The topic of cookies has become a major focal point of the privacy landscape. With the debate around the Proposed Regulation on Privacy and Electronic Communications (2017/003(COD)) (21 January 2017) (‘the Draft ePrivacy Regulation’) still ongoing, cookies remain regulated in the European Union under Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’). Recently, the implementation measures of cookies and similar technologies have been addressed by the Court of Justice of the European Union (‘CJEU’) and national supervisory authorities. This Insight breaks down the applicable legislation throughout the EU.
EU Member States
EU
Article 5(3) of the ePrivacy Directive states that:
‘Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’
Planet49
The CJEU published, on 1 October 2019, its judgment in Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v. Planet49 GmbH (C-673/17) (‘the Planet 49 Judgment’).
The decision of the CJEU reflects the Advocate General’s Opinion delivered on 21 March 2019 and provides further confirmation that the consent requirement in relation to cookies is now the higher standard of consent, as defined in GDPR.
The decision also follows opinions issued by the European Data Protection Board (March 2019), the Irish Data Protection Commissioner (June 2019) and the UK Information Commissioner’s Office (July 2019) which all concurred that the standard of consent required by GDPR must be freely given, specific and informed, and that there must be an indication signifying a user’s agreement, which is unambiguous and involves a clear affirmative action.
The effect of the decision is that the ePrivacy Directive (2002/58/EC), as amended by Directive 2009/136/EC and the Irish ePrivacy Regulations of 2011, which govern the use of cookies (and similar technologies such as device fingerprinting and web beacons), must be read in conjunction with GDPR in terms of defining consent.
Fashion ID
The CJEU also published, on 29 July 2019, its judgment in Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV (C-40/17) (‘the Fashion ID Judgment’), addressing a dispute concerning the insertion by Fashion ID of Facebook Ireland Ltd.’s ‘Like’ button on its website through a plug-in, allowing users’ personal data, such as IP addresses and browser history, to be transferred to Facebook regardless of whether the user clicked on the ‘Like’ button.
The CJEU decision is consistent with previous rulings on joint controllership and expands the concept to cases in which one party has very little influence on the processing of the transferred personal data. Operators of websites implementing the ‘Like’ button or other (social) plug-ins will have to ask for consent and inform data subjects prior to sending personal data to a third party. This might be quite burdensome in practice, as true consent under the GDPR would require users to have a choice. The consent must cover only the part of the processing for which the operator is determining, jointly or alone, the purposes and means. It is likely that Facebook will update its terms shortly after the decision to include a joint controller agreement for this type of processing, like it did after the Wirtschaftsakademie decision.
So how has the rest of Europe dealt with cookies and the issue of consent?
Austria
Article 5(3) of the ePrivacy Directive has been implemented by Article 96(3) of the Federal Act Enacting the Telecommunications Act 2003 (as amended), which states that:
‘Operators of public communications services and providers of information society services as defined in Article 3 No. 1 E-Commerce Act, Federal Law Gazette I No. 152/2001, are obliged to inform subscribers or users about the personal data which the operator or provider will collect, process and transmit, about the legal basis for those activities, about the purposes for which these activities will be carried out, and about the period of time for which these data will be stored. Collecting these data shall only be permissible given the consent of the subscriber or user. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over a communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. The subscriber shall also be informed of the usage possibilities based on search functions embedded in electronic versions of the directories. This information shall be given in an appropriate form, in particular within the framework of general terms and conditions and, at the latest, upon commencement of the legal relations. The right to information pursuant to the Data Protection Act shall remain unaffected.’
In addition, the Austrian data protection authority published, on 7 December 2018, a decision (only available in German here) addressing the nature of consent to data processing for the purposes of direct marketing through the use of third-party cookies.
Belgium
Article 5(3) of the ePrivacy Directive has been implemented by Article 129 of the Law of 13 June 2005 on Electronic Communications.
