On 26 October 2021, the National Commission for Data Protection (‘CNPD’) in Luxembourg published cookies guidelines on cookies and other technology trackers. These new guidelines aim to help website or application operators continuously comply with applicable rules, as outlined in existing legislation and as they emerge from case law. Additionally, the CNPD’s new cookies guidelines outlined the distinction between essential cookies (those which require no obligation of consent) and non-essential cookies (those which do require obligation of consent), providing specific examples supporting such analysis between the two. Furthermore, the guidelines introduce the notion of dark patterns in the context of collecting user consent, along with many examples of good practice. 

Notably, the CNPD clarifies in the new guidelines some important distinctions about cookies regarding their types, purposes, and uses.  

Essential Cookies

With respect to essential cookies, the CNPD clarified that cookies with the purposes do not require user consent: 

  • Recording user choices regarding cookies 
  • User authentication, provided that the cookie is only used for this purpose
  • Saving shopping carts 
  • Saving responses to contact forms 
  • Streaming content 
  • Service customization, e.g., to save display or language settings 
  • Security, again provided that the cookie is used exclusively for this purpose 
  • Analytics, subject to the below clarifications 

Analytical Cookies

With respect to analytical cookies, the guidelines differentiated between purposes of use for analytical cookies:  

  1. Used for audience measurement purposes  
  2. Necessary to use for the provision of a service 

The CNPD specifically outlined that, although audience measurement cookies do not pose significant risks to privacy when placed directly (aka, not placed by a third party) to the visited website for statistical purposes, it is still necessary for the site operator to obtain user consent before placing this type of analytical cookie. However, where the website operator is able to demonstrate that the use of analytical cookies is necessary for the provision of service (for example, to evaluate server capabilities), these types of analytical cookies may be exempted from the consent requirement, provided that such cookies:  

  • Are not passed on to third parties, nor cross-referenced with other data 
  • Do not allow global monitoring of the navigation of a person using different applications or browsing on several websites 
  • Are collected exclusively by and for the website operator and are used to produce anonymous statistics only 

Are you sure you are cookie complaint?

Our technology can help reduce risk

OneTrust’s market-leading Consent Management Platform: 

  • Is the most widely used solution for capturing and managing consent on web, mobile, and CTV applications 
  • Enables you to uncover hidden trackers and cookies on websites and configure branded banners using unique consent approaches based on location
  • Supports you to measure and optimize consent rates for maximum opt-ins 

Check out this page for more information. 

Read the CNPD press release here and the new cookies guidelines here, both only available in French. 

Further Resources:

Follow OneTrust on LinkedInTwitter, or YouTube for the latest on consent management.