Is consent by scrolling valid?
NO
NO
It’s valid only if the scroll-down action is part of a more complex procedure that makes it possible to conclude that a user has deliberately and unambiguously intended to consent to cookies.
“Simple” scrolldown is not sufficient.
NO
NO
NO
NO
NO
NO
NO
The cookie notice must not disappear if the user hasn’t made a choice via an affirmative action.
NO
NO
The FAQs provide that: “active user action (e.g. clicking on the consent button) is required in the case of consent.”
NO
NO
NO
YES
The FADP and the Federal Data Protection and Information Commissioner (FDPIC) do not mention anything against the validity of consent by scrolling, so it is understood that such action would be valid.
NO
Is consent by continuing navigation valid?
NO
Likely no, but not specified
NO
NO
NO
NO
NO
NO
NO
NO
NO
The FAQs provide that “if you “browse” a website without any interaction with the cookie bar, cookies cannot be stored in the user’s browser (except technically). Consent must always be obtained first and only then can cookies be stored.”
NO
NO
NO
YES
NO
Are explicit “accept” AND “reject” buttons required to be on the cookie notice?
YES
The ICO clearly favors an approach that gives users the choice between accepting and rejecting all cookies, alongside controls to customize their choices.
However, it must be noted that the ICO does not explicitly require “reject all” buttons. Therefore, as long as the available choices are all equally conspicuous, an alternative between “accept all” and “customize” seems to be fine, as long as by choosing the latter no consent is implied.
YES
According to the Italian DPA the banner must contain:
an “Accept” command;
an “X” or any equally unambiguous command that users may click on to close the banner and continue navigating without accepting any cookies (“Reject”).
YES
YES
Accept and reject buttons must be equally conspicuous. Alternatively, there must be an equally easy method to refuse all cookies (e.g. by continued navigation) and the user is clearly informed of it.
YES
The AEPD guide (page 20) explicitly refers to the requirements of having “accept” and “reject” buttons as follows:
An easily visible button or equivalent mechanism with the words “Accept cookies”, “Accept”, “Consent” or similar text to consent to the use of all cookies
A button or equivalent mechanism, similar to the previous one (if a button to accept is used, a button to reject must be used), with the words “Reject cookies”, “Reject” or similar texts, to reject the use of cookies (except those that are exempt from the obligation to obtain an informed consent).
YES
They must be equally conspicuous.
YES
The Compliance Recommendation states that: The user should be able, with the same number of actions (“clicks”) and from the same level, either to accept the use of trackers (those for which consent required) to either reject it, or all or every category separately.
YES
YES
If an “accept all” button is provided, an equally prominent “reject all” button must also be available.
Not specified
YES
The FAQs state that: “The design and colour of the [“accept” and “reject”] buttons should be chosen in such a way that the data subject is free to decide whether or not to give consent. For example, the ‘I agree’ button should not be significantly larger or significantly more colourful than the ‘I reject’ button. If the opt-out button is less visible or identifiable, it could be overlooked by the data subject and the consent given would not be considered free. At the same time, the colours of the buttons should be chosen to respect the generally accepted meaning of these colours.”
“In order to give the data subject a free choice, refusing consent must be as simple as giving it, which is achieved by placing the consent and opt-out buttons for non-technical cookies in the same layer of the cookie bar.”
March 2024 Update: See Annual Report 2023. This requirement is re-affirmed as follows: ‘The setting of the cookie bar must be made so that the granting and refusal of consent is equally easy, which, in a situation where consent is expressed by selecting the appropriate option within the cookie bar, requires both of these options to be displayed simultaneously, i.e. at the same level of the cookie bar.’
YES
The Dutch AP specifies that: “Your website visitors should be able to refuse cookies as easily as they accept them. So put the buttons for reject and accept on the same layer. This means that someone does not have to click through to refuse, if they do not have to click through to accept (all).”
NO
But it’s mentioned as common practice.
