Anyone with even a passing interest in EU privacy law will be familiar with an old conundrum: the international tech business thinks up ever more innovative ways of targeting internet users and commercializing their data (often without their knowledge), while the EU implements ever more stringent measures to prevent just that from happening. For example, while the EU was touting the enactment of the ground-breaking General Data Protection Regulation (GDPR) in 2016, the Cambridge Analytica scandal exposed the widespread misuse of EU citizens’ personal data by major tech companies.
It could be argued that this same dynamic pertains when it comes to the use of cookies, i.e. small packages of ostensibly anonymous data deposited on users’ devices for a variety of purposes, including to track which sites are visited and to provide targeted advertisements to that device. The famous EU Court of Justice (CJEU) decision in the Planet 49 case in 2019 (C-673/17), in which the CJEU set stringent requirements on how websites must inform visitors of cookies and seek their consent, has served more to highlight the problem than to solve it.
In terms of the five stages of grief, the users of cookies have arguably gotten over denial (we don’t need to do anything!) and anger (this is an anti-business measure! the internet cannot work without cookies!) and are at the bargaining stage. In other words, companies are mostly still doing the bare minimum to meet what they see as their e-privacy and data protection obligations when it comes to cookie use.
However, this is not enough. So long as “cookie consent” is seen simply as a routine procedure and companies do not otherwise change their practices, the use of cookies is and remains solidly in the risky grey zone of a potential breach of data privacy laws. This risk can be mitigated, but it requires (a) taking data protection seriously when it comes to cookies, and (b) taking corrective measures.
The three steps presented below provide a roadmap you can follow so that you can be well on your way towards compliance with personal data and cookie-related EU provisions.
Three Steps Towards Better Compliance
1. Do our cookies collect personal data?
The first and most important step is to recognize that cookies are often more than they appear. The key question is whether a cookie, alone or together with other information, allows individual users to be identified. If the answer is yes, then the information gathered by the cookie needs to be treated as personal data. This means that such information cannot be freely transferred to third parties, utilized for other purposes, stored indefinitely, or in some cases used at all.
Examples of such problematic cookies include the collection or processing of IP addresses (e.g. by some Google Analytics cookies), and the use of cookies on webshops in such a way that the cookie can be connected to the name or email address of a shopper entered on a registration or sales form.
What this means is that organizations need to find out what cookies they (or their partners) are setting and analyze whether these cookies are collecting or processing personal data. If such cookies are found, then they should probably be removed, unless the organization wants to risk running afoul of the stringent data protection obligations set by the GDPR.
2. What cookies do we use? Which ones are “strictly necessary”?
Let’s assume that either you do not use personal data-gathering cookies, or the personal data risks relating to such cookies have been mitigated. Next, we need to look at the requirements for cookie compliance set by the E-Privacy Directive (2002/58/EC). The E-Privacy Directive, as interpreted in subsequent court decisions like Planet 49, requires that visitors be informed of cookies set on their devices, and that their consent is sought for setting the cookies. The one exception is ”strictly necessary” cookies, i.e., cookies that have the ”sole purpose of carrying out or facilitating the transmission of a communication” or that are ”strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”. No consent, or indeed notification is required for such ”strictly necessary” cookies.
However, here we return to the bargaining stage of grief. Despite the loose wording of the ”strictly necessary” exception, the EU data protection authorities have emphasized that the provision is to be read narrowly. Website owners should not succumb to the temptation of treating, e.g., analytics or tracking cookies as strictly necessary.
3. We now know which cookies we need to notify to users and seek consent. How can we do that?
This question has been answered quite thoroughly in the Planet 49 case referred to above: The requirements for cookie consent are the same as for personal data under GDPR. In other words, consent must be: (a) freely given, (b) specific, (c) informed, and (d) given as an unambiguous, affirmative action. The request for consent must be in clear and easily accessible form, in plain language, and the visitor should have the right to withdraw his or her consent at any time. Furthermore, consent should be given before the cookie is set on the user’s device. If consent is not properly sought (or even sought at all), then the use of cookies is in breach of the law.
While the above might seem like a veritable shopping list of requirements, the most common pitfalls of ”flawed consent” regarding cookies are:
- Setting cookies before consent is given (no consent exists at the time cookies are set)
- Providing insufficient information about the cookies, i.e. what the user is consenting to (consent is not informed or specific)
- Forcing the user to consent to non-necessary cookies in order to use a service (consent is not freely given)
- Bundling cookie consent with accepting, e.g., terms of service (consent is not unambiguous)
- Stating that” by using this service you accept the use of cookies” (consent is not affirmative)
- Cookie policy is long, obtuse, or layered behind multiple clicks to open additional information (consent is not in clear and easily accessible form)
In contrast to the above, a good cookie policy/consent usually will be provided in a separate, clear notification at the time the user lands on the website, which gives information on all of the non-necessary cookies used by the website and gives the user the opportunity to select which cookies they wish to allow before setting such cookies. The notification also should inform users on the expiry date of the cookies, and which party has set the cookie (in case the cookie was set by a third party).
The Upcoming E-Privacy Regulation
As a final point, website owners who follow the above steps should be OK – at least for now. However, the EU rules on cookie use are soon to be further complicated by the long-awaited EU E-Privacy Regulation, which governs e.g., the use of cookies. The Regulation was supposed to have been implemented in 2018, but has been repeatedly delayed. That said, it is likely that it will be enacted within the next year or two, which will require companies to review once again their data privacy and cookie policies. Stay tuned for further developments in this area!