This toolkit provides resources for checking and ensuring website compliance with European Union (EU) data protection laws on cookies. It contains:
Below is a breakdown of which countries require implied consent and which require explicit consent.
|Implied Consent|Explicit Consent|Unknown/Unclear|
The Directive provides that businesses only need to comply with the implementing laws of the EU country where they are based. However, non-EU businesses will be required to comply with the laws set by each of the countries whose subjects they are targeting with their websites. (Examples of a website targeting French subjects would be: (a) a .fr website; or (b) a .com website that is in French or has a French language option.)
The EU Commission and Parliament have already passed the General Data Protection Regulation (GDPR) to replace the Data Protection Directive. To accompany GDPR, they also intend to pass an e-Privacy Regulation in May 2018 to replace the e-Privacy Directive.
The e-Privacy Regulation, which has been published in draft form, appears to remove the need for consent to permit the setting of cookies which are not "privacy intrusive". Also, it suggests that consent for privacy intrusive cookies may be inferred from browser settings and, therefore, it may remove the need for a cookie notification banner. However, the timing of the law being passed is likely to be delayed and the law could be subject to revision as it progresses through the legislative process. Until the final version is published, we need to maintain compliance with the current e-Privacy Directive. This guidance will be reviewed after the Regulation is published.
Until the e-Privacy Regulation is passed, where the Informa business operating a website is based in the EU, it should apply the consent model, either implied or explicit, that is required by the laws of the EU country where it is based. Where the relevant country requires explicit consent, then that is the standard to be met. Where the relevant country accepts implied consent, it would be open to Informa to apply the higher standard of an explicit model. However, we do not recommend that strategy.
Where the Informa business is based outside the EU, it has two options for a consent strategy. It could operate:
We recommend that each Informa division adopts the second strategy in order to take advantage of the less restrictive implied consent model wherever possible.
The cookie notification banner should include the following elements:
Below are templates for simple, succinct cookie notification banners - one implied consent version and one explicit consent version.
In order to capture explicit consent, this banner would need to remain visible on the page until the user clicks to close it and no cookies should be set until the user takes that action, with the exception of strictly necessary cookies.
The notification banner should be displayed clearly the first time that a user visits the website, on whatever page he/she visits first.
The notification banner can be at the top or bottom of the page, provided it is clearly visible above the fold, i.e. the user does not have to scroll down to see it.
You can exercise your discretion over the size, font and colour of the banner wording and the background colour of the banner, provided the notification is clear and prominent enough to be seen and read easily.
It is best practice for the banner to remain on the screen for as long as the user stays on that page, remaining visible as the user scrolls up and down. It would only be removed when the user takes the specified action or conduct to indicate consent (e.g. clicking to visit another page or closing the banner). It would be possible for the banner to fade away after a set period of time, provided the time period is long enough for Informa to argue convincingly that the user would have seen and had the opportunity to read and interact with the banner.
It is best practice to provide users with a cookie consent tool enabling them to see the specific cookies used on the site and, unless they qualify as strictly necessary, exercise their choice over whether to continue accepting cookies or disable individual cookies. There are third party providers who can supply a complete consent solution, including site audits and a cookie consent tool, for example Evidon (https://www.evidon.com/solutions/universal-consent/).
Currently Informa does not provide users with such a tool. Given the uncertainty over the new e-Privacy Regulation, it may not make sense to consider implementing one. However, this should be reassessed when the final Regulation is published.
Each division should set up a system to regularly audit and analyse all cookies (and similar technologies) used on its websites. Such a system should:
Audits should be conducted every 6 months, as a minimum.