The DPA published, on 17 December 2019, its decision (‘the Decision’) issuing a fine of €15,000 for violation of Articles 6, 7, 12, and 13 of the GDPR. In particular, the Decision outlines, among other things, that there was no process to obtain consent from users prior to posting first party analysis cookies on their terminal equipment, that the defendant’s legal basis of ‘legitimate interest’ for the same was invalid, and that on more than one occasion during the investigation the website did not state clearly how data subjects could withdraw their consent for the use of cookies.
Bulgaria
Article 4a of the Electronic Commerce Act 2006 (as amended) addresses the issue of cookies, and states that:
1. the information society service provider shall store information or gain access to information stored in the terminal equipment of the service recipient, provided that:
1) the information society service recipient has been presented with a clear and detailed information in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
2) the information society service recipient shall have the possibility to refuse the storage or access to the information;
in the cases under paragraph (1), the information society service providers shall grant the service recipient the possibility to receive, at any time, information on the data stored in the terminal equipment.
in the cases of subsequent storage of information or receipt of access to information by the same provider, the requirements under paragraph (1) shall not be mandatory, provided that the service recipient has not raised an objection.
the requirements under paragraph (1) shall not apply to the storage of information or granting access thereto when such is needed for:
transmission of a communication over an electronic communication network;
providing an information society service, specifically requested by the information society service recipient.
Croatia
Article 5(3) of the ePrivacy Directive has been implemented by Article 100(4) of the Electronic Communications Act 2008 (as amended) (only available in Croatian here).
Cyprus
Article 5(3) of the ePrivacy Directive has been implemented by Section 99(5) of the Electronic Communications and Postal Services Regulations Act 2004 (Law 112 (I) / 2004) (as amended) (only available in Greek, along with relevant documents, here).
The Office of the Commissioner for Personal Data Protection (‘the Commissioner’) issued its guidance on cookies (only available in Greek here).
The Commissioner also issued, on 30 July 2019, clarifications on the use of cookies by websites (only available in Greek here).
Czech Republic
Section 89(3) of Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts (as amended by Act No. 468/2011 Coll.) (‘the Czech E-Commerce Law’) addresses the issue of consent for cookies, and states that:
‘Anybody wishing to use, or using, the electronic communications network for the storage of data or for gaining access to the data stored in the subscribers’ or users’ terminal equipment shall inform those subscribers or users beforehand in a provable manner about the extent and purpose of processing such data and shall offer them the option to refuse such processing. This obligation does not apply to activities relating to technical storage or access and serving exclusively for the purposes of performing or facilitating message transmission via the electronic communications network, nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user.’
The UOOU issued, on 19 February 2020, a press release addressing, among other things, the need for a revision of the regulation on cookies (the press release is available, only in Czech, here).
Denmark-Greenland
Article 5(3) of the ePrivacy Directive has been implemented by Articles 3 and 4 of the Executive Order No. 1148 of 9 December 2011 on Information and Consent Required in Case of Storing or Accessing Information in End-User Terminal Equipment, which state that:
3. Natural or legal persons may not store information, or gain access to information already stored, in an end-user’s terminal equipment, or let a third party store information or gain access to information, if the end-user has not consented thereto having been provided with comprehensive information about the storing of, or access to, the information.
Information, cf. subsection (1), shall be comprehensive if it meets the following minimum requirements: 1) it appears in a clear, precise and easily understood language or similar picture writing, 2) it contains details of the purpose of the storing of, or access to information, in the end-user’s terminal equipment, 3) it contains details that identify any natural or legal person arranging the storing of, or access to, the information, 4) it contains a readily accessible means by which the end-user to refuse consent or withdraw consent to storing of or access to information, as well as clear, precise and easily understood guidance on how the end-user should make use thereof, and 5) it is immediately available to the end-user by being communicated fully and clearly to the end-user. In addition, when storing of information or access to information takes place through an information and content service, information to end-users must be directly and clearly marked and accessible at all times for the end-user on the information and content service in question.
