European data privacy law distinguishes between session cookies that, for example, allow a website to function properly, and analytics cookies that are unnecessary for the functioning of the website. With respect to analytics cookies, recent guidance from the United Kingdom’s Information Commissioner’s Office1 indicates that consent is required prior to the deployment of analytics cookies by a website. Specifically, the guidance states “[c]onsent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not.”
While GDPR only applies to the placement and utilization of certain cookies, the question of whether a particular consent is valid under the ePrivacy Directive or GDPR functionally converges (in this instance) on the requirements set out in Article 7 of GDPR. This means that the data subject must perform a “clear affirmative act” to evidence their consent.2 For example, checking an unchecked box would constitute a clear affirmative act.3 By contrast, it is not permissible to use pre-checked boxes4 or simply inform users that the deployment of the cookies is a condition of utilizing the website.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. See https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019).
2. GDPR, Recital 32.
3. GDPR, Recital 32.
4. See https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (published 3 July 2019) (“There are challenges with using these techniques. If users do not click on any of the options available and go straight through to another part of your site, and you go ahead and set non-essential cookies on their devices, this would not be valid consent. This is because users who fail to engage with the consent box cannot be said to consent to the setting of these cookies.”).