EU GDPR

Cookies: An evolving picture

Often website owners aren’t even aware that their websites are dropping cookies, especially those cookies which are used for behavioural advertising. Using these third party cookies advertisers can track a user across multiple websites. This helps build a profile for the user based on behaviours and habits, so advertisements can be targeted to their interests.

GDPR and the ePrivacy Directive (Directive 2002/58/EC) are both relevant when it comes to cookies. This is not straightforward as the plan was to replace the ePrivacy Directive with the ePrivacy regulation when GDPR was implemented but as this is being written in late 2019 that regulation hasn’t been finalised.

Roughly GDPR (Art 95) says if there is a specific rule in the ePrivacy Directive, that applies, otherwise the general principles in GDPR apply. For example the ePrivacy Directive (Art 25) requires consent to drop cookies, and GDPR defines what consent is (Art 7), and that interplay has been confirmed in the planet 49 judgment

Not all cookies are tasty

Highlights of that planet 49 judgement

It is worth looking at the language of the judgement to understand how the court viewed cookies when they issued the judgement. It is difficult to see how tracking cookies and the existing online behavioural advertising ecosystem will survive in Europe as this judgement trickles down to national regulators and courts. .

Cookies need consent regardless of if it personal data or not.

Cookies don’t have to be to personal information, for the directive’s requirement of consent to apply “… not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data….”

People need to be informed about what the cookies do and who gets access to them

That information includes, inter alia, under Article 10 of Directive 95/46, in addition to the identity of the controller and the purposes of the processing for which the data are intended, any further information such as the recipients or categories of recipients of the data in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

People should be alerted to the duration of the cookies

the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

Current cookie compliance rules

The various European Supervisory Authorities are only slowly coming to terms with this. The 31 supervisory authorities across the EEA are bound by a consistency mechanism (Art 63) to apply the GDPR in a similar way.

For example these four European Supervisory Authorities issued new guidance in 2019:

CountrySupervisory AuthorityGuidance
UKInformation Commissioner’s OfficeCookies and similar technologies
FranceCommission nationale de l’informatique et des libertésCNIL’s guidelines on cookies and tracking devices
SpainAgencia Española de Protección de Datos Guía sobre el uso de las cookies
NetherlandsAutoriteit PersoonsgegevensHoe legt de AP de juridische normen rond cookiewalls uit?

While there are subtle differences between each set of guidance all of them are looking for more transparency and accountability in the use of cookies. The UK’s Information Commissioner’s offce (ICO) pushes responsibility back onto the website owner saying. “You must explain the way the cookies (or other similar technologies) work and what you use them for, and the explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing the cookies. You may need to make sure the language and level of detail are appropriate for your intended audience.”

The French Commission nationale de l’informatique et des libertés (CNIL) is a little bit more explicit and summarises their updated guidance with two main points. Point One:  the scrolling down or swiping through a website or application can no longer be viewed as a valid expression of consent to the implementation of cookies. Point two: website owners who operate tracking devices must be able to prove that they have obtained the consent.

The Spanish Agencia Española de Protección de Datos (AEDP) is  even more explicit and detailed and lays out quite detailed directions for what information should be provided and reminds us valid consent (Art 4) can only be for a single specific purpose, with a clear affirmative action, by a data subject who is aware of the consequences. Plus, consent must be as easy to withdraw as to give.

Finally the key message from Dutch Autoriteit Persoonsgegevens (AP), is that “Cookie walls are non-compliant with the principles of consent of the GDPR,”

Any website which targets users across these four countries has to comply with these subtly different interpretations. The really difficult bit is that the remaining 27 National Supervisory Authorities haven’t stated explicitly how they will enforce data protection law when it comes to cookies. Leaving website owners open to enforcement actions.

If you need do discuss cookie compliance or any other data protection issue, please contact us.

Leave a Reply