YES
Not specified
Must accept and reject options be equally conspicuous (equal prominence requirement)?
YES
YES
YES
YES
YES
YES
YES
Not specified
YES
Not specified
YES
See above
Not specified
YES
YES
Not specified
YES
Is the prior blocking of cookies necessary where consent is required?
YES
YES
YES
YES
When consent is required, cookies must be blocked until the user has given their consent.
YES
A website owner that runs several SIMILAR websites may inform users about cookies and collect consent in one go (p. 29) for the use of cookies on several websites that belong to the owner or even to third parties connected to the owner. However, this must only apply to Spanish users.
YES
No cookie except for those strictly necessary for the websites’ functioning (e.g. shopping cart cookie) may be set before the user has consented.
YES
Compliance Recommendation C3 states that: In the absence of any selection event (neither acceptance nor rejection), no unnecessary trackers should be used.
YES
YES
YES
YES
“Non-technical cookies can only be activated after consent has been given. If the data subject has not actively consented to the cookies (i.e. if he/she has either selected the “do not consent” option, or if he/she has closed the bar by clicking on the button provided for this purpose, or if he/she has “done nothing” – i.e. if he/she has not reacted to the cookie bar in any way), it is necessary to leave the non-technical cookies deactivated.”
YES
YES
YES
NO
The FADP does not make reference to the prior blocking of cookies or similar trackers.
January 2024 Update: The Guide to Technical and Organisational Data Protection Measures states that “when cookies are collected on a website, those that are not necessary for consulting the site should be deactivated by default.”
YES
Are full cookie walls admitted?
Unlikely
No definitive statement has been made; however, the ICO guidelines state that cookie walls are “unlikely to be valid”.
NO
Unless the website owner provides an alternative possibility to access the service without accepting consent-requiring cookies (possibly against payment, not specified).
NO
Possibly
In principle, yes, but this remains to be determined on a case-by-case basis – however, users must be clearly informed about the consequences of not accepting cookies.
NO
Cookie walls are only acceptable if the user has an alternative for accessing the service without accepting cookies.
Possibly
Cookie walls are allowed, as long as certain criteria are met:
users must be given a reasonable alternative to the processing of their personal data (e.g., a reasonable monetary fee);
any data processed after a user provides consent (as an alternative to payment) must be a necessary part of the non-monetary alternative, or else separate consent must be obtained;
if the user chooses to make monetary payment, no personal data should be processed other than as necessary to provide the service requested, unless separate consent is provided.
NO
NO
Likely no
NO
These are not allowed in terms of the Information Package; however, they are prevalent on Swedish websites.
NO
The FAQs provide that:
“Recital 32 of the General Regulation implies that if the data subject has to give consent following a request made by electronic means, this request must not interfere with the use of the service.
Paragraph 39 of EDPB Guideline No 05/2020 states that in order for consent to be freely given, access to services and features must not be conditional on the user’s consent to store information or to access information already stored on the user’s end device (cookie walls).”
NO
But it seems like cookie-less use of a service could be offered at a cost (see FAQ).
NO
YES
In the DSB’s latest FAQs (December 2023), the DSB draws a distinction between “cookie walls” and “pay walls”. The DSB states that the “pay or ok” system is fundamentally acceptable if certain criteria are met.
Not specified
NO
Must cookies be listed one by one?
NO
The ICO states that simply listing numerous cookies could be confusing to the user and best practice would be to give a description of the cookies. According to the PECR, the clarity and comprehensiveness of cookies is key (see Section 6 (2)).
Not specified
Seems unlikely.
NO
NO
NO
A per-purpose listing is valid and sufficient.
NO
Not clear
There have been contradictory statements issued. A recent press release states that the purpose of “each single tracker” must be specified (point 3), while the very next point (4) states that information about lifetime, controller and recipients of each tracker or category of trackers of the same purpose must be disclosed.
