www.dlapiper.com | 01
summary
| EU Member State | Implemented into local law? | Regulator guidance published? | Does local regulator interpret the law as requiring prior opt-in? | Can website operators rely upon implied¹ consent? |
|---|---|---|---|---|
| Austria | Yes | No | Yes | No |
| Belgium | Yes | Yes | Yes | Yes, under certain conditions |
| Bulgaria | Yes | No | Yes | Unknown |
| Croatia | Yes | No | Unknown | Unclear |
| Cyprus | Yes | No | Yes | No |
| Czech Republic | Yes | No | No | N/A, opt out principle applies |
| Denmark | Yes | Yes | No | Yes |
| Estonia | Yes | No | No | N/A, opt-out principle applies |
| Finland | Yes | No | Yes | Yes |
| France | Yes | Yes | Yes | Yes, under certain conditions |
| Germany | No | No | No | Currently Yes |
| Greece | Yes | No | Yes | No |
| Hungary | Yes | No | No | Yes |
| Ireland | Yes | Yes | No | Yes, under certain circumstances |
| Italy | Yes | Yes | Yes | No |
| Latvia | Yes | No | Yes | No |
| Lithuania | Yes | Yes | Yes | Not Clear |
| Luxembourg | Yes | No | Yes | No |
| Malta | Yes | No | Unknown | Not clear |
| Netherlands | Yes | Yes | Yes (unless exceptions apply) | Yes |
| Norway² | Yes | Yes | Yes | Yes |
| Poland | Yes | No | Yes | Yes |
| Portugal | Yes | No | Yes | No |
| Romania | Yes | No | Yes | Not clear |
| Slovak Republic | Yes | No | Yes | No |
| Slovenia | Yes | Yes | Yes | Very restrictive |
| Spain | Yes | Yes | Yes | No |
| Sweden | Yes | No | Yes | Not clear |
| United Kingdom | Yes | Yes | Yes | Yes |
¹ Some regulators have deemed implied consent as a method to obtain consent. Such consent may be considered valid where the user is given specific and comprehensive information about the use of cookies, and the user gives an indication of his/her wishes to consent (e.g. continues to browse and doesn’t disable cookies).
² Norway is not an EU Member but as a consequence of its membership in the EEA (European Economic Area (Nw: EØS)), Norway is under an obligation to adopt EU Directives.
Contents: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovak Republic, Slovenia, Spain, Sweden, United Kingdom
Columns for each country entry: EU Member State | E-Privacy Directive implemented into local law? | Regulatory guidance issued? | Current position (legal, enforcement and regulatory position) | Meaning of consent | Does local regulator interpret the law as requiring prior opt-in? | a) Applicable legislation, b) Regulatory guidance, c) Authority responsible for implementation
AUSTRIA
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? No
Current position (legal, enforcement and regulatory position):
The E-Privacy Directive was implemented in Austria by amendment of the relevant provisions of the Austrian Telecommunications Act (in Austrian: “Telekommunikationsgesetz 2003” (“TKG”)). The changes to the TKG came into effect on 22 November 2011.
The relevant section of the TKG states that a user must give informed consent for the storage of personal data.
Meaning of consent:
■ Under Austrian law “informed consent” is required prior to the processing of personal data. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the details of the data to be stored or processed, and has to agree actively. Therefore, it appears advisable that consent is obtained via some form of pop up or click-through agreement.
■ Consent by way of browser settings or a pre-selected check-box, etc., is not sufficient. In cases where consent is purported to be obtained by way of browser settings, the TKG requires that the information regarding the storage of personal data must be made available to the user.
■ There are no specific guidelines and case law in Austria. The most recent developments in the commentary refer to the principles summarised in Article 29 Working Party guidelines document WP 208 (see Working Document 02/2013 providing guidance on obtaining consent for cookies, adopted on 2 October 2013, 1676/13/EN, WP 208).
Does local regulator interpret the law as requiring prior opt-in? Yes
a) Applicable legislation: In Austrian: “Telekommunikationsgesetz 2003” as amended by BGBI I Nr. 102/2011
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) and Austrian Data Protection Authority (DSB)
DLA Piper Contacts:
Sabine Fehringer, T +43 1 531 78 1453, sabine.fehringer@dlapiper.com
Stefan Panic, T +43 1 531 78 1034, stefan.panic@dlapiper.com
BULGARIA
