How to Avoid GDPR Legal Issues Over Cookie Consent

Recently, we've been seeing more companies being taken to court or investigated by regulators under the EU's cookie consent rules.

The GDPR has been in effect since May 2018, but websites and apps continue to flout the rules around obtaining opt-in consent for cookies.

In this article, we'll look at some high-profile legal action taken against companies who may have violated the GDPR's rules and explain what you can do to avoid being in such a position.


The GDPR provides two main procedures under which organizations may face legal action, including for violating the EU's cookie rules:

Private Action Under the GDPR

First, we'll look at the less common of these two procedures: private action in court. Here's Article 82 as it appears in the text of the GDPR:

EUR-Lex GDPR Article 82

This GDPR provision states that:

  • Any data subject (individual) who has suffered "material or non-material damage" as a result of a person (or organization) infringing the GDPR may seek "compensation" (damages) from that person.
  • A controller or, under certain conditions, a processor may be liable for damages.
  • The data subject must be compensated "for the entire damage" caused by the GDPR violation.
  • Legal action must take place before a national court in the EU country where the defendant is established. If the defendant isn't established in the EU, the case can take place in the data subject's country of residence.

Private legal action of this kind isn't common in the EU, but there are large class-action lawsuits proceeding under the GDPR.

Administrative Fines Under the GDPR

The GDPR provides data protection authorities (DPAs) with powers to impose "administrative fines" on any person (or organization) who violates the GDPR.

These administrative fines are set at two levels, each available to DPAs depending on which articles of the GDPR the organization has violated:

  • Up to 2% of global annual turnover or €10 million
  • Up to 4% of global annual turnover or €20 million

If you violate the GDPR's consent rules, you may be liable for the larger of these two types of fines.

Here's the relevant provision of the GDPR, at Article 83 (5):

EUR-Lex GDPR Article 83 Section 5

Article 7, called "Conditions for consent," is included among the provisions that are amenable to this type of fine. Article 6, "Lawfulness of processing," is also relevant to cookie consent, as consent is one of the six legal bases for processing under the GDPR.

Examples of Lawsuits and Fines

Let's take a look at some companies that have experienced legal issues over GDPR cookie consent. We're going to focus on the period between late 2020 and early 2021.

Oracle and Salesforce: $32.5 Billion Lawsuits

Tech companies Oracle and Salesforce are facing class-action lawsuits in the U.K. and the Netherlands. The plaintiffs in these cases are seeking damages of $13 billion and $19.5 billion respectively.

Such an outcome could be devastating, even for large companies like Oracle and Salesforce. These multi-billion dollar amounts sought by the plaintiffs are much higher even than the administrative penalties available to DPAs under the GDPR.

What is being alleged about Oracle and Salesforce?

Oracle and Salesforce use third-party cookies to track users around the internet and collect data about what they do online.

The data collected by these cookies contributes to a process called "real-time bidding" (RTB), in which marketing companies participate in an auction for the chance to present their ads to people based on their preferences and characteristics.

The plaintiffs allege that Oracle and Salesforce are deploying cookies on people's devices without consent.

Are third-party cookies illegal in the EU?

Third-party cookies are not illegal in the EU. But they are controversial, and they must be used with caution.

Cookies are controversial because of how they allow businesses to engage in "profiling," which means building up an overall impression about someone based on many insights into their behavior.

The RTB process has also been found to be unlawful under the GDPR by the U.K.'s Information Commissioner's Office (ICO).

However, the central allegation against Oracle and Salesforce is that they do not obtain GDPR-compliant consent before using these technologies.

Amazon and Google: $163 Million Administrative Fines

Last December, the French DPA issued large administrative fines against tech giants Amazon and Google.

The cases were both about cookie consent and form part of a larger cookie consent crackdown in France.

What did the French DPA say Amazon was doing wrong?

The French DPA gave two main cookie-related reasons for issuing Amazon's $42 million fine.

  • When a person visited Amazon's French website, "cookies were automatically placed on his or her computer, without any action required on his or her part"
  • Amazon provided information about cookies that was "neither clear nor complete"

What about Google?

Google received a fine of $121 million, split 60/40 between its main company and its Irish subsidiary.

The main reasons for issuing Google's fine were:

  • When a user visited Google's French website, they were presented with a cookie banner reading "Privacy reminder from Google" and presenting two options: "Access now" and "Remind me later."
  • If the user clicked "Remind me later" or did nothing, Google placed cookies on the user's device.
  • If the user clicked "Access now" and attempted to opt out of cookies, Google still placed certain non-essential cookies on the user's device.
  • Google failed to provide adequate information about the types of cookies it placed on users' devices.

How to Get GDPR-Compliant Cookie Consent

So, if you're a business wishing to use cookies on its website or app, how can you avoid legal issues like these? Let's take a look at what EU law requires.


If you're based in the US or another non-EU country, do you even have to worry about complying with EU cookie rules?

Almost certainly, yes, as long as your website uses cookies for targeted advertising and is accessible in the EU, or other countries where the GDPR applies (the U.K., Norway, Iceland, and Liechtenstein).