4. Notwithstanding section 3, natural or legal persons may store information, or gain access to information already stored, in an end-user’s terminal equipment if: 1) storing of or access to information is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or 2) storing of or access to information is necessary in order for the service provider of an information society service explicitly requested by the end-user to provide this service.
Storing of or access to information in an end-user’s terminal equipment is necessary, cf. subsection (1), no. 2, if such storing of or access to information is a technical precondition for being able to provide a service operating in accordance with the purpose of the service.
The Danish Business Authority issued, in April 2013, its Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment.
Datatilsynet provided, on 6 March 2019, clarifications on the applicable legislation on cookies (only available in Danish here).
Estonia
Section 102 of the Electronic Communications Act 2005 (as amended) addresses the issue of cookies, and states that:
(1) A communications undertaking is required to maintain the confidentiality of all information which becomes known thereto in the process of provision of communications services and which concerns subscribers as well as other persons who have not entered into a contract for the provision of communications services but who use communications services with the consent of a subscriber; above all, it must maintain the confidentiality of:
1) information concerning specific details related to the use of communications services;
2) the content and format of messages transmitted over the communications network;
3) information concerning the time and manner of transmission of messages.
(3) A communications undertaking may process the information provided for in subsection (1) of this section if the undertaking notifies the subscriber, in a clear and unambiguous manner, of the purposes of processing the information and gives the subscriber an opportunity to refuse the processing.
(4) The obligation of a communications undertaking specified in subsection (3) of this section does not restrict the right of the undertaking to collect and process, without the consent of a subscriber, information which processing is necessary for the purposes of recording the transactions made in the course of business and for other business-related exchange of information. In addition to the above, the restriction provided for in subsection (3) of this section does not limit the right of a communications undertaking to store or process information without the consent of a subscriber if the sole purpose thereof is the provision of services over the communications network, or if it is necessary for the provision, upon a direct request of the subscriber, of information society services within the meaning of the Information Society Services Act.
Finland
Article 5(3) of the ePrivacy Directive has been implemented by Section 205 of the Information Society Code (917/2014), which states that:
‘The service provider may save cookies or other data concerning the use of the service in the user’s terminal device, and use such data, if the user has given his or her consent thereto and the service provider gives the user comprehensible and complete information on the purposes of saving or using such data. Provisions of subsection 1 above do not apply to any storage or use of data which is intended solely for the purpose of enabling the transmission of messages in communications networks or which is necessary for the service provider to provide a service that the subscriber or user has specifically requested. The storage and use of data referred to above in this section is allowed only to the extent required for the service, and it may not limit the protection of privacy any more than is necessary.’
The National Cyber Security Centre within the Finnish Transport and Communications Agency addresses the issue of cookies in its Guidance on Confidential Communications.
France
Article 5(3) of the ePrivacy Directive has been implemented by Article 82 of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended).
In addition, the French data protection authority (‘CNIL’) issued, on 4 July 2019, its guidelines on cookies and other online trackers (only available in French here).
Moreover, the CNIL digital innovation laboratory (‘LINC’) issued, on 6 November 2019, a visualisation tool to measure the impact of cookies and other trackers whilst browsing (you can access the software here).
The CNIL has also published guidelines on cookies and other trackers.
Germany
The German Data Protection Conference (‘DSK’) published, in March 2019, its Guidance from the Supervisory Authorities for Providers of Telemedia (only available in German here), which addresses, among other things, consent requirements for cookies.
Seven German data protection authorities (‘DPAs’) issued, on 14 November 2019, statements on the use of cookies, consent requirements, and Google Analytics, based on the Guide from data protection authorities to telemedia providers issued, in April 2019, by the DSK. You can read the Federal Commissioner for Data Protection and Freedom of Information press release here, the Hamburg State Commissioner for Data Protection and Freedom of Information press release here, the Berlin data protection authority press release here, the North Rhine-Westphalia data protection authority press release here, the Rhineland-Palatinate data protection authority press release here, the Hessen State Data Protection Commissioner press release here, the Lower Saxony data protection authority press release here, and the Schleswig-Holstein State Commissioner for Data Protection press release here, all only available in German.