E-Privacy Directive implemented into local law? Yes. Directive 2002/58 is implemented into local law, without the latest amendment of Art. 5 (3), introduced by Directive 2009/136.
Regulatory guidance issued? No
Current position (legal, enforcement and regulatory position):
■ Art. 5(3) of E-Privacy Directive was implemented into Bulgarian legislation on 29 December 2011. The latest update of Art. 5(3) as adopted in Directive 2009/136 is not yet implemented. The relevant text in the local law now states that users should be provided with clear and comprehensive information about the purposes of data processing and they must be given the opportunity to refuse storing or accessing such information.
Meaning of consent:
■ Consent means any freely given, explicit and informed statement of the data subject by which the data subject unambiguously gives their consent to their personal data being processed.
Does local regulator interpret the law as requiring prior opt-in? Yes. In 2011 the intention of the legislator was to introduce the latest amendments of Art. 5(3) of Directive 2009/136. However, the final adopted text still replicates the old wording before Directive 2009/136. The amendment itself was widely interpreted as implementing the text of Directive 2009/136 without, however, introducing the updated text. In practice the regulator interprets the law as an opt-in regime.
a) Applicable legislation: Electronic Commerce Act
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Consumers Protection Commission
Firm: Wolf Theiss
Website: www.wolftheiss.com
Contact: Anna Rizova, T +359 2 861 3703, anna.rizova@wolftheiss.com
CYPRUS
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? No
Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in Cyprus on 18 May 2012, through Law No. 51(I)/2012 amending the Regulation of Electronic Communications and Postal Services Law.
■ The amendments follow the wording of the E-Privacy Directive closely, and leave the detailed compliance requirements to be clarified by the Cyprus Office of the Commissioner for Personal Data Protection.
■ Prior informed consent is required in accordance with the provisions of the Processing of Data (Protection of the Individual) Law of 2001 and its amendment Law No. 37(I)/2003.
Meaning of consent:
■ Consent means any freely given, express and specific indication by the data subject of their wishes which is clearly expressed and informed (the data subject must have been previously informed that they consent to the processing of personal data concerning them).
Does local regulator interpret the law as requiring prior opt-in? Yes, required by law.
a) Applicable legislation: The Electronic Communications and Postal Services Law of 2004 as amended.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Office of the Commissioner of Electronic Communications and Postal Regulation and the Office of the Commissioner for Personal Data Protection.
Firm: Pamboridis LLC
Website: www.pamboridis.com
Contact: Christy Spyrou, T +357 22752 525, spyrou@pamboridis.com
DENMARK
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes
Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in the new Danish Act on Electronic Communications Services and Networks which came into force on 25 May 2011, in accordance with the implementation deadline in the E-Privacy Directive. However, the Act did not implement the specific provisions concerning the use of cookies, but instead provided an authorisation to the Danish Minister of Business and Growth to execute an executive order on this matter.
■ The “Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment” came into force on 14 December 2011.
■ Pursuant to the Order the use of cookies requires consent. The consent must be freely given and specific.
Meaning of consent:
■ The consent must be freely given and specific and the user must be given an option.
■ However, this does not imply that consent must be obtained each time a cookie is used but a user must be given an option. Furthermore, the consent must be informed, which implies that a user must receive information about the consequences of consenting. Finally, the consent must be an informed indication of the user’s wishes. Normally, consent is obtained through a tick box but also the continued use of a homepage after having received the relevant information concerning cookies can constitute consent. However, consent via this method should be used with caution.
