Recent EU Data Protection Supervisory Authority Guidance on Cookies: Key Takeaways and Analysis

EU Data Protection Authorities Issue New Guidance on Cookies

Several EU data protection supervisory authorities have recently issued new guidance on cookies, addressing some key topics that impact website publishers and users alike.

The Austrian SA’s FAQ clarifies that cookies storing information about a user’s consent status do not require consent unless a unique online identifier is assigned to the user for this purpose. This differs from previous guidance from other regulators. The Belgian SA’s cookie checklist mentions that cookies used to store the user’s choice regarding cookies are exempt from consent, while the French SA also considers such cookies exempt from consent.

The Spanish SA’s guidance on analytics cookies specifies the types of measurements that are strictly necessary for the proper administration of a website and do not require consent. Publishers using these exempt cookies must inform users, limit the lifetime of the cookies, retain information for a specific period, and ensure data is collected separately for each publisher.

The EDPB has also been active in addressing cookie issues at the EU level, publishing guidance on cookies and similar technologies, findings on cookie banners, and thoughts on the European Commission’s cookie pledge to simplify cookie banners. The EDPB intends to issue guidance on the “pay or ok” consent model in the future.

The Covington Privacy & Cybersecurity team advises clients on cookie laws, particularly in the adtech context, and monitors guidance from European supervisory authorities closely. If you have any questions, reach out to any member of the team for assistance.