On 26 October 2021, the National Commission for Data Protection (‘CNPD’) in Luxembourg published cookies guidelines on cookies and other technology trackers. These new guidelines aim to help website or application operators continuously comply with applicable rules, as outlined in existing legislation and as they emerge from case law. Additionally, the CNPD’s new cookies guidelines outlined the distinction between essential cookies (those which require no obligation of consent) and non-essential cookies (those which do require obligation of consent), providing specific examples supporting such analysis between the two. Furthermore, the guidelines introduce the notion of dark patterns in the context of collecting user consent, along with many examples of good practice.
Notably, the CNPD clarifies in the new guidelines some important distinctions about cookies regarding their types, purposes, and uses.
With respect to essential cookies, the CNPD clarified that cookies with the purposes do not require user consent:
With respect to analytical cookies, the guidelines differentiated between purposes of use for analytical cookies:
The CNPD specifically outlined that, although audience measurement cookies do not pose significant risks to privacy when placed directly (aka, not placed by a third party) to the visited website for statistical purposes, it is still necessary for the site operator to obtain user consent before placing this type of analytical cookie. However, where the website operator is able to demonstrate that the use of analytical cookies is necessary for the provision of service (for example, to evaluate server capabilities), these types of analytical cookies may be exempted from the consent requirement, provided that such cookies:
Our technology can help reduce risk.
OneTrust’s market-leading Consent Management Platform:
Check out this page for more information.