The latest guidelines of CNIL on cookies and the draft of the ePrivacy Regulation amplified even further the current inconsistency around cookie rules, requiring a new approach to ensure their privacy compliance.
The goal of harmonizing privacy rules across the EU has never, in the last decade, been further from being achieved. Despite the recent EDPB guidelines on consent, which aligned their position on cookies with the Planet49 decision of the European Court of Justice, there are still different rules on the modalities to grant or deny consent, on cookie walls, and on the categories of cookies exempted from consent.
The latest CNIL guidelines on cookies and their implications
- The refusal of cookies and trackers must be “as easy” as their acceptance, rather than being subject to complex procedures, e.g., through the use of a “reject all” button and the availability of a visible “cookies” icon enabling users to configure their choices and withdraw their consent;
- Some cookies are exempt from consent, such as authentication cookies, shopping cart cookies, and some analytics cookies.
The latest version of the ePrivacy regulation
As covered in a previous post, the never-ending negotiations on the ePrivacy regulation are not over. There were opposite views between the Croatian and the Finnish Presidency of the European Commission on the legal basis applicable to cookies.
The latest version of the draft ePrivacy regulation under the German presidency swayed towards a conservative approach, excluding the possibility of relying on legitimate interest for data processing activities stemming from cookies and M2M technologies. Consent remains the sole applicable legal basis of the data processing for cookies, metadata, and M2M communications.
And users shall be reminded of their possibility to revoke their consent at least every 12 months, which sets out a lighter regime than the one imposed by the CNIL, which, through the above-mentioned guidelines, required that users renew their choice every 6 months.
How to deal with cookies compliance in the current inconsistency of privacy rules?
In the current tangled puzzle, cookies are still one of the easiest targets for data protection authorities to challenge as part of an audit or a dawn raid, since they are clearly visible on companies’ websites.
Although a country-specific approach goes against the grain of EU privacy laws, the only viable solution is to identify a solution that requires the minimum possible local tweaks and to review it with local counsel. Otherwise, the technological and compliance costs risk being disproportionate, as most international businesses run the local versions of their different websites on the same platform.
At the same time, you don’t want to lose the benefits of some EU countries’ lighter regime. Therefore, the main challenge will be to balance out the pros and cons of a more flexible regime with the extra technical and operational costs.
On a similar issue, you may find the article “Did you update your cookies privacy consent after the EDPB position?” interesting.