Last updated on 21 May 2021 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Recently, we've been seeing more companies being taken to court or investigated by regulators under the EU's cookie consent rules.
The GDPR has been in effect since May 2018, but websites and apps continue to flout the rules around obtaining opt-in consent for cookies.
In this article, we'll look at some high-profile legal action taken against companies who may have violated the GDPR's rules and explain what you can do to avoid being in such a position.
The GDPR provides two main procedures under which organizations may face legal action for violating it, including for violating the EU's cookie rules:
First, we'll look at the less common of these two procedures: private action in court. Here's Article 82 as it appears in the text of the GDPR:
This GDPR provision states that:
Private legal action of this kind isn't common in the EU, but there are large class-action lawsuits proceeding under the GDPR.
The GDPR provides data protection authorities (DPAs) with powers to impose "administrative fines" on any person (or organization) who violates the GDPR.
These administrative fines are set at two levels, each available to DPAs depending on which articles of the GDPR the organization has violated:
If you violate the GDPR's consent rules, you may be liable for the larger of these two types of fines.
Here's the relevant provision of the GDPR, at Article 83 (5):
Article 7, called "Conditions for consent," is included among the provisions that are subject to this higher tier of fine. Article 6, "Lawfulness of processing," is also relevant to cookie consent, as consent is one of the six legal bases for processing under the GDPR.
Let's take a look at some companies that have experienced legal issues over GDPR cookie consent. We're going to focus on the period between late 2020 and early 2021.
Tech companies Oracle and Salesforce are facing class-action lawsuits in the U.K. and the Netherlands. The plaintiffs in these cases are seeking damages of $13 billion and $19.5 billion respectively.
Such an outcome could be devastating, even for large companies like Oracle and Salesforce. These multi-billion dollar amounts sought by the plaintiffs are much higher even than the administrative penalties available to DPAs under the GDPR.
Oracle and Salesforce use third-party cookies to track users around the internet and collect data about what they do online.
The data collected by these cookies contributes to a process called "real-time bidding" (RTB), in which marketing companies participate in an auction for the chance to present their ads to people based on their preferences and characteristics.
The plaintiffs allege that Oracle and Salesforce are deploying cookies on people's devices without consent.
Third-party cookies are not illegal in the EU. But they are controversial, and they must be used with caution.
Cookies are controversial because of how they allow businesses to engage in "profiling," which means building up an overall impression about someone based on many insights into their behavior.
The RTB process has also been found to be unlawful under the GDPR by the U.K.'s Information Commissioner's Office (ICO).
However, the central allegation against Oracle and Salesforce is that they do not obtain GDPR-compliant consent before using these technologies.
The French DPA's cases against Amazon and Google were both about cookie consent and form part of a larger cookie consent crackdown in France.
The French DPA gave two main cookie-related reasons for issuing Amazon's $42 million fine.
Google received a fine of $121 million, split 60/40 between its main company and its Irish subsidiary.
The main reasons for issuing Google's fine were:
If you're based in the US or another non-EU country, do you even have to worry about complying with EU cookie rules?
The GDPR applies to any company based outside of the EU if it:
No, EU law doesn't require consent for all types of cookies.
Briefly: You don't need consent for any cookies that are essential for making your site work, or fulfilling a service requested by the user.
Load-balancing cookies, media-playback cookies, or cookies used to remember shopping cart contents are all fine, so long as they are limited in duration and "strictly necessary."
For other cookies, namely those used for advertising and analytics, you'll need to obtain GDPR-valid consent.
For more information, see our article Cookie Consent: GDPR & EU Cookies Directive.
The GDPR provides its definition of "consent" at Article 4:
Let's break this down. A person's indication that they give their consent must fulfill these key characteristics:
Article 7 provides some further detail, including a sixth characteristic: consent must be "easy to withdraw."
Here's how to implement these principles in your cookie consent request.
The "freely given" element of consent requires that you do not impose any detriment on the user if they refuse to give consent.
This means so-called "cookie walls" are not allowed under the GDPR. A cookie wall is a pop-up or interface that "requests" consent for cookies and refuses to disappear unless the user provides it.
This isn't "freely given" consent under Recital 42 of the GDPR:
There are two main types of cookie walls, which we'll call "cookie consent walls" and "cookie paywalls."
Here's an example of the first type of cookie wall, a "cookie consent wall," from Dutch website Tweakers (note that Tweakers has now removed this cookie wall):
The choice is stark: to view pages on the website, you must click "Yes, I accept cookies."
Here's an example of the second type of cookie wall, a "cookie paywall," from the Washington Post:
The user has two options here: access the Washington Post for free or for $60 per year and accept tracking cookies, or refuse tracking cookies and pay $90 per year.
Cookie paywalls like this are also not conducive to "freely given" consent. However, the draft ePrivacy Regulation would allow them. So this rule may change when that law comes into effect.
"Specific" consent requires that you don't "bundle" multiple consent requests in one question. For example, you might offer your users a genuine choice over which types of non-essential cookies are enabled on your site.
Here's an example from the BBC:
There are a few things to note about this cookie consent solution:
There are two types of notice you need to provide:
When providing notice via your cookie banner, it's important to strike a balance between offering enough information to ensure the user understands what you are asking them to consent to, and not offering so much information that the user feels overwhelmed.
As for your Cookies Policy, this is a much longer notice. We cover it in detail in our article How to Write a Cookies Policy.
You must request consent via a clear, affirmative action on the user's part. You must also ensure there is no ambiguity regarding your users' consent.
Implementing these principles means not assuming you have a user's consent on the basis that they have failed to take action, such as unticking a pre-ticked box.
You also must not assume you have a user's consent because they continue to browse your site.
Instead, provide your users with a straightforward choice and offer equally-weighted options. Avoid subtle design choices that aim to elicit a particular response, known as "dark patterns."
Here's an example from Sendinblue:
Sendinblue's cookie pop-up isn't bad, but it could be better. Notice how the "Accept All Cookies" button is much more prominent and inviting than the "Reject All" button? While this is unlikely to be a problem for Sendinblue, it does introduce an element of ambiguity into the consent request.
Here's a better example from the European Commission:
There's no ambiguity here: the two options are equally weighted and the user has a clear choice.
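The principles above (no consent needed for strictly necessary cookies, opt-in per category so consent is "specific", no consent inferred from silence or continued browsing, and withdrawal as easy as giving consent) can be enforced in the site's own code rather than left to the banner's visual design. The following is an added example, not TermsFeed's code and not any vendor's consent tool: the category names, the storage key and the cookie registry are assumptions made for illustration. It models consent state, blocks non-essential cookies until an explicit opt-in is recorded, and includes a small audit helper that flags cookies present on a page that the current consent state does not permit.

```javascript
// Added example (not TermsFeed's or any vendor's code): a consent model that
// enforces the opt-in principles above. Category names, the storage key and
// the cookie registry are assumptions for illustration.

// Non-essential categories that need opt-in; "essential" is exempt.
const CATEGORIES = ["analytics", "advertising"];

// Hypothetical registry of every cookie the site sets, mapped to a category.
const COOKIE_REGISTRY = {
  session_id: "essential",
  cart: "essential",
  analytics_id: "analytics",
  ad_profile: "advertising",
};

// Default state: no decision, nothing non-essential enabled. Silence,
// scrolling or a pre-ticked box must never move away from this.
function noConsent() {
  return {
    decided: false,
    choices: Object.fromEntries(CATEGORIES.map((c) => [c, false])),
  };
}

class ConsentManager {
  // `storage` is any Map-like with get/set; a browser build would wrap
  // localStorage or a first-party cookie. A Map keeps the example offline.
  constructor(storage = new Map()) {
    this.storage = storage;
    this.key = "cookie_consent_v1"; // assumed storage key
  }

  current() {
    const raw = this.storage.get(this.key);
    return raw ? JSON.parse(raw) : noConsent();
  }

  save(state) {
    this.storage.set(this.key, JSON.stringify(state));
    return state;
  }

  // "Specific" and "unambiguous": an explicit true/false is required for
  // every category; partial or non-boolean input is rejected rather than
  // silently treated as acceptance.
  record(input) {
    const choices = {};
    for (const c of CATEGORIES) {
      if (typeof input[c] !== "boolean") {
        throw new Error(`explicit choice required for category "${c}"`);
      }
      choices[c] = input[c];
    }
    return this.save({ decided: true, choices });
  }

  // Equally weighted paths: accepting and rejecting everything cost the same.
  acceptAll() {
    return this.record(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
  }

  rejectAll() {
    return this.record(Object.fromEntries(CATEGORIES.map((c) => [c, false])));
  }

  // "Easy to withdraw": one call switches off a category, other choices stay.
  withdraw(category) {
    const state = this.current();
    if (!(category in state.choices)) {
      throw new Error(`unknown category "${category}"`);
    }
    state.choices[category] = false;
    return this.save(state);
  }

  // Continued browsing is not consent, so this handler changes nothing.
  onContinueBrowsing() {
    return this.current();
  }

  // Gate to call before any script sets a cookie: essential cookies are always
  // allowed, others need an opt-in for their category, and an unregistered
  // cookie is blocked so the registry gets fixed instead of leaking a tracker.
  mayStore(cookieName) {
    const category = COOKIE_REGISTRY[cookieName];
    if (category === undefined) return false;
    if (category === "essential") return true;
    return this.current().choices[category] === true;
  }
}

// Audit helper: given a raw Cookie header value captured from the site, list
// the cookies present that the current consent state does not permit.
function unauthorizedCookies(cookieHeader, manager) {
  return cookieHeader
    .split(";")
    .map((kv) => kv.trim().split("=")[0])
    .filter((name) => name && !manager.mayStore(name));
}
```

Running `unauthorizedCookies` against the cookies a fresh visitor receives, before any banner interaction, is a quick self-check for the "cookies set on arrival" problem at the centre of the cases described above: any name it returns is a non-essential (or unregistered) cookie being set without consent.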
When requesting consent, ensure your request meets the GDPR's requirements. Consent must be: