The TrustArc “Current State of Cookie Consent Compliance and Enforcement” Privacy Advisory provides a brief background on cookies and tracking technologies, the role of the GDPR’s definition of consent and that law’s relationship to ePrivacy. Also addressed are recent cookie consent-related activities by several regulatory authorities, clarifying compliance requirements within the EU, and early possible interpretations relating to cookie practices under the forthcoming California Consumer Privacy Act (CCPA).
The EU ePrivacy Directive regime, as implemented among the individual Member States, independently requires consent as a pre-condition to lawfully accessing or storing information on an end user’s device. ePrivacy uses the GDPR definition of consent as its standard, meaning that consent must be a “freely given, specific, informed and unambiguous indication” of an individual’s wishes, by a statement or clear affirmative action signifying agreement.
Regional regulatory authorities have begun to articulate and enforce their views concerning consent practices around the accessing or processing of personal data collected via cookies and other tracking technologies. One such example involves the French CNIL (Commission nationale de l’informatique et des libertés) issuing four enforcement notices, each providing subject organizations 90 days to remedy the identified infringements. The French supervisory authority provided notices to mobile, SDK-based geo-targeting advertising companies to revise their consent collection practices. Although there were variations among the entities’ consent collection practices, in general, the CNIL found that when mobile device users installed an application containing one of the companies’ SDKs, the users were not informed that their location, device identifier or other information would be used for serving location-based targeted ads.
To learn more about the recent regulatory opinions and enforcement notices of consent practices, download your copy of the priv ..