Not clear
There have been contradictory statements issued. The DPA states expressly that “the GDPR does not require per-cookie consent”, however, it also states that, while on a first level consent must only be collected on a per-purpose basis, on the second level users must be given the option to allow cookies granularly (on a per-cookie basis).
Likely no
The guidance states “Controllers must ensure that consent is obtained for each purpose for which cookies are set. This does not mean that consent needs to be obtained individually for each cookie, but merely for the purpose for which it is being used.”
YES
The user must be informed of each and every type of cookie (except for necessary cookies) prior to giving consent; therefore, it stands to reason that the cookies must be individually listed.
YES
The FAQs provide: “A list of individual cookies, including their purpose, is certainly advisable in the context of the principles and obligations under the GDPR. The placement of this information should be considered in the light of the number of cookies, so that the information provided is both clear and easily accessible. The information may therefore be directly in the structured cookie bar, e.g. by clicking on ‘more information’, or there may be a link to a document containing information about cookies.”
March 2024 Update:
See Annual Report 2023. The UOOU indicates that users must be given information about all cookies, i.e. both first-party and third-party cookies and not just the first-party ones. With regard to consent, the UOOU found instances where the ‘consent did not contain any information about the uploading of third-party cookies after its granting, but only contained information about the controller’s cookies (i.e., first-party cookies). This consent had to be assessed as uninformed and was found to be in breach of Article 6(1) of the [GDPR], as the controller had no other basis for such processing of personal data.’
In addition, the UOOU states: ‘If information on the purpose of processing is not provided individually for each cookie, but sufficient information is provided for several specifically listed cookies at the same time (typically the division of cookies into statistical or analytical cookies) [then this is sufficient]. In this situation, however, the information must be specific enough to be applicable to each cookie and it is always necessary to insist that the controller provide a list of all cookies that are uploaded to the end-user devices.’
YES
January 2024 Update: The Dutch AP specifies: “Give your website visitor information necessary to make an informed choice. This includes stating why you use cookies for each purpose before someone makes a choice.”
Likely no
Likely no
The Austrian DSB Standard indicates that the lack of the “granularity of consent principle” in the cookie banner would lead to an invalid consent; it would therefore stand to reason that cookies would need to be listed so that users have a clearer idea of what they are consenting to.
Not specified
Must purposes be listed in the first layer of the cookie notice?
Not mentioned, but unlikely.
Best practice
YES
YES
YES
YES
Ultimately, it appears that the Authority requires not only that the purposes be listed, but also that users be allowed to give their consent to each of such purposes already in the first layer.
YES
Yes, they can (although this is not an explicit requirement); see www.dpa.gr
YES
In a recent decision, the DPA explicitly states that:
the following information must be made available to users before giving consent (which may imply that it must be provided in the first layer):
identity of controller(s)
purposes
how to accept/reject trackers
consequences of accepting or rejecting trackers
the existence of a right to withdraw consent.
Not specified
Not specified
Since Swedish law does not explicitly state that a banner is required, it therefore does not specify the elements of the first layer either. What is clear is that the user is to be clearly informed beforehand about the collection and processing of cookies.
They can be listed on the first or second layer since the FAQs make reference to the purposes being visible after the ‘more information’ button is engaged with:
‘A list of individual cookies, including their purpose, can certainly be recommended in the context of the principles and obligations arising from the general regulation. The location of this information needs to be considered with regard to the number of cookies, so that the information provided is clear and at the same time easily accessible. The information can therefore be directly in the structured cookie bar, e.g. after clicking “more information” or there can be a link to a document containing information about cookies.’
YES
January 2024 Update: The Dutch AP specifies that on the first layer: “It must be clear who processes the personal data and for what purpose(s).” It further states that all information must be provided in a clear manner.
YES
YES
The FAQs issued in December 2023 by the DSB indicate that “a precise description of the processing purposes” must be included.
Not specified
Not specified
Must consent be granular on a per-purpose basis?
Per-service but not necessarily per-purpose
It must cover all of the purposes of processing. This can be done through global or specific consent.
