On the heels of the Planet49 decision, the Spanish data protection authority AEPD has fined Vueling Airlines €30,000 (reduced to €18,000 for payment in full) for failure to provide a compliant cookie disclosure/consent under GDPR.

Key takeaways (pertaining to cookies that require consent under GDPR):

  • You need to provide the individual with the ability to

The Court of Justice of the European Union has issued its Planet49 decision.

Key takeaways:

  • A pre-checked check box is not sufficient consent for the placement of cookies.
  • You need active consent whether or not cookies collect personal data.
  • The fact that a user activates the promotional game participation button is not sufficient to

“Given the legal requirements for explicit, informed consent, it is obvious that the vast majority of cookie consent notices are not compliant with European privacy law – researchers at the University of Michigan have found.”

“If given a choice, just 0.1 percent of site visitors would freely choose to enable all cookie categories/vendors — i.e.

Much has been discussed about the recent cookie guidance by the UK ICO and the French CNIL, but what do other data protection authorities think? In a detailed position paper, the Association of German Data Protection Authorities (Datenschutzkonferenz, or DSK) sets out its worldview on cookies and provides a very helpful, detailed guide

A web developer study shows that when a cookie banner allows users to refuse cookies, 50 percent of users choose this option and subsequently refuse all third-party services.

However, when this choice is not available, we end up with a cookie acceptance rate between 90 and 98 percent via site users clicking the “I accept”

Analytics cookies in the crossfire.

Different approaches set forth in the CNIL Guidance and in the ICO cookie guidance.

CNIL – Set list of terms to qualify for an exemption from the need to obtain consent.

ICO – This is a non-essential cookie and consent is needed … BUT … unlikely to prioritize enforcement of

Strict is for cookie, that’s good enough for me.

The United Kingdom’s Information Commissioner’s Office highlights “strictly necessary” cookies:

  • Strictly necessary cookies are cookies which are essential, not just nice to have:
    1. for the provision of the service, and not for other functions that you would like
    2. for compliance with legal requirements that apply to

French regulator CNIL has issued its promised guidance on the use of web cookies.

Among the key takeaways:

  • you need to list all third parties involved in data collection
  • consent must be real
  • simply using a website is not sufficient consent and neither, at this point, are browser settings.

Also, if you meet a list

Cookies in the spotlight in France:

Actual consent – in.

Continued browsing – out.

The French Data Protection Authority, CNIL, repealed its 2013 guidelines on cookie consent and announced that upcoming cookie guidance will be published later this month (July). Per the new guidance, continued browsing of a website will not suffice to indicate consent to