For most internet users, cookie pop-ups or banners on websites are an annoying and all too frequent distraction.
For website owners, cookies are a valuable tool mainly used to retrieve the personal data and track the browsing patterns of visitors. But the fact that cookies can be used to identify an individual via their device means they also fall under the ‘personal data’ focus of the GDPR introduced earlier this year.
The regulation recognises cookie and device IDs and IP addresses as personal data and only allows them to be processed provided they fall under one of the permitted reasons – either a legitimate interest or a freely given, specific, informed and unambiguous consent. But most online service providers tracking users for advertising purposes have still not changed their internal data processing practices or updated their cookie notifications and policies to reflect this.
There are many misconceptions around the area of data privacy and cookies, mainly related to varying interpretations of the E-Privacy Directive in different EU countries. In France, some clarity was provided by the French Council of State (the highest court for administrative cases) in a case between website publisher Editions Croque Futur (challenger.fr) and the French data protection authority (the CNIL). In that case the court decided that the publisher had infringed French data protection laws because it illegally processed users’ personal data retrieved from cookies.
The case highlighted how cookies used for advertising purposes to support a website publisher’s business model cannot be used under the ‘legitimate interest’ requirement and therefore require users’ consent.
Moreover, the third parties which were allowed to enable cookies on the website were recognised as data controllers. The website publisher had to take reasonable measures to ensure the data processing of third parties was carried out in a compliant manner and in particular, that they did not enable non-compliant cookies.
Most importantly, the Council of State said that in this instance the website publisher was expected to ask for users’ consent and could not just rely on internet browser settings to control the cookies. Users had to be given the option to express their consent based on clear information describing different categories of cookies, allowing them to object to their use and explaining the consequences on their browsing experience if they did object.
Negotiations over the new E-Privacy Regulation are currently taking place in the Council of the EU, which has put forward a new proposal for amendments on provisions relevant to cookies and other online trackers. The ruling of the French Council of State appears to have been taken into consideration, as the proposed provisions allow cookies to be enabled if a user consents, or when it is necessary to ensure the security of a website or to detect technical faults.
In order to gain the consent of a user, a website must clearly state how cookies collect personal data, what the purposes are, who the data controller is, and how to stop or minimise the data collection.
Some other relevant information defined in Article 13 of GDPR, including information about the recipients of data, should also be provided. The Council suggests deleting the option to express consent within the internet browser settings, as highlighted by the French Council of State decision.