The European Data Protection Board (EDPB), after a comprehensive public review process, has finally issued important guidelines on cookie consent.
This is timely because even now, 22 years after ePrivacy laws first hit the statute book, the great majority of websites do not comply with them.
Although properly compliant solutions have been available since 2011, most websites employ inadequate CMPs which do not manage cookies or other storage, so the sites continue to use cookies from the off, without the users having first given their consent.
The new EDPB guidance not only reiterates guidance previously given by the EDPB and its predecessor, the Article 29 Working Party (WP29); it clarifies that guidance and dismisses many widely held misconceptions, including those regarding "first-party" versus "third-party" data.
It points out that cookies are part of a wider class of terminal or browser-based storage which requires consent from users before it is placed or used.
Anything stored in the browser - cookies, JavaScript local or session storage, data in the various caches, even permanent storage such as local IP addresses - is potentially covered, unless it is strictly necessary to fulfil a service the user has previously requested or is solely used to support the underlying communications channel. Such consent-exempt storage may only be retained for a very short period and, importantly, the data it contains, or data derived from it, must never be communicated away from the browser.
Consent is needed no matter where the data originates or is sent to, whether the top-level website or third-party servers (so-called "first-party" or "third-party"), and by whatever means: any client-to-server or server-to-server relaying mechanism.
For consent to be valid, the EDPB says that:
- the user must first be given specific and truthful information on how the storage will be used
- cookies and other storage must not be utilised until the user has given their consent for them
- users must have the ability to effectively withdraw their consent whenever they want to
- if withdrawal of consent is ineffective then the initial consent was invalid
- it must be as easy to withdraw consent as to give it. If it is possible to agree in one "click", then it must also be possible to withdraw consent in one click.
It follows from this that cookies or other storage must be removed when any previous consent is withdrawn, so ensuring the data stored can never again be communicated to servers.
Do not believe any company that pretends "first-party" data is somehow immune; the laws have never differentiated between first-party and third-party storage or data. This was simply misinformation put out by Google and other big tech companies decades ago, at the time ePrivacy regulations were first mooted. It applies to any approach that uses first-party cookies, such as "cookie stitching", "clean room" processing, "bounce tracking" or the widely used "link decoration" mechanism.
What is needed is the "bullet-proof" approach championed by the very first consent platform, Baycloud Systems' CookieQ, which has been providing legal surety and transparently valid consent since 2011, guaranteeing not only that cookies and other storage are properly removed on consent withdrawal, but also maximising resilience by ensuring no malware, or otherwise dangerous or privacy-risk-prone unrecognised content, gets loaded into visitors' browsers.
This approach is equally valid in the US, where new State laws such as the California Consumer Privacy Act require user agreement before data is shared with other websites, with such agreement signalled either by clicking a link on the website or by the browser utilising an appropriate "universal opt-out mechanism" such as the DNT or Sec-GPC request headers. Claiming to respect a user's opt-out but failing to do so could be seen as "unfair methods of competition and deceptive acts or practices in commerce" under the FTC Act, and the only sure way to avoid this is to delete cookies or make sure they are never communicated to third-party servers, and to use a consent platform like CookieQ that does this while properly responding to any recognised universal opt-out signal.
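The consent rules listed above (no consent-dependent storage before consent, deletion on withdrawal) and the universal opt-out signals mentioned in this last paragraph can be combined in one server-side decision. The following is an added illustration, not CookieQ's code or anything from the EDPB guidance; it assumes the user's choice is recorded in a cookie named `consent` and that every other cookie is consent-dependent, and treats a `Sec-GPC: 1` or `DNT: 1` request header as overriding any stored consent.

```javascript
const CONSENT_COOKIE = "consent"; // assumed name of the cookie recording the user's choice

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Recognised universal opt-out signals: Sec-GPC: 1 (Global Privacy Control) or DNT: 1.
// Either one is treated as a refusal that overrides any consent cookie that is present.
function hasOptOutSignal(headers) {
  return headers["sec-gpc"] === "1" || headers["dnt"] === "1";
}

// Decide whether consent-dependent cookies may be used on this request.
// `headers` is a lowercase-keyed map of request headers; `withdrawRequested` is true when
// the user has just used the one-click "withdraw" control.
// Returns { allowed, setCookie }: `setCookie` lists the Set-Cookie headers the response must
// send. Whenever consent is absent, withdrawn or overridden by an opt-out signal, every
// cookie other than the consent record is expired with Max-Age=0 so the browser discards it
// and its contents are never sent to any server again.
function consentDecision(headers, withdrawRequested = false) {
  const cookies = parseCookieHeader(headers["cookie"]);
  const allowed =
    cookies[CONSENT_COOKIE] === "granted" && !hasOptOutSignal(headers) && !withdrawRequested;
  const setCookie = [];
  if (!allowed) {
    for (const name of Object.keys(cookies)) {
      if (name === CONSENT_COOKIE) continue;
      // Path (and Domain, if one was set) must match the original cookie for deletion to work.
      setCookie.push(`${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
    }
  }
  if (withdrawRequested) {
    // Record the withdrawal so the site does not keep re-prompting. The consent record is
    // assumed here to be strictly necessary storage (it exists only to honour the user's choice).
    setCookie.push(`${CONSENT_COOKIE}=withdrawn; Max-Age=31536000; Path=/; Secure; SameSite=Lax`);
  }
  return { allowed, setCookie };
}
```

The caller only sets or reads consent-dependent cookies when `allowed` is true and always emits the returned `setCookie` headers, so a withdrawal or opt-out signal removes the stored data on the very response that receives it.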