Cookies: Making Sense out of the New Developments

By Eliav Boaron and Dan Or-Hof.

The use of cookies and other online tracking technologies has become a hot regulatory topic.

Here are three tips you must consider while preparing for cookie compliance:

  • Avoid placing cookies on EU users’ devices before receiving GDPR-like consent (opt-in).
  • Provide EU users with a direct link to a cookie policy, in which the users can see all cookies in use and manage their preferences in a clear and effective manner.
  • Appoint a cookie champion who will keep the cookie list up to date, handle users’ requests and ensure that all EU users can opt out in a clear, accessible and proper way.

These three tips are based on recent guidelines of EU regulators about cookies and other tracking technologies, as further described below.

But let’s begin with a short introduction, which requires going back to 2002 and the e-Privacy Directive (ePD) of that year, an important EU legal instrument for privacy in the digital age.

Among other things, the ePD covers the confidentiality of communications and the rules on tracking and monitoring.

The ePD, as amended in 2009 (known as the ‘Cookie Directive’), has caused many websites to create cookie banners on their homepages and offer cookie notices.

Just as the GDPR replaced Directive 95/46/EC, the EU is working on a new e-Privacy Regulation (ePR) that will harmonize the rules for privacy in communications across the EU and serve as a modern replacement for the ePD.

The final version of the ePR has yet to be published. However, the Council of the European Union (the Council), as well as regulators in specific EU member states, have recently shed some light on the matter.


On 18 September 2019, the Council released proposed amendments to the existing draft ePR. The amendments state that (the text in square brackets is our explanatory note) –

“the responsibility for obtaining consent for the storage of a cookie or a similar identifier lies on the entity that makes use of processing and storage capabilities of terminal equipment [such as a laptop or cellphone], or collects information from end-users’ terminal equipment, such as an information society service provider [a website owner] or ad network provider. Such entities may request another party to obtain consent on their behalf”.

In addition, regulators in specific EU member states, such as the German, UK and French authorities, have published guidelines on the acceptable use of cookies and other tracking technologies.


The German Data Protection Authority (“DSK”)

On April 5, 2019, the DSK published its Guideline for Telemedia Providers (in German). The DSK Guidance includes a specific requirement to obtain GDPR-like consent from users when web analytics tools are used to track the behavior of such users on the Internet.

As such, the collection of user data through cookies must be blocked while the cookie wall is displayed. A sole “Okay” button is not sufficient; each user must have the option to manage the user’s cookie preferences, including rejecting cookies.

The United Kingdom Information Commissioner’s Office (“ICO”)

On July 3, 2019, the ICO published its Guidance on the use of cookies and similar technologies (the ICO Guidance). The ICO Guidance includes requirements to maintain an up-to-date cookie policy that covers relevant information, including –

  • What are cookies and similar technologies?
  • What are the rules on cookies and similar technologies?
  • How do the cookie rules relate to the GDPR?
  • How does a company comply with the cookie rules?

In addition, the ICO Guidance instructs companies to provide their users with a proper choice to manage their cookie preferences.

This means that users need to opt in before a company may use cookies that are not “essential” to the service, and the ICO has defined “essential” very narrowly.

Until a user provides her/his freely given, specific, informed and unambiguous GDPR-like consent, a company may not use, send or store any non-essential cookie, even one that does not collect personal data.

In addition, even after a company has obtained a user’s consent, it must still provide the user with an up-to-date list of the cookies in use and the option to opt out of some or all of them.

For example, cookies used for analytics purposes, such as Google Analytics cookies, may be used only after a user provides her/his GDPR-like consent.

The French Data Protection Authority (“CNIL”)

The CNIL recently released its new guidelines (in French) on the proper framework for using cookies (the CNIL Guidance). Although the CNIL Guidance contains only 7 articles, their requirements are very similar to those in the ICO Guidance, including that –

  • scrolling down or swiping through a website or application can no longer be regarded as a valid expression of consent to the placing of cookies;
  • websites must be able to prove that they have obtained GDPR-like consent (so pre-ticked boxes are not acceptable);
  • websites must provide the user with an option to withdraw consent (an opt-out mechanism) in an easily accessible and usable manner. This CNIL position is in line with the recent decision of the Spanish data protection authority (in Spanish) to impose a 30,000-euro fine on a Spanish company, Vueling, for the cookie policy used on its website. Briefly, Vueling did not provide its users with a management system or cookie configuration panel that allowed each user to delete cookies in a granular way. A suitable opt-in mechanism must be in place, as well as the option to opt out thereafter in granular or selective form;
  • a general acceptance of a website’s terms of service is not a valid method for obtaining proper consent. The website owner must allow users to opt in separately for each cookie, based on its purpose, before it is used; and
  • a mere cross-reference to the website’s terms of service is insufficient.
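The ICO and CNIL requirements above (no non-essential cookie before an explicit opt-in, an up-to-date list of cookies, a provable consent record, granular withdrawal that actually deletes the cookies, and third-party tags such as analytics loaded only after consent) translate into a small piece of front-end logic. The following is an added example written for this page; it is not code from the article, from any regulator or from any consent-management product. The cookie names, purposes, the in-memory cookie jar standing in for `document.cookie` and the `createConsentManager` API are all constructed assumptions for illustration.

```javascript
// Added example (not from the article or any regulator): a minimal consent
// gate for cookies and for the scripts that set them. All cookie names,
// purposes and the in-memory jar below are constructed for illustration.

// Registry of every cookie the site may write, keyed by name with its purpose.
// This doubles as the "up-to-date list of cookies in use" shown to the user.
const COOKIE_REGISTRY = {
  session_id:   { purpose: "essential",   description: "keeps the user signed in" },
  csrf_token:   { purpose: "essential",   description: "anti-CSRF token" },
  analytics_id: { purpose: "analytics",   description: "web analytics visitor id" },
  ad_segment:   { purpose: "advertising", description: "ad network audience segment" },
};

// Name of the (essential) cookie that records the user's decision, so the site
// can later prove what was consented to and when.
const CONSENT_COOKIE = "cookie_consent";

// Stand-in for document.cookie so the example runs outside a browser.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    get: (name) => store.get(name),
    names: () => [...store.keys()],
  };
}

function createConsentManager(jar, registry = COOKIE_REGISTRY, now = () => new Date()) {
  // Every non-essential purpose starts as NOT granted: no pre-ticked boxes,
  // and scrolling or closing the banner never flips these to true.
  const purposes = [...new Set(Object.values(registry).map((c) => c.purpose))];
  const granted = Object.fromEntries(
    purposes.filter((p) => p !== "essential").map((p) => [p, false]));
  let recordedAt = null;

  function persist() {
    // The decision is stored in an essential cookie; this is the consent record.
    recordedAt = now().toISOString();
    jar.set(CONSENT_COOKIE, JSON.stringify({ granted, recordedAt }));
  }

  function canSet(name) {
    const entry = registry[name];
    if (!entry) return false;                       // unregistered cookies are never written
    if (entry.purpose === "essential") return true; // essential cookies need no consent
    return granted[entry.purpose] === true;         // others only after an explicit opt-in
  }

  return {
    purposes: () => Object.keys(granted),
    // The user ticked specific purposes in the preferences panel.
    grant(list) {
      for (const p of list) {
        if (!(p in granted)) throw new Error(`unknown purpose: ${p}`);
        granted[p] = true;
      }
      persist();
    },
    // Withdrawal is granular and deletes the cookies of the withdrawn purposes.
    withdraw(list) {
      for (const p of list) {
        if (!(p in granted)) throw new Error(`unknown purpose: ${p}`);
        granted[p] = false;
        for (const [name, entry] of Object.entries(registry)) {
          if (entry.purpose === p) jar.remove(name);
        }
      }
      persist();
    },
    canSet,
    // Gate for writing a cookie; returns whether it was actually written.
    setCookie(name, value) {
      if (!canSet(name)) return false;
      jar.set(name, value);
      return true;
    },
    // Gate for third-party tags (e.g. an analytics script): the loader runs
    // only if the user has opted in to that purpose.
    loadIfConsented(purpose, loader) {
      if (granted[purpose] !== true) return false;
      loader();
      return true;
    },
    // Rows for the preferences panel: each cookie, its purpose and current status.
    cookieList() {
      return Object.entries(registry).map(([name, entry]) => ({
        name, purpose: entry.purpose, description: entry.description, allowed: canSet(name),
      }));
    },
    consentRecord: () => (recordedAt ? { granted: { ...granted }, recordedAt } : null),
  };
}
```

In a real page the `memoryJar` would be replaced by a wrapper around `document.cookie` (with `remove` setting an expired date on the same path and domain), and `loadIfConsented("analytics", injectAnalyticsTag)` would be the only place the analytics tag is ever inserted, so that no analytics cookie can exist before the user opts in and none survives a withdrawal.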

A Bird’s Eye View of the Pros and Cons

The purpose of these amendments and guidelines is to support and improve individuals’ right to privacy. The right to privacy is not limited to the collection of personal data, but also protects from an “invasion” of tracking technologies into an individual’s property (computers, smartphones, etc.).

However, implementing these requirements will likely affect website owners’ business models and users’ online experience, considering that –

  • placing cookies requires consent: you must not place cookies before receiving it;
  • online users have little incentive to agree to receive cookies; and
  • the new cookie guidelines prohibit a ‘take-it-or-leave-it’ approach, meaning that website owners will need to grant access to users who refuse cookies, forgoing the benefits that cookie-based tools bring to the website owner.

For example, web analytics tools are extremely important for a website’s operations. They are an essential resource for understanding how users interact with the website, and they help create an enhanced user experience and business benefits for website owners.

Website owners will now need either to convince users that accepting analytics cookies will give them a better service (with a low likelihood of success) or to create new incentives for users to agree to analytics cookies being placed on their devices.

Absent new incentives for EU users to consent to the use of cookies, some companies may find the EU market less attractive than other markets around the world and may change their business models accordingly, including by reducing or even terminating their activities in the EU.

Last but not least, will the enhanced cookie notices make a difference to individuals’ privacy? We will have to wait for forthcoming quantitative and qualitative research on the matter.

Conclusion

Recent EU guidelines on cookies potentially further protect users’ right to privacy; at the same time, they make companies’ websites, operations and technologies harder to run, and these companies have yet to say their last word.

In the meantime, companies must reassess their cookie policies and provide relevant users with a much better cookie-consent platform, the earlier the better.

We will inform you of any developments.
