Crumbs: European Cookie Law developments for 2014


This post is given over to some bite-sized European cookie law updates.


Belgium held a public consultation into their revised cookie guidance.

The Netherlands

The Netherlands revised their cookie law. This is important: the Netherlands had what was essentially the strictest cookie law implementation across Europe. It has now been simplified to apply only to cookies which have an actual impact on privacy. Common sense at last. Details


France’s data protection authority held a national “cookie sweep” day. They appear to be moving towards a stricter implementation, just as other countries are loosening theirs.


Spain surprised us by being the first and only country to issue a cookie law fine. It followed the dreadfully late release of their national cookie law guidance. It is important to remember that in the Spanish cookie law case, the fine was issued due to noncompliance with Spain’s very strict data protection laws. Even the judge admitted that the cookies in question were benign.


Italy published its cookie law guidance in June. The guidance is very clear and specific, which suggests that lessons have been learned from the first round of European cookie guidance which was so ambiguous as to be useless. Unfortunately it requests the use of obtrusive and inaccessible overlays.

While not a cookie law case, a recent Supreme Court ruling set a precedent for use in Italian case law. In a case concerning a data protection breach, the Court found that the mere fact that the breach took place was not sufficient to cause damages to be due to the plaintiff. The plaintiff has to prove that they suffered actual damage as a result of the data breach, and that the damage was a consequence of the defendant’s wilful negligence or misconduct.

This case may have implications for any future cookie law cases. After all, how do you prove that you suffered real and substantial damage from a cookie? As the other country bites have shown, Europe is thankfully moving past the initial formulation of the law which saw the mere presence of a cookie as evidence of wrongdoing. This misunderstanding threatened to create an environment where fines could be handed out left and right for innocuous and functional cookies. The Italian case continues this sensible shift to an evidence-based system.


Because Google is essentially a sovereign actor – their tax system is certainly as complicated as a political one – I include them here. This year Google released a suite of consent mechanisms. Your choices are a pop-up, a notification bar, or a splash screen. In other words, awful, worse, and absolutely horrible.