Does local regulator interpret the law as requiring prior opt-in? Not in practice. Consent can be obtained by the continued use of a homepage after having received the relevant information concerning cookies but this should be used with caution.
a) Applicable legislation: (i) Act No 169 of 3 March 2011 on Electronic Communications Services and Networks; and (ii) Executive Order No 1148 of 9 December 2011 on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment.
b) Regulatory guidance: Second Guidance of April 2013 to Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment.
c) Authority responsible for implementation: The Danish Business Authority.
Firm: Horten
Website: www.horten.dk
Contacts:
Heidi Steen Jensen, T +45 3334 4116, HSJ@horten.dk
Egil Husum, T +45 334 4224, EHU@horten.dk
■ Electronic communications service providers or operators were (and still are) required to notify the subscriber of the purposes of processing personal data and give the subscriber an opportunity to refuse the processing. The law does not require the subscriber’s consent to store information or for them to have access to information already stored. An opportunity to refuse cookies is sufficient.
■ In addition to the exception in article 5(3) of the E-Privacy Directive, an electronic communications service provider or operator may collect and process information, irrespective of the subscriber’s consent or refusal, if the processing is necessary for the purposes of recording the transactions made in the course of business and for other business-related exchanges of information.
■ A draft law was initiated (but has been currently stalled), under which an opt-in system for cookies would be applicable to providers of information society services under the Information Society Services Act.
FRANCE
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes
Current position (legal, enforcement and regulatory position):
■ France implemented the E-Privacy Directive in the Law No 78-17 of 6 January 1978. The law states that any subscriber or user of electronic communication services must be fully and clearly informed by the data controller or its representative of: (i) the purpose of any cookie (i.e. any means of accessing or storing information on the subscriber’s/user’s computer); and (ii) the means of refusing cookies, unless the subscriber/user has already been so informed.
Cookies are lawfully deployed only if the subscriber/user has expressed consent after having received such information.
■ However, these provisions do not apply to cookies: (i) the sole purpose of which is to allow or facilitate electronic communication by a user; or (ii) that are strictly necessary to provide online communication services specifically requested by the user.
■ In November 2011, again in April 2012, then again in December 2013, the French Data Protection Authority (“CNIL”) issued guidance for cookies.
Meaning of consent:
■ Consent must be (i) freely given (i.e. in circumstances where the user has a choice to refuse consent); (ii) specific (i.e. relate to a specific cookie associated with a clearly defined purpose); and (iii) informed (i.e. the user must be given information beforehand, specifying the cookie’s purpose as well as the possibility to revoke consent).
■ The law also provides that consent can result from the subscriber’s/user’s connection settings (e.g. browser settings) or any other means under the subscriber’s/user’s control.
■ However, according to the CNIL, commonly used browsers do not offer compliant settings.
Does local regulator interpret the law as requiring prior opt-in? Yes. The law copies the text of the E-Privacy Directive almost word for word, but December 2013 guidance embraces an implied opt-in approach.
a) Applicable legislation: The Law No 78-17 of 6 January 1978 on information technology, data files and civil liberties, as amended.
b) Regulatory guidance: CNIL deliberation No. 2013-978 of 5 December 2013 (https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000028434058).
c) Authority responsible for implementation: Data Protection Authority (in French: Commission nationale de l’informatique et des libertés (CNIL)).
DLA Piper Contact: Carol Umhoefer, T +33 1 40 15 24 31, carol.umhoefer@dlapiper.com
GERMANY
E-Privacy Directive implemented into local law? No
Regulatory guidance issued? No official specific guidance has been published. Only a non-binding completed questionnaire has been made publicly available.
Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive 2002/58/EC, amended by the Cookie Directive 2009/136/EC, has not been implemented into German local law. However, the Federal Government assumes that an implementation is not necessary, as – according to a statement of the European Commission – the legal situation in Germany complies with the specifications of the Directive.
■ Currently the provisions of the German Telemedia Act (“TMG”) apply for the use of cookies.
■ According to section 15 para. 3 TMG opt-out consent is required.
■ Opt-out in this context means that users must have the opportunity to object to the use of cookies.
■ Website operators are obliged to inform users about their right of objection, according to section 13 para. 1 TMG.
Meaning of consent:
■ Due to the contradictory wording of the Directive and the relevant provision of the TMG, data protection advocates demand a change in this legal situation. Therefore currently several website operators are now requiring users to opt-in, either by giving (i) explicit or (ii) implied consent.
(i) Explicit consent is where a website operator informs users about the cookie use by a pop-up window and requires them to give their consent by clicking on a confirmation button.
(ii) Implied consent is where a website operator displays the cookie notification on the side, bottom or top of the website. This notification displays a message stating that the website operator assumes that users agree to the use of cookies and otherwise have to object by changing their browser settings. By not changing the browser settings and continuing to browse the website, users give their implied consent.
■ In summary, currently the opt-out solution is legally admissible in Germany, but it may be recommendable to keep an eye on further developments regarding this subject.
Does local regulator interpret the law as requiring prior opt-in? No
a) Applicable legislation: The TMG is the applicable legislation regarding the use of cookies. If the cookies collect personal data or potential personal data, the Federal Data Protection Act also applies.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: N/A
DLA Piper Contact: Dr Thomas Jansen, T +49 89 232 372 110, thomas.jansen@dlapiper.com
HUNGARY
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? No
Current position (legal, enforcement and regulatory position):
■ Article 5(3) of the E-Privacy Directive was implemented into Hungarian law by section 155(4) of the Hungarian Act C of 2003 on Electronic Communications (“Act C of 2003”). The relevant provision provides that “the storing of information, or the gaining of access to information on the electronic terminal equipment of a subscriber or user obtained via electronic communications networks is only allowed on the condition that the subscriber or the user concerned has given his or her consent, after having been provided with clear and comprehensive information which also includes the purpose of the data processing”.
Meaning of consent:
■ There is no specific guidance or regulation in relation to the meaning of consent. However, from the wording of the relevant Act, it is clear that it must be prior consent, after the subscriber has been provided with clear and comprehensive information (including the purpose of processing).
■ Service providers shall be authorised to obtain and store communications transmitted on their network only to the extent strictly necessary for the provision of services for technical reasons.
■ General practice is that consent can be obtained via browser settings; however, to date this has not been confirmed by the opinion or the guidance of the Authorities.
Does local regulator interpret the law as requiring prior opt-in? No
a) Applicable legislation: Section 155(4) of the Hungarian Act (2003 on Electronic Communications).
b) Regulatory guidance: No
c) Authority responsible for implementation: National Media and Infocommunications Authority.
DLA Piper Contacts:
Monika Horvath, T +36 1 510 1110, monika.horvath@dlapiper.com
Zoltán Kozma, T +36 1 510 1100, zoltan.kozma@dlapiper.com
ITALY
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes
Current position (legal, enforcement and regulatory position):
■ Implemented into Italian law with effect from June 2012.
