Four guidelines to obtain consent for cookies

Christiaan Alberdingk Thijm / 14 Oct 2013

The Article 29 data protection working party released a document providing guidance on obtaining consent for cookies or similar tracking technologies for websites that operate across all EU Member States. According to the working party they should respect four main elements to be legally compliant in each Member State:

1. “Specific information. To be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.”

2. “Timing. As a general rule, consent has to be given before the processing starts.”

3. “Active choice. Consent must be unambiguous. Therefore the procedure to seek and to give consent must leave no doubt as to the data subject’s intention. There are in principle no limits as to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller (it could include a handwritten signature affixed at the bottom of a paper form, or an active behaviour from which consent can be reasonably concluded).”

4. “Freely given. Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”

These elements are described in more detail in the original document (.pdf).

Related articles

GDPR Compliance Roadmap

bureau Brandeis / 03 Nov 2017

On 25 May 2018 the General Data Protection Regulation (“GDPR”) comes into effect. From that date the GDPR will have a direct effect on all EU Member States, and must be complied with. The current…

Court of Justice: Data Retention Directive is invalid

bureau Brandeis / 08 Apr 2014

Today, the Court of Justice of the European Union (CJEU) ruled that the so-called Data Retention Directive (2006/24/EC) is invalid. According to the Court, the Directive constitutes a serious interference with the right to private life and…

Court of Appeals: no centralised storage of fingerprints

Christiaan Alberdingk Thijm / 18 Feb 2014

The Dutch government would contravene the right to privacy of Dutch citizens by introducing a centralised storage system for fingerprints, submitted to obtain a passport. This is the outcome of a case of Privacy First…