To navigate your digital commerce business through the latest data protection regulations and guidelines, it’s important to understand the distinction between privacy and tracking requirements on the one hand and cookie and consent management on the other.
The former is primarily concerned with what data is collected, how it is transmitted and where it is stored, which are all integral parts of the GDPR. This is at the center of the latest controversies surrounding the legality of Google Analytics in Europe. Inadequate protection of personal data by US-owned services has not yet been resolved with a new legal framework.
Updated on: 02-2023
Cookie and consent management revolves around how you obtain consent, typically how your consent banner works. Obtaining consent is important for almost all types of cookies, and how you do it is crucial both for ensuring compliance and for a good UX, regardless of which analytics solution you use.
Many European DPAs have recently issued new or updated cookie guidelines to adapt and guarantee the e-Privacy Directive (ePD). Although these guidelines are not legally binding, they help clarify what could be considered non-compliant in individual cases by the DPAs.
The purpose of this resource list is to summarize some of the most relevant cookie guidelines found in key European countries in terms of standards that either are stricter or that differ from some other DPAs. This will help give you a jump start in improving your banner’s compliance across markets and tailoring your banner to certain countries.
General EU-wide cookie consent guidelines
The e-Privacy Directive supplements the GDPR and is also known as the “cookie law”, because its requirements were what first led to the more widespread use of cookie banners. The European Data Protection Board (EDPB) issued harmonized guidelines on cookies and consent in 2020 in alignment with and to clarify both the GDPR and ePD. You can refer to these for any other country that hasn’t issued individual guidelines or as a general benchmark.
Here are some general recommendations we have put together based on an analysis of the EDPB and national guidelines:
- It must be just as easy to say yes as to say no
- Consent must be given clearly, unambiguously, freely and actively
- Consent rules must be applied to the fullest extent
- The language used must be clear to the user
- Disclose who stores and retrieves cookies, the purpose of processing, the term of validity and whether they are shared with third parties
- Link to your privacy and cookie policies
- It must be easy for the user to withdraw their consent. Referring to a process in a policy is probably not considered easily accessible and understandable for the user
- Dark patterns can lead to a higher penalty because they deliberately mislead the user
- Designing your cookie banner as a cookie wall is not permitted by a number of DPAs
- Conditional consent is not permitted
- Pre-filled checkboxes do not constitute actively giving consent
- Clicking “I understand” does not constitute giving consent
- Do not set tracking cookies prior to obtaining explicit consent
- Do not deny access to your website if consent is not given
The national DPA cookie guidelines are generally in agreement on many of the points in our recommendations above. But some are silent on certain aspects of how cookie banners should be presented, while others have set out specific guidelines for exactly how your cookie banner must be implemented, which we summarize below.
Selection of cookie banner guidelines by country
Austria: It must be just as easy to accept as to decline, meaning that you cannot have accept in a first layer and decline only in a second or third layer. Austrian cookie guidelines
Germany: Clear options to accept and to decline must be visible and all activities requiring consent must be displayed granularly. German cookie guidelines
UK: “Reject/block” cannot be placed in a second layer if “agree/consent” is in the first layer of your banner. UK cookie guidelines
Italy: An “X” must be placed in the upper-right corner of your consent banner to close the banner. Closing the banner this way must load only technical cookies and block all others until consent is given. Italian cookie guidelines
Spain: “By continuing browsing, you consent” is permitted in Spain but you cannot have both that and an “accept all” button, only one or the other. Spanish cookie guidelines
Denmark: Equal opportunity must be provided to accept or reject cookies, which means you must not mislead users with button colors or sizes. Danish cookie guidelines
Netherlands: Reject and accept (either buttons or links) must be displayed in an equally prominent manner. Dutch cookie guidelines
France: Put “reject all”, “accept all” and “preferences” all in the first layer, or only “accept all” and “preferences” together with either a “continue without accepting” X button or the possibility to just continue browsing, with the cookie banner disappearing by itself after a short time. French cookie guidelines
Norway: Cookies can be accepted or rejected via a browser setting but information about cookies and purposes of processing must still be clearly visible, and this practice may soon be prohibited to harmonize with EU law. Norwegian cookie guidelines
Please note that these selected guidelines are generally not identical to those of other countries but are not necessarily only applicable to one country.
It’s still not completely clear how European companies should handle American cloud solutions. As we mentioned in this blog post on Privacy Shield, this issue will most likely be cleared up in the spring of 2023. Until then, you need to focus on TIA (Transfer Impact Assessment) and on having control over your data by having a personal data controller.
Putting it all together
Ensuring your cookie banner simultaneously meets as many of these guidelines as possible will help you comply with all the highest standards. You could also take the opportunity to utilize certain exemptions in markets such as Spain and Norway that are generally not allowed in the others.
Our blog post shows you examples of compliant cookie banners to help you along the way.
If you would like help putting all of this together to master compliance and UX in your cookie and consent management, contact a Columbus digital commerce expert for hands-on assistance and strategic advice.