■ The new provisions are a very close reflection of the wording of Recital 66 of the E-Privacy Directive and section 5(3) of Directive 2002/58/EC (as amended by the E-Privacy Directive). As such, they pose exactly the same interpretation problems as these provisions of EU law, especially with regard to the nature of consent required for compliance. However the guidelines issued 3 June 2014 by the Italian Data Protection Authority clarified the situation and the position of the Authority on this issue.
Meaning of consent:
■ The Data Protection Authority’s guidance (Decision of 8 May 2014 entitled “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies”, an English version of which is available at: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3167654) provides for two layers of information notice: a short information notice to be placed in the homepage, which in turn links to a more detailed notice.
Does local regulator interpret the law as requiring prior opt-in? Yes, albeit from the latest guidance on cookie notices some forms of simplified consent are provided.
a) Applicable legislation: Legislative Decree n. 69 of 28 May 2012, amending the Italian (Legislative Decree n. 196 of 30 June 2003).
b) Regulatory guidance: Decision of the Italian Data Protection Authority on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies of 3 June 2014.
c) Authority responsible for implementation: the Data Protection Authority (in Italian: “Garante per la protezione dei dati personali”).
DLA Piper Contacts:
Giangiacomo Olivi, T +39 02 80 618 515, giangiacomo.olivi@dlapiper.com
Giulio Coraggio, T +39 02 80 618 619, giulio.coraggio@dlapiper.com
Saverio Cavalcanti, T +39 06 68 880 616, saverio.cavalcanti@dlapiper.com
Gianluigi Marino, T +39 02 80 618 654, gianluigi.marino@dlapiper.com
Giulia Zappaterra, T +39 02 80 618 826, giulia.zappaterra@dlapiper.com
screen if the user takes action – by selecting any active item on the page underneath the banner.
■ The extended information notice must include all the items provided for under the Privacy Code: describe the detailed features and purposes of the cookies set through the website and allow users to select/deselect the individual cookies. It must be linkable from the short notice as well as from a hyperlink in the bottom section of each website page. The notice must also contain an updated link to the information notices and consent forms of the third parties that set cookies through the operator’s website. If the operator is not directly contracting with such third parties, it will have to include the links to the websites of the intermediaries or brokers that are in turn liaising with such third parties. The extended information notice must also refer to the possibility for users to express their consent to the use of cookies through browser settings.
LITHUANIA
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes
Current position (legal, enforcement and regulatory position):
■ Lithuania implemented the E-Privacy Directive through amendments to the Law on Electronic Communications which came into effect on 1 August 2011.
■ The amendments mirror the text of the E-Privacy Directive and require that consent to the use of cookies must be “opt-in”.
■ The Lithuanian State Data Protection Inspectorate has published recommendations about the method of consent to the use of cookies. The guidance confirmed that consent can be obtained through pop-ups, banners or website registration while relevant settings contained within current browsers are not likely to form a valid consent.
Meaning of consent:
■ “Prior” explicit consent is required.
■ Users must be given a genuine opportunity not to consent.
■ There is no clear guidance on the possibility to obtain an implied consent.
Does local regulator interpret the law as requiring prior opt-in? Yes, required by law and regulatory guidance.
a) Applicable legislation: The Law on Electronic Communications of the Republic of Lithuania No IX 2135 (in Lithuanian: “Lietuvos Respublikos elektroninių ryšių įstatymas”).
b) Regulatory guidance: http://www.ada.lt/images/cms/File/naujienu/slapuk_DV.pdf.
c) Authority responsible for implementation: State Data Protection Inspectorate (in Lithuanian: “Valstybinė duomenų apsaugos inspekcija”).
Firm: Valiunas Ellex
Website: www.valiunasellex.lt
Contacts:
Jaunius Gumbis, T +370 52681830, jaunius.gumbis@valiunasellex.lt
Julius Zaleskis, T +370 52191934, julius.zaleskis@valiunasellex.lt