For a more detailed analysis of the German regulatory approach to cookies, please refer to:
The Baden-Württemberg data protection authority (‘LfDI Baden-Württemberg’) issued, on 9 October 2019, a statement on cookies and consent (only available in German here).
Greece
Article 5(3) of the ePrivacy Directive has been implemented by Article 4(5) of Law 3471/2006 on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector and Amendment of Law 2472/1997, which states that:
‘The storage of data or gaining access to information already stored in the terminal equipment of a subscriber or user is only allowed if the specific subscriber or user has given his/her consent following clear and detailed information, according to Article 11(1) of Law 2472/1997, as effective. The consent of the subscriber or user can be given by means of appropriate settings in the web browser or by means of another application. The aforementioned shall not impede any technical storage or access, the sole purpose of which is the conveyance of information through an electronic communications network, or which is necessary for the provision of information society services explicitly requested by the user or subscriber. An act by the Personal Data Protection Authority analytically defines the manner in which information is provided and consent is declared.’
In addition, the Hellenic data protection authority (‘HDPA’) published, on 25 February 2020, guidance on cookies and similar trackers (only available to download in Greek here).
Hungary
Article 5(3) of the ePrivacy Directive has been implemented by Article 155(4) of Act C of 2003 on Electronic Communications (only available in Hungarian here).
In addition, the National Authority for Data Protection and Freedom of Information (‘NAIH’) issued, in July 2018, an information letter discussing, among other things, the use of cookies (only available in Hungarian here).
The NAIH also published, in January 2017, an information note concerning data protection requirements for web-shops (only available in Hungarian here), where the use of cookies is discussed in Chapter 3.
Ireland
Article 5(3) of the ePrivacy Directive has been implemented by Article 5(3), (4), and (5) of the S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, which states that:
(3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless (a) the subscriber or user has given his or her consent to that use, and (b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which— (i) is both prominently displayed and easily accessible, and (ii) includes, without limitation, the purposes of the processing of the information.
(4) For the purpose of paragraph (3), the methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent.
(5) Paragraph (3) does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
The Data Protection Commissioner also issued, in June 2019, its Guidance on Cookies and Similar Technologies.
Italy
Article 5(3) of the ePrivacy Directive has been implemented by Article 122 of the Personal Data Protection Code, Legislative Decree No. 196/2003 (a consolidated version with the amendments made by Legislative Decree No. 101/2018 on Provisions for the Adaptation of the National Legislation to the Provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) is only available in Italian here).
In addition, the Italian data protection authority (‘Garante’) issued FAQs on Information and Consent for the Use of Cookies (last updated on 2 October 2019) (only available in Italian here).
Finally, the Garante published, on 8 May 2014, its Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies.
Latvia
Article 5(3) of the ePrivacy Directive has been implemented by Section 7(1) of the Law on Information Society Services 2004, as amended, which states that:
Storage of information in a terminal equipment of a subscriber or user or acquisition of access to the information stored in a terminal equipment shall be permitted, if the relevant subscriber or user has provided his or her consent after he or she has received clear and comprehensive information regarding the purpose of the aforementioned processing in accordance with Personal Data Protection Law.
The consent referred to in Paragraph one of this Section shall not be necessary, if storage of the information in a terminal equipment or acquisition of access to the information stored in a terminal equipment is necessary for ensuring of circulation of the information in the electronic communications network or for intermediary service provider in order to provide a service requested by a subscriber or user.
In addition, the Data State Inspectorate addresses cookie requirements in its FAQs (only available in Latvian here).
Lithuania
Article 5(3) of the ePrivacy Directive has been implemented by Article 61(4) of the Law on Electronic Communications 2004 (as amended) (only available in Lithuanian here).
