ICO, CNIL, German and Spanish DPA Revised Cookies Guidelines: Convergence and Divergence.

Similarities

Rules applicable to cookies only?

No, the authorities consider that the rules apply to any technology that stores or accesses information on the user’s device (e.g. pixels, SDK in mobile applications, local objects, browser fingerprinting technologies, etc). In the case of the German guidance, the technology must also involve processing of personal data; so long as that is the case, then the rules will apply to any of the types of technology listed above.

Implied consent

All authorities stress that if consent is required, users must give specific, freely given and unambiguous consent before the respective activity commences. The authorities highlight that a user continuing to browse a website does not amount to that user's consent.

Contractual consent

The French, U.K. and Spanish authorities are clear that terms and conditions cannot be used as a method for obtaining consent, as this breaches Article 7(2) of the EU General Data Protection Regulation (need for clearly distinguishable data-processing consents). The German authorities did not comment on this but likely agree.

Global consent

The consent must cover each purpose for which personal data will be processed (i.e., each purpose for which cookies are used). The U.K., French and Spanish authorities accept that organizations can offer a global consent for all cookies for which consent is required in their first consent layers. German authorities do not comment on this. ICO guidance but, based on the ICO’s own practice, purpose-specific consent options are likely to be regarded as best practice. The German authorities require granular consent but do not specify whether this should be part of the first layer or could be moved to a second layer.

Differences

Issues

France

UK

Germany

Are cookie walls allowed?

The CNIL revised its position on cookie walls after the partial annulation of its July 2019 guidelines by the French highest administrative court (i.e. Conseil d'Etat) in June 2020. 

The revised October 2020 guidelines no longer provide a blanket prohibition of cookies walls. Instead, the CNIL notes that cookie walls are unlikely to meet the threshold for valid consent under the GDPR. However, such cookie walls should be reviewed and analysed on a "case by case" basis.

ICO notes that consent that is forced via a cookie wall is “unlikely to be valid.” However, it also notes that GDPR must be balanced against other rights, including freedom of expression and freedom to conduct a business. ICO seems to be “sitting on the fence” on this — at least for the moment.

No, similar to the CNIL.

Do analytic cookies require consent?

Not always and the position of the CNIL has changed on this topic. 

Indeed, the French regulator previously

(i) required consent for analytic cookies and

(ii) by derogation had provided an opt out regime for certain types of analytic cookies if cumulative conditions were met. 
Under the October 2020 new rules, the CNIL now

(i) requires consent for analytic cookies and

(ii) by derogation accepts that certain types of analytic cookies can be regarded as “strictly necessary” (for which no opt out needs to be provided) if cumulative conditions are met (e.g. lifespan of analytic cookies must not exceed 13 months, etc).  

This approach from the CNIL seems to anticipate a possible analytic cookie exemption suggested in certain drafts of the still being debated ePrivacy Regulation.

Yes. There is no exception. Though ICO states that it is “unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals,” and first-party analytics cookies are given as an example of cookies that are potentially low risk.

No, unless they lead to a transfer of personal data to a third party. Even in that case, likely no consent would be necessary if users can easily opt out from the data transfer to the third party.

Lawful basis for subsequent processing of personal data?

Unlike ICO, the French regulator remains silent on this question

For ICO, in most circumstances, legitimate interest is not the appropriate lawful basis for the processing of personal data relating to cookies. Because consent is required under ePrivacy rules, consent should also be the legal basis under GDPR. Relying on legitimate interests when GDPR-compliant consent is already in place would be unnecessary and would cause confusion to users.

Legitimate interests would never be available for profiling related processing of personal data.

Like the CNIL, the German authorities take the view that consent is not always required. They mention contract performance (Article 6(1) (b) GDPR) and the balance-of- interests test (Article 6(1)(f) GDPR) as further possible legal bases.

Prominence of options given to users

The French regulator provides three options (to be placed in the first layer of the cookie consent banner). 

1) The first option is for the publisher to include "reject all" and "accept all" buttons alongside a "preferences" option in the first layer.

2) The second option is for the publisher to have an "accept all" and  a "preferences"  buttons and offer the possibility for users to reject cookies by clicking on a sentence such as "continue without accepting [X]" in the top right corner of the first layer of the cookie consent banner for instance. 

3) The third option is for the publisher to have an "accept all" and a "preferences" buttons and offer the possibility for users to reject all cookies by continuing browsing/not interacting with the cookie consent banner. However, in such  cases

(i) the text of the first layer of the cookie consent banner must make this clear and

(ii) the cookie consent banner must “disappears after a short period of time, so as not to hinder the use of the site or the application and so as not to condition the user's browsing comfort on the expression of his consent to the cookies”

Organizations emphasizing the “agree”/“allow” cookie  options over the “reject”/“block” cookie options influences users toward the “accept” option. This is not a compliant way to collect consent. The same would be true if the “reject”/“block” option were located in a second layer and the “agree”/“allow” cookie   option were available in the first layer.

A simple banner with cookie information and an “OK” button would not be sufficient; the consent must be recognizable
as such. This means that the banner must list specifically all data-processing activities that require consent (and not any other) and that users must be able to decline their consent. The German authorities require granular options (for each data-processing activity) but do not specify whether these options can be part of a multiple-layer concept (where
a simple “accept all” option is complemented with more granular “refuse” options on the  second layer).

Cookie lifespan and retention periods

The lifespan of analytic cookies benefitting from the CNIL consent exemption must not exceed 13 months. Information collected through these can be kept for a maximum of 25 months.

As a best practice, the French regulator considers that  consent given to cookies should be valid for 6 months but emphasizes that there is no perfect "one size fits all" answer to this question.  
The CNIL also recommends that any refusal to the placement of cookies must be retained for the same duration as consent. 

The lifespan of cookies must be proportionate in relation to the intended outcome and limited to what is necessary to achieve the purpose.

The maximum possible technical duration of a cookie (e.g., “31/12/9999”) would not be regarded as proportionate in any circumstances.

German authorities do not specify the lifespan of cookies, but take the view that a shorter lifespan (aka “recognition period”) is more likely to meet the requirements of the balance- of-interests test (Article 6(1)(f) GDPR).