With this article, you will see the differences and similarities between countries on consent.
❓ Not specified/No clear data
⚙️ Further details about the country's standards
* Cross-references to the end of the article, toward the section dedicated to the DPA (Data Protection Authorities) and their respective guidelines
⚠️ Italian framework may be subject to change!
📆 In December 2020, the Italian Data Protection Authority (the “Garante per la Protezione dei Dati Personali”) reconsidered the Italian guidelines for cookies, as they don't always meet the GDPR, which entered into force beforehand: there may be some important changes in the future. You'll be able to have a look and anticipate these potential changes (cf. 🔎).
🍪 Are explicit "Accept" and "Refuse" buttons required on a consent notice?
|France||✔️||⚙️ Accept and reject buttons need to be equally conspicuous.|
|UK||✔️||⚙️ A "reject all" button is not mandatory, although preferable; an identical alternative (regarding the non-processing of consent) is fine. It also needs to be as visible as the granular option and "Accept" buttons.|
|Ireland||✔️||⚙️ Accept and reject buttons need to be equally conspicuous for the Irish DPA*.|
⚙️ Withdrawing consent must be as easy as giving it: the user needs to be informed of this when giving his consent.
|Portugal||✔️||⚙️ Preferably, especially to get the proof of consent.|
|Italy||❌||🔎 This may change to ✔️: "accept"; "refuse" alongside granular choice buttons.|
|Poland||❓||⚙️ Not precisely specified: consent must be freely given (active motion from the user), specific, informed, unambiguous. It can be collected by other means: if it's by ticking the appropriate box, the user can withdraw consent in an equally easy way.|
|Croatia||❓||⚙️ Not specified: consent has to be given freely (active motion from the user), specific, informed and non-ambiguous. It can be collected by other means: if it's by ticking the appropriate box, the user should be able to untick it as easily.|
🍪 Is it needed to block cookies before getting the consent of the user to cookies?
🍪 Are cookie walls legal?
|France||✔️||⚙️ Legal uncertainty for now: legality is assessed case by case. In case of complaints from users, the CNIL* can investigate and invalidate them if needed.|
|UK||❌||⚙️ "Unlikely to be valid" according to the ICO*.|
|⚙️ "Cookie walls are only acceptable if the user has an alternative for accessing the service without accepting cookies."|
|Ireland||❓||Likely not legal, but not specified.|
|Italy||❌||🔎 Users may need to be given the option to access equivalent content/service without having to give their consent (case-by-case basis).|
|Poland||❌||⚙️ cf. EDPB*'s guidelines: if a website provider blocks the content from being visible as long as the user does not "Accept cookies", the consent is not freely given.|
🍪 What is the duration of validity of consent choices once collected?
⚙️ Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months.
|UK||6 months||⚙️ Consent duration must be justifiable for the stated purpose of the cookie. Users need to be informed of the duration of the cookies.|
24 months maximum
|⚙️ The AEPD* says consent should be asked again no later than 24 months after it has been collected.|
|Belgium||❓||⚙️ The consent to a cookie cannot be stored for longer than necessary to achieve the stated purpose for the Belgian DPA*.|
|Italy||❓||🔎 This may change with the GPDP*'s new guidelines.|
|Poland||❓||⚙️ No specific time limit for the UODO*, which follows the best practice suggested by the EDPB: refreshing of consent at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is processed and how to exercise their rights.|
|Croatia||❓||⚙️ Session cookies, for example, which are designed to only function for the duration of a browser session or slightly longer, should have a short lifespan and be set to expire once they have served their limited purpose. The expiry date of a cookie should be proportionate to its purpose.|
⚙️ EDPB* guidelines: "In principle, it can be sufficient to ask for a data subject’s consent once. However, controllers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged." If the processing operations change or evolve considerably then the original consent is no longer valid.
🍪 Is consent valid by scrolling/continuing navigation?
|Ireland||❌||⚙️ For scrolling, the cookie notice must not disappear until the user makes a choice on his own, whatever the action is.|
|Belgium||❌||⚙️ Consent is valid if there is an active interaction from the user, like a click or the activation of a button by dragging (toggle buttons).|
|Italy||✔️||🔎 This may change to ❌ in the future.|
|Poland||❌||⚙️ cf. EDPB* May 2020 guidelines: scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of an affirmative action as "silence, pre-ticked boxes or inactivity should not [...] constitute consent." (GDPR* Recital 32)|
⚙️ Cookies that do not meet one of the two specific use cases in the ePrivacy Directive that make them exempt from the need to obtain consent must not be set or deployed on a user’s device before you obtain their consent.