LUXEMBOURG
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? No
Current position (legal, enforcement and regulatory position):
■ Luxembourg implemented Directive 2009/136/EC by a law of 28 July 2011 which modified the law of 30 May 2005 and came into effect on 1 September 2011.
■ Prior informed consent of a subscriber/user is required. Other requirements include: the method of providing information and right to refuse should be as user friendly as possible and where it is technically possible and effective, the users consent may be expressed by appropriate browser/application settings.
Meaning of consent:
■ “Consent” means any freely given specific and informed indication of his wishes by which the person concerned or his legal, judicial or statutory representative signifies his agreement to personal data relating to him being processed (Art 2(b) law of 30 May 2005 as modified).
Does local regulator interpret the law as requiring prior opt-in? Yes, required by law.
a) Applicable legislation: Law of 30 May 2005 as modified laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector.
b) Regulatory guidance: No
c) Authority responsible for implementation: Data Protection Authority (in French: “Commission Nationale pour la protection des données”).
Firm: Bonn & Schmitt
Website: www.bonnschmitt.net
Contacts:
Alain Grosjean, T +352 27 855, agrosjean@bonnschmitt.net
Simon Malterre, T +352 27 855, smalterre@bonnschmitt.net
NETHERLANDS
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes, the regulator has provided a Q&A.
Current position (legal, enforcement and regulatory position):
■ The Dutch Telecommunications Act (“Act”) was amended with effect from March 2015. Among other things, that amendment introduced less strict rules for placing and accessing cookies. With effect from March 2015 cookies may only be placed and accessed after website visitors have been clearly and unambiguously informed about these cookies (purpose, type of cookies, etc) and have granted their prior and explicit consent to that effect (opt in).
■ The Dutch legislature provides guidance on how the opt in consent can be obtained. It is essential that an indication is provided by which the visitor signifies agreement to cookies, like continuing browsing of the website involved. Consent may be provided or obtained through default browser settings, provided that all conditions for a valid consent have been fulfilled.
Meaning of consent:
■ Consent must be freely given, specific and informed: it should refer clearly and precisely to the scope and the consequences of the cookie processing.
■ Where personal data will be processed, consent must be unambiguously given: there can be no doubt that the data subject has given consent to the processing of their personal data. This means that the website visitor must have had a choice to either accept (e.g. by continuing to browse the website or pushing an “accept”-button) or reject (by e.g. pushing a “reject”-button) the use of cookies. In any case, the visitor must have given an indication by which s/he signifies acceptance.
Does local regulator interpret the law as requiring prior opt-in? Prior (implied) consent is required, unless strictly necessary cookies or cookies that have little or no impact on the internet user’s privacy are set.
Granting (implied) consent can be a condition for using a website.
If a user does not give consent, either access to the website must be denied, or cookies cannot be placed.
a) Applicable legislation: Article 11.7a Dutch Telecommunications Act, Dutch Personal Data Protection Act.
b) Regulatory guidance: A Q&A provided by the regulatory body can be found at www.acm.nl.
c) Authority responsible for implementation: The Authority for Consumers & Markets (ACM) is responsible for monitoring and enforcement of the Telecommunications Act (www.acm.nl). The Dutch Data Protection Authority (DPA) is responsible for monitoring and enforcement of the Dutch Data Protection Act (presumed applicable to tracking cookies) (www.autoriteitpersoonsgegevens.nl/en).
DLA Piper Contacts:
Richard Van Schaik, T +31 20 541 9828, richard.vanschaik@dlapiper.com
Robin de Wit, T +31 20 541 9674, robin.dewit@dlapiper.com
NORWAY
E-Privacy Directive implemented into local law? Yes
Regulatory guidance issued? Yes
Current position (legal, enforcement and regulatory position):
■ The E-Privacy Directive was implemented in the Electronic Communications Act (ECA) section 2-7b (effective from 1 July 2013).
■ Storing of information in the user’s communication equipment, or gaining access to such equipment, is not permitted unless the user: (i) is provided with information on the data processed, the purpose of the processing and the identity of the entity that will process the data; and (ii) consents to this.
■ The information and consent requirement does not apply for technical storage or access to information (i) exclusively for the purpose of transferring communication in an electronic communications network; or (ii) which is necessary to supply a service in accordance with the user’s explicit request.
Meaning of consent:
Provided that the information regarding cookies is visible when the user accesses the website (e.g. a link to the information in the header, use of textbox or “pop-up”), it will be sufficient that the user has consented to the use of cookies in the browser settings (even if consent is the default status in browser settings) or by other means within the user’s control.
Does local regulator interpret the law as requiring prior opt-in? Yes
a) Applicable legislation: The ECA section 2-7b.
b) Regulatory guidance: Guidelines posted on www.nkom.no 26 June 2013 and www.datatilsynet.no 26 June 2013.
c) Authority responsible for implementation: The Norwegian Communications Authority (in Norwegian: “Nasjonal kommunikasjonsmyndighet”) and the Ministry of Transport and Communications (in Norwegian: “Samferdselsdepartementet”).
DLA Piper Contact: Cecilie Rønnevik, T +47 2413 1540, cecilie.ronnevik@dlapiper.com
b) the possibility of defining
the conditions under which
this information is stored
and accessed, by adjusting
the settings of the software
installed in the TTE used by
that subscriber or end user, or
by adjusting the configuration
of the service;
2) the subscriber or user concerned
has given his consent for terms
provided in point 1) above.
This consent may be provided
by adjusting the settings of the
software installed in the TTE used
by that subscriber or end user, or
by adjusting the configuration of
the service;
3) the stored information or the
access to such information will
not change the configuration of
the subscriber’s or end user’s
TTE, or of any software installed
on that TTE.
■■ The above conditions do not apply
where the storage of and access to
the information is necessary to:
1) transmit a communication over a
public telecommunications network;
2) provide a telecommunications
service or an electronically supplied
service requested by a subscriber or
end user.
PORTUGAL

