Cookie Consent - Ensuring GDPR Compliance
Last updated: March 30, 2026
Background
Under Article 5(3) of the EU ePrivacy directive (as implemented in national law), website owners generally must provide clear information and obtain consent before storing information on — or accessing information from — a user's device (e.g., via cookies, tracking pixels, or similar technologies), unless a limited exemption applies (e.g., where the storage or access is strictly necessary to provide a service explicitly requested by the user).
The policy objective behind Article 5(3) of the foregoing Directive is to protect the user's "terminal equipment" (device) and to prevent hidden identifiers and similar technologies from entering or interacting with a device in a way that can intrude into the user's private sphere.
Because the ePrivacy Directive is implemented through national laws, requirements and enforcement approaches can differ between Member States, including which authorities are competent and how certain technical scenarios are interpreted. This is important for N.Rich customers, who may operate across multiple jurisdictions.
Following the EDPB's adoption of Guidelines 2/2023 on the Technical Scope of Art. 5(3) (Version 2.0, finalized 7 October 2024), the consent requirement is interpreted broadly to cover not only traditional cookies but also tracking pixels, URL tracking, device fingerprinting techniques, certain types of local processing where information leaves the device, and in some cases IP-based tracking. N.Rich's own analysis of these guidelines (available internally on demand) identifies numerous areas of uncertainty — in particular, whether the passive receipt of technically necessary information (such as IP addresses transmitted automatically as part of the TCP/IP protocol) constitutes "gaining access" within the meaning of Article 5(3). It is also important to highlight that key EU regulators (the German DPA or the French DPA (CNIL)) have previously taken the position that it does not. Nevertheless, the EDPB's broad interpretation means that customers should treat any non-essential tracking technology with caution and ensure transparency at a minimum.
Legacy approach - simple banner that cookies are used
A legacy approach (shown below) that still appears on some websites is to set cookies immediately when a user arrives and merely show a notice stating that "cookies are used."

This approach is problematic and not compliant with applicable EU law for the following reasons:
Cookies and comparable identifiers may be set before the user has any meaningful choice, without the user understanding who will set them, for what purposes, and with what consequences. The cookie notice only informs the user that cookies are used; a user who continues to use the site has no way of rejecting them apart from disabling cookies altogether, which is not a very viable option from a user-experience perspective. In other words, consent is practically enforced.
Users may have no realistic way to refuse except by leaving the website or disabling cookies entirely — meaning any "consent" is unlikely to be considered freely given.
Under both the ePrivacy Directive recitals and the EDPB's 2023 Cookie Banner Taskforce findings, users must be able to refuse non-essential cookies in a user-friendly manner, with a "Reject" option available on the same layer as the "Accept" option and displayed in the same manner as the latter.
EU case law on cookie-consent
The foundational EU case law on cookie consent is the judgment of the Court of Justice of the European Union in Case C-673/17, which clearly stated: "The consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent." This decision means that consent can’t be implied, enforced, or assumed based on the behavior of the user (e.g. visiting the site). Instead, the user must be informed about the use of cookies and the terms associated with that use, and must actively accept the use of cookies, for example by checking a box or pressing an accept button.
This principle has been reinforced by subsequent regulatory action. The EDPB's Cookie Banner Taskforce (January 2023) established that where a cookie banner includes an "Accept" button, a "Reject" button must also be available on the same layer. The EDPB also clarified that withdrawing consent must be as easy as giving it.
Implications for website owners
It is strongly recommended that if and when a website uses cookies or similar tracking technologies for analytics, marketing or advertising purposes, explicit and informed consent is acquired from the visitor before setting any cookies or activating non-essential trackers. In practice, this is often done by popping up a consent menu through which the visitor can either accept the cookies or change the cookie preferences. The consent interface should present "Accept all" and "Reject all" (or "Reject Non-Essential") options on the same layer, in line with the EDPB Cookie Banner Taskforce findings (January 2023), and allow easy withdrawal of consent at any time (e.g. via a floating icon or a persistent link). The consent signal should be recorded, stored and auditable. N.Rich does not recommend any particular consent management platform but recommends that customers verify that their chosen Consent Management Platform meets the compliance requirements in a simple and user-friendly way.
Hereunder you may find a valid example of a Cookie Management Platform (CMP) end-user facing functionality.

Implications to N.Rich setup
When using the “legacy” implied consent model, there is no way to verify that an active, informed and valid consent was actually given by the user. This creates a risk of cookies being set illegally without consent, which could result in disruptions in the use of the data and, in the worst case, in being found in violation of the GDPR and/or the ePrivacy Directive and fined a maximum amount of 20 Million Euros or 4% of your company's total global annual turnover of the preceding financial year, whichever is higher. In order to avoid such risks, N.Rich recommends the following actions:
Implement a CMP / explicit consent model. Customers should move to an explicit consent flow so that consent signals can control N.Rich Tag behaviour. The CMP should meet the criteria described in the "Implications for website owners" section above.
Default to Cookieless mode until a valid legal consent signal exists. N.Rich's Website Tag supports two modes, which form the foundation of the consent-gated setup:
N.Rich Cookieless Tag — designed not to set or access cookies on the end-user's browser. It supports account-level analytics by using signals such as IP address to associate browsing behaviour at company level, without identifying individual users. Even with some downsides of using the Cookieless mode, the benefits of ABM are far greater than delaying the launch because of a missing explicit consent process. The downside of using only the Cookieless mode is that analytics and optimization functionalities of N.Rich won’t be able to identify a specific user, but all data is aggregated to account level.
N.Rich Standard Tag — sets and accesses cookies (including a unique user identifier with a 540-day expiration, refreshed on each visit) to enable enhanced measurement, attribution, optimization, and person-level analytics.
Important note on the Cookieless Tag and Article 5(3): Whether "cookieless" operation itself requires consent under Article 5(3) depends on the actual technical operations and the applicable national implementation. The EDPB's broad interpretation of "gaining access" in its Guidelines 2/2023 could, at its widest, encompass the collection of browser-generated information (user agent, screen resolution, IP address) even without cookies. However, as set out in N.Rich's analysis of these guidelines, key national regulators have taken more measured positions — the German DPA stated that processing information transmitted inevitably when a service is accessed (such as IP address, URL, user agent string) does not constitute "access to information already stored in the end device." The CNIL has similarly confirmed that receiving an IP address through normal TCP/IP communication is not "gaining access." The Finnish regulator Traficom has also taken a practical approach, recognizing exemptions for non-personalized distribution cookies. N.Rich recommends a conservative approach: use Cookieless mode by default, ensure transparency in the website privacy notice (and where relevant within CMP vendor lists / IAB TCF), and monitor evolving national enforcement positions.
After upgrading to a CMP that supports explicit cookie consent, N.Rich Cookieless mode should still be used until the user explicitly accepts the cookies. Once consent has been granted, N.Rich Standard mode should be used; it takes advantage of cookies and enables optimisation and analytics as configured in the Client's CMP and subject to the user's consent choices.
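The consent-gated setup described above can be sketched as a small decision layer between the CMP and the tag loader. This is an added example, not N.Rich's or any CMP's own code; `createConsentStore`, `selectTagMode`, the signal source names and the sample session are all hypothetical.

```javascript
// Added example. All names are hypothetical; this is not N.Rich's tag API
// or the API of any particular CMP.
const MODES = Object.freeze({ COOKIELESS: "cookieless", STANDARD: "standard" });

// Only deliberate banner interactions count as consent signals (assumed names).
const EXPLICIT_SOURCES = new Set([
  "accept_button", "reject_button", "preferences_save", "withdraw_link",
]);

function createConsentStore(now = () => new Date().toISOString()) {
  const log = []; // append-only, so every signal stays auditable
  return {
    record({ source, marketing = false, prechecked = false }) {
      // Implied signals (page view, scrolling) and pre-checked boxes are
      // logged for audit but never treated as consent.
      const valid = EXPLICIT_SOURCES.has(source) && !prechecked;
      log.push({ at: now(), source, marketing: valid && marketing === true, valid });
      return valid;
    },
    // The latest valid signal wins, so withdrawal overrides earlier acceptance.
    current() {
      for (let i = log.length - 1; i >= 0; i--) if (log[i].valid) return log[i];
      return null;
    },
    history() { return log.map((entry) => ({ ...entry })); },
  };
}

// Cookieless is the default; Standard needs a valid opt-in for marketing.
function selectTagMode(store) {
  const consent = store.current();
  return consent && consent.marketing ? MODES.STANDARD : MODES.COOKIELESS;
}

// Constructed visitor session: the mode after each signal.
function demo() {
  const store = createConsentStore(() => "2026-01-01T00:00:00.000Z");
  const signals = [
    { source: "page_view", marketing: true },                          // implied
    { source: "preferences_save", marketing: true, prechecked: true }, // pre-checked
    { source: "accept_button", marketing: true },                      // explicit opt-in
    { source: "withdraw_link" },                                       // withdrawal
  ];
  const modes = [selectTagMode(store)];
  for (const s of signals) { store.record(s); modes.push(selectTagMode(store)); }
  return { modes, history: store.history() };
}

console.log(demo().modes.join(" -> "));
```

The tag loader would call `selectTagMode` on every page load and again whenever the CMP reports a change, so that a withdrawal takes effect as easily as the original acceptance did.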