The Advertising Standards Council of India (ASCI) Academy, in collaboration with PSA Legal and Tsaaro Consulting, has released a comprehensive white paper titled Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA to commemorate Data Privacy Day.
The paper explores cases and examples in other jurisdictions and sheds light on how the issue of cookie consent has been addressed in different countries. Here’s a roundup of the cases and their key judgments.
1. Finland DPA, 2019: A complaint was filed against a website’s cookie banner. The banner provided only two options: “OK” and “Additional Information”, with no option to refuse cookies. The Finnish DPA ruled that consent is not voluntary if users cannot refuse cookie storage. Under the ePrivacy Directive (EPD), users must have an easy mechanism to withdraw consent, which this banner lacked. The website was ordered to explicitly include a refusal option and simplify the process for withdrawing consent.
2. DSB Austria (Der Standard), 2023: Austrian newspaper “Der Standard” had two choices on its cookie banner: “Ok” or “Pay.” Clicking “Ok” meant sharing data with 125 third parties; the only way to avoid this was to pay for a subscription. The Data Protection Authority (DPA) underscored that consent must be granular and withdrawable. A single blanket acceptance for multiple data-sharing processes was unlawful, especially when the only alternative was a paid subscription.
3. Christian Schmidt vs. Danish Meteorological Institute (Denmark DPA), 2020: Complaint alleged that the Danish Meteorological Institute (DMI) collected personal data jointly with Google for targeted advertising without proper consent. The initial banner offered only an “Ok” button; the revised banner added “Show Details” with pre-checked boxes for different purposes. The DPA found that consent must be granular and informed. The modified version still failed because there was no immediate option to reject cookies at first interaction and it lacked transparency about Google’s joint controller role.
4. Amazon France Logistique Case, 2023: Amazon France installed a large number of advertising cookies without users’ informed consent. The banner failed to tell users about the deposit of these cookies, the purpose, or how to reject them. Cookies were also automatically placed if a user clicked on an Amazon ad on another website. The authority held that the cookie banner must fully inform users of both the purpose of cookies and their right to refuse. Amazon was fined €35 million for non-compliance, particularly because the small “opt-out” button on third-party ads did not truly reject cookies.
5. Spanish DPA, 2023: A complaint showed non-essential cookies were installed before any user action on the banner. Performance and targeting cookies (belonging to a third party) were installed by default, and there was no withdrawal mechanism. The Spanish DPA confirmed that cookies were placed without valid consent, fined the company €2,000, and reiterated the need to offer a clear refusal or withdrawal mechanism for non-essential cookies.
6. Federation of German Consumer Organisations vs. Planet49, 2019: Planet49 ran an online lottery requiring users to consent to two checkboxes—one for promotional offers (not pre-ticked) and another for installing cookies (pre-ticked by default). It explicitly mentioned that cookies would enable interest-based advertising. The court held that consent requires a clear affirmative act and cannot be obtained via pre-ticked boxes. Consent must be fully informed, detailing cookie duration and any third-party data sharing.
7. Denmark, Decision Against Meta, October 30, 2023: Meta provided one blanket consent for multiple data uses and failed to offer granular consent. For unregistered users, the banner offered only “Allow necessary cookies” or “Allow necessary and optional cookies.” The Danish authority ruled that Meta must:
– Allow granular consent for different processing purposes.
– Provide a permanent and easily accessible withdrawal option.
– Offer clear and detailed information on each cookie’s purpose.
8. Plaintiff vs. LinkedIn & Microsoft Entities (Amsterdam), 2024: Despite users explicitly rejecting cookies on multiple websites, tracking cookies still appeared on their devices. An independent analyst discovered that 27 out of 30 visited websites deposited cookies without consent. The court found a breach of the GDPR and Dutch Telecommunications Act. It prohibited these controllers from placing or reading tracking cookies without consent and imposed a penalty of €500 per violation (up to €25,000 per company).
9. United States of America, Plaintiff vs. Google Inc., 2012: The Federal Trade Commission (FTC) alleged Google had been circumventing Safari’s default cookie-blocking settings, placing advertising tracking cookies without user knowledge or consent. Google’s actions violated user privacy assurances and FTC regulations. The company ultimately faced substantial penalties and was required to ensure transparent and compliant cookie practices going forward.
10. In the Matter of ScanScout, Inc. (FTC), 2011: ScanScout’s privacy policy stated that users could opt out of cookies by adjusting their browser settings. In reality, ScanScout used Flash cookies, which could not be removed or blocked via normal browser settings. The FTC found ScanScout’s claims deceptive and ordered it to provide a clear, prominent opt-out mechanism lasting at least five years. Targeted ads needed a hyperlink directing users to the opt-out tool on each ad.
11. In re: Nickelodeon Consumer Privacy Litigation (Third Circuit), 2016: Viacom’s Nick.com (for children) claimed it did not collect personal data; however, first-party cookies from Viacom and third-party cookies from Google DoubleClick tracked children’s browsing. The court found that Viacom likely violated privacy expectations by promising not to collect children’s personal data and then doing so anyway. While Google’s ad practices were not deemed unusual, Viacom’s contradictory messaging to parents was the core issue.
12. Facebook Inc. vs. Australian Information Commissioner, 2022: An app used the Facebook login and harvested not just the user’s data but also the user’s friends’ data—allegedly for improper political campaign purposes. Facebook Inc. challenged Australian jurisdiction. The Australian court confirmed that the Privacy Act applies to companies with an “Australian link,” including those installing cookies on Australian users’ devices. Facebook’s cookie use established its Australian link, subjecting it to Australian privacy regulations.