In addition, the State Data Protection Inspectorate issued its Order on the Approval of the Use of Cookies and Similar Measures (only available in Lithuanian here).
Luxembourg
Article 5(3) of the ePrivacy Directive has been implemented by Article 4 of Act of 30 May 2005 Laying Down Specific Provisions for the Protection of Persons with regard to the Processing of Personal Data in the Electronic Communications Sector and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure, as amended, which states:
It is prohibited for persons other than users to listen, tap, store or to use other kinds of interception or surveillance of communications and the related traffic data, without the consent of the users concerned.
However, Article 4.3.e of the same law states that Article 4.2 ‘shall not apply where electronic communications networks are used to store information or to gain access to information stored in the terminal equipment of a subscriber or user on condition that the subscriber or user concerned is provided with clear and comprehensive information, in particular about the purposes of the processing. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Where it is technically possible and effective, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.
This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.’
In addition, the National Commission for Data Protection (‘CNPD’) addressed the use of cookies in its guidance on specific provisions in the field of electronic communications (only available in French here).
Malta
Article 5(3) of the ePrivacy Directive has been implemented by Article 5 of the Processing of Personal Data (Electronic Communications Sector) Regulations of 2003, which states that:
(1) The storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent, having been provided by the controller with clear and comprehensive information in terms of Article 19 of the Act.
(2) The requirements contained in this regulation shall not prevent the technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or as may be strictly necessary in order for the service provider to provide an information society service explicitly requested by the subscriber or user to provide the service.
Netherlands
Article 5(3) of the ePrivacy Directive has been implemented by Article 11.7a of the Telecommunications Act 1998, which states that:
1. Without prejudice to the provisions of the Personal Data Protection Act, any party that wishes to acquire access by means of an electronic communications network to data stored in a user’s terminal equipment or that wishes to store data in the user’s terminal equipment:
(a) Must provide the user with clear and complete information in accordance with the Personal Data Protection Act and in any case regarding the purposes for which such party wishes to acquire access to the data concerned or wishes to store data; and
(b) Must have acquired the user’s consent for the action concerned.
2. The requirements within the meaning of paragraph 1(a) and (b) shall also apply if it is effectuated in a manner other than by means of an electronic communications network that data are stored via an electronic communications network or access is provided to data stored on the terminal equipment.
3. The provisions of paragraphs 1 and 2 shall not apply if technical storage or access to data are concerned that have the sole purpose of:
Implementing the communication via an electronic communications network; or
Delivering the information society service requested by the subscriber or user and said storage or access to data is strictly necessary for that purpose.
4. In agreement with Our Minister of Security and Justice, rules may be set by a general administrative order regarding the requirements within the meaning of paragraph 1(a) and (b). The opinion of the Dutch data protection authority (‘AP’) shall be secured regarding a draft of such general administrative order.
The Authority for Consumers and Markets (‘ACM’) has issued the following guidance:
Guidance on legal requirements for types of cookies (only available in Dutch here).
Frequently Asked Questions about the Dutch Cookie Act.
Poland
Article 5(3) of the ePrivacy Directive has been implemented by Article 173 of the Telecommunications Act of 16 July 2004, which states that:
1. The storing of information or the gaining of access to information already stored in the telecommunications terminal equipment of a subscriber or a user is only allowed on condition that:
(1) The subscriber or the end user is directly informed in advance in an unambiguous, easy and understandable manner with regard to: a) the purpose of storing and the manner of gaining access to this information, b) the possibility to define the conditions of the storing or the gaining of access to this information by using settings of the software installed on its telecommunications terminal equipment or service configuration;
(2) The subscriber or end user, having obtained information referred to above, gives its consent;
(3) The stored information or the gaining of access to this information do not cause changes in the configuration of the subscriber’s or end user’s telecommunications terminal equipment and in the software installed on this equipment.
2. The subscriber or end user may give its consent referred to in paragraph 1(2) using settings of the software installed on its telecommunications terminal equipment or service configuration.
