Articles

Working Party 29 guidance on cookie consent

Working Party 29 guidance on cookie consent

Working Party 29 guidance on cookie consent

14.10.2013

The Article 29 Working Party ("WP29") published a working document on how consent for cookies may be obtained. The WP29's opinions and working documents provide authoritative guidance on EU data protection rules.

Based on the e-Privacy Directive 2002/58/EC, the use of cookies or similar tracking technologies may require a website user's consent. The manner in which consent must be obtained varies per EU Member State. This WP29 [1] document provides guidance on obtaining consent for a website operating across Member States. To access the document, click here
 
1.  Consent 

The WP29 advises that a website should contain a mechanism that satisfies each of the following main elements for valid consent:

consent must be specific and based on appropriate information, including e.g. the purposes of the cookies;
consent must be provided before the cookies are set or read;
a positive response or other active behavior of the user is required; and
on the entry page the user should be provided with a real and meaningful choice to freely accept all, some or no cookies. 
 
2.  Consent mechanism 

According to the WP29, a website should contain:

  • an immediately visible notice informing whether various types of cookies are being used, providing the information in a so-called 'layered approach';
  • an immediately visible notice informing that by using the websites, the user agrees to cookies being placed and read by the websites;
  • information explaining how the user can express and later withdraw cookie consents;
  • a mechanism by which the user can choose to accept all or some or decline cookies; and
  • an option for the user to subsequently change a prior preference regarding cookies. 

3.  Layered approach to information and consent 
 
The WP29 in this working document confirms the notion of layered information approach (information to be provided layer by layer upon request of the user) and various consent options as introduced in previous documents. In this working document, the WP29 confirms that a user should not only be informed about the various categories of cookies, but also be able to choose which categories it allows or declines.

Furthermore, the WP29 advises that access to a website should not be made conditional on acceptance of all cookies. If the user does not accept cookies, the user should not be denied access, but may be offered access to less content of the website. 
 
4.  Tracking cookies 

Specific mention is made of tracking cookies. When tracking cookies are being used to single people out, such as by creating profiles based on behaviour, such data likely are personal data according to the WP29. The WP29 advises that for the processing of such personal data together with reading and setting of tracking cookies, the unambiguous consent of the user is obtained. Whether such consent is validly obtained  will be assessed by the competent national data protection authorities. 
 
5.  Conclusion 

With the guidance provided in this working document, the national authorities will have practical guidelines to verify compliance and enforce the rules regarding consent for cookies.

Footnotes:

1Representatives of the European data protection authorities, the European Data Protection Supervisor and the European Commission

Team

Related news

12.03.2020 EU law
Stibbe sets up corona team

Inside Stibbe - The coronavirus (COVID-19) may have legal consequences for your business. We have set up a team of specialists who can provide insight into the legal implications of the virus.

Read more

10.03.2020 NL law
De AVG staat niet in de weg aan de verwerking van persoonsgegevens door een toezichthouder tijdens een bedrijfsbezoek

Short Reads - Bedrijven die met toezicht worden geconfronteerd, zijn gehouden op verzoek van een toezichthouder in beginsel alle informatie te verstrekken. Met de komst van de Algemene verordening gegevensbescherming (AVG) is in de praktijk de vraag opgekomen of een toezichthouder bevoegd is om persoonsgegevens die onderdeel uitmaken van de gevraagde informatie te verwerken.

Read more

18.03.2020 EU law
Stibbe: COVID-19

Short Reads - In view of the developments concerning the coronavirus, we hereby inform you of our business operations and the measures we take to ensure the continuity of our services to you.

Read more

26.02.2020 BE law
18 March 2020: Erik Valgaeren sheds a light on the legal perspectives of industrial data during a Beltug conference

Speaking slot - In this era of digitisation, data is often called the 'new gold' or 'oil'.  In our aim to gain more insights that will lead us to higher revenue, new market opportunities or new regions, we are analysing data at full throttle. But it needs to be handled with care, using a data architecture that follows your general strategy while ensuring solid security, quality, etc.

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring