Said notice must indicate:
- the name of each relevant cookie, enabling identification of the website operator’s and each third party’s cookies;
- the data types for each relevant cookie and their expiry date; and
- a plain-language explanation of each cookie’s function.
The DPA recommends that website operators provide general information about cookies and practical information about how the user may find and control cookie settings in his/her browser.
The website operator must provide a cookie notice to users when they first visit the site. Said notice must be repeated if there is a change in the notice. A multilayered notice - i.e. a condensed notice in a pop-up window with a link providing access to the full cookie information - is generally acceptable.
The guidance says that the website operator must implement a mechanism by which the user deactivates the notice (pop-up / layer) through active behavior acknowledging receipt of the information. This requirement also applies to cookies covered by the cookie consent exemption.
The operator must keep the relevant cookie notice easily accessible after the pop-up or layer has been deactivated. If the use of the cookie requires consent and said requirement relates to a particular functionality, then the operator may provide the relevant cookie notice when the user uses said functionality.
The guidance says that the use of user-input cookies, authentication cookies, user centric security cookies, multimedia player session cookies, load balancing session cookies and user interface customization cookies does not require any consent.
However, if the cookie consent exemption does not apply - such as in connection with the use of third party cookies or tracking cookies - then the website operator must secure the user’s voluntary consent to the use of such cookies and must obtain separate consent for each cookie that requires consent. In such cases, the DPA will not accept bundled consent covering several cookies at the same time, because the DPA considers that consent bundling does not enable voluntary consent. Instead, the DPA suggests that the website operator should implement a consent mechanism providing separate checkboxes for each relevant cookie. The DPA guidance also underlines that the operator must obtain consent before placing each relevant cookie on the user’s end device. This means that the user may not have access to the relevant functionality before he/she has granted consent to the cookie used for that functionality.
The guidance says that the website operator must use inactive social media plug-ins and implement steps that restrict data transfers to social networks, unless the user explicitly consents to the transmission of the information to the social network, e.g. by sharing an article via a social media plug-in. This means that the user must activate the relevant plug-in after having received from the operator a notice about the scope of data collection and transfer, including whether behavioral information is collected and transmitted to third parties.