Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies. On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only). On December 20, 2023, the Austrian SA published FAQs on cookies and data protection (available in German only). On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).
The new guidance builds on existing guidance but addresses some new topics which we discuss below.
The Austrian SA’s FAQ states that:
- Advertising cookies used to display personalized ads require consent even if displaying such ads is necessary for the site’s financial viability.
- The “pay or ok” model (also known as a “cookie wall”) – where users are given a choice between a free version of the website that includes tracking cookies and a paid version that does not – may be permissible if certain conditions are met such as:
  - the company implementing the model is not dominant in the market;
  - the price for the paid-for version is reasonable and fair; and
  - the user is offered granular consent options.
The Spanish SA’s Guidance on Analytics Cookies states that:
- The only analytics cookies and similar technologies that are strictly necessary for the “proper administration of a website” (and therefore do not require consent) are those that perform the following measurements:
  - page-level audience measurements;
  - the list of pages from which a link has been followed to request the current page, either internal or external to the website, by page and aggregated daily;
  - determination of users’ device type, browser, and screen size, by page and aggregated daily;
  - page load time statistics, per page and aggregated per hour;
  - statistics on time spent per page, bounce rate, scroll depth, per page and aggregated daily;
  - statistics on user actions (clicks, selections), per page and aggregated daily; and
  - statistics on the geographic area of origin of the requests, per page and aggregated on a daily basis.
- Publishers of websites and mobile applications that use analytics cookies or similar technologies that are exempt from consent must:
  - inform users about the use of these cookies or similar technologies;
  - limit the lifetime of these cookies or similar technologies to a period of time that allows for meaningful comparisons of audiences over time, such as a thirteen-month period, and this period must not automatically renew each time a user visits the website;
  - retain information collected through these cookies or similar technologies for no longer than twenty-five months; and
  - periodically review the useful life and retention periods to limit them to what is strictly necessary.
- A vendor providing a comparative audience measurement service to multiple publishers must give “objective assurances” to the publisher that: (i) data are collected, processed, and stored separately for each publisher; and (ii) the cookies or similar technologies used are completely independent of each other and of any other cookie or similar technology.
The Belgian SA’s Cookies Checklist states that:
- Publishers of websites and mobile applications should avoid using the same cookie for multiple purposes.
The EDPB approach
At the EU level, the European Data Protection Board (“EDPB”) has been active in considering cookie issues. In 2023, it published its latest guidance on cookies and similar technologies (see our blog post), the findings of its cookie banner taskforce (see our blog post), and its thoughts on the European Commission’s so-called “cookie pledge” to simplify cookie banners (see here).
In addition, the EDPB discussed the “pay or ok” consent model at its December plenary meeting and intends to issue guidance on this topic.
* * *
(This blog post was written with the contributions of Alberto Vogel.)