EU Supervisory Authorities Publish New Guidance on Cookies

Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies. On January 11, 2024, the Spanish SA released guidance on cookies used for audience measurement (commonly referred to as analytics cookies) (available in Spanish only). On December 20, 2023, the Austrian SA released FAQs on cookies and data protection (available in German only). On October 23, 2023, the Belgian SA released a cookie list (available in Dutch and French).

The new guidance builds on existing guidance but addresses some new topics, which we discuss below.

The Austrian SA’s FAQ states that:

  • Cookies that store information about a user’s consent status (that is, a cookie indicating whether or not the user has consented to the placement of cookies) do not require consent unless a unique online identifier is assigned to the user for this purpose. This does not appear to align with previous guidance from other regulators. The Belgian list, discussed below, states that cookies used to store the user’s choice regarding cookies are exempt from consent. Likewise, the French SA considers that cookies storing the user’s choice about the use of cookies do not require consent (see point 49 of the French SA’s guidelines on cookies, available in French). Neither the Belgian list nor the French guidelines specifically address whether these cookies are linked to a unique online identifier.
  • Marketing cookies used to display personalized ads require consent even if displaying such ads is necessary for the website’s financial viability.
  • The “pay or ok” model (also referred to as a “cookie wall”), where users are given a choice between a free version of the website that includes tracking cookies and a paid version that does not, may be acceptable if certain conditions are met, such as:
    • the company implementing the model is not dominant in the market;
    • the price for the paid-for version is affordable and reasonable; and
    • the user is offered granular consent options.

The Spanish SA’s Guidance on Analytics Cookies states that:

  • The only analytics cookies and similar technologies that are strictly necessary for the “correct administration of a site” (and therefore do not require consent) are those that perform the following measurements:
    • page-level audience measurements;
    • the list of pages from which a link has been followed to request the current page, whether internal or external to the site, by page and aggregated daily;
    • determination of users’ device type, browser, and screen size, by page and aggregated daily;
    • page load time data, per page and aggregated per hour;
    • data on time spent per page, bounce rate, and scroll depth, per page and aggregated daily;
    • data on user actions (clicks, choices), per page and aggregated daily; and
    • data on the geographical area of origin of the requests, per page and aggregated daily.
  • Publishers of websites and mobile applications that use analytics cookies or similar technologies that are exempt from consent should:
    • inform users about the use of these cookies or similar technologies;
    • limit the lifetime of these cookies or similar technologies to a period that allows meaningful comparisons of audiences over time, such as a thirteen-month period, and this period should not automatically renew each time a user visits the site;
    • keep information collected through these cookies or similar technologies for no longer than twenty-five months; and
    • periodically review the useful life and retention periods to limit them to what is strictly necessary.
  • A provider offering a comparative audience measurement service to multiple publishers should provide “unbiased guarantees” to the publisher that: (i) data are collected, processed, and stored separately for each publisher; and (ii) the cookies or similar technologies used are completely independent of each other and of any other cookie or similar technology.

The Belgian SA’s Cookies List states that:

  • Publishers of websites and mobile applications need to avoid using the same cookie for multiple purposes.
  • Publishers of websites and mobile applications need to document how their consent mechanism (such as a banner) has been modified over time by keeping previous versions of the cookie policy and including a date and version number in the cookie policy.

The EDPB approach

At the EU level, the European Data Protection Board (“EDPB”) has been active in considering cookie issues. In 2023, it released its latest guidance on cookies and similar technologies (see our post), the findings of its cookie banner taskforce (see our post), and its thoughts on the European Commission’s so-called “cookie promise” to simplify cookie banners (see here).

In addition, the EDPB discussed the “pay or ok” consent model at its December plenary meeting and plans to issue guidance on this topic.

* * *

The Covington Personal Privacy & Cybersecurity group regularly advises clients on the laws governing the use of cookies and similar technologies, particularly in the adtech context, and continues to keep a close eye on the guidance issued by European supervisory authorities. If you have any questions, do not hesitate to reach out to any member of the group.

(This post was written with contributions from Alberto Vogel.)
