Cookies Can Kill You!

Website owners targeting EU and EEA EFTA residents must take steps to protect themselves following yet another court ruling. Websites that drop third-party cookies and other trackers without proper end-user consent will find themselves in legal jeopardy, as they are now deemed responsible for personal data collected using cookies that is shared with other organisations.

Since the Privacy and Electronic Communications Directive 2002/58/EC (ePrivacy) came into force in the EU, all websites have needed an individual’s consent before dropping non-essential cookies on the end-user’s browser. It also requires that ‘clear and comprehensive information’ must be provided which is ‘prominently displayed and easily accessible’ and must include information on the purposes of the cookies set. Note the term Cookie in this article also refers to ETags, Flash “cookies”, HTML5 local storage, Evercookies and any other similar technologies.

There is an exception from this express consent requirement for any cookies which are set on the user’s equipment for the ‘sole purpose of carrying out the transmission’ or which are ‘strictly necessary in order to receive an information society service’ requested by the user (i.e. from the user’s and not the operator’s perspective).

Don’t forget that GDPR also applies in Norway, Liechtenstein and Iceland, three countries which are not in the EU but have certain rights and responsibilities under the EEA agreement.

[Figure: Map of Europe showing both GDPR and EEA EFTA countries. These are the 31 countries where GDPR is automatically applied.]

In the past it was considered acceptable to imply that consent was given based purely on continued use of a website’s services. However, since GDPR became law, the standard for consent has been revised. Consent can no longer be implied and is only deemed valid when it is given as a clear, explicit, affirmative and unambiguous act. It must be granular and not cover multiple or blanket conditions.

Post GDPR, consent needs to be collected in an easily accessible form and must be as easy to withdraw as it is to give. Consent is considered invalid if an imbalance of power exists between giver and taker, e.g. if there is detriment to the end-user should consent not be given.

Across Europe, Data Protection Authorities have been tightening up their guidance for cookie consent.

  • In February 2019, after carrying out a website survey in its jurisdiction, the Bavarian DPA warned that no websites in its sample met the revised guidelines.
  • In March 2019, the Dutch DPA warned that websites which only allow access if end-users agree to accept cookies are unlawful.
  • In June 2019, the Irish DPA explicitly laid out cookie consent requirements.
  • In July 2019, the French and British DPAs both issued new guidance, affirming that consent must meet the tougher GDPR standards.

In parallel to these changes the European Court of Justice (CJEU) has continued its extremely hard line on data protection. Time and again, the CJEU takes an expansive view of what data protection is.

This piles cost and responsibilities onto website owners (see Wirtschaftsakademie Schleswig-Holstein & Jehovan Todistajat). In the recent Fashion ID case, the German fashion retailer had included a Facebook “Like” button on its website. The court found this makes it a “joint controller” together with Facebook for the processing of visitors’ personal data.

With the Facebook Like button, the website operator embeds a short piece of code into its website that starts an application on Facebook’s servers. Facebook can collect data from visitors to the website even if they do not click on the Like button or have a Facebook account. The data collected include the IP address and data about the device used. If a user has an account with Facebook, this information will be linked to their user account; however, even if the user is not registered with Facebook, their data will be processed by Facebook and may be linked with any other information Facebook has gathered elsewhere.

In this particular case the user had no possibility to prevent this data transmission.

The procedure had to be decided according to the law of the EU Data Protection Directive of 1995 (Directive 95/46/EC), not according to the EU General Data Protection Regulation (GDPR). Nonetheless, the judgment is also of considerable significance under the GDPR, since in particular the regulations on joint controllership and the legal bases for data processing have essentially remained unchanged in the GDPR.

This means that all website owners MUST check if they deploy cookies for third parties and, if they do, either:

  • Ensure there are joint controller agreements in place,
  • Establish which lawful basis applies for the processing of end-user personal data,
  • Explain the data usage to website end-users, and
  • Be ready to vindicate end-users rights in all cases.

Or, alternatively, just remove the cookies!
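As an added illustration (not code from this post or from any vendor), the following consent-gated loader keeps a third-party embed such as a Like button off the page until an explicit, per-category opt-in has been recorded, and tears it down again when consent is withdrawn. The category names, embed ids and URLs are constructed placeholders, and the inject/remove callbacks stand in for the DOM script insertion a real page would perform.

```javascript
// Added example (not from the post): consent-gated loading of third-party embeds.
// Category names, embed ids and URLs are constructed placeholders. In a browser,
// inject() would append a <script src=...> tag and remove() would delete it; here
// they are plain callbacks so the logic runs offline, e.g. under Node.
const CATEGORIES = ["essential", "social", "analytics"];
function createConsentManager(embeds) {
  // null = never asked (implied consent is not consent), true = affirmative opt-in,
  // false = refused or withdrawn. Only "essential" (strictly necessary) needs no opt-in.
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, c === "essential" ? true : null]));
  const loaded = new Set();
  const events = []; // audit trail of what actually reached the page
  function sync() {
    for (const embed of embeds) {
      const allowed = state[embed.category] === true;
      if (allowed && !loaded.has(embed.id)) {
        embed.inject();
        loaded.add(embed.id);
        events.push(`load:${embed.id}`);
      } else if (!allowed && loaded.has(embed.id)) {
        embed.remove();
        loaded.delete(embed.id);
        events.push(`unload:${embed.id}`);
      }
    }
  }
  return {
    // Granular: one category per call; there is no blanket "accept all" default.
    grant(category) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      state[category] = true;
      sync();
    },
    // Withdrawing is as easy as granting, and tears the embed down again.
    withdraw(category) {
      if (category === "essential") throw new Error("strictly necessary embeds cannot be withdrawn");
      state[category] = false;
      sync();
    },
    // Scrolling or continued browsing must not count as consent: no state change.
    noteContinuedUse() { sync(); },
    isLoaded: (id) => loaded.has(id),
    events: () => events.slice(),
  };
}
// Constructed sample embeds: a social "Like" widget and an analytics tag.
const sampleEmbeds = [
  { id: "like-button", category: "social", url: "https://social.example/sdk.js", inject() {}, remove() {} },
  { id: "analytics-tag", category: "analytics", url: "https://stats.example/tag.js", inject() {}, remove() {} },
];
```

The audit trail returned by `events()` is what you would keep as evidence that nothing was loaded before the opt-in was recorded.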

If you have any questions or would like to discuss this further please contact us.