3. The conditions referred to in paragraph 1 shall not apply, if the storing of or the gaining of access to information referred to in paragraph 1 is necessary to:
Transmit communication over a public telecommunications network;
Provide a telecommunications service or services by electronic means, requested by the subscriber or an end user.
4. Entities providing telecommunications services or services by electronic means may install software on the subscriber’s or end user’s terminal equipment intended for using these services or use this software, provided that a subscriber or an end user:
Is directly informed, before the installation of the software, in an unambiguous, easy and understandable manner, about the purpose of installing this software, and about the manner in which the service provider uses this software;
Is directly informed, in an unambiguous, easy and understandable manner, about the manner in which the software may be removed from the end-user’s or subscriber’s terminal equipment;
Gives its consent for the installation and use of the software prior to its installation.
Portugal
Article 5(3) of the ePrivacy Directive has been implemented by Article 5(1) and (2) of the Law No. 46/2012 of 29 August 2012, which states that:
(1) The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with the Law on Protection of Personal Data, inter alia, about the purposes of the processing.
(2) Nothing in this article and in the preceding article shall prevent any technical storage or access:
a) For the sole purpose of carrying out the transmission of a communication over an electronic communications network;
b) As strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
Romania
Article 5(3) of the ePrivacy Directive has been implemented by Article 4(5) of Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (only available in Romanian here).
Slovakia
Article 5(3) of the ePrivacy Directive has been implemented by Section 55(5) of Act No. 351/2011 Coll. on Electronic Communications, which states that:
Every person that stores or gains access to information stored in the terminal equipment of a user shall be authorised for that only if the user concerned has given his consent on the basis of clear and comprehensive information about the purpose of the processing; for this purpose the consent shall be also the use of a respective setting of the web browser or other computer programme. The obligation to gain the consent shall not apply to a body acting in criminal proceedings or other state body.
This shall not prevent any technical storage of data or access thereof for the sole purpose of the conveyance or facilitation of the conveyance of a communication by means of a network or if it is unconditionally necessary for the provider of an information society service to provide information society services if explicitly requested by the user.
Slovenia
Article 5(3) of the ePrivacy Directive has been implemented by Article 157 of the Electronic Communications Act (as amended) (only available in Slovenian).
The Information Commissioner (‘the Commissioner’) issued its Guidelines on cookies (only available in Slovenian).
The Commissioner also published FAQs on cookies (only available in Slovenian).
Spain
Article 5(3) of the ePrivacy Directive has been implemented by Article 22(2) of Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce (‘the Spanish Electronic Commerce Law’) (only available in Spanish).
The Spanish data protection authority (‘AEPD’) published, on 8 November 2019, its Guide on the Use of Cookies.
Sweden
Article 5(3) of the ePrivacy Directive has been implemented by Section 18 of Chapter 6 of the Electronic Communications Act (2003:389) (only available in Swedish).
The Post and Telecom Authority issued questions and answers about cookies (only available in Swedish).
The Swedish Advertising Ombudsman issued, jointly with different advertisement industry bodies, its cookie rules (only available in Swedish).
UK
Article 5(3) of the ePrivacy Directive has been implemented by Section 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which states that:
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment:
is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information:
for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
The Information Commissioner’s Office (‘ICO’) issued, on 3 July 2019, a new Guidance on the Use of Cookies and Similar Technologies, as well as a Blog Post on the same.
Other European jurisdictions
Gibraltar
Article 5(3) of the ePrivacy Directive has been implemented by Section 5 of the Communications (Personal Data and Privacy) Regulations 2006, which states that:
(1) Subject to sub-regulation (4), a person shall not store information, or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirement of sub-regulation (2) is met.
(2) The requirement is that the subscriber or user of that terminal equipment has given his consent, having been provided with clear and comprehensive information, in accordance with the provisions of the Data Protection Act 2004, about the purposes of the storage of, or access to, that information.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirement of sub-regulation (2) is met in respect of the initial use.
