Eventually, different mechanisms aimed at complying with the law whilst preserving the normal functioning of the Internet emerged. These ranged from the pure opt-in box approach to momentarily waving a cookie warning to users entering a website for the first time. In reality, these mechanisms differed in the level of compliance they achieved, so the EU data protection authorities were at pains to clarify what they regarded as good enough and what didn't meet the consent requirement.
In the end, deploying an "implied consent" mechanism was generally regarded as the minimum baseline for compliance across the EU. Implied consent did not mean simply returning to the old “notice and opt-out” approach.
In order to be regarded as valid consent, this approach needs to meet the following criteria:
- Action that amounts to consent – The cookie banner or pop-up must spell out as clearly and prominently as possible what specific action or conduct will amount to consent. As a minimum, the notice must state that if a visitor continues to use the site without changing the settings, then the website operator will assume that the visitor is happy to receive cookies. Only after the user has taken that action will it be lawful to proceed to drop the cookies onto the device.
The bottom line is that if a website operator deploys a mechanism that properly meets these features, it will be regarded as compliant with the consent requirement.
So what's the problem then?
Now the mighty CNIL has warned French website operators that it intends to audit the level of compliance with this requirement in October. That's not a massive notice to get your house—well, your website or mobile app—in order, but then again, this has been the law for nearly five years. Will this lead to a drop of enforcement in a sea of noncompliance? Possibly, but do you want to be the next target?
If you want to comment on this post, you need to login.