Cookies: Making Sense out of the New Developments
By Eliav Boaron and Dan Or-Hof.
Here are three tips you must consider while preparing for cookie compliance:
- Avoid placing cookies in EU users’ electronic devices before receiving GDPR-like consent (opt-in).
- Appoint a cookie champion that will handle the updates of the cookie list, address users’ requests and ensure that all EU users have an option to opt-out in a clear, accessible and proper way.
These three tips are based on recent guidelines of EU regulators about cookies and other tracking technologies, as further described below.
However, let’s begin with a short introduction. To do so, we need to go back to 2002. More specifically, the 2002 e-Privacy Directive (ePD), which is an important EU legal instrument for privacy in the digital age.
Among others, the ePD covers confidentiality of communications and the rules about tracking and monitoring.
The ePD, as amended in 2009 (known as the ‘Cookie Directive’), has caused many websites to create cookie banners on their homepages and offer cookie notices.
Like the GDPR, that repealed Directive 95/46/EC, the EU is continuously working on a new e-Privacy regulation (ePR) which will harmonize rules for privacy in communications across the EU and serve as a modern substitute to the ePD.
The final version of ePR has yet to be published. However, the Council of the European Union (the Council), as well as specific EU member states regulators, have recently shed some light on this matter.
On 18 September 2019, the Council released proposed amendments to the existing draft ePR. The amendments have pointed out that (the text between square brackets are our explanatory notes) –
“the responsibility for obtaining consent for the storage of a cookie or a similar identifier lies on the entity that makes use of processing and storage capabilities of terminal equipment [such as a laptop or cellphone], or collects information from end-users’ terminal equipment, such as an information society service provider [a website owner] or ad network provider. Such entities may request another party to obtain consent on their behalf”.
The German Data Protection Authority (“DSK”)
On April 5, 2019, the DSK published its Guideline for Telemedia Providers (in German). The DSK Guidance includes a specific requirement to obtain GDPR-like consent from users when web analytics tools are used to track the behavior of such users on the Internet.
As such, the collection of potential user data trough cookies must be blocked during the display of a cookie wall. A sole “Okay” button is not sufficient, and each user must have the option manage the user’s cookie preferences, including to reject cookies.
The United Kingdom Information Commissioner’s Office (“ICO”)
- What are cookies and similar technologies?
- What are the rules on cookies and similar technologies?
- How do the cookie rules relate to the GDPR?
- How does a company comply with the cookie rules?
In addition, the ICO Guidance instructs companies to provide their users with a proper choice to manage their cookie preferences.
Until a user does not provide her/his freely given, specific, informed and unambiguous GDPR-like consent – even with respect to cookies that do not collect personal data – a company is not allowed to use, send or store any cookie that is not essential.
In addition, after a company obtained a user’s consent, the company must still provide the user with an up-to-date list of cookies in use as well as the option to opt-out from some or all of such cookies.
For example, cookies that are used for analytics purposes, such as Google Analytics cookies, will be used only after a user provides her/his GDPR-like consent.
The French Data Protection Authority
The CNIL recently released its new guidelines (in French) about the right framework of using cookies (the CNIL Guidance). Although the CNIL Guidance contains only 7 articles, the requirements written in these articles are very similar to the requirements stated in the ICO Guidance, including that –
- scrolling down or swiping through a website or application can no longer be viewed as a valid expression of consent to the implementation of cookies.
- websites must be able to prove that they have obtained a GDPR-like consent (as such, pre-ticked boxes are not acceptable).
- a general acceptance of a website’s terms of service cannot be a valid method for obtaining proper consent. The website owner needs to provide users with the ability to separately opt-in for each cookie, based on its purpose, before the use.
- a mere cross-reference to the website’s terms of service is insufficient.
A Bird’s Eye View of the Pros and Cons
The purpose of these amendments and guidelines is to support and improve individuals’ right to privacy. The right to privacy is not limited to the collection of personal data, but also protects from an “invasion” of tracking technologies into an individual’s property (computers, smartphones, etc.).
However, the implementation of these requirements will likely affect website owners’ business models and users’ online experience, considering that –
- placing cookies requires consent. You must not place cookies before receiving it;
- online users have no incentive to agree to receive cookies; and,
- the new cookie guidelines prohibit a ‘take-it-or-leave-it’ approach. It means that website providers will need to provide access to users, without benefits to the website owner and associated with cookie-based tools.
For example, web analytics tools are extremely important for a website’s operations. They are an essential resource to understand how users interact with the website and help creating enhanced users’ experience and business benefits to the website owners.
Website owners will now need to either convince users that accepting analytics cookies will provide them with a better service (low likelihood of success) or create new incentives for users to agree to placing analytics cookies in their devices.
Last but not least, will the enhanced cookie notices make a difference to individuals’ privacy? We should wait and see forthcoming quantitative and qualitative researches about this matter.
Recent EU guidelines about cookies potentially further protect users’ right to privacy; however, at the same time, they harden companies’ websites, operations, and technologies, and these companies have yet to say the last word.
In the meanwhile, companies must reassess their cookie policies and provide relevant users with a much better cookie-consent platform, the earliest the better.
We will inform you of any developments