When it comes to online cookies and tracking consent, as of 2019 within the EEA there are two prevailing legal regimes to work to. First is the GDPR which applies to each country harmoniously, and is often subject to further definitions within each country where they have implemented a local set of laws. For example, the UK implemented the Data Protection Act 2018, which amongst its many pages stated that the age of digital consent for a child in the UK is 13 (the lower end of the GDPR’s allowed range of 13-16).

Alongside these Data Protection laws, we also have laws relating specifically to electronic communications. These stem from the EU’s ePrivacy Directive (ePD) (“Privacy and Electronic Communications Directive 2002”) which instructed each EU country to implement its own ePrivacy law. The UK implemented this as PECR in 2003 (“The Privacy and Electronic Communications (EC Directive) Regulations 2003”). These laws provide the granularity of such things as email marketing and cookie consent.

All this means that at a high level you have the GDPR and ePD to comply with, but then also consider each of the EEA countries and their own individual requirements. Some countries have tighter definitions than others, especially around consent, and you’ll see this reflected on paper and through signaling from the enforcement actions/fines their regulators push out.

The Extent of Compliance

It is up to your organisation to determine the extent of which laws you comply with. Some may choose to only comply with the rules of one specific country, others may choose to modify their website to comply with the rules of each country depending on where the user may reside. And the more privacy focused may choose the most restrictive set of rules and comply with those for every EEA user. The risk/reward decision is yours to make, and there are huge downside/upside considerations.

Overview of the Legal Requirements

N.B. I’ll often talk about “cookie consent” but really I’m referring to consent for any cookie, tracker or tag that comes with the website or app.

The principle behind cookie consent rules is that people should be able to use your service without being tracked, unless it is essential to do so or they give their consent for it. This means that there are exemptions from needing consent if (extract from the ICO):

• the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
• the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

Consent Exemptions

This means you are unlikely to need consent for:

• cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
• session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
• load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

Common examples of these essential/necessary cookies are those provided by Amazon’s AWS and Cloudflare’s systems which provide a mixture of hosting, transmission and security services. For instance, to prevent a denial of service attack these services might use cookies to track who is a real user and allow them through to the website. It could be argued that these aren’t absolutely essential to deliver the website, so it’s up to the website operator to provide a sensible justification for its need (e.g. security or availability). You can’t please everyone, but you can do your best and explain your reasoning.

Any cookies or tracking that isn’t essential are going to require consent. And that means you need consent BEFORE you serve them to the user. This marries up with the GDPR’s requirement for “Privacy by Default”, such that you can browse to a website and when the page loads you can trust that your data isn’t being shared with another party without your permission.

John Dancy