The GDPR applies to any company based outside of the EU if it:

  1. Is established in the EU (has some physical presence in an EU country), or
  2. Offers goods or services in the EU (whether paid or for free), or
  3. Monitors EU data subjects' behavior

Point 3 is relevant to using cookies. Using cookies, you can track a person's activity across the web and build up a profile of their preferences and characteristics. This use of cookies qualifies as monitoring people's behavior, and it can bring your activities under the ambit of the GDPR.

No, EU law doesn't require consent for all types of cookies.

Briefly: You don't need consent for any cookies that are essential for making your site work, or fulfilling a service requested by the user.

Load-balancing cookies, media-playback cookies, or cookies used to remember shopping cart contents are all fine, so long as they are limited in duration and "strictly necessary."

For other cookies, namely those used for advertising and analytics, you'll need to obtain GDPR-valid consent.

For more information, see our article Cookie Consent: GDPR & EU Cookies Directive.

The GDPR provides its definition of "consent" at Article 4:

EUR-Lex GDPR: Article 4 - Definition of consent

Let's break this down. A person's indication that they give their consent must fulfill these key characteristics:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given via a clear, affirmative action

Article 7 provides some further detail, including a sixth characteristic: consent must be "easy to withdraw."

Here's how to implement these principles in your cookie consent request.

Offer users a genuine, free choice

The "freely given" element of consent requires that you do not impose any detriment on the user if they refuse to give consent.

This means so-called "cookie walls" are not allowed under the GDPR. A cookie wall is a pop-up or interface that "requests" consent for cookies and refuses to disappear unless the user provides it.

This isn't "freely given" consent under Recital 42 of the GDPR:

EUR-Lex GDPR Recital 42

There are two main types of cookie walls, which we'll call "cookie consent walls" and "cookie paywalls."

Here's an example of the first type of cookie wall, a "cookie consent wall," from Dutch website Tweakers (note that Tweakers has now removed this cookie wall):

Tweakers cookie wall

The choice is stark: to view pages on the website, you must click "Yes, I accept cookies."

Here's an example of the second type of cookie wall, a "cookie paywall," from the Washington Post:

The Washington Post Cookie Paywall with Free and Premium options highlighted

The user has two options here: access the Washington Post for free or for $60 per year and accept tracking cookies, or refuse tracking cookies and pay $90 per year.

Cookie paywalls like this are also not conducive to "freely given" consent. However, the draft ePrivacy Regulation would allow them. So this rule may change when that law comes into effect.

"Specific" consent requires that you don't "bundle" multiple consent requests in one question. For example, you might offer your users a genuine choice over which types of non-essential cookies are enabled on your site.

Here's an example from the BBC:

BBC Cookie Consent preferences page

There are a few things to note about this cookie consent solution:

  • "Strictly necessary" cookies are always on.
  • Neither "functional" nor "performance" cookies are turned on by default. The user may opt into each of these types of cookies.
  • "Functional cookies" can be turned on, while "performance cookies" remain off, and vice-versa. This achieves the "specific" element of GDPR consent.

Provide up-front information about your cookies

GDPR consent must be "informed." You must provide users with information about how you use cookies.

There are two types of notice you need to provide:

  • A "just in time" notice via your cookie banner. This provides basic information about your use of cookies before you request the user's consent.
  • A Cookies Policy or "cookies" section in your Privacy Policy. This provides comprehensive information about your use of cookies.

When providing notice via your cookie banner, it's important to strike a balance between offering enough information to ensure the user understands what you are asking them to consent to, and not offering so much information that the user feels overwhelmed.

You can provide a brief description of why you use cookies and what types of cookies you use, then ask the user whether or not they consent.

As for your Cookies Policy, this is a much longer notice. We cover it in detail in our article How to Write a Cookies Policy.

You must request consent via a clear, affirmative action on the user's part. You must also ensure there is no ambiguity regarding your users' consent.

Implementing these principles means not assuming you have a user's consent on the basis that they have failed to take action, such as unticking a pre-ticked box.

You also must not assume you have a user's consent because they continue to browse your site.

Instead, provide your users with a straightforward choice and offer equally-weighted options. Avoid subtle design choices that aim to elicit a particular response, known as "dark patterns."

Here's an example from Sendinblue:

Sendinblue Cookie Consent notice

Sendinblue's cookie pop-up isn't bad, but it could be better. Notice how the "Accept All Cookies" button is much more prominent and inviting than the "Reject All" button? While this is unlikely to be a problem for Sendinblue, it does introduce an element of ambiguity into the consent request.

Here's a better example from the European Commission:

European Commission Cookie Consent notice

There's no ambiguity here: the two choices are totally equally-weighted and the user has a clear choice.

Summary

  • The GDPR is enforced by administrative fines and private lawsuits.
  • The number of administrative fines and private lawsuits proceeding under the GDPR is increasing.
  • Several recent high-profile fines and cases have been brought against companies using tracking cookies without valid GDPR consent.
  • To avoid legal issues like these, you must ensure your website or app obeys the EU's rules around cookies.
  • Always get consent for cookies that are not necessary to make your site work or to provide a service requested by the user.
  • When requesting consent, ensure your request meets the GDPR's requirements. Consent must be:

    • Freely given
    • Specific
    • Informed
    • Unambiguous
    • Given via a clear, affirmative action
    • Easy to withdraw
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.