EU-WIDE REGULATIONS AND GUIDELINES
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) protects the personal data of residents of the European Union and European Economic Area. The law is extraterritorial, so it applies to organizations even if they are not located in the EU. GDPR requirements apply in addition to country-specific requirements, such as those governing the consent of data subjects (e.g. an online user, customer, visitor or gamer).
Who needs to comply with the GDPR?
Any organization (not just commercial enterprises) that collects and processes the personal data of residents of the EU/EEA. Unlike US state privacy laws, the GDPR has no compliance thresholds such as company revenue or the number of people whose data is processed in a year. There are some exceptions, such as for journalists or law enforcement, but overall there are few exceptions for companies and other organizations that use personal data.
Legal bases for personal data processing under the GDPR
The GDPR provides six options for legal bases for processing of personal data. Consent is one of the options.
- the data subject has given prior consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Organizations must be able to prove the necessity and validity of their choice of legal basis. A company cannot just choose legitimate interest to avoid the resource investment required to implement consent management, for example.
Organizations that rely on consent must obtain it in a way that complies with the GDPR’s requirements, e.g. presenting the accept and reject choices clearly and with equal prominence. They must also be able to prove, to data protection authorities or in response to a data subject access request, that valid consent was obtained: when, from whom, and for which purposes, along with a record of any changes to that consent over time.
Conditions for valid consent under the GDPR
Art. 7 GDPR outlines the conditions for legally valid consent. These requirements have been influential around the world on data privacy legislation and privacy guidelines.
In short (Recital 32 GDPR): “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.”
ePrivacy Directive (ePD)
The ePrivacy Directive (Directive 2002/58/EC) is considered the precursor to the proposed ePrivacy Regulation. Adoption of the latter has been repeatedly delayed; in the meantime the ePD was significantly amended in 2009.
Colloquially known as the “cookie law”, the ePD influenced the adoption of consent banners. It addresses data privacy and protection in electronic communications and has several mandates:
- prioritizing confidentiality of communications over public networks
- requiring user consent for use of cookies and other tracking technologies
- setting guidelines for the security of electronic communication services
- regulating direct marketing practices
As a directive, the ePD had to be transposed into the national law of each EU member state; as a result, both the wording and the enforcement of the cookie rules vary from country to country.
The ePD borrows the GDPR’s definition of consent, so the conditions for valid consent under the ePrivacy Directive (and the eventual ePrivacy Regulation) are the same as under the GDPR. Its scope is broader in one respect: it applies to any storage of, or access to, information on a user’s device, whether or not personal data is involved.
Digital Markets Act (DMA)
The Digital Markets Act came into force in late 2022 as part of the Digital Services Act Package of regulations. Its goals are to promote fair and competitive digital markets in the EU, and to enhance privacy and protections for consumers’ personal data.
The DMA directly targets a small number of large and influential tech companies designated as “gatekeepers” (initially six). For those companies to meet their own regulatory obligations, they in turn impose compliance requirements on all the third-party organizations that rely on their platforms, e.g. for data, audience access, ecommerce, advertising, and more.
Importantly, that includes the requirement to obtain valid user consent for the collection and processing of personal data, and to signal that consent information to the platform or service, e.g. Google Ads or Google Analytics. To meet this requirement, companies need to implement a consent management platform (CMP) that collects user consent and then passes that information to the platforms. In Google’s case, this means a Google-certified CMP integrated with the latest version of Google Consent Mode (v2).
DMA compliance requirements for obtaining consent align with the requirements of the GDPR and ePrivacy Directive, which are also required in the EU.
EU-WIDE FRAMEWORKS AND POLICIES
IAB Europe Transparency & Consent Framework v2.2
Publishers serving ads on websites or in apps in the EU/EEA or UK are now required to have the latest version of the IAB’s Transparency & Consent Framework (TCF) implemented via integration with a consent management platform (CMP).
The TCF originally set industry standards to ensure transparency with users online regarding the collection of data for targeted advertising, as well as provide them control and enable valid consent mechanisms. The framework also standardizes working with vendors, reduces data privacy risks and enables compliance with regulations like the GDPR and ePrivacy Directive.
The update to the TCF v2.2 in late 2023 addresses criticisms and is designed to better meet the needs of regulators and users. Updates include:
- only consent can be selected as a legal basis for advertising and content personalization – legitimate interest can no longer be selected
- information about purposes and features has been made more user-friendly and less “legalese”
- vendor disclosures have been standardized and expanded to include categories of data collected, retention periods, and whether legitimate interest applies
- total number of vendors used by a publisher should be displayed on the first layer of the CMP UI
- CMP user interfaces must be redesigned so that users can easily withdraw consent they have previously given
Google EU user consent policy
Google’s EU user consent policy was introduced in 2015 and is a key component in their data privacy requirements for third parties using their platforms and services for marketing, analytics, etc. The policy aligns with the requirements of the GDPR (it was significantly updated when the law came into force) and ePrivacy Directive.
Google’s EU user consent policy applies to companies that operate websites and/or apps meeting the following criteria:
- use cookies or other local storage in circumstances where consent is legally required
- collect, share, and use personal data for ad personalization
Websites or apps that serve non-personalized ads that only use contextual information are still subject to the policy if they use cookies or mobile identifiers where legally required. Organizations using third parties to collect and/or process data must also employ “commercially reasonable efforts” to ensure they comply with the policy.
The policy has four main criteria pertaining to consent. Companies must:
- obtain legally valid consent (aligned with the GDPR’s requirements)
- retain consent records
- enable revocation of consent (with clear instructions)
- identify each party involved in data handling
Noncompliance with the policy can result in suspension of access to Google’s services, or contract termination. Additionally, noncompliance with EU regulatory requirements for user consent can result in fines and other penalties.
EU COUNTRY-SPECIFIC CONSENT LAWS AND GUIDELINES
All regulations and guidelines included are currently in effect in the countries listed.
Andorra data privacy laws and consent requirements
Protected groups: Website users (or equivalent)
Relevant cookie use: All cookies and similar tracking technologies used on websites and in apps, as well as smart devices like TVs, video game consoles, voice assistants, network-connected vehicles, etc.
Consent definition: Any specific, informed and unambiguous expression of free will by which the data subject consents, by means of a statement or a clear affirmative action, to the processing of personal data concerning him or her.
Prior consent: Yes, in most cases, though that explicit wording is not used.
Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.
Cookie duration:
- session-based cookies – deleted at the end of a session (closing the browser window)
- permanent cookies – most have an expiry date for automatic deletion, the guideline does not provide a specific duration
- third-party cookies – duration is determined by the third party setting the cookie, who must also meet the consent requirements on their own website
- maximum storage: twenty-five (25) months is the maximum recommended time
Consent solution requirements in Andorra
- must include an opt out button on the first layer
- clear and complete information provided prior to requesting/receiving consent
- users must receive equal information about all available consent options
- pre-checked boxes in the second layer where users can make granular selections violate valid consent
- consent must be obtained through a clear, explicit, positive action, passive actions like continuing to scroll do not constitute valid consent
- use of manipulative design or other dark patterns may invalidate consent (e.g. confusing colors or interactive elements)
- there must be a simple, persistent element available for withdrawal of consent
- legitimate interest is not a valid legal basis for processing personal data collected via cookies
Austria data privacy laws and consent requirements
Protected groups: Website users
Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data. Website operators using cookies or other tracking technologies are responsible for data privacy compliance with the use of those data processing services (with some exceptions) in accordance with Arts. 4 (7) and 26 GDPR.
Consent definition: Follows GDPR consent requirements, and consent must be obtained prior to setting all “technically unnecessary” cookies. Data collected by cookies should not be qualified as personal or non-personal by default and definitions will depend on each case.
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.
Cookie duration: No explicit guidelines.
Consent solution requirements in Austria
- cookies can be grouped based on duration (e.g. session and persistent cookies) or by the domain to which they belong (e.g. first-party and third-party cookies)
- website operators can design to their preference, but consent requirements of Art. 4 (11) and Art. 7 GDPR must be followed for privacy compliance
- it must be clear to data subjects that they are giving consent; hidden consent buttons, confusing colors, elements that are hard to find or could be selected accidentally, and other manipulative design mechanisms (“nudging” or “dark patterns”) do not produce valid consent
- passive actions like continuing to scroll do not constitute valid consent, the consent action must be explicit and positive
- pre-checked boxes or other elements are not permitted in the banner
- consent must be voluntary and not coerced, there cannot be the threat of discrimination or disadvantage to data subjects who do not give consent, e.g. denial of access to the website
- the banner must clearly and precisely describe where and how consent can be revoked, and doing so must be as simple as giving consent
- it must be as easy to decline consent as it is to give it
- clear and complete information provided prior to requesting/receiving consent
- paying for access to a website (e.g. “pay or ok”) can be a viable alternative to consent (the current data protection authority view as there is no case law from the CJEU yet) if:
- all data privacy compliance requirements are met
- the price is reasonable and not prohibitively high
- if the user accesses the website via the payment method, no personal data can be collected or used for advertising purposes
- website operator is not an authority or public body
- website owner does not have a monopoly position in the market
- no content or service exclusivity that non-consenting users cannot access
Belgium data privacy laws and consent requirements
Protected groups: The guidance focuses on privacy of the device rather than on the user explicitly, so it covers all users of devices from which data can be tracked or collected.
Relevant cookie use: All cookies and similar tracking technologies used on devices, so all companies doing tracking via devices
Consent definition: Follows GDPR and ePrivacy Directive consent requirements for prior consent for use of all but strictly necessary cookies (includes cookies which are absolutely necessary to provide a service that the user has expressly requested and/or to send a communication via an electronic communications network)
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, users can withdraw consent at any time, and it must be as easy as giving consent. Users should also be informed about the ability to withdraw when initially requested to provide consent.
Cookie duration: Cookies cannot be kept beyond the time necessary to fulfill the expressed purpose. No cookies can have an indefinite retention period. Cookies exempt from requiring consent must have a duration directly related to the expressed purpose for use and be configured to expire as soon as no longer needed for that purpose.
Consent solution requirements in Belgium
- granular consent (per purpose) is a legal requirement; the data protection authority additionally recommends offering it as a best practice in the banner itself
- cookies should be categorized according to purpose, e.g. audience measurement, statistical, etc.
- consent must be obtained through a clear, explicit, positive action, having been fully informed prior to the consent request
- passive actions like continuing to scroll do not constitute valid consent
- pre-checked boxes or other elements are not permitted
- use of browser settings to indicate consent is not valid
- cookie walls that block access to the website are not valid as they prevent consent from being freely given
Czechia data privacy laws and consent requirements
Protected groups: Data subjects, e.g. website users
Relevant cookie use: All cookies and similar tracking technologies used on websites.
Consent definition: “Consent should above all be free, specific, informed, and unequivocal. The data subject must have the simple option of not giving consent, without this implying harm for him (e.g. unavailability of website content).”
Prior consent: Yes, in most cases, though that explicit wording is not used. Consent is not required for the use of technical cookies, but that exception only applies to the storage and reading of cookies in the user’s browser.
Consent withdrawal: Data subjects can revoke consent to personal data processing at any time, and doing so must be as easy as giving consent. If consent was granted via a consent banner, withdrawal cannot be restricted to a different channel (e.g. by telephone or email). Ideally, changing or withdrawing consent is available via an easy to find button or link on the website.
“Consent to the processing of personal data can be revoked by the data subject at any time, and the withdrawal of consent must be as easy as giving it. In the case of granting consent via the cookie bar, it cannot be accepted that the withdrawal of consent is only possible, for example, by telephone. Ideally, there should be an easily accessible button or link on the website with which consent can be withdrawn.”
Cookie duration: The data protection authority considers a lifespan of six months to be reasonable in principle. That period can be shorter if one or more processing purposes significantly change or the website operator can no longer monitor previous consent (or rejection) preferences, e.g., due to the user deleting cookies on their device.
Consent solution requirements in Czechia
- appearance and colors of buttons must enable consent to be freely given (no manipulative design)
- cookie walls are not acceptable as they make access to functions or services conditional
- active user action is required for valid consent, e.g. clicking an “Accept” button; closing the banner is not valid consent
- pre-ticked boxes cannot be used for valid consent
- users must be able to grant informed consent for individual purposes to individual controllers from the browser, so a list of individual cookies with their purposes must be clear and easily accessible, e.g. by clicking a “more information” link
- third-party tags cannot be loaded until consent is given, so must be integrated into the CMP
- processing personal data with legitimate interest as the legal basis is allowed in some cases, but if the user does not consent to the storage and reading of cookies, no further processing of personal data can take place.
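The last two points (no third-party tag may load before consent, and no further processing once cookie consent is refused) are implementation requirements rather than policy, so here is one way to meet them, together with the Consent Mode signalling described under the DMA above. This is an added example, not code from any regulator’s guidance or a CMP vendor’s SDK; the tag registry, the purpose names, the tag URLs, the six-month lifespan constant and the mapping of purposes onto Consent Mode v2 keys are all our own assumptions.

```javascript
// Added example (not from any regulator's guidance or a CMP vendor's SDK):
// consent-gated loading of third-party tags plus an append-only consent log.
// Names, purposes, tag URLs and the purpose->Consent Mode mapping are ours.

const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000;   // lifespan the Czech DPA considers reasonable
const POLICY_VERSION = "2024-03";                   // bump when purposes or vendors change

// Hypothetical tag registry. Only "essential" tags may run without consent.
const TAG_REGISTRY = [
  { id: "session",   purpose: "essential",   src: "/static/session.js" },
  { id: "analytics", purpose: "analytics",   src: "https://analytics.example/tag.js" },
  { id: "ads",       purpose: "advertising", src: "https://ads.example/pixel.js" },
];

// Append a consent decision; never overwrite, so the history can be shown to a DPA.
function recordConsent(log, purposes, now) {
  const entry = {
    version: POLICY_VERSION,
    timestamp: now,
    purposes: { analytics: !!purposes.analytics, advertising: !!purposes.advertising },
  };
  return [...log, entry];
}

// Latest decision, or null if there is none, it has expired, or it was
// given under an older policy version (new purposes/vendors need new consent).
function currentConsent(log, now, maxAgeMs = SIX_MONTHS_MS) {
  if (log.length === 0) return null;
  const last = log[log.length - 1];
  if (last.version !== POLICY_VERSION) return null;
  if (now - last.timestamp > maxAgeMs) return null;
  return last;
}

// Tags that may load under the given decision; null means "no choice yet",
// which is treated exactly like a refusal.
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry.filter(tag =>
    tag.purpose === "essential" || (consent !== null && consent.purposes[tag.purpose] === true));
}

// Translate the decision into a Google Consent Mode v2 update object.
// With no decision everything stays "denied", matching the default signal.
function toConsentModeUpdate(consent) {
  const flag = ok => (ok ? "granted" : "denied");
  const analytics = consent !== null && consent.purposes.analytics;
  const ads = consent !== null && consent.purposes.advertising;
  return {
    analytics_storage: flag(analytics),
    ad_storage: flag(ads),
    ad_user_data: flag(ads),
    ad_personalization: flag(ads),
  };
}

// Inject only the allowed tags. `loader` does the DOM work; in a browser use
//   tag => { const s = document.createElement("script"); s.src = tag.src; s.async = true; document.head.appendChild(s); }
function loadTags(consent, loader, registry = TAG_REGISTRY) {
  const loaded = [];
  for (const tag of allowedTags(consent, registry)) {
    loader(tag);
    loaded.push(tag.id);
  }
  return loaded;
}

// Demo with a loader that only reports what would have been injected.
const now = Date.UTC(2024, 0, 15);
let log = [];
const dryRun = tag => console.log("would inject", tag.src);
console.log(loadTags(currentConsent(log, now), dryRun));                       // ["session"]
log = recordConsent(log, { analytics: true, advertising: false }, now);
console.log(toConsentModeUpdate(currentConsent(log, now)));                     // analytics granted, ads denied
console.log(loadTags(currentConsent(log, now + SIX_MONTHS_MS + 1), dryRun));   // expired -> ["session"]
```

In a real deployment the default signal `gtag('consent', 'default', {...})` with every key set to `'denied'` is emitted before any Google tag loads, and `gtag('consent', 'update', toConsentModeUpdate(consent))` is called whenever `currentConsent` changes, including on withdrawal. Keeping the log append-only, and invalidating it on a policy version bump, is what lets you answer “when, for what, and did it change” when a regulator asks.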
Denmark data privacy laws and consent requirements
Protected groups: Website visitors
Relevant cookie use: All cookies and similar tracking technologies used on websites.
Consent definition: “A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.”
Prior consent: Yes, in most cases. “Consent of the data subject(s) must be obtained before the controller starts processing the data to which the consent relates”. Only necessary cookies required for the website to function (e.g. shopping cart) can be set without consent.
Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy as giving it, and once consent is withdrawn, data processing must cease immediately.
Cookie duration: Not addressed, though users must be provided information about when each cookie expires.
Consent solution requirements in Denmark
- Users must have equal consent and rejection options in the banner, so if there is only an “Accept” button and not a “Reject” one, consent is not valid
- Transparency and granularity are required for consent to be considered voluntary, so sufficient information about data collected via which cookies, for which purposes, by whom, when they expire, etc. must be clear and accessible
- Pre-ticked boxes cannot be used for valid consent
- A click-through (consent is assumed if the user continues to use the website without actually interacting with the consent banner, for example) is not considered valid consent
- “Nudging” or other manipulative design tactics/dark patterns cannot be used for consent to be considered “freely given” and valid
- It must be as easy to reject consent as to give it, and it must be possible to opt out of all data processing/cookie use.
- If a company wants to use a cookie wall, but a user does not want to consent to the processing of their data (to get access to the website), the company must provide a reasonable alternative to the user, such as access for a moderate fee (that still enables real choice) or access to similar functions or services
- If offering the choice between consent to data processing and an alternative, the necessity of the consent request (the data and use purposes) must be demonstrable (so that it is reasonable for those not to be included if the user chooses the alternative)
- If the user does not consent to data use but an account is needed to access the functions or services, the company may process only the personal data necessary to manage the user profile and provide the service in question, and no more
Finland data privacy laws and consent requirements
Protected groups: End users, e.g. for websites and apps
Relevant cookie use: This applies to cookies and similar technologies used by service providers when creating and operating websites or other electronic communications services, like mobile apps.
Consent definition: “Any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent.” The conditions for valid consent are the same as for the GDPR.
Prior consent: Yes, in most cases. Consent is not required for “essential” cookies, but it’s recommended to include information about them and their use. Essential uses for cookies include:
- enabling the website to function correctly, e.g. shopping cart
- if the sole purpose of storing or using the data is to carry out the transmission of a message in communication networks
- storing and using the data is necessary for the service provider to provide a service that the subscriber or service user has specifically requested
- if analytics cookies are categorized as strictly necessary for the provision of the service in question, the service provider must be able to give a clear justification and ensure that the user’s privacy is protected, e.g. by ensuring that analytics data is not shared with third parties and that individual visitors cannot be identified
Consent withdrawal: Changing or withdrawing consent (or refusing it in the first place) must be as easy to do as giving it.
Cookie duration:
- Session-specific cookies – stored on the user’s device only during the use of the site or service, removed when the browser is closed. Can enable ecommerce, for example, wherein the site can “remember” user activity for a short time.
- Permanent cookies – stored on the user’s device until the time specified for each cookie or until the user manually deletes them. Can “remember” user preferences for the site, like language or login credentials for a longer period of time.
Consent solution requirements in Finland
- Cookies may not be set on the user’s device, e.g. browser, until the user has given valid consent. Consent via browser settings is not considered valid as they may not be configured or configurable to the user’s preference.
- Consent must be an active expression of will: silence, ignoring the consent request, or taking no action is not valid consent.
- Consent must be freely given, so pre-ticked boxes, pre-activated sliders, etc. cannot be used.
- Service providers must clearly inform users about the cookies or similar tracking technologies they use, including their types, purposes and duration, and ask for the user’s consent to store and use the information.
- The service provider is responsible for requesting consent and doing so in a compliant way. The consent request mechanism should include at least the following information:
- clear and thorough explanation of what cookies and other tracking technologies are in use and what data they collect
- clear and thorough information about the purpose of the cookies in use and their period of duration
- whether any third parties may process cookie data (and who those parties are and what the purposes are)
- access to more detailed information, e.g. privacy policy
France data privacy laws and consent requirements
Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition:
- Uses the GDPR definition.
- The absence of an explicit action cannot be construed as consent; CNIL treats silence as a refusal.
- Pre-ticked boxes cannot be construed as valid consent.
- Cookie walls cannot likely be used to obtain valid consent due to the likelihood of infringing on the user’s consent freedom, but they are not universally prohibited.
- Companies need to be able to prove valid consent at any time.
Prior consent:
- Yes, “before any action aimed at storing information or accessing information stored in the equipment terminal of a subscriber or user, apart from the applicable exceptions”
- References the GDPR and ePrivacy Directive regarding valid consent and the requirement to clearly and comprehensively notify users prior to collecting data.
- Essential cookies/trackers do not require consent, but their use must be strictly limited to the exempt purpose; CNIL’s exemptions include strictly limited audience and performance measurement, detection of navigation problems, and technical optimization.
Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy to do so as it was to give it. It must also be as easy to refuse consent initially (e.g. the same action or number of steps) as to give it.
Cookie duration:
- CNIL recommends consent renewal every six months for publishers.
- CNIL recommends that the lifetime of the trackers should be limited to a duration allowing a relevant comparison of audiences over time, as is the case for a 13-month period.
- Tracker duration should not be automatically extended for new visits.
- Information collected through trackers should be kept for a maximum period of 25 months.
Consent solution requirements in France
- Clearly and accessibly include all purposes with short descriptions, categorized, including for personalized advertising, geo-specific advertising, sharing on other social platforms, etc.
- Recommended to provide accept and reject buttons on the first layer of the consent banner.
- Dark patterns cannot be used to manipulate user actions.
Germany data privacy laws and consent requirements
Protected groups: Focuses on privacy regarding end user devices, so any computer, phone, etc. users on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition:
- Uses the GDPR definition.
- If personal data is not processed, the GDPR does not apply, but the TTDSG still does.
Prior consent: Yes, in most cases, with conditions.
- GDPR and TTDSG consent can be “bundled” into a single button click (accept or reject). However, for the consent to be valid (e.g. for device access and data processing for marketing purposes), users must be informed that they are answering two distinct requests: access to the device (under the TTDSG) and processing of personal data (under the GDPR).
- The TTDSG provides two exceptions under which device storage or access does not require consent: where the sole purpose is to carry out the transmission of a communication over a public telecommunications network, or where it is strictly necessary to provide a service the user has expressly requested. Legitimate interest under Art. 6 para. 1 lit. f GDPR is not a substitute for consent under the TTDSG.
Consent withdrawal: Required, and should be as easy to withdraw as it is to give consent.
Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.
Consent solution requirements in Germany
- Bundled consent for the GDPR and TTDSG is acceptable, but the user must be informed about both distinct consent requests.
- The legal basis for data collection/processing must be communicated to users.
- If the banner’s “accept” option is placed on the first layer, all data collection/processing purposes must also be stated in the first layer. However, granular consent choices do not have to be provided in the first layer.
- It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e., in the banner. Browser settings changes are not enough, and dark patterns cannot be used to obtain consent.
- Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
Greece data privacy laws and consent requirements
Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc., even if personal data is not collected.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases.
- Consent is not required for trackers that are necessary for the website to function, or if it’s a service explicitly requested by the user, for example:
- identifying and/or maintaining content or user-provided information for the duration of the session (e.g. shopping cart)
- connection to services that require prior authentication
- security
- load balancing
- user preferences for website appearance and experience, e.g. language, search history, etc.
- Browser settings that allow the use of cookies are not considered consent.
- If the user does not make a choice, no non-essential cookies should be used.
Consent withdrawal: Yes, consent can be withdrawn at any time, and it must be as easy to do so as to give it. It also must be as easy to deny consent initially (e.g., the same action or number of steps) as to give consent.
Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.
Consent solution requirements in Greece
- Accepting or rejecting the use of non-essential cookies or trackers must require the same amount of effort or number of clicks (e.g., you can’t enable accepting on the first layer of the banner but rejecting only on the second layer). Not giving users a reject option is not valid consent.
- Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
- Users who deny consent cannot be penalized in their website experience.
- Dark patterns/nudging are prohibited.
- The consent banner should reappear after the same period of time, regardless if the user consented or rejected it, e.g. if users who do consent see the banner again to renew consent after 12 months, then users who reject consent can also only see the banner again after 12 months, and not sooner.
Ireland data privacy laws and consent requirements
Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses the GDPR definition. The Irish ePrivacy Regulations define the scope broadly: “The law applies to any storage of information on a user’s device or equipment, as well as to access to any information already stored on the equipment – this means through the use of browser cookies or other technologies such as device fingerprinting or the use of pixels or similar devices. It is irrelevant whether the information stored or accessed consists of, or contains, personal data. The ePrivacy Regulations apply when any information is stored on or accessed from the device.”
Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.
Consent withdrawal: Required, users must be informed how they can withdraw consent, and should be as easy to withdraw as it is to give consent. Also cannot be bundled, e.g. with terms and conditions.
Cookie duration: Six months for cookie use requiring consent. For other cookies, lifespan should be proportional to their purpose and no longer than necessary to fulfill the purpose.
Consent solution requirements in Ireland
- As the six-month expiry requirement for some cookies is shorter than the common 12-month default, the configuration in the CMP needs to be updated.
- It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e. in the banner. Browser settings changes are not enough. Dark patterns/nudging to obtain consent cannot be used, nor can pre-checked boxes, etc.
- A banner that only displays an “Accept” option does not enable valid consent.
- A “Manage cookies” button, for example, could be used alongside an “Accept” button if the “Manage cookies” button immediately takes the user to a layer of the banner where they can directly accept or reject cookie usage at the category level.
- Users must be provided with information on how to reject non-essential cookies and/or request information about cookie use. The banner’s second layer must include information about the types and purposes of cookies used and the third parties that will have access to or process the information the cookies collect.
- Users must have easy access to the privacy notice or policy, which cannot be obscured, i.e. users must be able to read it without first having to make consent choices.
- Implementing accessibility best practices in the design and implementation of the consent banner is recommended.
- Having a specific cookie policy is recommended, while not explicitly required.
Italy data privacy laws and consent requirements
Protected groups: Focuses on the privacy of end user devices, i.e. any computer, phone, or other equipment on which companies use trackers.
Relevant cookie use: “all the entities providing their users with publicly accessible online services through electronic communications networks or else operating websites that rely on cookies and/or other tracking tools”
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.
Consent withdrawal: Required, as is the ability to modify consent choices or to give consent after having rejected it. This must be provided in a simple, easy, and user-friendly way, accessible via the website footer, and be as easy as giving consent.
Cookie duration: Not explicitly referenced; it is recommended to err on the side of as short a period as is necessary to fulfill the purpose of the specific cookie type and/or processing operations.
Consent solution requirements in Italy
- “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
- Users should be able to close the banner (e.g. by clicking the “X” at the top right of the banner UI) to keep the default settings and not provide additional consent. Closing the banner therefore enables only essential cookies and does not constitute consent for the use of any others.
- Users must be notified about the use of cookies, including those that can be used without consent (i.e. “technical” ones).
- A link to the privacy policy must be easily accessible, or it should be included in the second layer of the banner.
- Users must be able to select the cookie functions and/or third parties with access to their data at a granular level. These services and vendors in use must be kept up to date.
- Use of pre-checked boxes is not allowed.
- Use of cookie walls is not allowed as the requirement to accept all cookie use or not gain access to the website is not valid consent.
- Continued scrolling by the user (e.g. ignoring the consent banner) does not constitute valid consent.
- New consent must be obtained from users if the purposes for requesting consent change or if previous consent choices cannot be detected when the user revisits the website (e.g., they cleared their settings).
Latvia data privacy laws and consent requirements
Protected groups: Users who use services and whose data is collected on websites, etc.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.
Consent withdrawal: This is required. Users must be informed how they can withdraw consent, and it should be as easy to withdraw as it is to give consent.
Cookie duration: “There is no specific time limit for how long consent is valid. The length of time consent is valid depends on the context, the scope of the original consent and what the data subject expects. If the processing activities change or evolve significantly, the original consent will no longer be valid. In that case, a new consent must be obtained.”
Consent solution requirements in Latvia
- The first layer of the banner should include:
  - name of the controller (unless provided in other areas of the website like the “About” section or Contact Us page, etc.)
  - purposes of cookies used on the website
  - whether cookies in use are first-party only (controller) or third-party
  - types of data collected and used
  - where user profiling is carried out (e.g. analytical cookie use)
  - how users can accept, reject, or change consent for the use of cookies
  - a clearly visible link to the second layer, which contains more detailed information
- Users must be provided with granular information and options regarding cookie use purposes (so not necessarily for each specific cookie).
- There can be no risk of negative consequences if users decline cookie use.
- Users must be able to accept or reject all cookies or make choices at a granular level, and must have easy access to comprehensive information about the cookies in use, their purposes, etc., as well as easy access to the cookie and privacy policy.
- User-facing language must be clear and simple.
- All options must be visually equal and accessible; nudging and dark patterns are prohibited.
- Ignoring, scrolling, or closing the consent banner without making a consent choice cannot be construed as accepting cookie use, and no cookies except strictly necessary ones can be used.
- Browser settings are not considered valid consent (per GDPR guidelines).
Netherlands data privacy laws and consent requirements
Protected groups: Users of websites, or equivalent, e.g. apps, etc.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases. Consent can be provided in writing, by ticking a box, clicking a button or link, filling out an electronic form, sending an email, providing an electronic signature or scanned document with a signature, or verbal consent.
Consent withdrawal: Yes, and it has to be as easy to withdraw consent as it was to give consent.
Cookie duration: No explicit time period is provided, but users must be notified about the duration of all cookies set.
Consent solution requirements in the Netherlands
- The guidelines divide cookie types into Functional, Analytical, and Tracking. Users must be provided with information about the use of cookies in these categories.
- Pre-checked boxes, use of cookie walls, and manipulating users into consenting (e.g. dark patterns, nudging, etc.) are all prohibited.
- Ignoring the consent banner and continuing to scroll/browse or closing the banner without making a consent selection cannot be construed as having given consent.
- Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
- Website operators must maintain consent records and be able to prove consent was obtained, when, how, and what information they received before making consent choices, etc.
Spain data privacy laws and consent requirements
Protected groups: Users of websites, mobile applications, or other platforms. (Contractual agreements are also required with third parties.)
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases. Cookies used for the purpose of obtaining traffic or performance statistics may be exempt from consent requirements under specific conditions:
  - use is limited to what is strictly necessary for the provision of the service
  - processing must be carried out exclusively on behalf of the publisher and used only to produce anonymous statistical data
  - use of these cookies/trackers must not result in data being matched with other processing operations or transmitted to third parties
  - aggregate tracking of the navigation of the person using different applications or browsing different websites is prohibited
Consent withdrawal: Required, at any time, as easily as it is to give consent, and users must be provided with information on how to do so.
Cookie duration:
  - Duration or lifetime of cookies or similar technologies must be limited to a period that allows meaningful comparison of audiences over time, e.g. 13 months. Duration cannot automatically be extended when users make new visits to the site.
  - Information collected via cookies or other tracking technologies will not be retained for more than 25 months. (Best practices state no more than 24 months.)
  - Lifetime and retention periods will be subject to periodic review to limit them to what is strictly necessary.
Consent solution requirements in Spain
- Consent options must be presented equally, at the same time, in the same place, e.g. on the same level of the consent banner.
- Ignoring or closing the consent banner, scrolling, taking no action, or any other non-explicit action cannot be construed as valid consent.
- Use of pre-checked boxes, other default opt-ins, or cookie walls that block access to the website unless the user consents are prohibited.
- Users must be able to consent at a granular level to cookie purposes. If a cookie is used for two purposes but the user only consents to one, the cookie can only be used for the consented purpose.
- Users must be provided with information about the use of cookies and similar technologies – purpose, duration, third parties with access to the data, etc.
- The first layer of the consent banner must present essential information and be displayed when users access the page or application:
  - identify the managing website editor/name of the publisher
  - purpose of the cookies in use
  - if cookies are owned by the website provider (or comparable) or are set by third parties
  - types of cookies and types of data that will be collected and used
  - options to accept, set up/configure, or reject cookie use
  - link to a second information layer to access more detailed information
- The second layer must contain more detailed information:
  - more specific information about the cookies in use, purposes, third-party access, etc.
  - control panel or settings panel with info about how to save the selection
- If cookies in use, purposes, or other factors affecting consent change, the user must be given the opportunity to provide or reject new consent.
- Language must be simple and clear.
- Dark patterns/nudging are prohibited.
Sweden data privacy laws and consent requirements
Protected groups: Users of websites, mobile applications, etc.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition, and granular consent options for specific purposes are required.
Prior consent: Yes, with no exceptions for necessary cookies.
Consent withdrawal: Yes, and it must be as easy as giving consent. Users must also be provided clear information on how to withdraw consent or otherwise change preferences. Revoking consent cannot have negative consequences for users, e.g., no longer being able to access the website.
Cookie duration: No explicit time period provided.
Consent solution requirements in Sweden
- Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
- Consent language must be clear and explicit, e.g. “I understand” is not the same as “I accept”.
- New consent options must be provided to users if the purposes for cookie usage change.
- Users must be provided with clear information about cookies in use, purposes, duration, third-party access to data, etc.
- The use of pre-checked boxes is prohibited.
- Cookie walls that block or restrict access to a site unless the user gives consent are prohibited.
- Scrolling, browsing, ignoring the consent banner or closing it cannot be construed as valid consent.
NON-EU COUNTRY-SPECIFIC CONSENT LAWS AND GUIDELINES
Norway data privacy laws and consent requirements
Protected groups: Website users.
Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data.
Consent definition: Follows GDPR definition and requirements. Storage and processing of information is not permitted unless the user is informed about, and has consented to, which information is processed, the purpose(s) of the processing, and who processes the information.
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, at any time.
Cookie duration:
  - Session-based cookies: deleted after the end of the session, i.e. when the user closes the browser.
  - Persistent cookies: not deleted after the end of the session and often contain information about authentication, language settings, and menu selections. Most persistent cookies have an expiry date after which they are automatically deleted. However, the guidelines do not set a specific expiration period.
  - Third-party cookies: can be session-based or persistent, but they’re set by someone other than the website operator. Their duration depends on the third-party vendor, who is also responsible for providing relevant information about their cookies’ use, their identity, duration, etc.
Consent solution requirements in Norway
- Users must be informed about and be able to consent to cookie use at a granular level.
- A consent banner or other consent solution must be clearly accessible on the site and clear about what it’s for.
- Pre-checked boxes are prohibited. No guidelines on the use of cookie walls.
- Scrolling, ignoring, or closing the consent banner without making a consent action cannot be construed as the user having given consent.
- Browser settings to accept cookies are considered valid consent.
Switzerland data privacy laws and consent requirements
Protected groups: Swiss citizens.
Relevant cookie use: Applies in some cases, when personal data is collected and processed, and also when data is transferred across international borders.
Consent definition: Uses GDPR requirements.
Prior consent:
  - Yes, in some cases. However, it is not always necessary to obtain consent from users before collecting or processing personal data. Though there are other legal bases, it is always necessary to inform users about the controller and the processing.
  - Prior consent is always required for processing:
    - of sensitive data
    - for high-risk profiling by a private person
    - for profiling by a federal body (government)
    - with data transfers to third countries where there is not adequate data protection
Consent withdrawal: Yes, at any time.
Cookie duration: There are no explicit guidelines, but data must be deleted or anonymized when the processing purpose has been fulfilled.
Consent solution requirements in Switzerland
- Uses the principles of “privacy by design” and “privacy by default” by law, requiring companies to take data processing principles into account in the planning and design stages of websites and applications (and not just seek to secure and protect data retroactively).
- Default browser settings and similar mechanisms are not considered valid for consent for more processing than is absolutely necessary.
- Consent must involve an explicit action, e.g. checking a box.
- Consent banners are not legally required, but users must be clearly notified about whether a legal basis is needed for data collection and processing, and about the parties involved; a user-friendly consent mechanism is also required wherever data processing requiring consent takes place.
United Kingdom data privacy laws and consent requirements
Protected groups: Individuals whose personal data is processed.
Relevant cookie use: The cookie rules apply to the subscriber or user’s “terminal equipment” e.g. computer or mobile phone. The subscriber is the person who pays the bill for the use of an online service, and the user is the person who uses a device to access an online service.
Consent definition: Uses GDPR definition and requirements.
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, users must be able to withdraw consent at any time as easily as they gave it, and receive information about how consent can be withdrawn, and how cookies already set can be removed.
Cookie duration: There are no explicit guidelines, but it will depend on the service and the purpose of the processing for the data the cookie collects (and for which user consent is required). It should be limited to the minimum time necessary to fulfill the purpose of processing. Cookie duration may also affect exemptions in Regulation 6(4).
Consent solution requirements in the UK
- Users must be given clear and equal access to all consent choices. Dark patterns or nudging are prohibited (as is denying the option to reject cookies entirely).
- Users should have access to information about cookie use and the opportunity to make consent choices as soon as they arrive on the website.
- The privacy policy or notice must include full details about data collection and processing, third-party access, and other relevant details. It should be easily accessible via a prominent link in the site’s header or footer.
- Use of pre-checked boxes is prohibited.
- Inactivity, scrolling, ignoring, or closing the consent banner cannot be construed as valid user consent.
- Users cannot be penalized for rejecting consent, e.g. lack of access to the website or features.
- Browser settings do not constitute valid consent.
- Consent cannot be bundled into terms and conditions or other documentation.
- Cookie walls are not prohibited, but they must comply with GDPR standards. For example, users cannot be blocked from the site unless or until they give consent.