Firm: ABBC & Associados
Website: www.abbc.pt
Contact: João Costa Quinta, T +351 213 583 620, j.quinta@abbc.pt

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■■ Article 5(3) of the E‑Privacy Directive addressing cookies was transposed by Law no. 46/2012, of 29 August 2012, amending Law no. 41/2004, of 18 of August 2004 on the protection and processing of personal data in e‑communications.
■■ Article 5 of the Law (“storage and access to information”) determines that the storing of information and the possibility to access information stored in a subscriber’s/user’s terminal is only allowed on the condition the subscriber/user has provided his or her prior consent, which must be based on clear and comprehensive information about the purposes of the processing, in accordance with the provisions laid down in the Law on the Protection of Personal Data. This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over an e‑communication network or if strictly necessary for the provider of an information society service to provide a service expressly requested by the subscriber/user.
■■ The local Data Protection Authority (CNPD) has not yet issued any guidelines.

Meaning of consent: N/A

Does local regulator interpret the law as requiring prior opt-in?
Yes. The Law does not require “express” consent. However, because consent must be prior and based on full information, considering existing rules and guidelines, it does not appear that implied consent shall suffice.

a) Applicable legislation: Law no. 41/2004, of 18 of August.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Data Protection Authority (CNPD) and National Communications Authority (ANACOM).
SLOVAK REPUBLIC

DLA Piper Contact: Michaela Stessl, T +421 2 59202 142, michaela.stessl@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■■ Formal “informed consent” is required prior to the storage of data or the acquisition of access to data already stored in the terminal equipment of the participants or users.

Meaning of consent:
■■ It has to be proven that the user was provided with exact and precise information regarding the purpose of such processing of data. The consent of the user must be given actively, so obtaining consent through pop‑up agreements or similar means will be sufficient.

Does local regulator interpret the law as requiring prior opt-in? Yes, required by law.

a) Applicable legislation: Act No. 351/2011 Coll. on electronic communications.
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Ministry of Transport, Construction and Regional Development of the Slovak Republic.

SLOVENIA

Firm: DLA Piper (Vienna office)
DLA Piper Contact: Dr. Jasna Zwitter-Tehovnik, T +43 1 531 78 1042, jasna.zwitter-tehovnik@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? Yes

Current position (legal, enforcement and regulatory position):
■■ The E‑Privacy Directive was implemented in Slovenia by an amendment to the Act on Electronic Communications (In Slovenian: Zakon o elektronskih komunikacijah; ZEKom-1).

Meaning of consent:
■■ Consent is defined as a free declaration of will by an individual, provided that such individual has beforehand been given certain information.
■■ The information to be provided to the individual should include: name of the data controller, types of cookies, and purpose of cookie use. Furthermore, a link to a site with a more detailed description and explanation is advisable.
■■ Consent can be given by clicking a button or a link, checking a box, or by sending an email. Implied consent or consent by way of browser settings will (usually) not be sufficient.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable legislation: Act on Electronic Communications (in Slovenian: “Zakon o elektronskih komunikacijah; ZEKom-1”); Personal Data Protection Act (in Slovenian: “Zakon o varstvu osebnih podatkov; ZVOP-1”).
b) Regulatory guidance: Guidelines by the Information Commissioner (in Slovenian: “Smernice Informacijskega pooblaščenca Republike Slovenije o uporabi piškotkov ‑ Kdaj lahko uporabimo piškotke?”).
c) Authority responsible for implementation: Information Commissioner (in Slovenian: “Informacijski pooblaščenec”).
SWEDEN

DLA Piper Contact: Johan Sundberg, T +46 (0)8701 7824, johan.sundberg@dlanordic.se

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? No

Current position (legal, enforcement and regulatory position):
■■ Sweden has implemented the E‑Privacy Directive through amendments to the Electronic Communications Act (2003:389) which came into effect on 1 July 2011.
■■ In relation to “legitimate techniques” (i.e., non‑intrusive cookies such as user input cookies or authentication cookies), the Swedish Government has concluded that for practical reasons, the amendments shall not be regarded as a change in substance, i.e. the opt‑out requirement shall still apply.
■■ In addition, the Swedish Data Inspection Board is of the opinion that different types of cookies should be distinguished. When using cookies for purposes other than to adjust settings on a site for the user’s previous requests and similar, informed consent would be required. According to the Data Inspection Board, whether consent is required depends on the purpose of the cookie.
■■ On the other hand, the Swedish Post and Telecom Agency (“Agency”) (the regulatory body in relation to cookies) does not seem to agree and is of the opinion that the requirement for consent can be waived without this possibility being expressly provided for by the Electronic Communications Act (2003:389).

