Much ink has been spilled over questions regarding cookies: what exactly are they and how are they regulated? Cookies are an inseparable and often necessary part of modern Internet. However, cookies are also regarded as a threat to the privacy of Internet users.
Indeed, with seemingly free Internet content often comes the price of decreased privacy through cookies that enable the monitoring of the user’s activities and preferences. Consequently, rules on cookies are at the core of ongoing and heatedly debated privacy law developments.
We at Dittmar & Indrenius have kept a close eye on the highly topical developments in legislation and interpretations concerning cookies. Following these developments should be a high priority for any organisation using cookies. As a starting point, it is vital to understand what cookies are and what the essential requirements for their use are. The following chapters provide an overview of the matter.
A cookie is a small piece of data or text file, which is sent by a website to an Internet user’s browser along with a request that the browser stores the file on the user’s device. Essentially, this small file allows the website or other service provider to identify users and remember their selections or preferences over time. Put simply, without cookies websites would not remember the user, which would be unsustainable for many online services such as online banks and stores. Imagine having to re-enter information every time you browse from one page to another or revisit a page. Not very practical, right?
Initially, the purpose of cookies was to enable the functional operation of websites. However, the broader potential of cookies has long been recognised: cookies enable targeted marketing and detailed web analytics. In this potential also lie the risks. For example, cookies that allow preference tracking over different websites are tantamount to monitoring a user’s browsing history.
In other words, cookies are not all the same. Cookies used solely for the purpose of enabling the functioning of a website often expire at the end of the browsing session and are usually set by the website provider itself. However, cookies can also be stored on the user’s device for longer periods of time, enabling the remembering and tracking of the user’s actions and preferences across different websites and in between browsing sessions. It is also important to note that not all cookies are set by the website the user is actually visiting. Especially where the visited site includes social media plugins, advertisements or other types of third-party elements, such third parties may set cookies on the user’s device as well.
Eye on Consent and Information
- it is indispensable for and only used for providing the service requested by the user, which may be the case, for example, with session cookies used to remember the items in the user’s shopping basket;
- their sole purpose is transmitting electronic communications; or
In addition to these requirements under ePrivacy legislation, it is equally important to note that the information collected as a result of placing the cookie may also constitute personal data. In such a case, the provisions of the General Data Protection Regulation (“GDPR”) must also be taken into account. Compliance with the consent and information requirements under ePrivacy legislation will generally mean compliance with the corresponding requirements in the GDPR. However, it is important to ensure that those rules of the GDPR that are not found in ePrivacy legislation are met as well. These include, for example, the rules on disclosures of personal data and the rights of data subjects.
Explaining Cookies to the User
In addition, where personal data is processed, the information requirements of the GDPR must also be fulfilled. Under the GDPR, the users must also be provided with information on, inter alia, the recipients of the data collected and the users’ rights with respect to the processing of personal data.
Obtaining Cookie Consent
Users must consent to the use of most cookies. But what is considered valid cookie consent? This is a highly debated question in privacy and data protection law, and EU member states have taken different views on what constitutes valid consent to cookies.
The question of valid consent was at the core of the ECJ’s Planet49 case, which provides a useful example of non-compliant cookie practices. The case involved an online gaming company, which had organised a promotional lottery on a website. Upon participating in the lottery, the website user could consent to the operation of cookies. Participants were required to fill in certain input fields and press a selection button in order to participate and, below these, was a pre-selected checkbox, according to which the participant accepted the installation of cookies. Accepting cookies was not a precondition for participating in the lottery and participants could refuse consent by deselecting the checkbox.
The ECJ confirmed that the requirements for cookie consent correspond to the requirements set out under the former Data Protection Directive (95/46/EC), and consequently, the GDPR. In light of the GDPR, this ultimately means that cookie consent must meet the following requirements:
- Specific and informed: Consent must be specific in that it must relate to clearly defined cookie use. In order for consent to be specific there must be appropriate information on the types and purposes of the cookies as outlined above.
- Active choice: Consent has to be an active choice, which means that consent must be unambiguous. Passive behaviour, such as a failure to object to cookies without certainty of the user’s intention, conflicts with this requirement.
- Freely given: Freely given consent entails real choice, which is not the case if the user is, for example, deceived into accepting cookies.
In the case at hand, ‘consent’ collected through a pre-ticked checkbox was not considered valid consent. The court especially stressed the active and unambiguous nature of valid consent. Failing to object to cookies is not active behaviour. The judgment also underlines that website and online service providers should pay particular attention to the layout used when providing information on and seeking consent to cookies. The view taken in the judgment precludes giving consent to cookies at the same time as pressing a lottery participation button. These selections should be clearly separate. In addition, in order for consent to be clearly aimed at cookies, the button, link or box that indicates the consent must be close to where the cookie information is presented.
Another particular problem with many website cookies relates to the timing of the consent. Practices where cookies are installed immediately when a user enters a website although the user has not yet selected to accept cookies cannot be considered acceptable. Some websites may try to circumvent this with cookie banners stating that using the website implies consent to cookies. This, in turn, does not comply with the requirement of active and unambiguous consent and does not exhibit real choice.
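The timing rule above (no non-essential cookies before active consent) and the earlier distinctions between session and persistent cookies and between first- and third-party cookies can be checked mechanically. The following Python audit is an added example, not code from the article or from Dittmar & Indrenius; it assumes cookies captured as (responding host, Set-Cookie header) pairs, a known allow-list of essential cookie names, a boolean consent flag, and a simplified same-party test (no public suffix list).

```python
"""Consent-gating audit for Set-Cookie headers (added example, not the article's code)."""
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    persistent: bool   # Expires or Max-Age present: survives the browsing session
    third_party: bool  # set by a host other than the one the user is visiting


def parse_set_cookie(responding_host: str, header: str, site_host: str) -> CookieInfo:
    """Extract the attributes relevant to the session/persistent and party distinction."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")      # flags like HttpOnly have no value
        attrs[key.strip().lower()] = value.strip()
    persistent = "expires" in attrs or "max-age" in attrs
    # Assumption: same party if the hosts are equal or one is a subdomain of the other.
    a, b = responding_host.lower(), site_host.lower()
    same_party = a == b or a.endswith("." + b) or b.endswith("." + a)
    return CookieInfo(name, persistent, not same_party)


def audit(captured, site_host, essential, consent_given):
    """Return (name, kind) for cookies set although the consent state does not allow it.

    Essential (strictly necessary) cookies never need consent; every other cookie may
    only be set after the user has actively consented.
    """
    findings = []
    for responding_host, header in captured:
        info = parse_set_cookie(responding_host, header, site_host)
        if info.name in essential or consent_given:
            continue
        kind = ("third-party" if info.third_party else "first-party") \
            + ("/persistent" if info.persistent else "/session")
        findings.append((info.name, kind))
    return findings


# Constructed sample: headers a page might send before any consent interaction.
SAMPLE = [
    ("shop.example", "basket=abc123; Path=/; HttpOnly; SameSite=Lax"),
    ("shop.example", "_ga=GA1.2.1; Max-Age=63072000; Path=/"),
    ("ads.tracker.example", "uid=42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.tracker.example"),
]

if __name__ == "__main__":
    print(audit(SAMPLE, "shop.example", {"basket"}, consent_given=False))
    # → [('_ga', 'first-party/persistent'), ('uid', 'third-party/persistent')]
```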
The Finnish Way – Consent Through Browser Settings
Despite seemingly strict restrictions, there is room to be creative in obtaining cookie consent. Possible tools to this end include splash screens, banners, modal dialog boxes and browser settings. In Finland, the position has been that obtaining consent through browser settings is a viable and user-friendly alternative. There are, however, clear differences in the EU in this respect and, in many member states, consent through browser settings is not deemed valid. As a result of the Planet49 case – which highlighted the unambiguous nature of consent – the Finnish Transport and Communications Agency reassessed its current cookie guidelines on 20 November 2019 in light of the judgment.
Although browser settings are deemed an acceptable method in Finland by the competent authority, the general cookie requirements still apply. For example, websites must notify users of the cookie practices used, and consent through browser settings must actually be ‘given’, meaning that the default settings should not allow cookies; instead, the user may change the settings to allow them. The Planet49 judgment relates to a broader development in EU data protection and privacy law in which the criteria for the consent of individuals are subjected to higher scrutiny. In an online world characterised by a predominance of default settings and website users who are unaware of the privacy implications of online activity, website and other service providers should be increasingly cautious when relying on individuals’ consent. Consent practices should be deployed and reassessed by genuinely considering whether a website user understands how his or her privacy is affected.
The ePrivacy Regulation (Still) Around the Corner
The Finnish rules on cookies are based on the EU ePrivacy Directive, which will be replaced by the ePrivacy Regulation in the future. The original (and ambitious) aim was that the regulation would be approved together with the GDPR becoming applicable on 25 May 2018, but current estimates predict approval in 2020 and application in 2022. Although the final contents remain uncertain, the latest draft versions provide a sneak peek into the upcoming regulation.
In the latest version of the draft regulation, published on 8 November 2019, there is a clear attempt to distinguish between harmful cookie practices and cookies which in themselves are less intrusive to end-users’ privacy. For example, the draft takes a critical view of cookie walls, i.e. practices where users are denied access to website content if they do not consent to all cookies. As users must have a genuine choice to consent or not, the draft regulation states that making website access dependent on cookie consent should include the possibility to choose between an offer to consent to all cookies and an offer with only necessary cookies. In other words, there should be alternative content for those not consenting to all cookies.
Beyond Privacy Concerns?
Even beyond strictly legal concerns, any entity using or enabling the operation of cookies should carefully consider why and how cookies are being used. It is clear that cookies can be an acceptable and useful tool, enabling website providers to develop their websites further, providing a more user-friendly browsing experience and rewarding popular websites through advertising revenue. Conversely, intrusive and unnecessary functionalities – even where technically legal – should be avoided. Such considerations should be a high priority for website and service providers. Users may well be deterred from using websites and services which they feel collect too much information or which provide confusing or overly technical information on cookies.
With this article, we hope to encourage organisations to review their cookie practices and actively follow up on related developments. After a long wait, we are likely to know the final contents of the ePrivacy Regulation later next year, which will mean that organisations will have to review and reassess existing practices. We at Dittmar & Indrenius will be happy to assist in such projects.