EU: Cookies 2021 regulatory roundup - a country-by-country guide to getting cookie consent right

The topic of cookies continued to be a major focal point of the 2021 privacy landscape. Currently, cookies are regulated in the European Union under Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended)[1] ('the ePrivacy Directive'). However, it should also be borne in mind that the Proposed Regulation on Privacy and Electronic Communications[2] ('the Draft ePrivacy Regulation'), which would replace the ePrivacy Directive, is under consideration. In addition, the European Data Protection Board ('EDPB') adopted, on 9 March 2021, a statement on the ePrivacy Regulation[3], where it highlighted that the new ePrivacy Regulation must enforce the consent requirement for cookies and similar technologies, as well as ensure effective ways of obtaining consent for websites and mobile applications to address, among others, consent fatigue.


Until such time as the ePrivacy Regulation is adopted, however, the guidelines issued by national supervisory authorities, which provide for varied requirements across the EU, generally dictate how organisations should collect consent for the use of cookies, and how the information, policies, and mechanisms relating to the same are presented to users. Moreover, increasingly active and heavy-handed enforcement of such requirements was a major regulatory trend in 2021, which we have already seen continue into 2022. With this in mind, this article seeks to provide a comparative overview of new 2021 guidelines on cookie requirements established by the Danish, Czech, Finnish, German, Italian and Luxembourg supervisory authorities.

Denmark

The Danish data protection authority ('Datatilsynet') published, on 12 February 2021, a quick guide[4] for the use of cookies, together with the Danish Council for Digital Security and the Danish Business Authority.

Consent and cookie banner configuration

With respect to cookie consent, the guide notes that there should be a possibility to withdraw consent and it should be as easy to withdraw consent as it is to give it. Hence, the guide highlights that the method to refuse cookies should be easily accessible to the user, who should also be provided with clear, precise, and easily understandable instructions on how to refuse. The guide also states that in some cases, it may be appropriate to refer to guides and tools developed by others.

In respect of cookie banners, the guide highlights that the cookie banner must include information on who sets the cookies and for what purposes, and it must be written in an easily understandable way. The guide also notes that it is not necessary to have an option to consent or not consent for each cookie, instead specifying that consenting to the broad categories of purposes is sufficient.

Additionally, the guide specifies that:

  • users must not be nudged into consent, for example through the size, colour, and location of buttons;
  • controllers should not make it more difficult to say no by only giving the option to choose between 'Yes' and 'More information' in the first dialogue box;
  • it should be obvious that it is possible to opt-out of cookies altogether; and
  • when providing information about cookies, controllers should generally provide information about the categories of purposes for which cookies are set, for example, the use of functions, statistics and marketing as separate categories, and consent should be obtained separately for each category of purpose, such as via separate tick boxes.

Cookie policy and information requirements

In particular, the guide highlights that if subsequent processing of personal data for a specific purpose is based on another legal basis than consent, then this should be made clear in the information provided, for example in the cookie policy or in the privacy notice. In addition, the guide notes that it should be clear to the user what information is being transmitted to the parties, for example, information about which website they have visited or their IP address. Furthermore, the guide emphasises that the controller must ensure that the information it provides is always available on its website.

Czech Republic

The Office for Personal Data Protection ('UOOU') published, on 22 December 2021, frequently asked questions[5] ('FAQs') on obtaining consent for the use of cookies through the cookie banner, following its previous announcement of the commencement of the new opt-in regime for cookies from 1 January 2022[6].

Consent and cookie banner configuration

In respect of cookie consent, the FAQs clarify that users must be able to give free, informed, and unambiguous consent, meaning that consent by pre-ticked boxes through browser settings does not suffice; instead, an active action by the user is required, for example clicking on the consent button. Additionally, the FAQs highlight that the user must be able to simply refuse consent without any harm, for example, unavailability of the website content. In addition, the FAQs emphasise that giving consent should not be confusing or burdensome for the user, i.e. while the user can consent or object to each individual cookie or individual purpose or controller, the user should also have the simple possibility to refuse all cookies at once. Hence, the FAQs note that if consent is given, for example via a cookie banner, it is not acceptable that withdrawal of consent can only be done by telephone, for example; instead, there should be an easily accessible button or link on the website to withdraw consent. Furthermore, the FAQs state that the user must clearly express their consent, and that closing the cookie banner without expressing whether or not to consent, and remaining on the website, cannot be considered consent.

