At the end of January 2020, the Belgian supervisory authority, the Data Protection Authority (“DPA”), published the final version of its Strategic Plan 2019-2020. The DPA listed “online privacy” among the priority topics at the social and societal level. According to the DPA, “The collection of data relating to Internet users, for example through ‘cookies’, is the basis for the formation of colossal databases containing behavioral data relating to all these Internet users”. The DPA recently updated the “Cookie” page of the “Professional” section of its website: in the “FAQ” sub-section, any visitor can find the DPA’s consolidated guidelines and specifications on the cookie rules and the practices to adopt.
From a reminder of the established principles to the recent requirements of the DPA, we take stock of the situation hereinafter.
Valid consent. In line with the GDPR, the DPA recalls that consent to the placement and reading of cookies must be free, specific, informed and withdrawable:
- free: the data subject must be able to exercise his/her choice validly, without being exposed to negative consequences if he/she refuses to give consent. Therefore, the implementation of cookie walls – i.e. blocking access to a website or application if the user objects to the placement of cookies – is not in compliance with the GDPR. Consent may also not be sought in exchange for an advantage or reward.
- specific: regarding the specific character of consent, the DPA introduces a new requirement: the gradual choice per cookie. Through a first information layer, the operator of the cookies must enable a choice per cookie type (e.g. cookies for audience measurement, for marketing targeting, etc.). Through a second information layer, once the user has been able to consent per type of cookie, the user should have the possibility, if he/she wishes, to express his/her consent individually per cookie.
Accordingly, the DPA is of the opinion that the user’s browser settings alone do not constitute valid consent, since they do not allow the user to express a choice per type of cookie.
The question is therefore how, in practice, to enable this gradual choice in two phases. The DPA does not provide any guidance in this respect. Cookies (and other similar technologies) are technological tools of varying degrees of complexity, both in their own functioning and in their interconnections with other elements of electronic communications networks. In addition, some cookies operate on a group basis (e.g. Google Analytics cookies). What if a user consents to the placement of one cookie but not to the placement of the other cookie(s) with which that cookie must necessarily interact for the intended purpose? More fundamentally, the owners of websites/applications – who generally subcontract the management thereof to third-party companies – must eventually allow each user to individually select the cookies to which they consent, potentially on each new visit. For websites and other applications that count tens of thousands of visits per hour, implementing “à la carte” consent will undoubtedly raise serious technical and practical questions that the DPA will have to answer.
- informed: prior to expressing his/her consent, the user must be informed in a clear and precise manner of (i) the processing carried out via the relevant cookies (identity of the data controller, purposes of placing and reading the cookies, personal data processed by the cookies and their lifetime); and (ii) the user’s rights pursuant to the GDPR, such as the right to withdraw his/her consent afterwards.
- withdrawable: the user must be able to withdraw his/her consent at any time, as easily as he/she gave it.
In any case, it is up to the operator of the cookies to demonstrate that consent has been validly collected, for example by means of logs or other files that keep track of transactions.
Active consent. In addition to being free, informed, specific and withdrawable, the consent must be the result of the data subject’s positive action. Following the example of the CNIL (the French supervisory authority), the DPA specifies that further browsing by the user is not sufficient to obtain valid consent within the meaning of the GDPR. An action by the data subject is required, such as ticking a check box (pre-ticked boxes are not sufficient), clicking a button or moving a slider.
Exception to consent. The exception remains unchanged: only so-called functional cookies do not require the data subject’s prior consent. These are cookies that are necessary for sending a communication via an electronic communications network or for providing the service expressly requested by the user of the website or application. Furthermore, the DPA guidelines state that functional cookies must be valid for a limited period of time, either per session or for a “slightly” longer period of time.
Examples of functional cookies listed by the DPA include: session cookies (or persistent cookies limited to a few hours) used to store information entered by the user when completing online forms on multiple pages or to save items that the user selected in his/her shopping cart; authentication cookies used, for the duration of a session, for authenticated services such as e-payment or e-banking services; session cookies installed by media players (e.g. flash player cookies) for the duration of a session; or persistent user interface customization cookies, for the duration of a session (or slightly longer), such as language preference or result display cookies. If such personalization cookies are intended to last (much) longer than the user’s session, prior consent is required.
WARNING: although prior consent is not required for the placement and reading of functional cookies, the obligation to provide the user with clear and precise information about such cookies and their purposes remains.
Social network plug-ins. The user’s prior consent must be validly collected before activating any social network plug-in on the website or mobile application. Indeed, such plug-ins (the “Like” or “Share” button on Facebook, Instagram, Twitter, LinkedIn, etc.) allow the collection of data even when the user does not have an account on the social networks associated with these plug-ins.
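The following is an added illustration of how the points above fit together in code: the two-layer (“gradual”) choice per cookie type and then per individual cookie, the refusal of further browsing as a form of consent, withdrawal in a single action, a record of each decision that the operator can later produce as evidence, and a gate that a social network plug-in (or any other consent-dependent script) must pass before it is activated. It is not the DPA’s guidance or any vendor’s consent SDK; the cookie names, types and the `requires` dependencies are assumptions, and treating a group of interdependent cookies as all-or-nothing is a design choice made here to answer the “group basis” question raised above, not something the DPA prescribes.

```javascript
// Two-layer cookie consent with an evidence log and a loader gate.
// Added illustration only; inventory, names and the all-or-nothing rule for
// interdependent cookies are assumptions, not DPA requirements.

// Assumed inventory. `requires` lists sibling cookies a cookie cannot work
// without (the "group basis" problem).
const COOKIE_INVENTORY = {
  functional: [{ name: 'sessionid', requires: [] }], // exempt from consent
  analytics: [
    { name: 'an_id', requires: ['an_visit'] },
    { name: 'an_visit', requires: ['an_id'] },
  ],
  marketing: [
    { name: 'ad_profile', requires: [] },
    { name: 'social_like_button', requires: [] },
  ],
};

// Only a positive action counts as consent; scrolling or navigating does not.
const ACTIVE_METHODS = new Set(['click', 'checkbox', 'slider']);

class ConsentManager {
  constructor(inventory, clock = () => new Date().toISOString()) {
    this.inventory = inventory;
    this.clock = clock;
    this.accepted = new Set(); // empty by default: nothing is pre-ticked
    this.records = [];         // one evidence entry per decision
  }

  cookiesOfType(type) {
    const list = this.inventory[type];
    if (!list) throw new Error(`unknown cookie type: ${type}`);
    return list.map((c) => c.name);
  }

  lookup(name) {
    for (const [type, list] of Object.entries(this.inventory)) {
      const c = list.find((x) => x.name === name);
      if (c) return { type, ...c };
    }
    throw new Error(`unknown cookie: ${name}`);
  }

  // Every decision is logged with a timestamp and the action that produced it,
  // so the operator can later show how consent was obtained or withdrawn.
  record(action, target, accepted, method) {
    if (!ACTIVE_METHODS.has(method)) {
      throw new Error(`consent requires a positive action, got "${method}"`);
    }
    this.records.push({ ts: this.clock(), action, target, accepted, method });
  }

  // Layer 1: accept or refuse a whole cookie type.
  setType(type, accepted, method) {
    if (type === 'functional') throw new Error('functional cookies need no consent');
    this.record('type', type, accepted, method);
    for (const name of this.cookiesOfType(type)) {
      if (accepted) this.accepted.add(name); else this.accepted.delete(name);
    }
  }

  // Layer 2: refine the choice for one cookie, overriding the type choice.
  setCookie(name, accepted, method) {
    const c = this.lookup(name);
    if (c.type === 'functional') throw new Error('functional cookies need no consent');
    this.record('cookie', name, accepted, method);
    if (accepted) this.accepted.add(name); else this.accepted.delete(name);
  }

  // Withdrawal must be as easy as giving consent: one action clears everything.
  withdrawAll(method) {
    this.record('withdraw', '*', false, method);
    this.accepted.clear();
  }

  // Functional cookies may always be placed; any other cookie only if it and
  // every cookie it depends on were explicitly accepted.
  canPlace(name) {
    const c = this.lookup(name);
    if (c.type === 'functional') return true;
    return this.accepted.has(name) && c.requires.every((r) => this.accepted.has(r));
  }

  // Gate for consent-dependent loaders, e.g. injecting a plug-in's script tag.
  // Returns whether the loader actually ran.
  whenAllowed(name, load) {
    if (!this.canPlace(name)) return false;
    load();
    return true;
  }
}

// Walk-through on the assumed inventory (fixed clock for reproducibility).
function demo() {
  const cm = new ConsentManager(COOKIE_INVENTORY, () => '2020-02-01T10:00:00Z');
  const before = cm.canPlace('social_like_button');    // false: nothing pre-accepted
  cm.setType('marketing', true, 'click');               // layer 1: whole type
  cm.setCookie('ad_profile', false, 'checkbox');        // layer 2: refuse one cookie
  cm.setCookie('an_id', true, 'checkbox');              // partner an_visit still refused
  let pluginLoaded = false;
  cm.whenAllowed('social_like_button', () => { pluginLoaded = true; });
  const result = {
    before,
    pluginLoaded,
    adProfile: cm.canPlace('ad_profile'),
    analyticsId: cm.canPlace('an_id'),                  // false: an_visit not accepted
    session: cm.canPlace('sessionid'),
    records: cm.records.length,
  };
  cm.withdrawAll('click');
  result.afterWithdrawal = cm.canPlace('social_like_button');
  return result;
}
```

In a real site the `load` callback would append the plug-in’s `<script>` element; the point of the gate is that the element is never created until the corresponding cookie has been accepted, and that the same `ConsentManager` state drives every consent-dependent cookie, so the evidence log and the running page cannot disagree.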
Regulation of cookie use is a good example of the confrontation between law and technology and of the practical difficulties that arise from it. Putting in place cookie practices that comply with the GDPR and related provisions is not easy and can be cumbersome. We would of course be pleased to answer any questions you may have.