Consider how often you open a website and are asked to accept cookies. Most of us simply click “accept” and move on.
In a recent report (April 2023) issued by the European Data Protection Board, the use of cookies was listed among the highlights of enforcement actions taken by several Member State supervisory authorities.
That’s yet another reason why businesses should be aware of the legal requirements regarding the placement of cookies, which may vary between jurisdictions.
When we use the term “cookies”, we mean a broad range of technologies, including beacons, pixels, fingerprints and any other tracker, item or tool that allows authentication, personalization or tracking and that may be stored on an end-user device or browser. For convenience, we will refer to all such technologies as “Cookies”.
These guidelines aim to provide a practical approach for businesses using Cookies. Spoiler – both the applicable laws of the EU and Israel require consent before any such Cookie is placed or used.
The guidelines below are generally mandatory under EU law and recommended as best practice under Israeli law and US law as well (note that state law may vary), given the ongoing development of the interpretation of privacy rights, digital services and consumer rights.
- Not My Way or the Highway – Implement a Layered Consent Mechanism.
Before placing any Cookie, a user should be prompted to provide separate active consent for each type of Cookie used (e.g. functional, analytical/performance, advertising/targeting), except for necessary Cookies.
Note that passive consent does not qualify as valid consent. This includes pre-checked checkboxes, treating continued use as consent, bundled consents (i.e. consenting to a number of actions in one click) and merely providing an option to opt out.
The absence of a refuse/reject option on any layer of the cookie consent banner that carries a consent button may invalidate consent. Various service providers offer a Layered Consent Mechanism tool that can be implemented within an online platform.
- Don’t Join the Dark (Patterns) Side.
The use of dark patterns generally invalidates consent. Dark patterns may be defined as interfaces and user experiences that nudge users into making unintended, unwilling and potentially harmful decisions.
Examples include deceptive use of button color, contrast, bolding, underlining or font size – such as a clear highlight of the ‘accept all’ option versus the reject option; reject options with so little contrast against the background that they are hidden in plain sight; or a reject option located outside the pop-up area.
- You Keep Using that Term, I Don’t Think it Means What You Think it Means – The Strictly Necessary Exemption.
As mentioned, certain Cookies may be exempted from the requirement to obtain consent – to the extent they are strictly necessary, from the users’ perspective, for the provision of the business’s services – meaning that the business cannot provide the services without the use of such Cookie.
In general, first party Cookies for a short term (e.g. per session) are more likely to be considered necessary.
Third-party operational Cookies used in advertising, frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging, are likely not exempted, and require consent.
- If You Can’t Prove It, It Didn’t Happen – Maintain a Record of Consents. It is very important that a business can show it has properly obtained consent as required. This is necessary to comply with accountability principles, respond to data subject requests and supervisory authority inquiries, and defend against legal claims.
- Talk the Talk and Walk the Walk – Ensure Consistency between Actual Practices and your Policies. In order to comply with its transparency and notification obligations, a business must properly disclose its data processing and Cookie practices, in a privacy notice, cookie policy or other document available to users.
If the user is not properly notified, meaning that the business’s policy does not accurately reflect its practices, the consent obtained may be invalidated.
As a bonus, complying with a business’s own user-facing policies may minimize breach of contract claims or deceptive trade practices enforcement.
- It’s Not Crossing the Rubicon – Allow Users to Withdraw Consent (and consider renewing consent). Businesses need to have a solution in place that enables users to easily withdraw, at any time, consent they have previously given, such as a small, permanently visible floating icon or a link placed in a visible and standardized location.
Once you have obtained valid consent and have a proper withdrawal option – is that it? Well, unfortunately, no. There is no specific time limit for how long a consent will last – that depends on the context, scope of the original consent (what it was provided for) and the expectations of the user.
If the purpose of processing changes, or if an extended period has lapsed since consent was obtained, a business should consider refreshing the consents and obtaining new ones.
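As an added example that is not part of the original post, the following JavaScript sketches how the layered consent, record of consents, withdrawal and renewal points above translate into a single consent-state model. It is illustrative code written for this page, not a vendor tool: the category names, policy version string, 180-day refresh period and storage key are constructed assumptions, and storage is an injected key/value object (a `Map` in the demo) so it runs in Node without a browser; on a real site it would wrap `localStorage` or a first-party cookie.

```javascript
// Added example (not from the original post): a minimal consent-state model for a
// layered cookie banner. All category names, the policy version, the refresh period
// and the storage key are constructed assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];
const POLICY_VERSION = "2023-04-policy-v1";            // bump whenever the cookie policy changes
const MAX_CONSENT_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // assumed refresh period: 180 days
const STORAGE_KEY = "cookie-consent";

class ConsentManager {
  // store: object with get(key) -> string|undefined and set(key, string)
  // clock: function returning the current time in ms (injectable so tests can age consent)
  constructor(store, clock = () => Date.now()) {
    this.store = store;
    this.clock = clock;
  }

  // Read the stored record; null means the user has never made a choice.
  record() {
    const raw = this.store.get(STORAGE_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // True when the banner must be shown again: no record, policy changed, or consent aged out.
  needsRefresh() {
    const rec = this.record();
    if (!rec) return true;
    if (rec.policyVersion !== POLICY_VERSION) return true;
    return this.clock() - rec.grantedAt > MAX_CONSENT_AGE_MS;
  }

  // Gate for placing a cookie of a given category.
  mayUse(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "necessary") return true;  // strictly necessary exemption
    if (this.needsRefresh()) return false;      // absent or stale consent counts as no consent
    return this.record().granted[category] === true;
  }

  // Store the user's explicit per-category choices. Every non-necessary category defaults
  // to false: a box the user did not actively tick is not consent (no pre-checked boxes).
  grant(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === "necessary" ? true : choices[c] === true;
    const prev = this.record();
    const rec = {
      policyVersion: POLICY_VERSION,
      grantedAt: this.clock(),
      granted,
      // append-only audit trail: what was consented to, under which policy version, and when
      log: [...(prev ? prev.log : []), { at: this.clock(), action: "grant", granted: { ...granted } }],
    };
    this.store.set(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Withdraw consent for one category, or for all non-necessary categories when none is given.
  withdraw(category = null) {
    if (category === "necessary") throw new Error("necessary cookies are not subject to consent");
    if (category && !CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const rec = this.record();
    if (!rec) return null;
    const targets = category ? [category] : CATEGORIES.filter((c) => c !== "necessary");
    for (const c of targets) rec.granted[c] = false;
    rec.log.push({ at: this.clock(), action: "withdraw", categories: targets });
    this.store.set(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }
}

// Cookie-setting helper that refuses to place a cookie whose category lacks consent.
// `jar` stands in for document.cookie (a Map here so the example runs outside a browser).
function setCookie(manager, jar, name, value, category) {
  if (!manager.mayUse(category)) return false;
  jar.set(name, value);
  return true;
}

// Stand-alone demo with a constructed in-memory store.
if (typeof require !== "undefined" && require.main === module) {
  const cm = new ConsentManager(new Map());
  const jar = new Map();
  console.log("before any choice, analytics allowed:", cm.mayUse("analytics"));
  cm.grant({ functional: true });  // user ticked only "functional"
  console.log("functional set:", setCookie(cm, jar, "prefs", "dark", "functional"));
  console.log("analytics set:", setCookie(cm, jar, "_ga", "x", "analytics"));
  cm.withdraw("functional");
  console.log("after withdrawal:", cm.mayUse("functional"), "log entries:", cm.record().log.length);
}
```

The design choice worth noting is that the default state and every failure path (no record, changed policy version, expired consent, unticked category) resolve to "no consent", so a cookie-setting call can never succeed on the basis of silence or passage of time. The per-event log is what lets the business later show which categories were granted, under which policy version, and when they were withdrawn.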
Do you know the difference between a smart cookie and a tough cookie? A tough cookie will try to figure it all out on its own, a smart cookie asks its lawyer for advice – don’t hesitate to contact us with any question.
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity.
Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.