Meaning of consent:
■■ Consent is defined as any voluntary, specific and unambiguous expression of will. There may not be any doubts that the user provides his/her consent to the processing. Hypothetical or silent consent is thus not sufficient as in such circumstances the user might not be required to actively take measures to avoid the processing of the personal data.
■■ However, implicit behaviour may be valid consent (as long as there is no sensitive personal data involved). Implicit behaviour means in this context that the user provides data after having received clear information about the intended processing of the data, the fact that it is optional to provide the data, and also that submitting the data would be considered as providing consent to the processing.
■■ The Swedish government has also indicated that the rules on consent should not be seen as a change from the old regime and, therefore, web browser settings would probably be regarded as indicating consent.

Does local regulator interpret the law as requiring prior opt-in? Yes

a) Applicable legislation: Electronic Communications Act (in Swedish: “lag 2003:389 om elektronisk kommunikation”).
b) Regulatory guidance: N/A
c) Authority responsible for implementation: Swedish Post and Telecom Agency.
UNITED KINGDOM

DLA Piper Contact: Andrew Dyson, T +44 0113 369 2403, andrew.dyson@dlapiper.com
James Clark, T +44 113 369 2461, james.clark@dlapiper.com

E-Privacy Directive implemented into local law? Yes

Regulatory guidance issued? Yes (in May 2011, December 2011 and May 2012).

Current position (legal, enforcement and regulatory position):
Implemented into UK law with effect from 26 May 2011.
■■ Amendments follow the wording of the E‑Privacy Directive closely and leave the detailed compliance requirements to be clarified by the Information Commissioner’s Office (“ICO”).
■■ On 25 May 2012, the ICO issued revised guidance to clarify and reaffirm that implied consent can be relied upon as a valid form of consent (rather than explicit opt‑in consent).
■■ The enforcement approach adopted by the ICO to date has been to write to companies who they consider to be in breach and ask them to remedy the website and provide a more apparent method to obtain consent/provide notification to website users of cookie usage and storage.
■■ As of June 2015, the latest date when figures are available, the ICO had written to 291 organizations regarding compliance with the rules on cookies.

Meaning of consent:
■■ Strictly speaking, “prior” explicit consent is required.
■■ However, implied consent will also be a valid form of consent under certain circumstances.
■■ Implied consent means consent which is “specific and informed” and an “indication of wishes”. This means that consent can be inferred by a user’s actions (e.g. the user is given clear and relevant information about the cookies that are used, and on that basis decides to click through and continue to use the site).
■■ General market practice (endorsed by the ICO) in the UK has been for “cookie banner/pop ups” to be placed on the landing page of a website notifying a user that cookies are being used and including a link to a more detailed cookie policy. These banners do not normally require the user to tick an acceptance box but may obscure some of the pages’ text until closed by the user. As the consent is “prior” the popup should strictly appear before any cookies are placed on a user’s terminal. However, in practice this may not be feasible in all cases.

Does local regulator interpret the law as requiring prior opt-in?
Yes, but it is possible to rely upon implied consent which means it is not necessary to obtain an explicit acknowledgment. It is possible to rely on continued use of the website as an indication of implicit consent, subject always to the requirement to provide relevant, clear and comprehensive information. There is no need to include a tick box or click acceptance.

a) Applicable legislation: The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.
b) Regulatory guidance: http://www.ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx
c) Authority responsible for implementation: Information Commissioner’s Office
www.dlapiper.com
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal
advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions.
Prior results do not guarantee a similar outcome.