ICO states that:
“Long tables or detailed lists of all the cookies operating on the site may be the type of information that your users will want to consider. Some sites might use tens or even hundreds of cookies and therefore it may also be helpful to provide a broader explanation of the way cookies operate and the categories of cookies in use. For example, a description of the types of things you use analytics cookies for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.”
YES
It must be granular, but the criteria of granularity are left to the provider of the service for implementation. In terms of grouping criteria the Garante refers to “functionality”, “third-parties” and “cookie category”.
YES
There are two aspects to this requirement:
You must clearly separate cookies requiring consent from those that do not (Don’t collect consent for cookies that do not need it).
Consent must be granular. However, it’s not clear how granular. The DPAs have simply mentioned that “it must be possible to select single processing activities singularly”.
However, so far there has been no practical implementation of a cookie-by-cookie selection, or any literature or case-law on the matter. As an extreme level of granularity may actually confuse and reduce transparency for users, it seems likely that per-purpose grouping would be sufficient in this case.
YES
Consent to cross-website/app trackers should be renewed on every single affected website/app.
YES
The AEPD guide (page 22) refers to the degree of granularity when displaying the cookie selection and states that:
“Cookies should be grouped at least by purpose, so that the user can accept cookies for one or more purposes and not for one or more others (for example, the user could choose to accept analytical cookies and not behavioral advertising cookies).”
“Within each purpose, and at the choice of the website publisher, cookies could also be grouped according to the third party responsible for them (for example, the user could choose to accept analytical cookies from a certain third party and not those from another).”
“In relation to third-party cookies, it is sufficient to identify them by their name or by the brand with which they are identified to the public, without including the full corporate name.”
“The maximum degree of granularity (cookie to cookie selection, even within the same purpose) should be avoided, as too much information makes decision making difficult.”
YES
Users must have the option of accepting cookies purpose-by-purpose (actually, the guide says “categories of purposes”). A cookie-by-cookie approach is explicitly declared as not required.
YES
The Compliance Recommendations also provide that:
B2. It is legitimate to provide the information through several levels, as long as it is ensured that the user’s consent is requested after the user has been specifically informed, at least for the tracker classes used.
B3. Through the notification message (whether it is a pop-up window or otherwise) specific information about the purpose of each tracker must be provided to the user, and not general information on the use of trackers.
YES
On the first level a per-purpose approach is sufficient and reasonable. On the second level, a cookie-per-cookie approach is mentioned as viable. But it’s neither expressly recommended, nor purported as mandatory.
YES
YES
The Swedish Electronic Communications Act states that the provider of a publicly available electronic communication service must, prior to obtaining consent, inform the person to whom the data relates of the type of traffic data that is processed. The Information Package states that the information provided to the user must describe each of the purposes for cookie collection (e.g. statistics, marketing, technical), that the user’s consent must be specific for each purpose, and that the user must consent to each specific use. Together, this implies that granular consent is required.
It should be
The FAQs provide as follows: “Giving consent should not be confusing or annoying for the user, i.e. while the user can agree or disagree with each individual cookie, or individual purpose or controller, he/she should also have the simple possibility to refuse all at once.”
Not specified (but implied)
“You must properly inform your website visitors, including about how you use cookies and for what purposes. You need separate permission for each purpose.”
Not specified (but implied)
YES
The latest decision (March 2023) issued by the Austrian Data Protection Authority (“DSB”) highlights that the lack of the “granularity of consent principle” in the cookie banner would lead to an invalid consent. The DSB further added that “blanket consents” in a “pay or okay” system could lead “to a serious encroachment on the fundamental right to data protection.” The above would imply that consent must be granular.
Not specified
YES
Is a GDPR-aligned proof of consent required?
YES
YES
YES
YES
As per no. 29 of CNIL’s 2020 guidelines, proof of consent is required in accordance with the GDPR requirements. The consent-collecting entity must also be able to hand over proof of consent to the other third parties that have relied on that consent in order to process the user’s data.
