
EU LAW ON COOKIES

www.dlapiper.com | 01
summary

EU Member Implemented Regulator Does local Can website EU Member Implemented Regulator Does local Can website
State into local law? guidance regulator operators rely State into local law? guidance regulator operators rely
published? interpret the upon implied1 published? interpret the upon implied1
law as requiring consent? law as requiring consent?
prior opt-in? prior opt-in?
Austria Yes No Yes No Ireland Yes Yes No Yes, under certain
Belgium Yes Yes Yes Yes, under certain circumstances
conditions Italy Yes Yes Yes No
Bulgaria Yes No Yes Unknown Latvia Yes No Yes No
Croatia Yes No Unknown Unclear Lithuania Yes Yes Yes Not Clear
Cyprus Yes No Yes No
Luxembourg Yes No Yes No
Czech Republic Yes No No N/A, opt out
Malta Yes No Unknown Not clear
principle applies
Denmark Yes Yes No Yes Netherlands Yes Yes Yes (unless Yes
exceptions apply)
Estonia Yes No No N/A, opt-out
principle applies Norway2 Yes Yes Yes Yes
Finland Yes No Yes Yes Poland Yes No Yes Yes
France Yes Yes Yes Yes, under certain Portugal Yes No Yes No
conditions
Romania Yes No Yes Not clear
Germany No No No Currently Yes
Slovak Republic Yes No Yes No
Greece Yes No Yes No
Slovenia Yes Yes Yes Very restrictive
Hungary Yes No No Yes
Spain Yes Yes Yes No
Sweden Yes No Yes Not clear
United Kingdom Yes Yes Yes Yes

¹ Some regulators have deemed implied consent as a method to obtain consent. Such consent may be considered valid where the user is given specific and comprehensive information about the use of cookies, and the user gives an indication of his/her wishes to consent (e.g. continues to browse and doesn’t disable cookies).

² Norway is not an EU Member but as a consequence of its membership in the EEA (European Economic Area (Nw: EØS)), Norway is under an obligation to adopt EU Directives.



Contents

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovak Republic
Slovenia
Spain
Sweden
United Kingdom

AUSTRIA

DLA Piper Contacts:
Sabine Fehringer, T +43 1 531 78 1453, sabine.fehringer@dlapiper.com
Stefan Panic, T +43 1 531 78 1034, stefan.panic@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
The E-Privacy Directive was implemented in Austria by amendment of the relevant provisions of the Austrian Telecommunications Act (in Austrian: “Telekommunikationsgesetz 2003” (“TKG”)). The changes to the TKG came into effect on 22 November 2011.
The relevant section of the TKG states that a user must give informed consent for the storage of personal data.

Meaning of consent:
■ Under Austrian law “informed consent” is required prior to the processing of personal data. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the details of the data to be stored or processed, and has to agree actively. Therefore, it appears advisable that consent is obtained via some form of pop up or click-through agreement.
■ Consent by way of browser settings or a pre-selected check-box, etc., is not sufficient. In cases where consent is purported to be obtained by way of browser settings, the TKG requires that the information regarding the storage of personal data must be made available to the user.
■ There are no specific guidelines and case law in Austria. The most recent developments in the commentary refer to the principles summarised in Article 29 Working Party guidelines document WP 208 (see Working Document 02/2013 providing guidance on obtaining consent for cookies, adopted on 2 October 2013, 1676/13/EN, WP 208).

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable legislation: In Austrian: “Telekommunikationsgesetz 2003” as amended by BGBI I Nr. 102/2011
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) and Austrian Data Protection Authority (DSB)



BELGIUM

DLA Piper Contact:
Patrick Van Eecke, T +32 (0)2 500 1630, patrick.van.eecke@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? Yes, the Belgian Privacy Commission issued a recommendation in 2015.

Current position (legal, enforcement and regulatory position):
■ Article 5(3) of the E-Privacy Directive was implemented into Belgian Law by means of amendment of article 129 of the Belgian Electronic Communication Act. The amendment follows the wording of the E-Privacy Directive closely. As a result, the amended article 129 of the Belgian Electronic Communication Act requires prior informed consent.
■ The amended article 129 of the Belgian Electronic Communication Act does not allow for the website visitor’s consent to be expressed by usage of the appropriate browser settings or other applications, as suggested by the European legislator in recital 66 of the E-Privacy Directive.

Meaning of consent:
■ Consent must be (i) freely given (i.e. in circumstances where the website visitor has a choice to refuse consent); (ii) specific (i.e. relate to a specific cookie associated with a clearly defined purpose); (iii) informed (i.e. the visitor must be given information beforehand, specifying the cookie’s purpose as well as the possibility to revoke consent) and (iv) unambiguously given.
■ Consent can be obtained in various ways including using a banner or an alternative start page providing information about the cookies to be set where visitors can tick a box granting permission for cookies being set.

Does local regulator interpret the law as requiring prior opt-in?
The law does not foresee stricter wording than that of article 5(3) of the E-Privacy Directive.
The Belgian Privacy Commission is of the opinion that a prior opt-in is required to set cookies (except for strictly necessary cookies, which do not require the website visitor’s consent). Under certain conditions, consent can be inferred from further browsing.

a) Applicable legislation: Article 129 of the Electronic Commerce Act
b) Regulatory guidance: Recommendation 1/2015 of the Belgian Privacy Commission on the use of cookies, dated 4 February 2015
c) Authority responsible for implementation: The Belgian Privacy Commission and the Belgian Institute for Postal Services and Telecommunications

BULGARIA

Firm: Wolf Theiss
Website: www.wolftheiss.com
Contact: Anna Rizova, T +359 2 861 3703, anna.rizova@wolftheiss.com

E-Privacy Directive implemented into local law? Yes. Directive 2002/58 is implemented into local law, without the latest amendment of Art. 5(3), introduced by Directive 2009/136.

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■ Art. 5(3) of E-Privacy Directive was implemented into Bulgarian legislation on 29 December 2011. The latest update of Art. 5(3) as adopted in Directive 2009/136 is not yet implemented. The relevant text in the local law now states that users should be provided with clear and comprehensive information about the purposes of data processing and they must be given the opportunity to refuse storing or accessing such information.

Meaning of consent:
■ Consent means any freely given, explicit and informed statement of the data subject by which the data subject unambiguously gives their consent to their personal data being processed.

Does local regulator interpret the law as requiring prior opt-in?
Yes. In 2011 the intention of the legislator was to introduce the latest amendments of Art. 5(3) of Directive 2009/136. However, the final adopted text still replicates the old wording before Directive 2009/136. The amendment itself was widely interpreted as implementing the text of Directive 2009/136 without, however, introducing the updated text. In practice the regulator interprets the law as an opt-in regime.

a) Applicable legislation: Electronic Commerce Act
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Consumers Protection Commission



CROATIA

Firm: Law Firm Glinska & Mišković Ltd.
Contact: Beata Glinska, T +385 1 619 99 30, beata.glinska@gamc.hr

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in Croatia by amendment of the relevant provisions of the Croatian Electronic Communications Act (in Croatian: Zakon o elektroničkim komunikacijama).
■ These amendments to the Electronic Communications Act are in force as of 1 July 2013.

Meaning of consent:
■ Croatian Electronic Communications Act defines consent as free and explicit declaration of will of the user of services or subscriber, by which he/she expresses his/her consent to the processing of his/her personal data for specific purposes.
■ According to the provisions of Croatian Electronic Communications Act, the use of electronic communications networks for the purpose of data storage or in order to gain access to already stored data in the terminal equipment of a subscriber or user of services is allowed only when the subject subscriber or user of services has given his/her consent, after being provided with clear and comprehensive information in accordance with special regulations on personal data protection, and especially on the purposes of the data processing.
■ However, this requirement shall not prevent: (i) any technical storage of data or access to data for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or (ii) if that is necessary in order to provide information society services at the explicit request of a subscriber or user of services.

Does local regulator interpret the law as requiring prior opt-in?
Prior opt-in is required according to the Electronic Communications Act, except in the situations when user’s consent is not required as set out therein.
In practice, the usual wording of a cookie banner in Croatia reads: “If you continue to browse this site, you agree to the usage of cookies”, which suggests that website operators rely upon implied consent. However, as the Legislator and the enforcement authorities did not provide any guidance in this respect, it is unclear how the law on cookies should be interpreted and implemented.

a) Applicable legislation: Electronic Communications Act (Official gazette of the Republic of Croatia nos. 73/2008, 90/2011, 133/2012, 80/2013 and 71/2014).
b) Regulatory guidance: No
c) Authority responsible for implementation: Croatian Regulatory Authority for Network Industries (in Croatian: Hrvatska regulatorna agencija za mrežne djelatnosti (HAKOM)) and Croatian Personal Data Protection Agency (in Croatian: Agencija za zaštitu osobnih podataka (AZOP)).

CYPRUS

Firm: Pamboridis LLC
Website: www.pamboridis.com
Contact: Christy Spyrou, T +357 22752 525, spyrou@pamboridis.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in Cyprus on 18 May 2012, through Law No. 51(I)/2012 amending the Regulation of Electronic Communications and Postal Services Law.
■ The amendments follow the wording of the E-Privacy Directive closely, and leave the detailed compliance requirements to be clarified by the Cyprus Office of the Commissioner for Personal Data Protection.
■ Prior informed consent is required in accordance with the provisions of the Processing of Data (Protection of the Individual) Law of 2001 and its amendment Law No. 37(I)/2003.

Meaning of consent:
■ Consent means any freely given, express and specific indication by the data subject of their wishes which is clearly expressed and informed (the data subject must have been previously informed that they consent to the processing of personal data concerning them).

Does local regulator interpret the law as requiring prior opt-in? Yes, required by law.

a) Applicable legislation: The Electronic Communications and Postal Services Law of 2004 as amended.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Office of the Commissioner of Electronic Communications and Postal Regulation and the Office of the Commissioner for Personal Data Protection.



CZECH REPUBLIC

DLA Piper Contact:
Barbora Lekesova, T +420 222 817 807, barbora.lekesova@dlapiper.com
Jan Rataj, T +420 222 817 800, jan.rataj@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■ On 1 January 2011, the Czech Republic implemented the E-Privacy Directive. The E-Privacy Directive was implemented into Czech law by Act No. 468/2011 Coll., which amended Act No. 127/2005 Coll., on Electronic Communications, as amended. The amendment was effective as of 1 January 2011 and introduced the opt-out principle.
■ The E-Privacy Directive was reflected in Act No. 127/2005 Coll. on Electronic Communications which states: “Anyone who intends to use or uses electronic communications networks to store data or to gain access to data already stored in the terminal equipment of the participants or users, is required to inform such participants or users in advance and provably about the scope and purpose of the processing of data and is obliged to offer them to refuse the possibility of the processing.”

Meaning of consent:
■ The Czech legislature derived the meaning of consent from the purpose of the E-Privacy Directive, which is not to overload a user with a confirmation of his/her consent at every website visit, but to provide him/her with an easy opportunity to refuse storing of personal data.

Does local regulator interpret the law as requiring prior opt-in? No

a) Applicable legislation: The Act No. 127/2005 Coll., on Electronic Communications.
b) Regulatory guidance: Information of the Office for Personal Data Protection (OPDP) dated 15 June 2012.
c) Authority responsible for implementation: Ministry of Industry and Trade of the Czech Republic.

DENMARK

Firm: Horten
Website: www.horten.dk
Contacts:
Heidi Steen Jensen, T +45 3334 4116, HSJ@horten.dk
Egil Husum, T +45 334 4224, EHU@horten.dk

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? Yes

Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in the new Danish Act on Electronic Communications Services and Networks which came into force on 25 May 2011, in accordance with the implementation deadline in the E-Privacy Directive. However, the Act did not implement the specific provisions concerning the use of cookies, but instead provided an authorisation to the Danish Minister of Business and Growth to execute an executive order on this matter.
■ The “Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment” came into force on 14 December 2011.
■ Pursuant to the Order the use of cookies requires consent. The consent must be freely given and specific.
■ In addition to this, the information to the user must fulfil the following requirements: (i) the information must be clear and easy to understand; (ii) the purpose of the use of cookies must be clear; (iii) the identity of the person or entity which is responsible for the use of cookies must be clear; (iv) the possibility of withdrawal of consent must be easily accessible and be described in the information; and (v) this information must be easily accessible for the user at all times.

Meaning of consent:
■ The consent must be freely given and specific and the user must be given an option.
■ However, this does not imply that consent must be obtained each time a cookie is used but a user must be given an option. Furthermore, the consent must be informed, which implies that a user must receive information about the consequences of consenting. Finally, the consent must be an informed indication of the user’s wishes. Normally, consent is obtained through a tick box but also the continued use of a homepage after having received the relevant information concerning cookies can constitute consent. However, consent via this method should be used with caution.

Does local regulator interpret the law as requiring prior opt-in?
Not in practice. Consent can be obtained by the continued use of a homepage after having received the relevant information concerning cookies but this should be used with caution.

a) Applicable legislation: (i) Act No 169 of 3 March 2011 on Electronic Communications Services and Networks; and (ii) Executive Order No 1148 of 9 December 2011 on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment.
b) Regulatory guidance: Second Guidance of April 2013 to Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment.
c) Authority responsible for implementation: The Danish Business Authority.

ESTONIA

Firm: SORAINEN
Website: www.sorainen.com
Contacts:
Kaupo Lepasepp, T +372 6 400 939, kaupo.lepasepp@sorainen.com
Mihkel Miidla, T +372 6 400 959, mihkel.miidla@sorainen.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in the Electronic Communications Act. The relevant amendment took effect on 25 May 2011. However, the earlier wording of subsections 102(3) and 102(4) of the Electronic Communications Act, which have been marked by the Estonian legislator as implementing Article 5(3) of the E-Privacy Directive, were not changed.
■ Currently no amendments to these provisions are planned. Accordingly, the above mentioned provisions are currently applicable to “communications undertakings” only, i.e., electronic communications service providers or operators.
■ Electronic communications service providers or operators were (and still are) required to notify the subscriber of the purposes of processing personal data and give the subscriber an opportunity to refuse the processing. The law does not require the subscriber’s consent to store information or for them to have access to information already stored. An opportunity to refuse cookies is sufficient.
■ In addition to the exception in article 5(3) of the E-Privacy Directive, an electronic communications service provider or operator may collect and process information, irrespective of the subscriber’s consent or refusal, if the processing is necessary for the purposes of recording the transactions made in the course of business and for other business-related exchanges of information.
■ A draft law was initiated (but has been currently stalled), under which an opt-in system for cookies would be applicable to providers of information society services under the Information Society Services Act.

Meaning of consent:
Due to opt-out system consent to cookies is not needed.

Does local regulator interpret the law as requiring prior opt-in?
No. However, the Estonian Data Protection Inspectorate has expressed that the website operator must provide clear information on the types of cookies used and the purpose of their use.

a) Applicable legislation: Electronic Communications Act (if the draft law is adopted then also the Information Society Services Act).
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Estonian Data Protection Inspectorate and Estonian Technical Regulatory Authority.



FINLAND

DLA Piper Contact:
Markus Oksanen, T +358 9 4176 0431, markus.oksanen@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■ The ePrivacy Directive was implemented in Finland on 25th May 2011 by the Act on Amending the Act on the Protection of Privacy in Electronic Communications. The Information Society Code replaced the Act on the Protection of Privacy in Electronic Communications on 1st January 2015.
■ According to the Information Society Code, a service provider is only allowed to save cookies and other data in a user’s terminal device, as well as to use such data, if the user has given his/her consent thereto and the service provider has given the user comprehensive and complete information on the purpose of saving the cookies or using the data.
■ Information about the cookies must be given in a way that is as convenient as possible for the user.
■ Use of cookies is allowed only to the extent necessary for the purpose of the service.
■ Consent is not needed if the use of cookies is only for the purpose of enabling the transmission of messages in communications networks or which is necessary for provision of a service that the user has specifically requested.

Meaning of consent:
■ A user must give his/her consent for the use of cookies. However, the acceptable form of consent has not been specifically stated in Finnish legislation.
■ Finnish officials have interpreted the ePrivacy Directive in a way that a user can validly give his/her consent for the use of cookies via web browser or other applicable settings.

Does local regulator interpret the law as requiring prior opt-in?
Yes, however consent via browser settings is deemed sufficient if proper information has been provided to the user.

a) Applicable legislation: Information Society Code (7.11.2014/917).
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Finnish Communications Regulatory Authority and the Finnish Data Protection Ombudsman (in relation to collection of personal data).

FRANCE

DLA Piper Contact:
Carol Umhoefer, T +33 1 40 15 24 31, carol.umhoefer@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? Yes

Current position (legal, enforcement and regulatory position):
■ France implemented the E-Privacy Directive in the Law No 78-17 of 6 January 1978. The law states that any subscriber or user of electronic communication services must be fully and clearly informed by the data controller or its representative of: (i) the purpose of any cookie (i.e. any means of accessing or storing information on the subscriber’s/user’s computer); and (ii) the means of refusing cookies, unless the subscriber/user has already been so informed.
Cookies are lawfully deployed only if the subscriber/user has expressed consent after having received such information.
■ However, these provisions do not apply to cookies: (i) the sole purpose of which is to allow or facilitate electronic communication by a user; or (ii) that are strictly necessary to provide online communication services specifically requested by the user.
■ In November 2011, again in April 2012, then again in December 2013, the French Data Protection Authority (“CNIL”) issued guidance for cookies.
■ The CNIL considers that certain cookies are not covered by the law (e.g. cookies used to constitute a “basket” on an e-commerce platform, session ID cookies). The December 2013 guidance further specified what type of cookies are not covered by the law.
■ The CNIL considers that the website owner is liable for allowing a third party to install a cookie on the user’s computer.
■ The April 2012 guidance reaffirmed that these rules apply to all cookies, whether containing personal data or not.
■ The December 2013 guidance introduced an implied opt-in principle which applies, provided that consent is obtained in accordance with the CNIL’s specific requirements.
■ In July 2014 the CNIL announced EU regulators would conduct a “cookies sweep day” in September 2014 and would start enforcement audits in October 2014.

Meaning of consent:
■ Consent must be (i) freely given (i.e. in circumstances where the user has a choice to refuse consent); (ii) specific (i.e. relate to a specific cookie associated with a clearly defined purpose); and (iii) informed (i.e. the user must be given information beforehand, specifying the cookie’s purpose as well as the possibility to revoke consent).
■ The law also provides that consent can result from the subscriber’s/user’s connection settings (e.g. browser settings) or any other means under the subscriber’s/user’s control.
■ However, according to the CNIL, commonly used browsers do not offer compliant settings.
■ The CNIL regards the following consent collection mechanisms as compliant:
– Step 1: inform users by implementing a banner on the home page specifying (i) purposes of the cookies used; (ii) the possibility to object by changing parameters via a link provided in the banner; and (iii) that continuing browsing means consent to the use of cookies.
– Step 2: on a separate page (e.g. in a privacy policy) accessible through the banner, inform users about solutions implemented to accept/refuse cookies, for each technology used and for each purpose.

Does local regulator interpret the law as requiring prior opt-in?
Yes. The law copies the text of the E-Privacy Directive almost word for word, but December 2013 guidance embraces an implied opt-in approach.

a) Applicable legislation: The Law No 78-17 of 6 January 1978 on information technology, data files and civil liberties, as amended.
b) Regulatory guidance: CNIL deliberation No. 2013-978 of 5 December 2013 (https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000028434058).
c) Authority responsible for implementation: Data Protection Authority (in French: Commission nationale de l’informatique et des libertés (CNIL)).

GERMANY

DLA Piper Contact:
Dr Thomas Jansen, T +49 89 232 372 110, thomas.jansen@dlapiper.com

E-Privacy Directive implemented into local law? No

Regulatory guidance issued? No official specific guidance has been published. Only a non-binding completed questionnaire has been made publicly available.

Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive 2002/58/EC, amended by the Cookie Directive 2009/136/EC, has not been implemented into German local law. However, the Federal Government assumes that an implementation is not necessary, as – according to a statement of the European Commission – the legal situation in Germany complies with the specifications of the Directive.
■ Currently the provisions of the German Telemedia Act (“TMG”) apply for the use of cookies.
■ According to section 15 para. 3 TMG opt-out consent is required.
■ Opt-out in this context means that users must have the opportunity to object to the use of cookies.
■ Website operators are obliged to inform users about their right of objection, according to section 13 para. 1 TMG.

Meaning of consent:
■ Due to the contradictory wording of the Directive and the relevant provision of the TMG, data protection advocates demand a change in this legal situation. Therefore currently several website operators are now requiring users to opt-in, either by giving (i) explicit or (ii) implied consent.
(i) Explicit consent is where a website operator informs users about the cookie use by a pop-up window and requires them to give their consent by clicking on a confirmation button.
(ii) Implied consent is where a website operator displays the cookie notification on the side, bottom or top of the website. This notification displays a message stating that the website operator assumes that users agree to the use of cookies and otherwise have to object by changing their browser settings. By not changing the browser settings and continuing to browse the website, users give their implied consent.
■ In summary, currently the opt-out solution is legally admissible in Germany, but it may be recommendable to keep an eye on further developments regarding this subject.

Does local regulator interpret the law as requiring prior opt-in? No

a) Applicable legislation: The TMG is the applicable legislation regarding the use of cookies. If the cookies collect personal data or potential personal data, the Federal Data Protection Act also applies.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: N/A



GREECE

Firm: Kyriakides Georgopoulos Law Firm
Website: www.kglawfirm.gr
Contact: Michailidou Ersi
T +30 210 817 1500
michailidou@kglawfirm.gr

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ The E-Privacy Directive was implemented into Greek law by Law 4070/2012, which was approved by the Greek Parliament on 6 April 2012.
■■ This amends Law 3471/2006 on Protection of personal data and privacy in the electronic telecommunications sector.
■■ According to article 4 par. 5 of Law 3471/2006 as amended by Law 4070/2012, the storage of information or the access to information already stored to the terminal equipment of a subscriber or user is permitted only if this specific subscriber or user has provided his/her consent following an updating.

Meaning of Consent:
■■ Law 4070/2012 has authorised the Hellenic Data Protection Authority (DPA) to specify the mechanisms for providing information and obtaining the user’s consent. Although the DPA has not yet issued any official act or directive, guidelines and advice on its official site state that consent must be given only after appropriate, clear and extensive information has been given to the user.
■■ Consent can be obtained by appropriate browser mechanisms or other applications. Examples include pop-up banners. Internet browsers which reject cookies and require the active selection by the user in order to accept same are considered as valid consent. Preselected browser settings which accept all cookies and which the user must specifically reject do not satisfy the requirements of a valid consent.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable Legislation: Law 3471/2006, as amended and in force today.
b) Regulatory Guidance: No
c) Authority Responsible for implementation: Hellenic Data Protection Authority (DPA).

HUNGARY

DLA Piper Contacts:
Monika Horvath
T +36 1 510 1110
monika.horvath@dlapiper.com
Zoltán Kozma
T +36 1 510 1100
zoltan.kozma@dlapiper.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ Article 5(3) of the E-Privacy Directive was implemented into Hungarian law by section 155(4) of the Hungarian Act C of 2003 on Electronic Communications (“Act C of 2003”). The relevant provision provides that “the storing of information, or the gaining of access to information on the electronic terminal equipment of a subscriber or user obtained via electronic communications networks is only allowed on the condition that the subscriber or the user concerned has given his or her consent, after having been provided with clear and comprehensive information which also includes the purpose of the data processing”.

Meaning of Consent:
■■ There is no specific guidance or regulation in relation to the meaning of consent. However, from the wording of the relevant Act, it is clear that it must be prior consent, after the subscriber has been provided with clear and comprehensive information (including the purpose of processing).
■■ Service providers shall be authorised to obtain and store communications transmitted on their network only to the extent strictly necessary for the provision of services for technical reasons.
■■ General practice is that consent can be obtained via browser settings; however, to date this has not been confirmed by the opinion or the guidance of the Authorities.

Does local regulator interpret the law as requiring prior opt-in? No

a) Applicable Legislation: Section 155(4) of the Hungarian Act (2003 on Electronic Communications).
b) Regulatory Guidance: No
c) Authority Responsible for implementation: National Media and Infocommunications Authority.



IRELAND

Firm: Mason, Hayes and Curran
Website: www.mhc.ie
Contact: Philip Nolan
T +353 1 614 5000
pnolan@mhc.ie

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? Yes

Current Position (Legal, enforcement and regulatory position):
■■ Implemented into Irish law by Statutory Instrument No. 336/2011, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, with effect from 1 July 2011.
■■ Users must be provided with “clear and comprehensive” information, including as to the purpose of the cookie. Such information must be “prominently displayed and easily accessible” and be as “user friendly as possible”.
■■ The Regulations do not apply to cookies which are “strictly necessary in order to provide an information society service explicitly requested” by the user.

Meaning of Consent:
■■ The Regulations do not specify how consent should be given beyond stating that the methods of giving consent should be as “user friendly as possible”.
■■ The user’s consent may be given by the use of appropriate browser settings where it is technically possible and effective. Such settings would require, as a minimum, clear communication to the user as to what he or she was being asked to consent to and a means of giving or refusing consent to any information being stored or retrieved.
■■ Consent can be obtained by other technological applications by means of which the user can be considered to have given his or her consent.

Does local regulator interpret the law as requiring prior opt-in?
No. Implied consent could be relied upon in certain circumstances. Guidance from the regulator indicates that website operators can obtain consent by implication. This can be done by a prominent notification (usually a pop-up), which should contain a link to a Cookie Statement. This link would outline in greater detail how the site makes use of cookies.

a) Applicable Legislation: European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011).
b) Regulatory Guidance: Guidance Note on Data Protection in the Electronic Communications Sector.
c) Authority Responsible for implementation: Data Protection Commissioner.

ITALY

DLA Piper Contacts:
Giangiacomo Olivi
T +39 02 80 618 515
giangiacomo.olivi@dlapiper.com
Giulio Coraggio
T +39 02 80 618 619
giulio.coraggio@dlapiper.com
Saverio Cavalcanti
T +39 06 68 880 616
saverio.cavalcanti@dlapiper.com
Gianluigi Marino
T +39 02 80 618 654
gianluigi.marino@dlapiper.com
Giulia Zappaterra
T +39 02 80 618 826
giulia.zappaterra@dlapiper.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? Yes

Current Position (Legal, enforcement and regulatory position):
■■ Implemented into Italian law with effect from June 2012.
■■ The new provisions are a very close reflection of the wording of Recital 66 of the E-Privacy Directive and section 5(3) of Directive 2002/58/EC (as amended by the E-Privacy Directive). As such, they pose exactly the same interpretation problems as these provisions of EU law, especially with regard to the nature of consent required for compliance. However the guidelines issued 3 June 2014 by the Italian Data Protection Authority clarified the situation and the position of the Authority on this issue.

Meaning of Consent:
■■ The Data Protection Authority’s guidance (Decision of 8 May 2014 entitled “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies”, an English version of which is available at: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3167654) provides for two layers of information notice: a short information notice to be placed in the homepage, which in turn links to a more detailed notice.
■■ The short information on the homepage can be in a banner and shall mention/provide:
a) that the website uses profiling cookies to send advertising messages in line with the user’s online navigation preferences (where applicable);
b) that the website also allows setting third-party cookies (where applicable);
c) a clickable link to the extended information notice, where information on technical and analytics cookies, if any, must be provided, along with tools to select the cookies to be enabled;
d) that on the page with the extended information notice, the user may refuse to consent to the installation of the relevant cookies; and
e) that if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she consents to the use of cookies.
■■ The banner in question must be an integral part of the action through which the user provides his/her consent. In other words, the consent must cause a “discontinuity”, albeit a minimal one, in the browsing experience: for instance, the banner will only cease being displayed on screen if the user takes action – by selecting any active item on the page underneath the banner.
■■ The extended information notice must include all the items provided for under the Privacy Code: describe the detailed features and purposes of the cookies set through the website and allow users to select/deselect the individual cookies. It must be linkable from the short notice as well as from a hyperlink in the bottom section of each website page. The notice must also contain an updated link to the information notices and consent forms of the third parties that set cookies through the operator’s website. If the operator is not directly contracting with such third parties, it will have to include the links to the websites of the intermediaries or brokers that are in turn liaising with such third parties. The extended information notice must also refer to the possibility for users to express their consent to the use of cookies through browser settings.

Does local regulator interpret the law as requiring prior opt-in?
Yes, albeit from the latest guidance on cookie notices some forms of simplified consent are provided.

a) Applicable Legislation: Legislative Decree n. 69 of 28 May 2012, amending the Italian (Legislative Decree n. 196 of 30 June 2003).
b) Regulatory Guidance: Decision of the Italian Data Protection Authority on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies of 3 June 2014.
c) Authority Responsible for implementation: the Data Protection Authority (in Italian: “Garante per la protezione dei dati personali”).



LATVIA

Firm: Klavins Ellex
Website: www.klavinsellex.lv
Contact: Sarmis Spilbergs
T +371 67814848
sarmis.spillbergs@klavinsellex.lv

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ Latvia has implemented the E-Privacy Directive through amendments to the Law on Information Society Services. The implementation of the E-Privacy Directive does not expressly address the use of browser settings to obtain consent. It provides that cookies may be stored only after the user has consented, which shall occur only after information regarding the intended purpose of data processing is provided, in accordance with Personal Data Protection Law.
■■ No official guidance has been issued by the Data State Inspectorate regarding the collection of consent for the use of cookies. There are no signs of relaxation of general rules with respect to consent for cookies.

Meaning of Consent:
■■ Since the Personal Data Protection Law implements Directive 95/46/EC, the consent for cookies must be “unambiguously given”.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable Legislation: Law on Information Society Services, article 71.
b) Regulatory Guidance: N/A
c) Authority Responsible for implementation: Data State Inspectorate.

LITHUANIA

Firm: Valiunas Ellex
Website: www.valiunasellex.lt
Contacts:
Jaunius Gumbis
T +370 52681830
jaunius.gumbis@valiunasellex.lt
Julius Zaleskis
T +370 52191934
julius.zaleskis@valiunasellex.lt

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? Yes

Current Position (Legal, enforcement and regulatory position):
■■ Lithuania implemented the E-Privacy Directive through amendments to the Law on Electronic Communications which came into effect on 1 August 2011.
■■ The amendments mirror the text of the E-Privacy Directive and require that consent to the use of cookies must be “opt-in”.
■■ The Lithuanian State Data Protection Inspectorate has published recommendations about the method of consent to the use of cookies. The guidance confirmed that consent can be obtained through pop-ups, banners or website registration while relevant settings contained within current browsers are not likely to form a valid consent.

Meaning of Consent:
■■ “Prior” explicit consent is required.
■■ Users must be given a genuine opportunity not to consent.
■■ There is no clear guidance on the possibility to obtain an implied consent.

Does local regulator interpret the law as requiring prior opt-in?
Yes, required by law and regulatory guidance.

a) Applicable Legislation: The Law on Electronic Communications of the Republic of Lithuania No IX 2135 (in Lithuanian: “Lietuvos Respublikos elektroninių ryšių įstatymas”).
b) Regulatory Guidance: http://www.ada.lt/images/cms/File/naujienu/slapuk_DV.pdf.
c) Authority Responsible for implementation: State Data Protection Inspectorate (in Lithuanian: “Valstybinė duomenų apsaugos inspekcija”).

LUXEMBOURG

Firm: Bonn & Schmitt
Website: www.bonnschmitt.net
Contacts:
Alain Grosjean
T +352 27 855
agrosjean@bonnschmitt.net
Simon Malterre
T +352 27 855
smalterre@bonnschmitt.net

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ Luxembourg implemented Directive 2009/136/EC by a law of 28 July 2011 which modified the law of 30 May 2005 and came into effect on 1 September 2011.
■■ Prior informed consent of a subscriber/user is required. Other requirements include: the method of providing information and right to refuse should be as user friendly as possible and where it is technically possible and effective, the user’s consent may be expressed by appropriate browser/application settings.

Meaning of Consent:
■■ “Consent” means any freely given specific and informed indication of his wishes by which the person concerned or his legal, judicial or statutory representative signifies his agreement to personal data relating to him being processed (Art 2(b) law of 30 May 2005 as modified).

Does local regulator interpret the law as requiring prior opt-in?
Yes, required by law.

a) Applicable Legislation: Law of 30 May 2005 as modified laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector.
b) Regulatory Guidance: No
c) Authority Responsible for implementation: Data Protection Authority (in French: “Commission Nationale pour la protection des données”).



MALTA

Firm: Mamo TCV Advocates
Website: www.mamotcv.com
Contacts:
Antoine Camilleri
T (+356) 21231345
antoine.camilleri@mamotcv.com
Claude Micallef-Grimaud
T (+356) 21231345
claude.micallefgrimaud@mamotcv.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ Legal Notice 239 of 2011, entitled “Processing of Personal Data (Electronic Communications Sector) (Amendment) Regulations 2011” was brought into force with effect from 1 January 2013.
■■ This Legal Notice amended prior regulations by implementing into Maltese Law the amendments under Article 2(5) of the E-Privacy Directive. The Maltese Office of the Information and Data Protection Commissioner (IDPC) is still in the process of drafting local guidance on the way in which the so called ‘cookie clause’ is to be interpreted. No indication has been given as to when such guidance will be published.
■■ It is worth noting that the IDPC’s website presently makes reference to the Article 29 Data Protection Working Party Document 02/2013 providing guidance on obtaining consent for cookies (adopted on 2 October 2013).

Meaning of Consent:
■■ The amended law makes it clear that cookies, although not explicitly mentioned in the law, are only permissible with the consent of the subscriber or user.
■■ There is no specific regulation that defines “consent” in the context of cookies. Therefore, the general rules on data protection must be complied with, meaning that consent must be prior, free, specific and informed.
■■ In the context of cookies, for consent to be deemed valid, the amended law states that controllers must provide to subscribers or users “... clear and comprehensive information...”. However, there is no local guidance that explains this in any further detail.

Does local regulator interpret the law as requiring prior opt-in?
The situation is unclear in Malta and will remain so until the regulator publishes local guidelines on this matter. No indication has been given as to when such guidelines will be published.

a) Applicable Legislation: Processing of Personal Data (Electronic Communications Sector) Regulations, Legal Notice 16 of 2003 as amended (in particular, the amended regulation 5 thereof).
b) Regulatory Guidance: N/A
c) Authority Responsible for implementation: Office of the Information and Data Protection Commissioner (IDPC).

NETHERLANDS

DLA Piper Contacts:
Richard Van Schaik
T +31 20 541 9828
richard.vanschaik@dlapiper.com
Robin de Wit
T +31 20 541 9674
robin.dewit@dlapiper.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? Yes, the regulator has provided a Q&A.

Current Position (Legal, enforcement and regulatory position):
■■ The Dutch Telecommunications Act (“Act”) was amended with effect from March 2015. Among other things, that amendment introduced less strict rules for placing and accessing cookies. With effect from March 2015 cookies may only be placed and accessed after website visitors have been clearly and unambiguously informed about these cookies (purpose, type of cookies, etc) and have granted their prior and explicit consent to that effect (opt in).
■■ The Dutch legislature provides guidance on how the opt in consent can be obtained. It is essential that an indication is provided by which the visitor signifies agreement to cookies, like continuing browsing of the website involved. Consent may be provided or obtained through default browser settings, provided that all conditions for a valid consent have been fulfilled.
■■ An exemption to the aforementioned prior informed consent requirement applies to the use of strictly necessary cookies (those which are necessary to carry traffic data over an electronic communication network or for a service that is requested by the user) and cookies that have little or no impact on the internet user’s privacy (e.g. some types of analytic cookies). Such cookies may be placed without obtaining prior informed consent, on the condition that: (i) the data collected by such cookies are not used for, among other things, creating profiles by the website owner and/or the third party with whom the data are shared; and (ii) the website owner sharing the data with a third party shall take additional measures in order to limit any possible privacy impact (e.g. entering into a data processor agreement).
■■ The Act also prescribes that the use of tracking cookies or similar data is considered to be a form of processing personal data (unless the party setting such cookies or information can prove otherwise). This goes only for tracking cookies.

Meaning of Consent:
■■ Consent must be freely given, specific and informed: consent it should refer clearly and precisely to the scope and the consequences of the cookie processing.
■■ Where personal data will be processed, consent must be unambiguously given: there can be no doubt that the data subject has given consent to the processing of their personal data. This means that the website visitor must have had a choice to either accept (e.g. by continuing to browse the website or pushing a “accept”-button) or reject (by e.g. pushing a “reject”-button) the use of cookies. In any case, the visitor must have given an indication by which s/he signifies acceptance.
■■ Providing information and obtaining (implied) consent can be done in various ways. Examples include using a header bar, a pop-up or an alternative start page which provides information about the cookies to be placed and accessed where website visitors can tick a box accepting/rejecting for the relevant acts. The Act requires that users are given clear and complete information. This information must explain, among other things, who will place the cookies and for what purpose they will be used.
■■ Permission to use cookies must be granted before they are used.
■■ When the proposed legislative amendments on cookie consent have become formal law, cookies that have no or low consequences to the user’s privacy may be exempted from the consent requirement. Furthermore, the required opt-in consent may also be given implicitly, as long as the user is clearly informed upon entering the website that the continued use of the website constitutes consent to setting cookies. This can be done through the use of a banner on top of the website.

Does local regulator interpret the law as requiring prior opt-in?
Prior (implied) consent is required, unless strictly necessary cookies or cookies that have little or no impact on the internet user’s privacy are set.
Granting (implied) consent can be a condition for using a website.
If a user does not give consent, either access to the website must be denied, or cookies cannot be placed.

a) Applicable Legislation: Article 11.7a Dutch Telecommunications Act, Dutch Personal Data Protection Act.
b) Regulatory Guidance: A Q&A provided by the regulatory body can be found at www.acm.nl.
c) Authority Responsible for implementation: The Authority for Consumers & Markets (ACM) is responsible for monitoring and enforcement of the Telecommunications Act (www.acm.nl). The Dutch Data Protection Authority (DPA) is responsible for monitoring and enforcement of the Dutch Data Protection Act (presumed applicable to tracking cookies) (www.autoriteitpersoonsgegevens.nl/en).

NORWAY

DLA Piper Contact:
Cecilie Rønnevik
T +47 2413 1540
cecilie.ronnevik@dlapiper.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? Yes

Current Position (Legal, enforcement and regulatory position):
■■ The E-Privacy Directive was implemented in the Electronic Communications Act (ECA) section 2-7b (effective from 1 July 2013).
■■ Storing of information in the user’s communication equipment, or gaining access to such equipment, is not permitted unless the user: (i) is provided with information on the data processed, the purpose of the processing and the identity of the entity that will process the data; and (ii) consents to this.
■■ The information and consent requirement does not apply for technical storage or access to information (i) exclusively for the purpose of transferring communication in an electronic communications network; or (ii) which is necessary to supply a service in accordance with the user’s explicit request.

Meaning of Consent:
Provided that the information regarding cookies is visible when the user accesses the website (e.g. a link to the information in the header, use of textbox or “pop-up”), it will be sufficient that the user has consented to the use of cookies in the browser settings (even if consent is the default status in browser settings) or by other means within the user’s control.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable Legislation: The ECA section 2-7b.
b) Regulatory Guidance: Guidelines posted on www.nkom.no 26 June 2013 and www.datatilsynet.no 26 June 2013.
c) Authority Responsible for implementation: The Norwegian Communications Authority (in Norwegian: “Nasjonal kommunikasjonsmyndighet”) and the Ministry of Transport and Communications (in Norwegian: “Samferdselsdepartementet”).



POLAND

DLA Piper Contacts:
Justyna Wilczyńska-Baraniak
T +48 22 540 74 15
justyna.wilczynska-baraniak@dlapiper.com
Maciej Olejnik
T +48 22 540 74 95
maciej.olejnik@dlapiper.com
Aleksandra Bączykowska
T +48 22 540 74 13
aleksandra.baczykowska@dlapiper.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ The E-Privacy Directive, in particular article 5(3), was implemented into Polish law by Act of 16 November 2012 on the Change of the Telecommunication Law and Other Acts. This Act amended, among others, Article 173 of the Telecommunications Law (TL), which governs cookies. This change took effect on 22 March 2013.
■■ The storing of information, or the gaining of access to information already stored, in the telecommunications terminal equipment (TTE) of a subscriber or end user is only allowed on condition that:
1) the subscriber or end user concerned has previously been directly informed, in a manner that is unambiguous, easy, and comprehensible, of:
a) the purpose for which the information is stored and accessed, and
b) the possibility of defining the conditions under which this information is stored and accessed, by adjusting the settings of the software installed in the TTE used by that subscriber or end user, or by adjusting the configuration of the service;
2) the subscriber or user concerned has given his consent for terms provided in point 1) above. This consent may be provided by adjusting the settings of the software installed in the TTE used by that subscriber or end user, or by adjusting the configuration of the service;
3) the stored information or the access to such information will not change the configuration of the subscriber’s or end user’s TTE, or of any software installed on that TTE.
■■ The above conditions do not apply where the storage of and access to the information is necessary to:
1) transmit a communication over a public telecommunications network;
2) provide a telecommunications service or an electronically supplied service requested by a subscriber or end user.
Non-compliance with the Article 173 of the TL constitutes an administrative offence, punishable by fines up to 3% of the revenue of the infringing entity taking into account scope of the infringement, the previous activity of the entity and its financial abilities. Fines may be imposed also in a case where the entity concerned has put an end to the infringement or has repaired the damage caused. The financial penalty may be also imposed on a person who manages a telecommunications undertaking.

Meaning of Consent:
■■ Prior explicit consent is required (Article 174 of the TL).
■■ However, according to Article 173(2) of the TL a subscriber or user may give his/her consent using settings of the software installed on its telecommunications terminal equipment or service configuration. This means that consent can be inferred by a user’s actions (e.g. the user is given clear and relevant information about the cookies that are used, and on that basis decides to click through and continue to use the website). The Ministry of Digitization of Poland has stated clearly that unless a subscriber’s or user’s browser is set to disallow “cookies”, his/her consent to the use of cookies should be implied.

Does local regulator interpret the law as requiring prior opt-in?
Yes. Explicit prior opt-in consent is required by law, but implied consent under Article 173(2) of the TL can be relied upon.

a) Applicable Legislation: The Telecommunication law.
b) Regulatory Guidance: No, there are no official guidelines, however, there are guidelines issued by industrial organizations such as IAB Polska, that are commonly used.
c) Authority Responsible for implementation: The Ministry of Administration and Digitization (currently the Ministry of Digitization).

PORTUGAL

Firm: ABBC & Associados
Website: www.abbc.pt
Contact: João Costa Quinta
T +351 213 583 620
j.quinta@abbc.pt

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ Article 5(3) of the E-Privacy Directive addressing cookies was transposed by Law no. 46/2012, of 29 August 2012, amending Law no. 41/2004, of 18 of August 2004 on the protection and processing of personal data in e-communications.
■■ Article 5 of the Law (“storage and access to information”) determines that the storing of information and the possibility to access information stored in a subscriber’s/user’s terminal is only allowed on the condition the subscriber/user has provided his or her prior consent, which must be based on clear and comprehensive information about the purposes of the processing, in accordance with the provisions laid down in the Law on the Protection of Personal Data. This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over an e-communication network or if strictly necessary for the provider of an information society service to provide a service expressly requested by the subscriber/user.
■■ The local Data Protection Authority (CNPD) has not yet issued any guidelines.

Meaning of Consent: N/A

Does local regulator interpret the law as requiring prior opt-in?
Yes. The Law does not require “express” consent. However, because consent must be prior and based on full information, considering existing rules and guidelines, it does not appear that implied consent shall suffice.

a) Applicable Legislation: Law no. 41/2004, of 18 of August.
b) Regulatory Guidance: N/A
c) Authority Responsible for implementation: Data Protection Authority (CNPD) and National Communications Authority (ANACOM).



ROMANIA

DLA Piper Contacts:
Ana-Maria Andronic
T +40 372 155 816
AnaMaria.Andronic@dlapiper.com
Ioana Popescu
T +40372 155 871
Ioana.Popescu@dlapiper.com

E-Privacy Directive Implemented into local law? Yes
Regulatory Guidance Issued? No

Current Position (Legal, enforcement and regulatory position):
■■ The national implementation of the E-Privacy Directive (through Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as subsequently amended) follows the wording of the Directive closely. The setting of cookies on user’s terminals is allowed provided users have:
–– provided their consent; and
–– been informed in an easily accessible manner and user-friendly language about the data processing operations and of their purpose in accordance with Data Protection Law No. 677/2001.
■■ User consent is not required where the setting of cookies is necessary solely for the purpose of ensuring transmission through an electronic communications network or such operations are strictly necessary to provide an information society service expressly requested by the subscriber or the user.

Meaning of Consent:
■■ Express consent is required. Consent may be given by using the appropriate settings of the web browser or other similar technologies, by which it may be deemed that the user or subscriber expressed his/her consent.

Does local regulator interpret the law as requiring prior opt-in?
Yes, although not expressly stated in an official document.

a) Applicable Legislation: Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, published in the Official Gazette no. 1101/25 November 2004, as subsequently amended (latest amendments as of 17 October 2015).
b) Regulatory Guidance: N/A
c) Authority Responsible for implementation: The National Supervisory Authority for Personal Data Processing (ANSPDCP).

SLOVAK REPUBLIC

DLA Piper Contact: Michaela Stessl, T +421 2 59202 142, michaela.stessl@dlapiper.com

E‑Privacy Directive implemented into local law? Yes
Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■■ Formal “informed consent” is required prior to the storage of data or the acquisition of access to data already stored in the terminal equipment of the participants or users.

Meaning of consent:
■■ It has to be proven that the user was provided with exact and precise information regarding the purpose of such processing of data. The consent of the user must be given actively, so obtaining consent through pop‑up agreements or similar means will be sufficient.

Does local regulator interpret the law as requiring prior opt-in? Yes, required by law.

a) Applicable legislation: Act No. 351/2011 Coll. on electronic communications.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Ministry of Transport, Construction and Regional Development of the Slovak Republic.

SLOVENIA

Firm: DLA Piper (Vienna office)
DLA Piper Contact: Dr. Jasna Zwitter-Tehovnik, T +43 1 531 78 1042, jasna.zwitter-tehovnik@dlapiper.com

E‑Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes

Current position (legal, enforcement and regulatory position):
■■ The E‑Privacy Directive was implemented in Slovenia by an amendment to the Act on Electronic Communications (in Slovenian: Zakon o elektronskih komunikacijah; ZEKom-1).

Meaning of consent:
■■ Consent is defined as a free declaration of will by an individual, provided that such individual has beforehand been given certain information.
■■ The information to be provided to the individual should include: name of the data controller, types of cookies, and purpose of cookie use. Furthermore, a link to a site with a more detailed description and explanation is advisable.
■■ Consent can be given by clicking a button or a link, checking a box, or by sending an email. Implied consent or consent by way of browser settings will (usually) not be sufficient.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable legislation: Act on Electronic Communications (in Slovenian: “Zakon o elektronskih komunikacijah; ZEKom-1”); Personal Data Protection Act (in Slovenian: “Zakon o varstvu osebnih podatkov; ZVOP-1”).
b) Regulatory guidance: Guidelines by the Information Commissioner (in Slovenian: “Smernice Informacijskega pooblaščenca Republike Slovenije o uporabi piškotkov ‑ Kdaj lahko uporabimo piškotke?”).
c) Authority responsible for implementation: Information Commissioner (in Slovenian: “Informacijski pooblaščenec”).



SPAIN

DLA Piper Contact: Diego Ramos, T +34 91 790 1658, diego.ramos@dlapiper.com

E‑Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes

Current position (legal, enforcement and regulatory position):
■■ The Spanish Information Society Services and Electronic Commerce Law was amended in to implement the changes required by the E‑Privacy Directive.
■■ Cookies or similar technologies can be lawfully set only if the subscriber/user has expressed consent after having been duly informed. The information about the use of cookies must be “clear and complete”, specifying the reasons why data is being collected via such devices, and must comply with existing information requirements under Spanish data protection law. The provisions allow such consent to be obtained via adequate browser or application settings.

Meaning of consent:
■■ Guidance provides that consent must be made expressly or be clearly inferred from the users’ actions after being given proper information about the use of cookies.
■■ Layered consent is permissible, if sufficiently clear and detailed.

Does local regulator interpret the law as requiring prior opt-in? Yes, by law, but this may be general by way of browser settings.

a) Applicable legislation: The Spanish Information Society Services and Electronic Commerce Law 34/2002.
b) Regulatory guidance: Use of Cookies April 2013 (issued by the Spanish Data Protection Agency) and Report 0196/2014.
c) Authority responsible for implementation: The Spanish Telecommunications and Online Services Authority and, for privacy features, the Data Protection Agency.

SWEDEN

DLA Piper Contact: Johan Sundberg, T +46 (0)8701 7824, johan.sundberg@dlanordic.se

E‑Privacy Directive implemented into local law? Yes
Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■■ Sweden has implemented the E‑Privacy Directive through amendments to the Electronic Communications Act (2003:389) which came into effect on 1 July 2011.
■■ In relation to “legitimate techniques” (i.e., non‑intrusive cookies such as user input cookies or authentication cookies), the Swedish Government has concluded that for practical reasons, the amendments shall not be regarded as a change in substance, i.e. the opt‑out requirement shall still apply.
■■ In addition, the Swedish Data Inspection Board is of the opinion that different types of cookies should be distinguished. When using cookies for purposes other than to adjust settings on a site for the user’s previous requests and similar, informed consent would be required. According to the Data Inspection Board, whether consent is required depends on the purpose of the cookie.
■■ On the other hand, the Swedish Post and Telecom Agency (“Agency”) (the regulatory body in relation to cookies) does not seem to agree and is of the opinion that the requirement for consent can be waived without this possibility being expressly provided for by the Electronic Communications Act (2003:389).

Meaning of consent:
■■ Consent is defined as any voluntary, specific and unambiguous expression of will. There may not be any doubts that the user provides his/her consent to the processing. Hypothetical or silent consent is thus not sufficient as in such circumstances the user might not be required to actively take measures to avoid the processing of the personal data.
■■ However, implicit behaviour may be valid consent (as long as there is no sensitive personal data involved). Implicit behaviour means in this context that the user provides data after having received clear information about the intended processing of the data, the fact that it is optional to provide the data, and also that submitting the data would be considered as providing consent to the processing.
■■ The Swedish government has also indicated that the rules on consent should not be seen as a change from the old regime and, therefore, web browser settings would probably be regarded as indicating consent.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable legislation: Electronic Communications Act (in Swedish: “lag 2003:389 om elektronisk kommunikation”).
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Swedish Post and Telecom Agency.



SWEDEN (continued)

Current position (continued):
■■ The Swedish part of the European Trade Association of the Digital and Interactive Marketing Industry (IAB Sweden) has created a self‑regulating committee in response to the introduction of the consent requirements for cookies. The committee has assembled a group with representatives from industry and other organisations. The committee was set up with a view to producing best practice guidance for the use of cookies and its first recommendation was published in November 2011 (“Recommendation on the use of cookies and comparable technology”, November 2011, http://www.minacookies.se/wp-content/uploads/2011/11/Rekommendation_-cookies_nov18_2011_English_version.pdf).

UNITED KINGDOM

DLA Piper Contact:
Andrew Dyson, T +44 0113 369 2403, andrew.dyson@dlapiper.com
James Clark, T +44 113 369 2461, james.clark@dlapiper.com

E‑Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes (in May 2011, December 2011 and May 2012).

Current position (legal, enforcement and regulatory position):
Implemented into UK law with effect from 26 May 2011.
■■ Amendments follow the wording of the E‑Privacy Directive closely and leave the detailed compliance requirements to be clarified by the Information Commissioner’s Office (“ICO”).
■■ On 25 May 2012, the ICO issued revised guidance to clarify and reaffirm that implied consent can be relied upon as a valid form of consent (rather than explicit opt in consent).
■■ The enforcement approach adopted by the ICO to date has been to write to companies who they consider to be in breach and ask them to remedy the website and provide a more apparent method to obtain consent/provide notification to website users of cookie usage and storage.
■■ As of June 2015, the latest date when figures are available, the ICO had written to 291 organizations regarding compliance with the rules on cookies.

Meaning of consent:
■■ Strictly speaking, “prior” explicit consent is required.
■■ However, implied consent will also be a valid form of consent under certain circumstances.
■■ Implied consent means consent which is “specific and informed” and an “indication of wishes”. This means that consent can be inferred by a user’s actions (e.g. the user is given clear and relevant information about the cookies that are used, and on that basis decides to click through and continue to use the site).
■■ General market practice (endorsed by the ICO) in the UK has been for “cookie banner/pop ups” to be placed on the landing page of a website notifying a user that cookies are being used and including a link to a more detailed cookie policy. These banners do not normally require the user to tick an acceptance box but may obscure some of the pages’ text until closed by the user. As the consent is “prior” the popup should strictly appear before any cookies are placed on a user’s terminal. However, in practice this may not be feasible in all cases.

Does local regulator interpret the law as requiring prior opt-in? Yes, but it is possible to rely upon implied consent which means it is not necessary to obtain an explicit acknowledgment. It is possible to rely on continued use of the website as an indication of implicit consent, subject always to the requirement to provide relevant, clear and comprehensive information. There is no need to include a tick box or click acceptance.

a) Applicable legislation: The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
b) Regulatory guidance: http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx
c) Authority responsible for implementation: Information Commissioner’s Office



COOKIE AUDITS
STEP 1 – COOKIES AUDIT
Businesses should begin by identifying the cookies (and similar technologies) which are used by their website. A “cookie audit” should be undertaken with the assistance of your IT department/specialist legal advisors. Cookie audits should include a review of the types of cookies used by the website; the life span of such cookies; and how intrusive the cookies are.
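
The Step 1 inventory (cookie type, life span, first- or third-party scope) can be built from the Set-Cookie headers that a site's pages trigger. The following is an added example, not part of the DLA Piper publication; the hosts, cookie names, audit date and the "review" triage rule are constructed assumptions, and the output is an input to legal review, not a test for the “strictly necessary” exemption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that sent the response, Set-Cookie header value).
SAMPLE = [
    ("www.shop.example", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "lang=en; Max-Age=31536000; Domain=shop.example; Path=/"),
    ("ads.tracker.example", "uid=9f2c; Expires=Wed, 01 Jan 2025 00:00:00 GMT; "
                            "Domain=.tracker.example; Path=/; Secure; SameSite=None"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed audit date (assumption)


def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one header."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs


def lifespan_days(attrs, now):
    """Days until expiry; None for a session cookie. Max-Age overrides Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None


def audit(site_host, observations, now):
    """Build one inventory row per cookie seen while browsing site_host."""
    rows = []
    for responding_host, header in observations:
        name, attrs = parse_set_cookie(header)
        scope = attrs.get("domain", responding_host).lstrip(".").lower()
        # Simplified party test (no Public Suffix List): the cookie is first-party
        # when the audited host falls inside the cookie's domain scope.
        first_party = site_host == scope or site_host.endswith("." + scope)
        days = lifespan_days(attrs, now)
        rows.append({
            "name": name,
            "scope": scope,
            "party": "first" if first_party else "third",
            "kind": "session" if days is None else "persistent",
            "lifespan_days": None if days is None else round(days, 1),
            # Triage heuristic (assumption): persistent third-party cookies first.
            "review": days is not None and not first_party,
        })
    return rows


for row in audit("www.shop.example", SAMPLE, NOW):
    print(row)
```
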

STEP 2 – MAP OUT COMPLIANCE OPTIONS
Once the company understands which cookies its website(s) use, it must then consider the options available to it in order to comply. The “strictly necessary” exemption should also be considered, and companies should look to local regulator guidance and also the WP29 Opinion (as referred to above) when applying this exemption.

STEP 3 – IMPLEMENTATION
The deadline for compliance has expired in many European jurisdictions; companies must therefore act now to avoid any possible enforcement action.

STEP 4 – ADDITIONAL CONSIDERATIONS AND STEPS
When conducting a cookie audit, you should also consider and undertake the following:
■■ Due Diligence: conduct due diligence of ad network/metrics partners and vendors before contracting.
■■ Click wrap agreements: make sure your business never signs click wrap agreements without legal review.
■■ Effective contracts: bind your partner to: a) comply with applicable laws; b) clear and conspicuous disclosure; c) opt in/opt out; d) flow through terms to vendors; and e) audit rights.
■■ Post contract monitoring: is your partner fulfilling its contractual promises?
■■ Test/Evaluation Agreements: always check/test agreements against legal requirements and your Privacy Policy. Reviews become long term arrangements.


DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.

This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal
advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions.
Prior results do not guarantee a similar outcome.

Copyright © 2016 DLA Piper. All rights reserved.  |  JUN16  |  2823096