The two exemptions are known as the communications exemption and the strictly necessary exemption.*
🍪 Is it legal to have pre-ticked boxes on cookie banners?
🍪 Is the proof of consent mandatory as it is specified in the GDPR?
|France||✔️||⚙️ The consent collecting entity must also be able to hand over proof of consent to the third parties who processed the user's data based on that consent.|
|Spain||✔️||⚙️ Not specified but implied.|
⚙️ The publisher must, in any case, keep track of the user’s consent: "an ad-hoc technical cookie might be relied upon […] The availability of this type of “documentation” of the user’s preferences will enable the publisher not to display the information notice on subsequent visits made by that user to the website." (May 2014 Italian DPA*)
🔎 This may change to ✔️ in the future.
⚙️ cf. GDPR Recital 42: “Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
|EDPB||✔️||⚙️ Not specified but implied.|
🍪 Does consent have to be granular per-purpose on consent notices?
⚙️ Consent is collected by website/app except if it is clearly specified that it is collected for a group of websites/apps. Consent should be unique and renewed for each platform. In case of consent to cross-website/apps trackers, the user should be informed on the first level.
|UK||❌||⚙️ Not necessarily on a per-purpose basis but consent must be specific to a particular service.|
|Spain||✔️||⚙️ Not specified but implied.|
|Ireland||✔️||⚙️ For scrolling, the cookie notice must not disappear as long as the user hasn't made a choice on his own, whatever the action is.|
|Germany||✔️||The need for granularity per purpose is implied: "it must be possible to select single processing activities singularly".|
🔎 This may change to ✔️ in the future.
|Poland||✔️||⚙️ cf. EDPB* guidelines on granularity.|
|Croatia||✔️||⚙️ cf. GDPR guidelines about granularity: Recital 32*. If multiple purposes are conflated for the processing and there is no possibility to seek consent independently for each, there is a lack of freedom.|
🍪 Do cookies have to be listed one by one?
|UK||❌||⚙️ The best practice would be giving a description of the cookies.|
|Spain||❌||⚙️ A per-purpose listing is valid.|
|Ireland||✔️||Likely: ⚙️ Consent is obtained for each purpose for which cookies are set. Consent doesn't necessarily need to be obtained individually for each cookie, "but merely for the purpose for which it is being used."|
|Belgium||❓||⚙️ Ambivalence between the per-purpose basis suggested on the first level of consent, and the per-cookie basis afterward, whilst highlighting that the GDPR doesn't make a per-cookie basis mandatory.|
⚙️ For the CNPD*, consent has to be given to each cookie along with relevant information, including the retention period. As the choice is individual, it should also be possible to accept all or reject all.
|Italy||❓||⚙️ Unusual practice to list cookies one by one.|
|Croatia||✔️||⚙️ It is highly recommended to list cookies one by one.|
💡 In case of doubt, please get in touch with your Data Protection Officer (DPO) or your legal department!
📕 Useful sources and information about cookies guidelines
DPA (Data Protection Authority): Commission Nationale de l'Informatique et des Libertés (CNIL)
DPA: Information Commissioner's Office (ICO)
- The Privacy and Electronic Communications Regulations (PECR) - Cookies and similar technologies 2019
DPA: Comissão Nacional de Proteção de Dados (CNPD)
- Directive 2016 European Parliament on the Europa Law website
- Personal Data Protection Code Containing provisions to adapt the national legislation to Regulation (EU) 2016/679
- GDPR Recital 32
- EDPB guidelines May 2020 (cf. page 23, first paragraph)
- Telecommunications Act of 16 July 2004 (cf. Articles 173 and 174 page 86: the Act requires the consent of a subscriber or an end user, the provisions on the protection of personal data shall apply to obtaining such consent. Therefore, the consent for cookies must meet the same requirements of consent for personal data processing).
DPA: Agencija za zaštitu osobnih podataka (AZOP)
*Is consent valid by scrolling/continuing navigation?
- The communications exemption
This applies to cookies whose only purpose is to carry out the transmission of a communication over a network, for example to identify the communication endpoints. This may also apply to cookies used to allow data items to be exchanged in their intended order, like numbering data packets. It also applies to cookies used to detect transmission errors or data loss.
- The strictly necessary exemption
A cookie that is exempt under this criterion must simultaneously pass two tests:
- The exemption applies to ‘information society services’ (ISS) – i.e. a service delivered over the internet, such as a website or an app.
- This service must have been explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide this service.