Not specified (but implied)
YES
YES
YES
YES
YES
Proof of consent is addressed in the FAQs in the context of giving consent via browser settings which is deemed as not being effective since: “the data controller must be able to prove that the user has given consent to the processing (for each individual purpose).”
No further detailed requirements are stated.
YES
YES
YES
NO
Likely yes
Not explicitly stated.
Should withdrawing consent be as simple as giving it?
YES
According to the ICO “It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.”
YES
Ideally through a link in the website’s footer.
The Garante also suggests to provide an icon always visible during navigation that summarises the user’s choices.
YES
YES
Users must be clearly informed about how they can withdraw consent before granting it. A link/icon or any other static element allowing users to withdraw consent at a later stage should always be clearly visible and accessible on the website/app.
YES
The AEPD states (page 19) that it is “advisable that the information on how to manage cookies (including how to revoke consent and delete cookies) is accessible and permanently available at all times through the website, application or online service in question.” This requirement also applies to the cookie policy through a Cookie Management System.
YES
YES
Compliance Recommendation C5 states that: The user must be able to withdraw their consent in the same manner and with the same ease with which he declared it.
YES
YES
YES
YES
The FAQs provide that:
“Consent to the processing of personal data may be withdrawn at any time by the data subject, and withdrawal of consent must be as easy as giving it. If consent is given via a cookie bar, it cannot be accepted that withdrawal of consent can only be done e.g. by telephone. Ideally, therefore, the website should have an easily accessible button or link to withdraw consent.”
March 2024 Update: See Annual Report 2023. The UOOU states that: The possibility to withdraw consent, is an integral part of the conditions for granting consent, and as Article 7(3) GDPR states, “Withdrawing consent shall be as easy as giving it.” An example of best practice in this context is the possibility to call up [the preferences] via a link in the footer of the website.
YES
The Dutch AP specifies that “Your website visitors should be able to withdraw their consent just as easily.”
YES
YES
The FAQs issued by the DSB in December 2023 indicate that “Possibility of revocation: The cookie banner must clearly and precisely describe where and how consent can be revoked. Revocation must be as simple as giving consent”.
Not specified
YES
Is the use of a consent banner recommended?
YES
YES
YES
Most common practice for collecting consent for cookies that require it. Cookies that do not require consent must not be listed on the banner.
Not specifically
A banner is not explicitly mentioned as “required”. However, a static, clearly visible icon or link to the full cookie information is “recommended”.
YES
It’s mentioned as one of the ways to collect consent.
Not specifically
It’s mentioned as a standard solution, but not explicitly recommended.
YES
Not specified
The guidance simply states that your cookie notice “may not disappear as long as the user hasn’t made an active choice.”
Not specifically
But mentioned as the most common solution.
Not specifically
A banner is not explicitly mentioned, but Swedish law does indicate that the user is to be informed before the placing of cookies on their device.
YES
If non-technical cookies are used
As per the latest FAQs issued by the Czech Data Protection Authority (March 2023), the UOOU recommends the use of a “cookie bar”.
If however only technical cookies are used, then a cookie bar is not required: “but it is still necessary to comply with the information obligation towards data subjects (by placing a link with a document containing the prescribed information in a visible place on the website).”
YES
Best practice
Best practice
The FAQs issued by the DSB in December 2023 indicate that if no “technically unnecessary” cookies are used on the website, no consent and therefore no cookie banner is necessary. This implies that when technically necessary cookies are used, then a cookie banner is required to obtain the users’ consent or otherwise to such cookies.
NO
January 2024 Update: The Guide to Technical and Organisational Data Protection Measures (ToM) makes reference to “means of pre-settings” being used so that by default, the data controller ensures that “only the amount of data strictly necessary for the purpose of processing is collected and used.”
Are strictly necessary cookies exempt from the consent requirement?