In addition, the FAQs note that the design and colour of the buttons should be chosen in such a way that the user is free to decide whether or not to give consent. For example, the 'I agree' button should not be significantly larger or significantly more colourful than the 'I reject' button, since if the rejection button is less visible or identifiable, the data subject could overlook it and the consent given would not be considered free. Furthermore, the FAQs emphasise that in order to give the data subject a free choice, refusing consent should be as simple as granting it and, therefore, the rejection button should be at the same level as the consent button.

Cookie policy and information requirements

With respect to cookie information, the FAQs note that when requesting consent, the user must be provided with sufficient information on what data will be processed, who will process it, for what purpose, for how long, and whether the data will be passed on to other subjects or to third countries. Furthermore, the FAQs note that the information provided should be clear and comprehensible to the average user. However, the FAQs highlight that the structure of the information will vary according to the number of cookies stored, for example it will look different in the case of storing one cookie, where the data will not be transferred to other entities, and differently when storing dozens of cookies, where the data will be processed by a number of other entities. Moreover, the FAQs outline that in the case of more extensive information, it is better to provide it in a structured way for greater clarity.

In addition, the FAQs recommend the provision of a list of all cookies, as well as their purpose, and note that the location of this information should be considered in the light of the number of cookies, so that the information provided is clear and easily accessible. Hence, the FAQs note that the information can be directly in the structured cookie banner, for example by clicking on 'more information', or there can be a link to a document containing information about cookies.

Germany

The German Data Protection Conference ('DSK') announced, on 20 December 2021, that it had published guidance on the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia[7] ('TTDSG'), which entered into force on 1 December 2021.

Consent and cookie banner configuration

With respect to cookie banners, the guidance states that if consent banners only contain an 'OK' button, clicking the button does not constitute an unambiguous declaration. Even the terms 'agree', 'I consent' or 'accept' may not be sufficient in individual cases if it is not clear from the accompanying information what the user is specifically consenting to. In addition, the guidance notes that designs which require users to first open a detailed view integrated in the consent banner in order to see which default settings are set in case they click the 'accept' button also stand in the way of effective consent.

Furthermore, the guidance notes that it is possible to design cookie banners with multiple layers, i.e. to provide more detailed information only on a second layer of the banner, which users can access via a button or link. However, the guidance clarifies that if the first layer contains a button with which the user can give consent for various purposes, then concrete information on all individual purposes must also be contained on the first layer.

Specifically, the guidance outlines, among other things, the following requirements for the use of cookie banners:

  • when a website or app is opened for the first time, the cookie consent banner must appear as a separate HTML element;
  • the cookie banner must include information on all processing purposes, which are sufficiently explained by naming the actors involved and their function and can be activated via a selection menu;
  • while the cookie banner is displayed, no further scripts of a website or an app that potentially access the end devices of the users or process their personal data are loaded;
  • access to the privacy policy must not be obstructed by the cookie banner; and
  • the option to refuse consent must be equivalent to giving consent, hence, if the first layer of the cookie banner has an 'accept' button, then it must also contain an equivalent 'reject' button as providing just a 'Settings', 'Further information', or 'Details' button is not compliant.

Cookie policy and information requirements

In addition to the information outlined above, the guidance notes that for consent to be informed, any storage and reading activities must be transparent and comprehensible, meaning that users must be informed, among other things, about who is accessing the respective terminal equipment, in what form and for what purpose, what the functional duration of the cookies is, and whether third parties can gain access to them.

