Following a trail of crumbs – What are cookies and how may they be used?

D&I Quarterly Q4/2019

Posted on 9 Dec



Much ink has been spilled over questions regarding cookies: what exactly are they and how are they regulated? Cookies are an inseparable and often necessary part of the modern Internet. However, cookies are also regarded as a threat to the privacy of Internet users.

Indeed, with seemingly free Internet content often comes the price of decreased privacy through cookies that enable the monitoring of the user’s activities and preferences. Consequently, rules on cookies are at the core of ongoing and heatedly debated privacy law developments.


It’s a safe bet that the average website or online service provider uses cookies. It’s less certain that such providers rigorously respect all the legal conditions for using them. Current legislation sets out various requirements for the use of cookies. Furthermore, the law of cookies is a moving target – relevant legal rules and their interpretations seem to be under constant reform, as seen in the European Court of Justice’s (“ECJ”) recent ruling in the so-called Planet49[1] case. Despite these legal boundaries, cookies are often essential for the functional operation of websites, can create significant commercial value and can benefit Internet users as well. The question is not whether cookies can be used but how.

We at Dittmar & Indrenius have kept a close eye on the highly topical developments in legislation and interpretations concerning cookies. Following these developments should be a high priority for any organisation using cookies. As a starting point, it is vital to understand what cookies are and what the essential requirements for their use are. The following chapters provide an overview of the matter.

Understanding Cookies

A cookie is a small piece of data or text file, which is sent by a website to an Internet user’s browser along with a request that the browser stores the file on the user’s device. Essentially, this small file allows the website or other service provider to identify users and remember their selections or preferences over time. Put simply, without cookies websites would not remember the user, which would be unsustainable for many online services such as online banks and stores. Imagine having to re-enter information every time you browse from one page to another or revisit a page. Not very practical, right?

Initially, the purpose of cookies was to enable the functional operation of websites. However, the broader potential of cookies has long been recognised: cookies enable targeted marketing and detailed web analytics. In this potential also lie the risks. For example, cookies that allow preference tracking over different websites are tantamount to monitoring a user’s browsing history.

In other words, cookies are not all the same. Cookies used solely for the purpose of enabling the functioning of a website often expire at the end of the browsing session and are usually set by the website provider itself. However, cookies can also be stored on the user’s device for longer periods of time, enabling the remembering and tracking of the user’s actions and preferences across different websites and in between browsing sessions. It is also important to note that not all cookies are set by the website the user is actually visiting. Especially where the visited site includes social media plugins, advertisements or other types of third-party elements, such third parties may set cookies on the user’s device as well.
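The distinctions above (session versus persistent, first-party versus third-party) can be read directly from the `Set-Cookie` headers a page load produces. The following is an added example, not part of the original article: the hosts, cookie names and values are constructed, and the "last two host labels" rule for deciding what counts as the same site is a simplifying assumption.

```javascript
// Added example; all hosts and cookie values below are constructed.
// Assumption: a "site" is the last two host labels. A real audit should use
// the Public Suffix List (this shortcut is wrong for e.g. co.uk).
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

function classifyCookie(setCookie, pageHost, responseHost, now = Date.now()) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const nameEnd = pair.indexOf('=');
  let expiresAt = null; // null means no expiry attribute: a session cookie
  let maxAgeSeen = false;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1);
    if (key === 'max-age' && /^-?\d+$/.test(val)) {
      expiresAt = now + Number(val) * 1000; // Max-Age overrides Expires
      maxAgeSeen = true;
    } else if (key === 'expires' && !maxAgeSeen && !Number.isNaN(Date.parse(val))) {
      expiresAt = Date.parse(val);
    }
  }
  return {
    name: nameEnd === -1 ? '' : pair.slice(0, nameEnd),
    lifetime: expiresAt === null ? 'session' : 'persistent',
    // An expiry in the past (a deletion) is reported as 0 days.
    lifetimeDays: expiresAt === null ? null : Math.max(0, Math.round((expiresAt - now) / 86400000)),
    party: site(pageHost) === site(responseHost) ? 'first' : 'third',
  };
}

// Constructed capture: responses seen while loading a page on www.shop.example.
const NOW = Date.parse('2019-12-09T00:00:00Z');
const CAPTURED = [
  { from: 'www.shop.example', header: 'basket=abc123; Path=/; HttpOnly' },
  { from: 'www.shop.example', header: 'prefs=lang-fi; Max-Age=2592000; Path=/' },
  { from: 'track.ads.example', header: 'uid=7f3a; Expires=Wed, 09 Dec 2020 00:00:00 GMT; Path=/' },
];

function auditPage(pageHost = 'www.shop.example') {
  return CAPTURED.map((c) => classifyCookie(c.header, pageHost, c.from, NOW));
}

console.table(auditPage());
```

The resulting table gives, per cookie, the lifetime and the party that set it, which is the raw material for a cookie notice.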

Eye on Consent and Information

Cookies are regulated by the Finnish Act on Electronic Communications Services, according to which the use of cookies is only allowed if one of the following main conditions applies:

  1. it is indispensable for and only used for providing the service requested by the user, which may be the case, for example, with session cookies used to remember the items in the user’s shopping basket;
  2. their sole purpose is transmitting electronic communications; or
  3. the user has been informed of the use of cookies and has given their consent to it.

In brief, if the use of the cookie is important to an online service provider, but not essential for providing the service, consent must be requested and the relevant information provided to the user. This basically means that, for example, the use of cookies for analytics purposes requires user consent.

In addition to these requirements under ePrivacy legislation, it is equally important to note that the information collected as a result of placing the cookie may also constitute personal data. In such a case, provisions of the General Data Protection Regulation[2] (“GDPR”) must also be taken into account. Compliance with the consent and information provision requirements under ePrivacy legislation will generally mean compliance with respective requirements in the GDPR. However, it is important to ensure that rules of the GDPR, which are not found in ePrivacy legislation, are met. These include, for example, rules on disclosures of personal data as well as the rights of data subjects.

Explaining Cookies to the User

Irrespective of whether the use of cookies entails the processing of personal data, the website users must be provided with clear and comprehensive information about cookies used and the purposes of saving or using user data. Based on the ECJ’s judgment in the recent Planet49 case, this should include at least information on the duration of the cookies, and whether third parties receive data collected with the cookies. The provision of information must be done in the most user-friendly way possible.

In addition, where personal data is processed, the information requirements of the GDPR must also be fulfilled. Under the GDPR, the users must also be provided with information on, inter alia, the recipients of the data collected and the users’ rights with respect to the processing of personal data.

Obtaining Cookie Consent

Users must consent to the use of most cookies. But what is considered to be valid cookie consent? This is a highly debated question in privacy and data protection law, and EU member states have taken different views on what constitutes valid consent to cookies.

The question of valid consent was at the core of the ECJ’s Planet49 case, which provides a useful example of non-compliant cookie practices. The case involved an online gaming company, which had organised a promotional lottery on a website. Upon participating in the lottery, the website user could consent to the operation of cookies. Participants were required to fill in certain input fields and press a selection button in order to participate and, below these, was a pre-selected checkbox, according to which the participant accepted the installation of cookies. Accepting cookies was not a precondition for participating in the lottery and participants could refuse consent by deselecting the checkbox.

The ECJ confirmed that the requirements for cookie consent correspond to the requirements set out under the former Data Protection Directive[3] (95/46/EC), and consequently, the GDPR. In light of the GDPR, this ultimately means that cookie consent must meet the following requirements:

  • Specific and informed: Consent must be specific in that it must relate to clearly defined cookie use. In order for consent to be specific there must be appropriate information on the types and purposes of the cookies as outlined above.
  • Active choice: Consent has to be an active choice, which means that consent must be unambiguous. Passive behaviour, such as the failure to object to cookies without certainty of the user’s intention, will be in conflict with this requirement.
  • Freely given: Freely given consent entails real choice, which is not the case if the user is, for example, deceived into accepting cookies.

In the case at hand, ‘consent’ collected through a pre-ticked checkbox was not considered valid consent. The court especially stressed the active and unambiguous nature of valid consent. Failing to object to cookies is not active behaviour. The judgment also underlines that website and online service providers should pay particular attention to the layout used when providing information on and seeking consent to cookies. The view taken in the judgment precludes the possibility of giving consent to cookies at the same time as pressing a lottery participation button. These selections should be clearly separate. In addition, in order for consent to be clearly aimed at cookies, the button, link or box that indicates the consent must be close to where cookie information is presented.

Another particular problem with many website cookies relates to the timing of the consent. Practices where cookies are installed immediately when a user enters a website although the user has not yet selected to accept cookies cannot be considered acceptable. Some websites may try to circumvent this with cookie banners stating that using the website implies consent to cookies. This, in turn, does not comply with the requirement of active and unambiguous consent and does not exhibit real choice.

The Finnish Way – Consent Through Browser Settings

Despite seemingly strict restrictions, there is room to be creative in obtaining cookie consent. Possible tools to this end include splash screens, banners, modal dialog boxes and browser settings. In Finland, the position has been that obtaining consent through browser settings is a viable and user-friendly alternative. There are, however, clear differences in the EU in this respect and, in many member states, consent through browser settings is not deemed valid. As a result of the Planet49 case – which highlighted the unambiguous nature of consent – the Finnish Transport and Communications Agency reassessed its current cookie guidelines on 20 November 2019 in light of the judgment.

Although browser settings are deemed an acceptable method in Finland by the competent authority, the general cookie requirements apply. For example, websites must notify users of the cookie practices used, and consent through browser settings should be ‘given’, meaning that default settings should not allow cookies; instead, the user may change the settings to allow them. The Planet49 judgment relates to a broader development in EU data protection and privacy law where criteria for the consent of individuals are subjected to higher scrutiny. In an online world characterised by a predominance of default settings and website users who are unaware of the privacy implications of online activity, website and other service providers should be increasingly cautious when relying on individuals’ consent. Consent practices should be deployed and reassessed by genuinely considering whether a website user understands how his or her privacy is affected.

The ePrivacy Regulation (Still) Around the Corner

The Finnish rules on cookies are based on the EU ePrivacy Directive[4], which will be replaced by the ePrivacy Regulation in the future. The original (and ambitious) aim was that the regulation would be approved together with the entrance into application of the GDPR, on 25 May 2018, but current estimations predict approval in 2020 and application in 2022. Although the final contents remain uncertain, latest draft versions provide a certain sneak peek into the upcoming regulation.

In the latest version of the draft regulation published on 8 November 2019, there is a clear attempt to distinguish between harmful cookie practices and cookies which in themselves are not as depriving of end-users’ privacy. For example, the draft takes a critical view of cookie walls, i.e. practices where users are denied access to website content if they do not consent to all cookies. As users must have a genuine choice to consent or not, the draft regulation states that making website access dependent on cookie consent should include the possibility to choose between an offer to consent to all cookies and an offer with only necessary cookies. In other words, there should be alternative content for those not consenting to all cookies.

On the other hand, the draft recognises the benefits of non-harmful and legitimate cookies. Accordingly, under certain conditions, consent would not be required for the use of cookies for the purpose of audience measuring. Interestingly and in relation to the discussion on consent through browser settings, the draft regulation recognises the possibility and benefits of users granting cookie consent to specific service providers for specified purposes through software settings. Indeed, an overload of individual cookie pop-ups can easily lead to users dismissing their content and software settings provide a viable alternative in this respect.


Beyond Privacy Concerns?

Many of the contentious questions surrounding cookies relate to privacy and data protection. It is important to note that the use of cookies may have implications that extend beyond strictly privacy-related concerns. For example, a common aim of cookies is the enabling of targeted marketing to Internet users. In carrying out marketing based on cookies, it is important to observe the general requirements for marketing under consumer protection legislation.

Even beyond strictly legal concerns, any entity using or enabling the operation of cookies should carefully consider why and how cookies are being used. It is clear that cookies can be an acceptable and useful tool enabling website providers to develop their websites further, providing a more user-friendly browsing experience and rewarding popular websites through advertising revenue. Conversely, intrusive and unnecessary functionalities – even where technically legal – should be avoided. Such considerations should be a high priority for website and service providers. Users may well be deterred from using websites and services that they feel collect too much information or that provide confusing or overly technical information on cookies.

Looking Forward

With this article, we hope to encourage organisations to review their cookie practices and actively follow up on related developments. After a long wait, we are likely to know the final contents of the ePrivacy Regulation later next year, which will mean that organisations will have to review and reassess existing practices. We at Dittmar & Indrenius will be happy to assist in such projects.

[1] Judgment of the Court (Grand Chamber) of 1 October 2019 in the proceedings Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (repealed).
[4] Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