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
Example of consent-exempted cookies:
shopping cart cookies
session cookies that are essential to comply with data protection security requirements (e.g. online banking services);
load-balancing cookies
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
According to CNIL’s updated guidelines (Sept. 2020) some examples of strictly necessary cookies are:
trackers to remember user choices re trackers (e.g. consent cookie),
trackers used to identify users when logging in (e.g. to avoid bots logging in),
shopping cart trackers or user-preference trackers (language, currency etc.)
load balancing trackers
trackers allowing for a differentiated treatment of paying and non-paying users (“payment walls”)
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
Example of consent-exempted cookies:
technical cookies;
preference and customisation cookies.
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
YES
The Compliance Recommendations further provide under A2 that:
Trackers exempt from the obligation to obtain consent are those which are considered technically necessary to connect to the website or to provide the internet service requested by the user himself.
Indicative categories of trackers (cookies and related technologies) that fall under the above exception are those which are necessary:
to identify and/or maintain content entered by the subscriber or user during a connection (session) to a website throughout of the specific link, such as “shopping cart”;
to connect the subscriber or user to services that require authentication;
for the safety of the user;
for carrying out the load balancing technique in one link to an internet site
to preserve the user’s choices regarding its presentation website, e.g. language selection, save search history
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
Example of consent-exempted cookies:
cookies used for a limited period of time (usually a session) to “remember” user input (e.g. shopping cart cookies)
authentication and login cookies (session cookies)
security
load balancing
preferences (e.g. language, search results display)
Nevertheless, the users must be informed about such cookies.
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
Example of consent-exempted cookies:
cookies whose sole purpose is for carrying out the transmission of a communication over a network
authentication and login cookies (session cookies)
load balancing
shopping cart
language or country preferences
YES
Strictly necessary cookies may be placed without users’ consent.
It is only technical cookies that can be placed without the users’ consent.
The FAQs provide: “Technical cookies may only be processed without consent for purposes necessary for the actual operation of the website. These stated conditions also apply to other forms of data storage on the technical devices of site visitors (technologies similar to cookies such as local storage objects, locally shared objects, etc.), including digital browser fingerprints (so-called fingerprinting).”
The FAQ also makes reference to the Czech Electronic Communications Act (“ECA”) on this point (please note that the ECA was not reviewed prior to answering these questions): “The Electronic Communications Act provides that the use of cookies and similar technologies requires the prior verifiable consent of website users. The only exception is so-called technical cookies. The consent obtained therefore allows the use of non-technical cookies, but does not address the processing of personal data that occurs via cookies. The consent only allows the administrator to store cookies on the end user’s device. The processing of personal data by means of cookies is subject to the legal basis of the General Regulation.” (GDPR)
March 2024 Update: See Annual Report 2023. The above is reaffirmed by the UOOU which states that ‘operators of internet platforms [are] to obtain explicit consent from visitors to use cookies for the processing of personal data on the basis of the so-called opt-in principle. The only exceptions are so-called technical cookies, which are necessary for the proper functioning of web applications.’
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
YES
Cookies and trackers strictly necessary:
to carry out or facilitate the transmission of a communication over an electronic communications network
to deliver a service explicitly requested by the user
do not require the user’s consent.
YES
Only those technically strictly necessary for providing the service requested by the user, like session management, entries in an online form via several subpages of a website, information about the consent status (unless a unique online identifier is assigned for this).
YES
January 2024 Update: The Guide to Technical and Organisational Data Protection Measures states that “The data controller must take steps as soon as the data are collected to ensure that, by default, in particular by means of pre-settings, only the amount of data strictly necessary for the purpose of processing is collected and used. For example, when cookies are collected on a website, those that are not necessary for consulting the site should be deactivated by default; Users who accept the use of additional cookies must also actively consent to their use.”
The above implies that only strictly necessary cookies can be placed without consent.
YES
Can GDPR legal bases other than consent (e.g. legitimate interest) apply?