(4) Sub-regulation (1) shall not apply to the technical storage of, or access to, information:
for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user to provide the service; or
where such storage or access are strictly necessary for compliance with regulations 15A and 15B.
The Gibraltar Regulatory Authority issued, on 17 May 2012, its Guidance on Use of Cookies in Websites.
Guernsey
Article 5(3) of the ePrivacy Directive has been implemented by Section 4 of the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004, which states that:
(1) Subject to subsection (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of subsection (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment:
is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
is given the opportunity to refuse the storage of, or access to, that information.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this section that the requirements of subsection (2) are met in respect of the initial use.
(4) Subsection (1) shall not apply to the technical storage of, or access to, information:
for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Isle of Man
Article 5(3) of the ePrivacy Directive has not yet been implemented by the Unsolicited Communications Regulations 2005 (‘the Regulations’). However, the Information
Monaco
Article 14-2 of Act No. 1.165 on the Protection of Personal Data states that:
Prior to the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user, the subscriber or user must be provided with clear and comprehensive information about the purpose of the processing, and the means available to them to refuse such processing.
It shall be prohibited to make access to a service available through an electronic communications network conditional upon the acceptance, by the subscriber or the user concerned, of the processing of data stored in their terminal equipment, unless storage or technical access is for the sole purpose of transmitting or facilitating the transmission of a communication via an electronic communications network, or is strictly necessary in order to provide a service expressly requested by the subscriber or user.
The Monegasque data protection authority published, on 15 May 2019, its recommendation on the deposit and shelf-life of cookies and other tracers (only available in French).
Montenegro
Article 172(3), (4), (5), and (6) of the Law on Electronic Communications 40/2003 states that:
(3) Technical storage or access to communication content or data shall be permitted without consent of the user of such communication if the sole purpose is to transfer the data through the public communications network or when the operator provides such service at user’s request.
(4) Exceptionally, the actions referred to in paragraph 2 of this Article may be undertaken only if necessary, appropriate and proportional to protection measures of national security, defence and for the purpose of criminal offence prevention, investigation, uncovering and prosecution of offenders and unauthorised use of electronic communications system, as well as in the events of providing assistance in search and rescue of people when this is necessary for the protection of life and health of people and property, in accordance with the law.
(5) Use of electronic communications networks to store or gain access to data and information stored in the terminal equipment of users shall be allowed on condition that the user has agreed thereto and upon being provided with information about the purpose of data collection and processing.
(6) The user whose personal data are being processed can withdraw its consent mentioned in paragraph 5 of this Article at any time.
San Marino
Cookie requirements are addressed by Article 111 of Law No. 171 of 21 December 2018, Protection of Natural Persons with Regard to the Processing of Personal Data, which states that:
1. The storage of information on the terminal equipment of a subscriber or user or access to information already stored shall be permitted only if subscribers or users have given their consent after having been informed in accordance with Articles 13 and 14. This shall not preclude any technical storage of or access to already stored information for the sole purpose to transmit a communication on an electronic communications network, or to the extent strictly necessary for the provider of an information communication service explicitly requested by the subscriber or user to provide such a service.
To determine the above mentioned simplified procedures, the Data Protection Authority shall also take into account the proposals made by the most representative consumer associations and economic categories involved at national level, to also guarantee the use of procedures that ensure effective awareness of subscribers or users.
2. To give the consent referred to in paragraph 1, specific configurations of computer software or devices may be used as long as they are easy and clear for subscribers or users.
3. Without prejudice to paragraph 1, the use of an electronic communications network to access information stored in the terminal equipment of a subscriber or a user, to store information or to monitor user operations shall be prohibited.
Switzerland
Article 45(c) of the Telecommunications Act (TCA) of 30 April 1997 states that:
Processing of data on external equipment by means of transmission using telecommunications techniques is permitted only:
for telecommunications services and charging purposes; or
if users are informed about the processing and its purpose and are informed that they may refuse to allow processing.