Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies. On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only). On December 20, 2023, the Austrian SA published FAQs on cookies and data protection (available in German only). On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).

The new guidance builds on existing guidance but addresses some new topics which we discuss below.

The Austrian SA’s FAQ states that:

  • Cookies that store information about a user’s consent status (that is to say, a cookie indicating whether the user has consented or not to the placing of cookies) do not require consent unless a unique online identifier is assigned to the user for this purpose. This does not seem to align with previous guidance from other regulators. The Belgian checklist, discussed below, mentions that cookies used to store the user’s choice regarding cookies are exempt from consent. Similarly, the French SA considers that cookies storing the user’s choice about the use of cookies do not require consent (see point 49 of the French SA’s guidelines on cookies, available in French). Neither the Belgian checklist nor the French guidelines specifically mention whether or not these cookies are tied to a unique online identifier.
  • Advertising cookies used to display personalized ads require consent even if displaying such ads is necessary for the site’s financial viability.
  • The “pay or ok” model (also known as a “cookie wall”) – where users are given a choice between a free version of the website that includes tracking cookies and a paid version that does not – may be permissible if certain conditions are met such as:
    • the company implementing the model is not dominant in the market;
    • the price for the paid-for version is reasonable and fair; and
    • the user is offered granular consent options. 

The Spanish SA’s Guidance on Analytics Cookies states that:

  • The only analytics cookies and similar technologies that are strictly necessary for the “proper administration of a website” (and therefore do not require consent) are those that perform the following measurements:
    • page-level audience measurements;
    • the list of pages from which a link has been followed to request the current page, either internal or external to the website, by page and aggregated daily;
    • determination of users’ device type, browser, and screen size, by page and aggregated daily;
    • page load time statistics, per page and aggregated per hour;
    • statistics on time spent per page, bounce rate, scroll depth, per page and aggregated daily;
    • statistics on user actions (clicks, selections), per page and aggregated daily; and
    • statistics on the geographic area of origin of the requests, per page and aggregated on a daily basis.
  • Publishers of websites and mobile applications that use analytics cookies or similar technologies that are exempt from consent must:
    • inform users about the use of these cookies or similar technologies;
    • limit the lifetime of these cookies or similar technologies to a period of time that allows for meaningful comparisons of audiences over time, such as a thirteen-month period, and this period must not automatically renew each time a user visits the website;
    • retain information collected through these cookies or similar technologies for no longer than twenty-five months; and
    • periodically review the useful life and retention periods to limit them to what is strictly necessary.
  • A vendor providing a comparative audience measurement service to multiple publishers must give “objective assurances” to the publisher that: (i) data are collected, processed, and stored separately for each publisher; and (ii) the cookies or similar technologies used are completely independent of each other and of any other cookie or similar technology.

The Belgian SA’s Cookies Checklist states that:

  • Publishers of websites and mobile applications should avoid using the same cookie for multiple purposes.
  • Publishers of websites and mobile applications should document that their consent mechanism (such as a banner) has been modified over time by retaining previous versions of the cookie policy and providing a date and version number in the cookie policy.

The EDPB approach

At the EU level, the European Data Protection Board (“EDPB”) has been active in considering cookie issues. In 2023, it published its latest guidance on cookies and similar technologies (see our blog post), the findings of its cookie banner taskforce (see our blog post), and its thoughts on the European Commission’s so-called “cookie pledge” to simplify cookie banners (see here). 

In addition, the EDPB discussed the “pay or ok” consent model at its December plenary meeting and intends to issue guidance on this topic.

*                             *                             *

The Covington Privacy & Cybersecurity team regularly advises clients on the laws governing the use of cookies and similar technologies, particularly in the adtech context, and continues to keep a close eye on the guidance issued by European supervisory authorities.  If you have any questions, feel free to reach out to any member of the team.

(This blog post was written with the contributions of Alberto Vogel.)

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.