NO
According to the ICO, except for cookies falling under the “strictly necessary” exemption, consent seems to be the only viable solution. For more information, see: the official ICO’s statement
NO
The Garante explicitly states that other legal bases pursuant to art. 6 GDPR are not applicable.
YES
A legitimate interest is an acceptable legal basis for processing activities that are strictly necessary to operate the website/app and provide the service. Examples: shopping-cart cookies.
NO
Except for strictly necessary cookies, consent is mentioned as legal basis for other cookies. No mention about other legal bases.
NO
Except for strictly necessary cookies, consent is mentioned as legal basis for other cookies. No mention about other legal bases.
YES
In any case, consent is usually the safest option.
NO
Except for strictly necessary cookies, consent is mentioned as legal basis for other cookies. No mention about other legal bases.
NO
Except for strictly necessary cookies, all others may only be placed based on consent.
NO
Except for strictly necessary cookies, consent is mentioned as legal basis for other cookies. No mention about other legal bases.
NO
Except for strictly necessary cookies, consent is mentioned as legal basis for other cookies.
Technically
YES
The FAQs provide that: “Any processing of personal data (and therefore also through cookies) must be based on one of [the 6 GDPR] legal bases. Processing through cookies is not necessarily based on the legal basis of consent.”
The FAQs further provide that: “A website operator using cookies must therefore establish a legal basis for the subsequent processing of data, which in the case of cookies may be the data subject’s consent, a legitimate interest or processing necessary for the performance of a contract. An example of a legitimate interest is the processing of personal data for the purposes of first-party analytics (via cookies on the website in question).”
Please note that this seems to apply specifically to the subsequent processing of personal data via cookies and not to the placing of cookies; the FAQs therefore distinguish ePrivacy requirements from GDPR requirements.
March 2024 Update: See Annual Report 2023. It would seem that only ‘technical cookies which are necessary for the proper function of web applications’ can be placed without consent.
NO
Except for strictly necessary cookies, consent is mentioned as the only legal basis for other cookies: “The only possible basis for the use of tracking cookies is the unambiguous consent of the website visitor (Article 6.1(a) of the GTC).” (FAQ)
NO
Not expressly mentioned, but it is safe to say NO.
NO
Except for strictly necessary cookies, consent is mentioned as legal basis for other cookies. No mention about other legal bases.
YES
January 2024 Update: The Guide to Technical and Organisational Data Protection Measures states that “Users who accept the use of additional cookies must also actively consent to their use.”
Best practice suggested by FDPIC is to use consent for any cookies that are not strictly necessary as per ToM.
Do third parties have to be listed and identified?
YES
ICO guidelines state “if you use any third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information”.
YES
YES
Depends on the legal basis for processing. If the basis is consent, then the third-parties should be mentioned in order for the consent to be considered “informed”. In other cases, it is still the best and most common practice to identify the third-parties.
YES
You need to mention all the third parties that place cookies subject to consent. Also, you have to provide a link to their respective privacy notices and company data.
YES
Third-parties must be identified by their commonly known brand, however, identifying the specific legal entity is not required.
YES
YES
This appears to be required whether or not the third-parties are joint data controllers or processors. The use of third-party trackers, such as the Google Analytics service for statistical analysis purposes (web analytics), can only be done with the consent of the website’s user.
Not specified
The Authority’s FAQ does not include naming third parties in their list of minimum requirements for cookie policies.
Not completely clear
The guidance states that you’re required to provide links to each third party’s privacy policy while simultaneously stating that you must “provide the information required under the GDPR” – which does not necessarily include listing all third-parties. However, it seems likely.
YES
The Swedish Post and Telecom Authority provides that if the information is shared with any other party (third party), the user must be informed of this before consent is given.
Not specified
YES
Not individually, category-wise is sufficient.
YES
As long as cookies involve the processing of personal data, YES.
Not specified
YES
In terms of article 19(2)(c) FADP.
Is it specified how long the consent to a cookie should last?
