Cookie consent – overview on the different requirements of European data protection authorities for the design of a cookie banner
Requirements under the GDPR
The legal basis in Art. 6 para. 1 sentence 1 lit. a) GDPR does not stipulate any details for a consent declaration. According to Art. 4 No. 11 GDPR, consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The provision does not provide specifications on how to design a cookie banner but the controller is free to define the specific form of consent.
Article 29 Data Protection Working Party (Art.-29-Working Party)
In its Working Paper 259 (WP 259, Guidelines on consent under Regulation 2016/679), the Art.-29-Working Party stipulates that a variety of actions is feasible for lawful consent, including for example swiping a bar on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion. The Art.-29-Working Party emphasizes that virtually any form of consent is possible, provided that it is sufficiently clear to the user that he/she is making a declaration through the corresponding action. It is therefore crucial that the respective action is sufficiently distinguishable from other actions of the user.
Guidelines and opinions by the EU data protection authorities
The regulatory authority in Spain has rather less strict requirements for a cookie banner compared to the other EU authorities. Apart from a cookie banner that includes an explicit “Reject“ and “Accept” button, the Spanish regulator also recognizes lawful consent where the website operator only requires clicking on the website, provided that the user is sufficiently informed about the relevance of this action in the cookie banner.
The Italian authority provides FAQs on cookies on their websites. Although it does not specify the requirements for a cookie banner but rather provides basic information, the information indicate that it is not necessary that the cookie banner contains a “Reject” option at the first level. On the contrary, it appears that the Italian authority allows for the user to agree to the cookie by clicking on the website in full knowledge of the consequences.
The supervisory authority in Liechtenstein only refers to the general conditions of Art. 6, 7 GDPR concerning consent requirements for cookies. It makes clear that consent can take various forms, including implied consent. This could lead to the conclusion that the authority does not impose too strict requirements on a cookie banner. In particular, it is not apparent from the information provided that the authority would, for example, require a specific “Reject” button or that clicking on the website would not be sufficient if respective information was provided. In this respect, it remains to be seen whether the authority will further specify its instructions in the future.
Somewhat stricter conditions provide the guidelines of the Irish regulator. The supervisory authority explicitly stipulates that clicking outside the cookie banner on the website or scrolling does not constitute sufficient user consent but the user must have an actual choice. Here, however, the explanations suggest that it is also sufficient if the cookie banner contains an “Accept” button on the first level as well as a button through which the user can access further information. Nonetheless, although the authority considers the provision of a “Reject” button recommendable, it probably does not consider it a mandatory measure.
It appears that the Danish and Belgium supervisory authorities take the strictest approach among the EU regulators. They interpret the requirements even more narrowly than the regulators in Germany, the UK, France and Greece. According to the Danish guideline, voluntary consent is already lacking if a cookie banner only provides for a single accept option on the first level without differentiating between different cookie purposes, even if it is possible to select or deselect the different purposes on a second level. Similarly, the Belgium authority takes the position that if a website uses more than one type of cookie, the website provider shall obtain separate consent for each type of cookie already in a first layer of information. The second layer has to provide users with the possibility of making a granular choice per cookie.