Updated February 3, 2020.
Efforts to regulate online surveillance and secure the right to digital privacy have crystallized in the European Union in the shape of the General Data Protection Regulation (GDPR) and in the US with the California Consumer Privacy Act (CCPA).
European data protection authorities have also begun to tighten their national guidelines for cookie control in the wake of the Planet 49 ruling from the Court of Justice of the European Union (CJEU).
In this blogpost, we look at efforts of cookie control, including Cookiebot’s consent management platform that enables compliance with the emerging data privacy laws of the world, such as the GDPR and CCPA.
The Information Commissioner’s Office (ICO) is the data protection authority of the UK.
ICO enforces the European GDPR on UK soil – and after Brexit, will enforce the new domestic UK-GDPR (United Kingdom General Data Protection Regulation). It is also responsible for the enforcement of the various other data protection laws in effect, such as the Data Protection Act 2018 (DPA2018) and the PECR.
PECR stands for the Privacy and Electronic Communications Regulations. It dates from 2003 and is the UK’s national implementation of the ePrivacy Directive (ePR).
When it comes to a website’s cookie management, implied consent as we know it today – the soft opt-in that allows a website to interpret its users’ continued browsing as consent – does not meet the requirements for valid consent, ICO has ruled.
Instead, users must give their affirmative consent to any cookies that are not necessary cookies (or non-essential, as ICO calls them), and it is the legal responsibility of websites to have a cookie manager in place that enables this for their users.
Pre-ticked boxes (or any equivalents) are not lawful to use on anything but necessary cookies, according to the new ICO guidelines. This means that preference, statistics and marketing cookies must abide by the same rules: they all need to be un-ticked and now require affirmative opt-in to be viewed as valid consent.
GDPR/ePR compliant banner in the EU by Cookiebot.
In other words, users must now choose to tick the boxes of preference, statistics and marketing cookies alike, in order for these categories of cookies to be activated.
This is in line with the ruling from the CJEU, the highest legal body of the EU, which decided that no pre-ticked boxes are allowed on consent banners inside the EU.
The ICO guidelines now include that –
The UK left the EU on January 31, 2020.
On Exit Day, the new UK-GDPR took effect alongside an amended Data Protection Act 2018. However, the EU’s GDPR and ePR will still apply in the UK for the duration of the transition period (likely until December 31, 2020).
This means that the CJEU Planet 49 ruling which prohibits any pre-ticked checkboxes on consent banners in the EU applies to the UK until December 31, 2020.
After December 31, 2020 – when the UK is formally and finally independent from the EU – the UK-GDPR, DPA2018 and PECR will be the domestic data protection laws in effect.
California became the first state in the US to enact a comprehensive data privacy law on January 1, 2020.
The California Consumer Privacy Act regulates how businesses are allowed to collect, handle and sell or disclose the personal information of California residents.
CCPA forces those commercial entities who fall under its definition of business to:
Read more about the CCPA, learn who is liable for compliance and how to be compliant.
The American equivalent of the European data protection authorities, the Federal Trade Commission (FTC), operates in a different climate altogether, since the US does not have a federal data privacy law akin to the GDPR, and so there is no strict cookie control at an enforceable, federal level.
However, the Federal Trade Commission recently levied a record $5 billion fine against Facebook for its mishandling of user data in the Cambridge Analytica scandal. It is the highest fine ever imposed by the FTC… but a fraction of Facebook’s annual revenue of $56 billion. Part of the FTC’s ruling was also to impose stronger oversight on Facebook’s collection and handling of users’ data.
Cookie control in the US takes shape as record enforcement against Facebook.
Moreover, the FTC recently directed a multimillion-dollar fine against Google for data collection targeting children under the age of 13.
European data protection authorities have started collaborating on cross-country cookie control, e.g. the Irish Data Protection Commission (which currently has 11 investigations open against Facebook), which has met with government officials in Washington. Even the European Commission has shared information with the FTC about its past investigations into Google.
The CNIL guidelines apply to all types of operations involving cookies and trackers on any type of device, effective after a grace period of around a year from now (approximately July 2020).
CNIL is also in line with the Planet 49 ruling by the CJEU.
It rules that the soft opt-in or implied consent as it stands today – i.e. continuing to browse a website after its cookie banner is displayed equals consent – is a thing of the past in France.
CNIL rules that implied consent is unlawful and strengthens French cookie control.
French website owners and operators must obtain affirmative, unambiguous and freely given consent before any non-necessary cookie or tracker can be activated.
Digital self-defense is also an option a lot of people are choosing out of exasperation after learning the ugly truth about the dismal state of privacy on the Internet today.
This type of digital self-defense is essentially a version of privacy protection where everyone has to fend for themselves, by downloading the right browser that then blocks cookies automatically.
The downside is that such browsers often break websites, because they block cookies that support the basic functions of a domain. This full cookie stop is the default mode of both Epic and Brave, whereas Firefox uses a tracker list from Disconnect to determine which cookies it blocks.
This digital self-defense is not a viable final solution to the privacy problems of surveillance capitalism, since most people don’t have the time or the technical skills to navigate the abundant market of privacy tools, browsers, VPNs or adblockers.
There is also another way to protect privacy in our digital infrastructures, one that doesn't require digital self-defense but puts the responsibility on the shoulders of website owners and operators, as directed by the GDPR.
Cookie control through a cookie manager like Cookiebot is a technology that we – obviously – have put our weight behind and think of as a vital part of a sustainable solution for protecting privacy.
Using a consent solution that is specific to each website (implemented through the cloud and integrated seamlessly onto a domain) not only prevents websites from breaking, because it lets them discriminate between different categories of cookies; it also holds the potential to be fully GDPR and CCPA compliant, including compliance with the new guidelines of ICO and CNIL.
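The consent rules laid out above (no pre-ticked boxes, affirmative opt-in per category, continued browsing never counting as consent) and the per-category gating that keeps necessary cookies working are modelled in this added example. It is illustrative code written for this post, not Cookiebot’s own implementation; the cookie registry and action names are constructed for the demonstration.

```javascript
// Consent categories as used in this post. "necessary" is the only category
// that may be active without an affirmative user action.
const CATEGORIES = ["necessary", "preference", "statistics", "marketing"];

// No pre-ticked boxes: every non-necessary category starts as false.
function initialConsent() {
  return { necessary: true, preference: false, statistics: false, marketing: false };
}

// Apply a user action to a consent state and return the new state.
// Only explicit opt-in / opt-out / allow-all actions change consent;
// scrolling, navigating or closing the banner (soft opt-in) change nothing.
function applyAction(state, action) {
  switch (action.type) {
    case "optIn": // user ticked a box and confirmed the selection
      if (!CATEGORIES.includes(action.category) || action.category === "necessary") return state;
      return { ...state, [action.category]: true };
    case "optOut": // user withdrew consent for a category
      if (!CATEGORIES.includes(action.category) || action.category === "necessary") return state;
      return { ...state, [action.category]: false };
    case "allowAll":
      return { necessary: true, preference: true, statistics: true, marketing: true };
    default: // "scroll", "navigate", "close" or anything unknown: implied consent is invalid
      return state;
  }
}

// Gate a single cookie or tag by its category. Unclassified cookies are blocked,
// so a site cannot bypass the gate by leaving a cookie uncategorised.
function mayActivate(state, category) {
  return CATEGORIES.includes(category) && state[category] === true;
}

// Constructed cookie registry for the example (names are made up).
const REGISTRY = [
  { name: "sessionid", category: "necessary" },
  { name: "ui_lang", category: "preference" },
  { name: "analytics_id", category: "statistics" },
  { name: "ad_id", category: "marketing" },
  { name: "legacy_tracker", category: "unclassified" },
];

// Return the names of the cookies that may be set under the given consent state.
function cookiesToSet(state, registry) {
  return registry.filter((c) => mayActivate(state, c.category)).map((c) => c.name);
}
```

With the initial state only the necessary cookie is set, so the site keeps working; a scroll event leaves the state untouched, while an explicit opt-in for statistics unlocks only that category.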
A website owner looking for cookie control can use Cookiebot to –