NO
However, it must be justifiable for the stated purpose of the cookie. You must also inform users of the duration of the cookies you use.
YES
Users may be prompted to provide consent again only if:
consent conditions have changed (e.g. new third-party services have been added or old ones have been taken out); or
the website owner has no technical means to keep track of previous consent (e.g. the user has deleted the consent cookie placed on his device); or
at least 6 months have passed since the last consent.
YES
YES
Users’ choices (both accept and reject) must be stored for a reasonable period of time (i.e. 6 months) in order to avoid setting users under pressure by prompting them to give consent again and again.
The same goes for the refusal of consent: the controller can prompt users to consent again only after 6 months.
Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months.
Specified good practice
Via reference to the WP29, the recommendation is to re-ask for consent no later than 24 months after it has been collected.
NO
The guidelines suggest that technically consent “doesn’t expire”. However, do note that these guidelines are meant for any consent-based processing – they’re not specifically tailored for cookies or trackers.
YES
Compliance Recommendation B4 states that: For each tracker or category of trackers for the same purpose, the duration of operation, the identity of the controller, the recipients or the categories of r
Furthermore, C8 states that: Regardless of acceptance or rejection of the trackers, the reappearance of the pop-up window to prompt the user again, shall occur after some time. That is, the duration of “observance” of the user’s choice is the same whether the user rejects or accepts the trackers.
NO
Currently what’s stated is that cookies may not be stored for longer than necessary to achieve the stated purpose.
YES
The Authority states that as best practice, consent should never be valid for more than 6 months – after 6 months users must be asked for consent again.
YES
This is very specific depending on the type of cookie. See Chapter 9 Section 19 of the Electronic Communications Act.
YES
The FAQs are very explicit about this: “Visitors to the website must also be informed about the duration of this processing of personal data. The duration of the processing of personal data must be set with regard to the principle of storage limitation (i.e. cookies must not be set for longer than is necessary for the purpose of processing).”
“In general, 12 months may be considered a reasonable period for which consent to the use of cookies has been given. If the user has refused consent, consent should not be required again for at least 6 months from the last time the cookie bar was viewed. This period may be shorter if:
one or more of the processing circumstances have changed significantly,
the operator is unable to keep track of the previous consent/dis-consent (e.g. the user has deleted cookies stored on his/her device).”
NO
However, as a general rule, cookies that have a lifetime of more than 6 months are considered to be excessive in terms of data retention, which in turn suggests that consent should also be limited to 6 months.
YES
12 months is the suggested duration. This notably also applies to the “reject” choice. Users may only be prompted to express their choice again before the 12 months have passed if:
there has been a major change in the way personal data is processed
the user accesses the service through a different device
the user has deleted the cookie-preferences cookie
Not specified
Not specified
The FADP, under Articles 12(e) and 25(d), makes reference to the retention period of personal data; however, it does not specify the duration.
The authority does not express itself on the duration of consent either.
No duration explicitly stated
The EDPB states “In principle, it can be sufficient to ask for a data subject’s consent once. However, controllers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged.”
Are pre-ticked boxes allowed?
NO
NO
NO
Not for cookies requiring consent.
NO
Also toggle buttons (if used) must always be de-activated by default.
NO
NO
NO
NO
NO
NO
The Information Package is very clear on what consent should not look like, and pre-ticked boxes are not tantamount to consent.
NO
The FAQs provide that:
“Pre-checked boxes cannot be considered as consent in accordance with the General Regulation, which follows from recital 32. The Court of Justice of the EU came to the same conclusion in its decision in Planet49 GmbH (C 673/17).”
NO
NO
NO
The FAQs issued by the DSB in December 2023 indicate that “Privacy by default: The data subject must proactively decide on consent. Presets or pre-ticked boxes in the cookie banner are not permitted”.
YES
The FADP and FDPIC do not mention anything against pre-ticked boxes being allowed so it is understood that pre-ticked boxes would be allowed.
NO