Everybody gets EU cookie law compliance wrong. Seriously, nobody complies with it 100%. In this article you’ll understand why. By the end you’ll also know the differences between implied and explicit consent, and when you can use each on your website. Let the journey into EU legislation begin!
Articles in this series:
- What is a Cookie?
- Types of Internet Cookies
- Explicit or Implied Consent? (this article)
- When You Don’t Need User Consent?
- Proper Dataflow Infographics
- How to Properly Comply with EU Cookie Law?
Explicit or implied?
If you manage any website, you need to know that since 2011 the EU has required you to ask for the user’s consent when using cookies on your website. Consent is well defined in EU law, so we’ll try to answer the question in the heading.
First, we need clear definitions of the consent types. Consent is implied if you inform the user about your cookies and assume that they agree; there is no way to refuse it before the cookies are set. You simply assume the user is happy with it. That’s how I comply with it on this blog: I assume that you know what cookies are. It’s also a widespread solution on other websites.
Implied consent is:
- non-intrusive for the user: the webpage is fully functional on first load,
- easier to maintain for the website owner,
- compliant with the legislation of some EU countries.
Explicit consent is:
- freely given prior to data collection: no cookies can be set or read before the user agrees,
- rarely used in real-life situations,
- a model in which the user is able to refuse.
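To make the difference concrete, here is an added example in JavaScript (mine, not code from the original article): a small consent gate that refuses to set or read a cookie until the user has actively granted its purpose, shown next to the implied-consent behaviour it replaces. The cookie names (`_ga`, `ads_id`), the purpose labels and the `cookie_consent` record name are assumptions for illustration; the cookie store is injected so the same logic runs in Node for testing and on `document.cookie` in a browser.

```javascript
// Added example (not from the original article): gating non-essential cookies
// behind explicit consent, next to the implied-consent behaviour it replaces.
// Cookie names, purposes and the consent-record name are assumptions.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record

// Parse a Cookie header / document.cookie string ("a=1; b=2") into an object.
function parseCookies(str) {
  const out = {};
  for (const part of str.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// In-memory store with the read/write shape a browser store would have.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  read() {
    return [...this.jar].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; ");
  }
  write(name, value, maxAge) {
    if (maxAge <= 0) this.jar.delete(name); else this.jar.set(name, value);
  }
}

// Browser-backed store with the same interface (only usable where `document` exists).
class DocumentCookieStore {
  read() { return document.cookie; }
  write(name, value, maxAge) {
    document.cookie =
      `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
  }
}

// Implied consent: the analytics cookie is written on first load, before the
// user has done anything. Any opt-out offered later comes after the processing
// has already started.
function impliedConsentFirstLoad(store) {
  store.write("_ga", "GA1.2.1234567890.1700000000", 2 * 365 * 86400); // constructed value
  return "We use cookies. By continuing to browse you agree to this."; // the banner text
}

// Explicit consent: nothing is set or read for a purpose the user has not
// actively granted. `purposes` maps cookie name -> purpose, e.g. { _ga: "analytics" }.
class ConsentGate {
  constructor(store, purposes) {
    this.store = store;
    this.purposes = purposes;
  }

  // Returns the stored choice, or null when the user has not chosen yet.
  // A corrupt record is treated as "no consent", never as consent.
  consent() {
    const raw = parseCookies(this.store.read())[CONSENT_COOKIE];
    if (raw === undefined) return null;
    try {
      const rec = JSON.parse(raw);
      return Array.isArray(rec.granted) ? rec : null;
    } catch (e) {
      return null;
    }
  }

  allowed(purpose) {
    const rec = this.consent();
    return rec !== null && rec.granted.includes(purpose);
  }

  // Record an active choice (an empty list is a refusal) and purge cookies
  // whose purpose is no longer covered, so withdrawal actually stops processing.
  choose(granted) {
    this.store.write(CONSENT_COOKIE, JSON.stringify({ granted, at: Date.now() }), 180 * 86400);
    for (const [name, purpose] of Object.entries(this.purposes)) {
      if (!granted.includes(purpose)) this.store.write(name, "", 0);
    }
  }

  // Set a cookie only if its purpose was granted; returns whether it was set.
  set(name, value, maxAge) {
    const purpose = this.purposes[name];
    if (purpose === undefined) throw new Error(`no declared purpose for cookie ${name}`);
    if (!this.allowed(purpose)) return false;
    this.store.write(name, value, maxAge);
    return true;
  }

  // Reading is gated too: "no cookies can be set or read before the user agrees".
  get(name) {
    const purpose = this.purposes[name];
    if (purpose === undefined || !this.allowed(purpose)) return undefined;
    return parseCookies(this.store.read())[name];
  }
}
```

In a browser you would build `new ConsentGate(new DocumentCookieStore(), { _ga: "analytics" })`, wire the banner's Accept and Refuse buttons to `choose([...])`, and have the analytics loader ask `gate.allowed("analytics")` before injecting its script; with the implied model the `_ga` cookie already exists by the time the banner is drawn, which is exactly the ordering problem discussed below.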
One more thing here. The EU is well known for fighting discrimination (which is a good thing), but sometimes it borders on the ridiculous. I’m afraid that limiting access to a webpage (for technical reasons) for a user who refused cookies could be seen as discrimination ;) What do you think?
Now that we know the differences, let’s get to the roots, the hard stuff. If reading bureaucratese gives you a headache, skip to the next chapter.
In general, cookies enable tracking people individually and so are treated by the EU as personal data. As Regulation (EC) No 45/2001 states (strictly, that regulation governs processing by the EU institutions themselves; the general rules for everyone else were in Directive 95/46/EC, whose Article 7 lists parallel grounds, consent among them), such data may be processed only if:
- (a) processing is necessary for the performance of a task carried out in the public interest on the basis of the Treaties establishing the European Communities or other legal instruments adopted on the basis thereof or in the legitimate exercise of official authority vested in the Community institution or body or in a third party to whom the data are disclosed, or
- (b) processing is necessary for compliance with a legal obligation to which the controller is subject, or
- (c) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or
- (d) the data subject has unambiguously given his or her consent, or
- (e) processing is necessary in order to protect the vital interests of the data subject.
So in our case it would mostly be point (d): we need the user’s consent to process cookies. OK, so what is consent and how should we obtain it for it to be valid? The EU’s Article 29 Data Protection Working Party issued guidance on obtaining consent for cookies (Working Document 02/2013). According to it, valid consent has four basic attributes:
- Specific information. To be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
- Timing. As a general rule, consent has to be given before the processing starts.
- Active choice. Consent must be unambiguous. Therefore the procedure to seek and to give consent must leave no doubt as to the data subject’s intention. There are in principle no limits as to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller (it could include a handwritten signature affixed at the bottom of a paper form, or an active behaviour from which consent can be reasonably concluded).
- Freely given. Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.
Let’s ask the question again: should you use explicit or implied consent on your website? As you can see above, implied consent fails the “Timing” requirement (and arguably “Active choice” too, since the user never actively indicates anything). Only explicit consent gives the user a real choice before data processing starts. An implied consent solution can let the user disable cookies once they’re set, but by then the processing has already begun, which is exactly what the guidance rules out.
I told you it’s gonna be hard.
So let’s go to the next chapter. We’ll take a look at EU law in practice. How is it implemented in member states? Is implied consent still unthinkable?
Be sure to check the next articles in this series, where I’ll describe step by step how to comply 100% with EU legislation. If you don’t want to miss them, subscribe to be notified.
How do EU countries deal with it?
EU legislation is one thing; member states’ law is another. The cookie rules come from a directive (the ePrivacy Directive, 2002/58/EC, as amended in 2009), and a directive only sets a framework that each member state transposes into its own law, so implementations vary from country to country. Cookiepedia maintains an extensive list of existing cookie laws across Europe. For example, you can read there that:
- in Austria there is no clear guidance on compliance at this time,
- Bulgaria requires sites to publish information about cookies and give consumers the right to refuse them,
- in Denmark valid consent cannot be signalled through browser settings, but implied consent is deemed to be a valid model,
- in Finland valid consent can be signalled through a browser,
- current rules in Germany are that there needs to be an opt-in for cookies collecting personal information, but opt-out is sufficient for all other types of cookies,
- in Ireland the law is in force and there is no official guidance on how to comply,
- in Poland visitor consent may be given through adjusting browser settings, and it also requires that consent should be obtained prior to any setting or reading of cookies. It is therefore likely that websites will need to provide their own controls for users to block or allow cookies,
- in Spain implied consent is allowed; however, the guide also states that silence or inaction does not make for valid consent.
To sum up, there’s no single answer to whether you need to explicitly ask for the user’s consent to process cookies on your site. Some countries will even deem cookies enabled in browser settings to be valid consent.
If you are a website owner, you probably want to comply with EU law in every possible country. The only way is to choose the safest option, so explicit consent is your choice.
In the next article I’ll cover when you don’t need explicit consent: what the exceptions to the rules are and under what circumstances they apply. Probably the most interesting for you will be the step-by-step guide to complying with EU law, which will be the last in this series.
If you think you just read something valuable, let me know. Drop me a message via the contact page or leave a comment!
Photo by Charles Clegg / CC BY-SA