Luxembourg: CNPD publishes guidelines on cookies
The National Commission for Data Protection ('CNPD') published, on 26 October 2021, guidelines on cookies and other trackers. In particular, the CNPD outlined that the guidelines aim to help operators of websites or applications to comply with the currently applicable rules, as they emerge from existing legislation and case law. Furthermore, the guidelines draw the distinction between essential cookies for which there is no obligation of consent and non-essential cookies for which there is an obligation of consent, providing specific examples to accompany such analysis. In addition, the guidelines provide many examples of good practice and also introduce the notion of dark patterns in the context of collecting user consent.
Notably, with respect to essential cookies, the CNPD clarifies that cookies with the following purposes do not require user consent:
- recording user choices regarding cookies;
- user authentication, provided that the cookie is only used for this purpose;
- saving shopping cart;
- saving responses to contact forms;
- streaming content;
- service customisation, e.g. to save display or language settings;
- security, again provided that the cookie is used exclusively for this purposes; and
- analyticals, subject to the below clarifications.
Further to the above, the guidelines differentiate between analytical cookies for audience measurement purposes and analytical cookies which are necessary for the provision of a service. Specifically, the CNPD outlined that, although audience measurement cookies do not pose significant risks to privacy when placed directly by the visited site (and not by a third party) for statistical purposes, it is nevertheless necessary that the site operator obtains the user consent before placing this type of cookie. However, the CNPD added that, where the website operator is able to demonstrate that the use of analytical cookies is necessary for the provision of a service (for example to evaluate server capabilities), such cookies may be exempted from the consent requirement, provided that such cookies:
are not passed on to third parties nor cross-referenced with other data;
do not allow global monitoring of the navigation of a person using different applications or browsing on several websites; and
are collected exclusively by and for the website operator and are used to produce anonymous statistics only.