent refresh – refresh consent at appropriate intervals and whenever you change your use of cookies |
| 3.7 | Third-party cookies – have appropriate arrangements in place with the owners of any third-party cookies, including ensuring that users can manage their consent to such cookies |
| 3.8 | Granular – ensure that user consent is appropriately granular and not fungible across multiple online services |
| 3.9 | Minimisation – carry out regular reviews of your cookies and ensure that your use of cookies is necessary and proportional to your purposes |
| 3.10 | Access to services and cookie walls – ensure that users can still access the core components of your online service if they do not consent to non-essential cookies |
| 3.11 | EU GDPR consent management – ensure that you otherwise comply with requirements for recording and managing consent under the EU GDPR |
Explanatory notes
General notes
Legal framework
Relationship between the ePrivacy Directive and the EU GDPR
The EU GDPR applies to all organisations’ marketing practices that involve personal data, while the ePrivacy Directive applies on top of the EU GDPR when organisations are marketing over electronic channels. The EU GDPR did not replace the ePrivacy Directive (although it has amended the definition of ‘consent’ to be used for the purposes of complying with the ePrivacy Directive). Service providers will need to comply with both the EU GDPR and the ePrivacy Directive insofar as they relate to their marketing and data processing activities.
Unlike the EU GDPR, which is a regulation (a binding legislative act that is applied in its entirety across the EU), the ePrivacy law is a directive, a legislative act that sets out a goal that all EU countries must achieve; however, it is up to the individual EU member states to devise their own laws on how to reach these goals. The ePrivacy Directive has been transposed into local law through legislation passed by each EU member state. The ePrivacy Directive, or more correctly, the relevant implementing laws of the EU member states, directly regulate electronic communications, including email marketing.
As the implementation of measures under the ePrivacy Directive varies from EU member state to EU member state, the relevant ePrivacy compliance requirements are difficult to standardise at EU level. As a result, analysis of any particular EU member state’s ePrivacy law implementing the ePrivacy Directive does not form part of this checklist.
EU member states can choose the form and methods for transposing directives into national law. However, they are bound by the terms of the directive as to the result to be achieved and the deadline by which the transposition should take place. Any references in this guide to requirements stated in the ePrivacy Directive are terms of the directive that EU member states have been required to impose as a minimum standard and so are relevant for all EU member states.
Use of cookies
The use of cookies is regulated primarily by the implementing law of EU member states, which sets out rules in relation to privacy and electronic communication. These rules include requirements that organisations provide users or subscribers with clear and comprehensive information about why they wish to access or store information on their device, and to obtain the user’s or subscriber’s consent before doing so.
The use of cookies is also regulated by the EU GDPR to the extent that cookie data contains personal data. This will commonly be the case given the wide definition of personal data, in particular as including ‘online identifiers’.
Exemptions to cookie requirements
The two exemptions to the rules under the ePrivacy Directive (as transposed into domestic law by EU member states) are listed below.
- Cookies that are classified as essential (or ‘strictly necessary’) – essential cookies are those which are strictly necessary to provide an ‘information society service’ (ie, a service delivered over the internet) that has been requested by the user. This exemption does not extend to cookies which are simply helpful, important or reasonably necessary; the cookie must be essential such that the user’s request could not be fulfilled without it. Examples of essential cookies may include load-balancing cookies and cookies that remember the goods in a shopping cart.
- Cookies that are placed for the sole purpose of transmitting a communication – for this exemption to apply, the cookie must be placed for the sole purpose of carrying out the transmission of a communication over an electronic communications network. This exemption does not extend to cookies which assist the transmission; the cookie must be essential such that the transmission of the communication would be impossible without it.
In the case of both exemptions, it is only the ePrivacy Directive requirements (as transposed into domestic law by EU member states) that benefit from the exemptions. You must still comply with the EU GDPR if personal data is being processed. However, an exemption may shift the interplay between the two regimes. For example, if an exemption applies, an organisation may be able to rely on an alternative lawful basis (other than consent) under article 6, EU GDPR.
What else do organisations have to do to ensure that the use of cookies is compliant?
The requirements listed in the tables above are not the only obligations that an organisation needs to meet to ensure that its use of cookies is compliant. Various other provisions of the EU GDPR must be complied with (such as the data protection principles in article 5, the data protection by design and default principles in article 25 and the obligation to carry out a data protection impact assessment for any potentially high-risk processing in article 35), as well as any other applicable laws and industry-specific rules.
Notes on specific requirements
Step 1 – Obtaining consent using a valid cookie consent mechanism
1.1 Timing – obtain consent from users prior to the placement of cookies
Ensure you obtain consent from users before you place cookies on their device. This means that you cannot pre-enable cookies on any landing or home pages of your online service. This rule applies regardless of whether or not the cookies are considered privacy-intrusive. However, supervisory authorities have stated that they are less likely to take enforcement action for the pre-enablement of non-intrusive first-party analytics cookies (ie, cookies which collect statistical information about how online services are used).
1.2 Clear and distinct – use a clear and distinct mechanism to obtain consent from users, such as a pop-up banner, message box or header bar
You must obtain consent from users through a clear and distinct cookie consent mechanism. A number of different methods and tools are commonly used for such consent requests including pop-up banners, message boxes and header bars. You can also rely on settings-led or feature-led consent, whereby, at the time a user changes a setting or enables a feature, you explain that they are consenting to the placement of a cookie on their device by allowing their choice to be remembered.
The key point is that consent is requested in an obvious, upfront and easily accessible way, and that the request is not bundled within other terms and conditions or hidden in an out-of-the-way part of your online service. At the same time, you should avoid unnecessarily disrupting the user experience with your request. The language you use in your request should be intelligible and easy to follow for your target audience.
Note that it is not sufficient to rely on users to configure their browser settings or operating system settings to manage their cookie preferences.
1.3 Positive action – require users to consent via a positive and unambiguous action, and do not rely on pre-ticked boxes, continued use or any other default approach
Ensure that the user carries out a positive and unambiguous action to provide their consent, such as clicking a button or moving a slider. It is not acceptable to rely on default methods such as pre-ticked boxes, continued use of the online service, or a lack of engagement with the consent mechanism. If a user chooses to exit the consent mechanism or navigate to a settings layer or to your cookie policy, they have not provided consent and cookies should not be set.
Note that consent does not necessarily have to be explicit consent. For example, when providing settings-led or feature-led consent, a user may not click a button that states ‘I consent’, but they will understand that certain cookies will be placed when they choose to take a particular action. The more privacy-intrusive a cookie is, the higher the threshold will be for clear and specific consent.
1.4 Options – include options on the first layer of the consent mechanism for the user to accept all cookies, reject all cookies and manage cookie settings
Include options on the first layer of your cookie consent mechanism to allow the user to accept all cookies, reject all cookies and manage their cookie settings. It is recommended to use language such as ‘accept all cookies’ instead of simply ‘accept’, to ensure users can easily and quickly understand the outcome of taking a particular action.
1.5 Reject option – ensure users can reject cookies as easily as they can accept cookies, and that a link is not disguised as a reject button
Allow users to reject all cookies just as easily as they can accept all cookies. Users should not have to navigate to a settings layer in order to reject cookies, and the consent mechanism should not give the impression that the user has no choice but to accept cookies if they wish to access the online service (see also step 3.10).
Similarly, a link to cookie settings or to another location should not be disguised as a reject button, such that by clicking the reject button, the user is forced to take one or more further actions to actually reject the cookies.
1.6 Single preference cookie – if a user rejects cookies, explain that you will still place a single cookie on their device to record this choice (if applicable)
It is acceptable to place a single cookie on a user’s device to record their preferences and to ensure that, for example, if they reject the use of cookies, no cookies are in fact placed on their device (other than the single preference cookie). However, it is important that you explain this to the user in a clear and obvious way, for example, on the first layer of your cookie consent mechanism or at the moment the user rejects the cookies.
1.7 Settings management – allow users to manage their cookie settings at an appropriately granular level (eg, via a control panel), including with respect to third-party cookies
Provide the user with the ability to control specific cookies or specific types of cookies, such that they have control beyond simply accepting or rejecting all cookies. This is commonly done by providing the user with a control panel from which they can toggle certain types of cookies on or off. The level of granularity of these controls will depend on the number and variety of cookies you use, and the extent to which they are considered privacy-intrusive.
It is important to highlight that user control over cookies must extend to any third-party cookies you use. This can present some logistical challenges as actioning requests relating to third-party cookies can require a level of collaboration with the third party and/or additional technical functionality. If such user preferences cannot be actioned in practice, you should not permit the use of third-party cookies.
1.8 Information – provide links to your cookie policy and privacy policy on the first layer of the consent mechanism and within the settings management layer
Your cookie policy and your privacy policy must be easily accessible to the user to ensure that their consent is properly informed. Therefore, at the time of requesting consent, provide clear links to these policies on the face of your cookie consent mechanism as well as from within the settings management layer (eg, control panel).
1.9 Continuous option – provide users with an easily accessible and continuous option to withdraw their consent and manage their cookie settings after making an initial cookie decision
Ensure that users can withdraw their consent and readjust their preferences at all times, not only when they first access your online service. This can be achieved by including a persistent icon within your online service which navigates users back to the settings management layer of your cookie consent mechanism when they click on it (amongst other similar techniques). Be clear what the icon represents, and make the icon easily accessible (ie, from all parts of your online service).
1.10 Design – do not use nudging techniques or dark patterns to influence users to consent to the use of cookies (eg, by emphasising an accept button over a reject button)
The European Data Protection Board Cookie Banner Taskforce has stated that the way in which cookie consent mechanisms are designed may lead to non-compliance with the ePrivacy Directive. For example, you are unlikely to be compliant if you use nudging techniques or dark patterns to influence users to take a particular course of action because the consent will not be considered freely given.
A common example of this is to emphasise an accept button over a reject button by using brighter, bolder colours and larger text. Such techniques have the potential to be particularly influential in the cookie context where users are more likely to be making quick decisions and have their attention drawn towards the most ‘obvious’ option.
It is therefore recommended that you use a consistent design across all options in your cookie consent mechanism (ie, accept all cookies, reject all cookies and manage settings). This is also supported by the data protection by design and data protection by default principles in article 25, EU GDPR.
1.11 EU GDPR consent – ensure that your consent mechanism otherwise meets all elements for valid consent under article 9, EU GDPR
While there is some overlap with the other requirements in this step, you must also make sure you meet all the requirements for the EU GDPR standard of valid consent. Please review the Checklist: Obtaining and managing consent under the GDPR for further guidance on EU GDPR consent.
Step 2 – Maintaining a cookie policy to inform users about the cookies you use
2.1 Clear and comprehensive – maintain a cookie policy that sets out clear and comprehensive information about the cookies you use
You must provide users with clear and comprehensive information about the cookies you use (prior to placing cookies on their devices). This information is usually set out in a cookie policy or cookie notice, or may be contained within your general privacy policy (see also, Checklist: What to include in your organisation’s privacy notice). While not a strict requirement, it is recommended for accessibility reasons to separate your cookie policy from your privacy policy as it may need to be updated more frequently than your privacy policy. Additionally, having a standalone cookie policy can assist with ensuring your cookie policy is clear, specific and easy to locate.
2.2 Cookie details – ensure your cookie policy includes information about the classification, purpose, type, duration and owner of each cookie you use
While you must provide users with clear and comprehensive information about the cookies you use, ‘clear and comprehensive’ is not specifically defined. It is generally considered to include information about each cookie’s classification, purpose, type, duration and owner.
A cookie’s classification is the category that it falls into, such as essential cookies, analytical or performance cookies, functionality cookies, and targeting and advertising cookies. Different terminology exists for classifications and the key point is that the user can understand from the classification what the general goal of the cookie is.
A cookie’s purpose is related to the classification, but is bespoke to the specific cookie being set. For example, the purpose of a cookie may be to remember the user’s language preferences or to count the number of visitors to the online service.
A cookie’s type relates to whether the cookie is a session cookie or persistent cookie. A session cookie only lasts until the user closes their browser, while a persistent cookie continues working after the user closes their browser.
The duration of a cookie is its lifespan (ie, how long it will stay on the user’s device before it expires). As noted above, session cookies will expire upon the browser being closed, but persistent cookies will have varying durations depending on the purpose of the cookie. See step 3.5 for further information about cookie duration.
A cookie may also be a first-party cookie or a third-party cookie. A first-party cookie is placed by your organisation, while a third-party cookie is placed by a third party, such as a service provider or a social media platform, and enables it to access or store information about the users of your online service. For any third-party cookies, you must specify the owner or host of the cookie and, ideally, provide a link to where the user can find further information from the third party.
2.3 Classification – ensure the classification terminology used in your cookie policy aligns with that used in your cookie consent mechanism
There is differing classification terminology within the market and certain terminology is not necessarily more or less compliant than others (as long as it accurately captures the overall category of cookie). However, it is good practice for the classification terminology you use in your cookie policy to align with that used in your cookie consent mechanism. This aids in overall clarity and accessibility, and ensures users can make fully informed choices about your use of cookies.
2.4 Settings management – ensure your cookie policy includes information about how and where users can withdraw consent and manage cookie settings (eg, a link to a control panel)
Your cookie policy must tell the user how and where they can withdraw their consent and otherwise control their cookie preferences (eg, by providing a link to the settings management layer of your cookie consent mechanism).
2.5 Contact – ensure your cookie policy includes information about how to contact your organisation
Your cookie policy must provide the user with information about your organisation and how they can contact you.
2.6 Scope – ensure your cookie policy has a clear scope of application in terms of which online services it applies to
Your cookie policy should have a clear scope of application so that the user understands which online services it applies to. For example, if you enable cookies on multiple websites and mobile apps, make it clear whether you have different cookie policies for different online services or whether you have one master cookie policy that covers all such online services (in which case, separate out cookie information for each service accordingly).
2.7 User-friendly – present your cookie policy in a user-friendly way that takes your target audience into account
Your cookie policy should be user-friendly and present information about your cookies in a way that is both comprehensive and concise. For example, you may wish to present the information in a table format and/or take advantage of layering techniques to avoid overwhelming the user with large amounts of detail from the outset. The appropriate format will usually depend on the number and complexity of your cookies.
Your cookie policy should also take into account the types of users who are likely to access your online service. For example, if children are likely to access your service, present the information in a way that children will be able to understand (note that if your online service targets children, there are other compliance considerations you will need to meet that are outside the scope of this checklist).
2.8 Accessibility – make your cookie policy easily accessible to users, both at the time of making cookie decisions and continuously after that
In addition to providing links to your cookie policy and privacy policy from the cookie consent mechanism (as set out in step 1.8), you should ensure that these policies are available on a continuous basis following the user’s initial cookie decision. Make the policies easily accessible, for example, via links in a prominent position in the footer of your website.
2.9 EU GDPR transparency – ensure that your cookie policy (or privacy policy) otherwise meets all transparency requirements under the EU GDPR relating to your cookie use
While there is some overlap with the other requirements in this step, you must also make sure you meet all the requirements for transparency under the EU GDPR in relation to any personal data you process. EU GDPR-required information may be included in your cookie policy or your privacy policy, as long as users can easily locate the information. Please see the Checklist: What to include in your organisation’s privacy notice for further guidance on EU GDPR transparency requirements.
2.10 Consistency – if separate documents, make sure your cookie policy and privacy policy contain links to the other and are consistent with each other
If you maintain separate cookie and privacy policies, ensure that the policies are consistent with one another and that users can easily navigate between them (eg, through the inclusion of links in each policy).
Step 3 – Implementing effective back-end cookie controls
3.1 Timing – ensure that cookies are not placed prior to obtaining consent from users and do not place cookies on any landing pages
Implement measures to ensure that cookies are not placed prior to obtaining consent and that cookies are therefore not placed on any landing pages of your online services. It is not permissible to place cookies and then ask for consent later.
3.2 User preferences – only place cookies in accordance with user preferences, and implement changes whenever a user updates their preferences
Implement measures to ensure that cookies are only placed in accordance with user preferences, including when a user updates those preferences. This means that you must have technical functionality in place to ensure that a user decision automatically results in the enabling or disabling of cookies.
3.3 Classification – properly identify and classify all cookies, including the proper classification of essential cookies
Implement measures to ensure that cookies are properly classified. It is particularly important to ensure that you do not improperly classify cookies as essential (or ‘strictly necessary’) when they should fall into another classification category (eg, functionality or preference cookies). Avoid multi-use cookies – a tracking cookie combined with other essential features will still be considered a tracking cookie. As noted above, essential cookies have a very narrow definition.
You may wish to use certain third-party tools to audit and classify your cookies, but always ensure that the resulting classifications are accurate (along with any other information you are relying on such tools to provide you with).
3.4 Policy maintenance – update your cookie policy whenever you add or remove a cookie, or otherwise change your use of cookies
Implement measures to keep your cookie policy up to date and accurate. This includes ensuring that your list of cookies (and the corresponding information about them) is promptly updated whenever you add, remove or otherwise update your cookie use.
Undertake periodic cookie audits and scans to ensure that the information in your cookie policy accurately reflects the cookies actually set by your online service. This is also a good opportunity to remove redundant cookies and to rationalise the use of multiple cookies for the same purpose.
3.5 Duration – ensure that each cookie you use has an appropriate duration, including by updating any default lifespans
You must ensure that you are aware of the duration of each cookie and that it is appropriate. There are no hard-and-fast rules regarding what an appropriate duration is as this will depend on the purpose of the cookie; the duration should be limited to what is necessary and proportional to achieve the purpose. Always consider whether any persistent cookies can achieve their purpose as a session cookie instead, and consider whether any default cookie duration should be adjusted.
3.6 Consent refresh – refresh consent at appropriate intervals and whenever you change your use of cookies
Implement measures to refresh consent at appropriate intervals and whenever you add, remove, or otherwise update your cookie use.
There are no hard-and-fast rules regarding what an appropriate interval is as this will depend on factors such as the nature of your online service and how frequently it is used, how intrusive your cookies are, the expectations of your users, and how disruptive additional consent requests may be. Also consider how likely it is that different individuals may be using the same device; the more likely this is, the more often you should refresh consent.
In any case, you must obtain new consent from users whenever you make changes to the cookies you place.
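The back-end controls described in 3.1, 3.2, 3.5 and 3.6 can be expressed as a small consent-gated cookie controller. The following is an added illustration, not code from the checklist or from any particular consent-management product; the cookie names, categories, lifetimes and the consent record format are constructed assumptions.

```javascript
// Constructed cookie registry: every cookie the service sets, with its category and lifetime.
// maxAge null = session cookie (expires when the browser closes); otherwise seconds (3.5).
const COOKIE_REGISTRY = [
  { name: 'session_id', category: 'essential',     maxAge: null },
  { name: 'lang',       category: 'functionality', maxAge: 30 * 86400 },
  { name: '_ad_id',     category: 'marketing',     maxAge: 90 * 86400 },
];
// Bump this whenever COOKIE_REGISTRY changes, so previously recorded consent is no longer
// accepted and the user is asked again (3.6: refresh consent when cookie use changes).
const CONSENT_VERSION = 2;

// Decide which registered cookies may exist, given the stored consent record (or null when
// the user has not yet decided) and the cookie names currently present on the device.
// 3.1: with no valid consent, only essential cookies are allowed, so nothing non-essential
//      is placed on a landing page.
// 3.2: the decision is recomputed on every call, so a changed preference takes effect at once:
//      cookies in newly refused categories are expired, newly accepted ones become allowed.
function applyConsent(consent, presentCookies, registry = COOKIE_REGISTRY) {
  const stale = !consent || consent.version !== CONSENT_VERSION;
  const allowed = new Set(['essential']);
  if (!stale) {
    for (const [category, granted] of Object.entries(consent.categories || {})) {
      if (granted === true) allowed.add(category);
    }
  }
  const set = [], expire = [];
  for (const cookie of registry) {
    if (allowed.has(cookie.category)) set.push(cookie.name);
    else if (presentCookies.includes(cookie.name)) expire.push(cookie.name);
  }
  return { set, expire, needsPrompt: stale };
}

// Build a Set-Cookie header value that honours the registered lifetime (3.5). A cookie that
// is not in the registry is refused, which keeps the policy's cookie list authoritative (3.4).
function setCookieHeader(name, value, registry = COOKIE_REGISTRY) {
  const def = registry.find(c => c.name === name);
  if (!def) throw new Error(`unregistered cookie: ${name}`);
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (def.maxAge !== null) parts.push(`Max-Age=${def.maxAge}`);
  return parts.join('; ');
}

// Header value that removes a cookie the user has withdrawn consent for.
function expireCookieHeader(name) {
  return `${name}=; Path=/; Max-Age=0; Secure; SameSite=Lax`;
}
```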
3.7 Third-party cookies – have appropriate arrangements in place with the owners of any third-party cookies, including ensuring that users can manage their consent to such cookies
Collaborate with the owners or hosts of any third-party cookies to ensure user preferences can be properly actioned, and that sufficient information is provided to users by both parties. Ensure you understand what the third party’s purposes are and whether any cookie data will be shared with other third parties (particularly if personal data will be processed). If third-party cookie owners are located outside the EEA, you may need to consider international data transfer requirements.
3.8 Granular – ensure that user consent is appropriately granular and not fungible across multiple online services
Ensure that you do not rely on the same form of consent for multiple online services unless it is clear and obvious to the user. For example, if a user consents to the use of marketing cookies on a website, you cannot presume that they also consent to the use of marketing cookies on a corresponding mobile app.
3.9 Minimisation – carry out regular reviews of your cookies and ensure that your use of cookies is necessary and proportional to your purposes
Implement measures to regularly review your cookie use and to take actions based on such review, including removing cookies that are no longer needed or that have been superseded. Although you should always endeavour to take such actions in real time, implementing a regular review period will ensure that you carry out a review at a minimum frequency.
3.10 Access to services and cookie walls – ensure that users can still access the core components of your online service if they do not consent to non-essential cookies
Ensure that you do not deny access to the core components of your online service to users who reject or withdraw their consent to certain cookies. Otherwise, you are requesting consent as a precondition to a service and any such consent would not be considered freely given. For this reason, ‘cookie walls’ which allow access on a ‘take it or leave it’ basis are generally considered to be non-compliant.
3.11 EU GDPR consent management – ensure that you otherwise comply with requirements for recording and managing consent under the EU GDPR
While there is some overlap with the other requirements in this step, you must also make sure you meet all the requirements for recording and managing consent under the EU GDPR. Please review the Checklist: Obtaining and managing consent under the GDPR for further guidance.
Additional resources
Article 29 Working Party Opinion – 04/2012 on Cookie Consent Exemption
Article 29 Working Party Opinion – 9/2014 on the application of Directive 2002/58/EC to device Fingerprinting
Note: the Article 29 Working Party has been replaced by the European Data Protection Board.