A Baker Tilly network member

News 14 October 2020

Use of cookies on websites and apps. Short reminder of the principles, exceptions and implementation in practice.

Only a few websites and mobile applications do not make use of cookies or other tracking tools. Cookies are ubiquitous, regardless of the content of the websites or applications, or the sector in which their owners or operators are active.

Since the publication of the General Data Protection Regulation (“GDPR”) in 2016, and even more since its entry into force on 25 May 2018, the application of the (new) principles of privacy protection and personal data processing to cookies has been the subject of much discussion in Europe. Between guidelines and recommendations, the national supervisory authorities in the various Member States have endeavored to “regulate” the use of cookies by the digital economy’s actors, with the common denominator of limiting interference in the citizens’ privacy.

At the end of January 2020, the Belgian supervisory authority, i.e. the Data Protection Authority (“DPA”), published the final version of its Strategic Plan 2019-2020. The DPA listed “online privacy” among the priority topics at the social and societal level. According to the DPA, “The collection of data relating to Internet users, for example through ‘cookies’, is the basis for the formation of colossal databases containing behavioral data relating to all these Internet users”. The DPA recently updated the “Cookie” page of the “Professional” section of its website. More precisely, any visitor can, in the “FAQ” sub-section, find the DPA’s consolidated guidelines and specifications with respect to the cookie rules and practices to adopt.

From a reminder of the established principles to the recent requirements of the DPA, we take stock of the situation hereinafter.

Consent. This is nothing new. Under both national and European legislation, the installation of cookies (or other tracking tools) on a user’s computer (or any other device) requires said user’s prior consent. In its “Planet49” decision of 1 October 2019, the Court of Justice of the European Union confirmed that consent as defined in the GDPR is required, even when the data processed by the cookies do not constitute personal data. Specifically, the installation and use of cookies require consent that meets the following conditions:

  • free: the data subject must be able to exercise his/her choice validly, without being exposed to negative consequences if he/she refuses to give consent. Therefore, the implementation of cookie walls – i.e. blocking access to a website or application if the user objects to the placement of cookies – is not in compliance with the GDPR. Consent may also not be sought in exchange for an advantage or reward.
  • specific: general consent for the use of cookies, without further specification, is not valid. Indeed, consent must be given in relation to the specific purposes of the cookies for which the consent is asked. In this respect, the DPA now specifies that “all or nothing” choices are not valid.

Regarding the specific character of consent, the DPA introduces a new requirement: the gradual choice per cookie. Through a first information layer, the operator of cookies must enable a choice per cookie type (e.g. cookies for audience measurement, for marketing targeting, etc.). Through a second information layer, once the user has been able to consent per type of cookie, he/she should have the possibility, if he/she wishes, to express his/her consent individually per cookie.

Accordingly, the DPA is of the opinion that the mere setting of the browser by the user does not, as such, constitute valid consent since it is not possible for the user to express his/her choice per type of cookie.

The question is therefore how, in practice, this gradual choice in two phases can be enabled. The DPA does not provide any guidance in this respect. Cookies (and other similar technologies) are technological tools of varying degrees of complexity, both in their own functioning and in their interconnections with other elements of electronic communications networks. In addition, some cookies operate on a group basis (e.g. Google Analytics cookies). What if a user consents to the placement of a cookie but not to the placement of the other cookie(s) with which such cookie must necessarily interact for the intended purpose? More fundamentally, the owners of websites/applications – who generally subcontract the management thereof to third party companies – must eventually allow each user to individually select the cookies to which they consent, potentially for each new visit. For websites and other applications that count tens of thousands of visits per hour, implementing “à la carte” consent will undoubtedly raise serious technical and practical questions that the DPA will have to answer.

  • informed: prior to expressing his/her consent, the user must be informed in a clear and precise manner of (i) the processing carried out via the relevant cookies (identification of the data controller, purposes of the cookies placement and reading, personal data processed by the cookies and validity duration); and (ii) the user’s rights pursuant to the GDPR, such as the right for the user to withdraw his/her consent afterwards.
  • withdrawable: the user must be able to withdraw his/her consent at any time, as easily as he/she gave it.

In any case, it is up to the operator of the cookies to demonstrate that consent has been validly collected, for example by means of logs or other files that keep track of transactions.

Active consent. In addition to being free, informed, specific and withdrawable, the consent must be the result of the data subject’s positive action. Following the example of the CNIL (the French supervisory authority), the DPA specifies that further browsing by the user is not sufficient to obtain valid consent within the meaning of the GDPR. An action by the data subject is required, such as ticking a check box (pre-ticked boxes are not sufficient), clicking a button or sliding a cursor.

Exception to consent. The exception remains unchanged: only so-called functional cookies do not require the data subject’s prior consent. These are cookies that are necessary for sending a communication via an electronic communications network or for providing the service expressly requested by the user of the website or application. Furthermore, the DPA guidelines state that functional cookies must be valid for a limited period of time, either per session or for a “slightly” longer period of time.

Examples of functional cookies listed by the DPA include: session cookies (or persistent cookies limited to a few hours) used to store information entered by the user when completing online forms on multiple pages or to save items that the user selected in his/her shopping cart; authentication cookies used, for the duration of a session, for authenticated services such as e-payment or e-banking services; session cookies installed by media players (e.g. Flash Player cookies) for the duration of a session; or persistent user interface customization cookies, for the duration of a session (or slightly longer), such as language preference or result display cookies. If such personalization cookies are intended to last (much) longer than the user’s session, prior consent is required.

WARNING: although prior consent is not required for the placement and reading of functional cookies, the obligation to provide the user with clear and precise information about such cookies and their purposes remains.

Social network plug-ins. The user’s prior consent must be validly collected before activating any social network plug-in on the website or mobile application. Indeed, such plug-ins (the “Like” or “Share” button on Facebook, Instagram, Twitter, LinkedIn, etc.) allow the collection of data even when the user does not have an account on the social networks associated with these plug-ins.

Cookie policy. Whether or not cookies are functional, the placement and reading of cookies on the user’s device must be subject to clear and precise information. The challenge for the cookie operator is to convey this information, which is partly (very) technical, in easily accessible language.

Again, this is nothing new. The operator of a website or application that uses cookies must publish a cookie policy. Whether this cookie policy is part of the general privacy policy of the website or application or a separate document, it must include at least the following information:

  • the identity and contact details of the data controller (and of the DPO, if applicable);
  • the types of cookies used, their purposes and their duration of operation;
  • whether third parties have access to the cookies and, if so, the identification of such third parties;
  • the manner in which the user can delete the cookies;
  • the legal ground for the processing carried out via the cookies (this will necessarily be consent for all cookies other than functional ones);
  • the duration of data retention (which in no case may be longer than is necessary for the fulfilment of the intended purpose);
  • the user’s rights and how to exercise them, such as the right to withdraw consent at any time or to lodge a complaint with the DPA; and
  • the existence of automated decision making (e.g. in the event of profiling).

In practice, the use of cookies is announced, during the first visit or after the user has deleted the cookies from the browser, in a cookie banner or a dedicated pop-up window, which refers to the cookie policy. Since further browsing is no longer sufficient for the collection of consent for the placement of non-functional cookies, it is at this stage that the cookie operator must allow the user to express his/her consent through an active process (cf. the two layers of information and the gradual choice per cookie, as described above). The method commonly applied is the display of a table of the cookies used, classified by type, with, for each type, the option to accept or reject their placement by means of a tick box.
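As an added example (not from this article or from any DPA material), the following browser-side consent model implements the two-layer choice described above: a decision per cookie type, optionally refined per cookie, with functional cookies exempt, no pre-ticked choices, one-step withdrawal and one log entry per decision so the operator can later demonstrate how consent was collected. The cookie names, the type names and all function names are constructed assumptions.

```javascript
// Constructed cookie registry for illustration: names and types are not from the article.
const COOKIE_REGISTRY = {
  functional: ["session_id", "cart", "lang"], // exempt from consent, still disclosed in the policy
  analytics: ["_ga", "_gid"],                 // audience measurement
  marketing: ["ads_id"],                      // marketing targeting
};
function cookieType(name) {
  return Object.keys(COOKIE_REGISTRY).find((t) => COOKIE_REGISTRY[t].includes(name)) || null;
}
// Fresh state: no type ticked, no per-cookie choice, empty log (nothing is pre-ticked).
function createConsentState() {
  return { types: {}, cookies: {}, log: [] };
}
function assertConsentable(type) {
  if (!type || type === "functional") throw new Error("type is unknown or exempt: " + type);
}
// Layer 1: decision per cookie type. It replaces any earlier per-cookie choice for that type.
function setTypeConsent(state, type, granted, at = Date.now()) {
  assertConsentable(type);
  state.types[type] = granted;
  for (const name of COOKIE_REGISTRY[type]) delete state.cookies[name];
  state.log.push({ at, scope: "type", type, granted });
  return state;
}
// Layer 2: decision for one named cookie, overriding the type-level choice.
function setCookieConsent(state, name, granted, at = Date.now()) {
  const type = cookieType(name);
  assertConsentable(type);
  state.cookies[name] = granted;
  state.log.push({ at, scope: "cookie", name, granted });
  return state;
}
// Withdrawal in one step, as easy as giving consent; the log keeps the evidence.
function withdrawAll(state, at = Date.now()) {
  for (const type of Object.keys(COOKIE_REGISTRY)) if (type !== "functional") state.types[type] = false;
  state.cookies = {};
  state.log.push({ at, scope: "all", granted: false });
  return state;
}
// Gate to call before any cookie is written: absence of a decision means refusal.
function isCookieAllowed(state, name) {
  const type = cookieType(name);
  if (type === null) return false;          // unregistered cookies are never set
  if (type === "functional") return true;   // exempt, but must appear in the cookie policy
  if (name in state.cookies) return state.cookies[name];
  return state.types[type] === true;
}
```

The per-cookie layer only needs to be shown once the user has made a type-level choice; the gate is what keeps a refused or undecided cookie from being set.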

It is now well established that the following generic text on the home page is no longer sufficient to meet the requirement for consent under the GDPR: “By actively continuing your visit to this website, you consent to the use of cookies to enhance your browsing experience”. Any placement of cookies other than functional cookies relying exclusively on this formula will be illicit and therefore subject to sanctions. Such sanctions are no longer purely hypothetical, as was the case under the former Privacy Act of 8 December 1992. In a decision of 17 December 2019, the DPA imposed an administrative fine of EUR 15.000,00 on the operator of a website for cookie practices and use that did not comply with the GDPR.

Regulation on cookie use is a good example of the confrontation between law and technology and the practical difficulties that arise therefrom. Putting in place cookie practices that conform to the GDPR and related provisions is not easy and can be cumbersome. We would of course be pleased to answer any questions you may have.