Moreover, the guidance notes that telemedia providers who update their data protection information with a view to Section 25 of the TTDSG must also ensure that the processes are clearly differentiated; hence, if processes take place within the scope of the telemedia offer that fall under both the TTDSG and the GDPR, users must be informed of the two legal bases separately.

Finland

The Finnish Transport and Communications Agency ('TRAFICOM') published, on 13 September 2021, revised cookie guidelines[8].

Consent and cookie banner configuration

In particular, the guidelines note that cookie consent must meet the requirements of consent under the GDPR in order to be valid. In addition, the guidelines highlight that giving consent to the use of non-necessary cookies should not be easier than refusing them, for example if the consent mechanism provides at the top level an 'accept or allow all' option to give permission to use all non-essential cookies, then this should be accompanied by a 'continue with non-essentials' or 'refuse non-essentials' option, so that giving and refusing consent is equally easy. Furthermore, the guidelines note that in addition to these choices, the user should also be given options to make more specific choices about the different types of cookies. Moreover, the guidelines state that the consent mechanism should also ensure that it is able to control all non-essential cookies used by the service, including those set by third parties.

Cookie policy and information requirements

In addition, the guidelines outline that at least the following information should be specified:

  • the cookies and similar technologies that are used and their type, such as necessary, functional, personalisation, advertising, social media, and analytics, among others;
  • the purpose of each cookie, for example, what information is collected by the cookie and for what purpose;
  • the validity period of each cookie; and
  • information on whether the data stored through cookies is shared with third parties, who these parties are, and what information is transferred.

In addition, the guidelines note that further information on the up-to-date privacy practices of third parties can also be provided by including a link to a description of the third party's privacy practices in the provider's cookie mechanism or on the website.

Notably, the guidelines state that when personal data is concerned, Article 13 of the GDPR on the content of information is also applicable.

Italy

The Italian data protection authority ('Garante') released, on 10 July 2021, guidelines on cookies[9] which aim to protect users' personal data when browsing online and which entered into force on 9 January 2022.

Consent and cookie banner configuration

The guidelines note that users must always be able to modify their choices in relation to cookies (both negatively and positively) at any moment and through simple, immediate, and intuitive means using a dedicated area that will be accessible via a link that should be placed in the footer of the website. The link will have to indicate the functionality it offers, with wording such as 're-assess your cookie choices' or similar. Moreover, the guidelines recall that, both when the banner is re-proposed to the user and when the latter changes their cookie preferences, the preferences expressed by the user in subsequent accesses will have to overwrite the previous ones.

The guidelines recommend that a cookie banner contains the following:

  • a command, such as an 'X' button at the top right-hand corner of the banner area, to allow the user to close the banner without giving consent to the use of cookies or other profiling techniques;
  • a warning that by clicking on the 'X' button, the default settings are left unchanged, i.e. the user may continue browsing the website without cookies;
  • a minimal information notice that the website uses technical cookies and, if appropriate, profiling cookies and other tracking tools, subject to the user's consent;
  • a link to the extended privacy policy;
  • a command to easily accept all cookies or similar tracking technologies; and
  • a link to a dedicated area of the website where the user will be able to select analytically the functionalities, the third parties, and the cookies, including the possibility of changing, by means of two further commands, the choices previously made.

In addition, the guidelines state that the choices presented to the user must be unticked by default, and the banner should be designed in a way so as to avoid influencing the decisions of the user. Consequently, the guidelines note that the buttons in the banner should be of the same size, emphasis, and colour, which should be equally easy to see and use. Moreover, the guidelines state that the relevant information can be placed on the home page or in the general information of the website, without the need for a cookie banner in case only technical cookies are used.

Cookie policy and information requirements

In particular, the guidelines recommend that website operators adopt a multi-layer cookie policy, where the cookie banner represents the first layer, and the extended cookie policy is included in the second layer. In addition, the guidelines note that the cookie policy does not necessarily have to be multi-layered; instead, a multi-channel approach may also be adopted. A multi-channel cookie policy would utilise, for instance, video channels, informative pop-ups, vocal interactions, virtual assistants, phone calls, and chat boxes.

The guidelines also specify that the extended cookie policy must include the following:

  • information on the means through which data subjects can exercise their rights under the GDPR;
  • information on the potential recipients of the data subjects' personal data;
  • information on the retention periods for information collected through cookies; and
  • information on the criteria through which cookies are categorised semantically. As an alternative, the guidelines specify that controllers will also be able to include this information in the privacy policy.

Luxembourg

The National Commission for Data Protection ('CNPD') published, on 26 October 2021, guidelines on cookies and other trackers[10].

Consent and cookie banner configuration

In particular, the guidelines stipulate that cookies that do not fall under the definition of essential cookies require GDPR-compliant consent, including cookies used for tracking, profiling, targeting, and geolocation purposes, as well as 'social plugins' (for example links to social networks), where such plugins are linked to the use of cookies.

Further to the above, the guidelines provide some practical examples of when the criteria for unambiguous consent are or are not met. For example, checking a box or activating a button by sliding will be acceptable in this regard. On the other hand, situations that will not be sufficient include continued browsing of a website or use of an app, not unchecking a pre-checked box, not exercising a choice after consent is requested, or the fact that the user's terminal equipment is configured to accept cookies. In addition, the guidelines note that for consent to be specific, the user must be able to give or withhold consent separately for different purposes.

For consent to be informed, the guidelines recommend that the information under Articles 12 and 13 of the GDPR is provided at two levels. Hence, there should be a first level of information, which is generally provided via a cookie banner or in a 'pop-up' window and which is generally where the user's choice whether to consent is collected. The CNPD specifies that users should understand from the first level of information that cookies are being used by the website/app, the identity of the person/organisation responsible for the cookies, how to accept/refuse cookies, the possibility to withdraw consent, and the consequences of refusal. The guidelines also note that the first level of information should contain a link to the second level of information.

Cookie policy and information requirements

The guidelines specify that a second level of information, which is a cookie policy, or a section on cookies within a general privacy policy, should provide further explanations about cookies and describe the following:

  • technical information on the cookies used and a detailed description of their purposes;
  • a precise and exhaustive list of those responsible for the cookies;
  • categories of data collected;
  • the recipients who have access to cookies or to the data collected through them;
  • operating time of the cookies used and the retention period of the data collected;
  • any data transfers made of the data collected; and
  • the existence of automated decision making based on the data collected.

The guidelines also note that even when no personal data is processed, it is still good practice to explain to the user what a cookie is and its usage purposes.

Notably, the guidelines provide that information required by Article 13 of the GDPR not specifically related to the use of cookies may be contained in the more general privacy policy, which should be referred to in the cookie policy.

Alexandra From, Privacy Analyst


1. See: https://www.dataguidance.com/legal-research/directive-privacy-and-electronic
2. See: https://www.dataguidance.com/advisories/eprivacy-regulation
3. Available at: https://edpb.europa.eu/system/files/2021-03/edpb_statement_032021_eprivacy_regulation_en_0.pdf
4. See: https://www.datatilsynet.dk/Media/E/7/Quickguide.pdf (only available in Danish)
5. See: https://www.uoou.cz/casto-kladene-otazky-ohledne-souhlasu-s-cookies-udeleneho-prostrednictvim-tzv-cookie-listy/ds-6912/archiv=1&p1=2619 (only available in Czech)
6. See: https://www.uoou.cz/cookies-od-zacatku-roku-2022-pouze-se-souhlasem/d-53646 (only available in Czech)
7. See: http://www.gesetze-im-internet.de/ttdsg/index.html (only available in German)
8. See: https://www.dataguidance.com/news/finland-traficom-publishes-revised-cookie-guidelines (only available in Finnish)
9. Available at: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9677876#english
10. See: https://cnpd.public.lu/content/dam/cnpd/fr/dossiers-thematiques/cookies/CNPD-LD-Cookies.pdf (only available in French)
