Cookies have been around for a very long time: Netscape first used them to recognise repeat visitors to its own website. They have since become ubiquitous, with few website users giving any thought to what they do or what their impact is.
Essentially small name/value records that a website stores in the user’s browser (or other equipment) and that the browser sends back on later requests, cookies are used for things such as session state, website user details, or equipment identification, and may seem innocuous. However, as early as the 1990s concerns were being expressed about their impact on privacy.
So, it’s no surprise that cookies (and any other technology that stores or accesses information on a user’s device) have been directly regulated in the EU since 2003 by the ePrivacy Directive (2002/58/EC), augmented by data protection law – first by the pre-existing Data Protection Directive (95/46/EC) and most lately by the General Data Protection Regulation (2016/679).
Cookie enforcement has arrived
Despite this regulation, the use of cookies and similar technologies has become more widespread, more invasive, and far more impactful. By tracking our activities across the web, cookies now disclose huge amounts of our information and influence far more than our experience on a single website. Yet enforcement of cookie regulation has not kept pace with this proliferation.
This is now changing. EU supervisory authorities now seem actively engaged in ensuring businesses are aware of their responsibilities in respect of cookies, and enforcement action is on the up. This week, the stakes have been raised further. On October 1, the European Court of Justice (Case C-673/17, Planet49) made very clear the legal requirements to be met before any cookies can be dropped on a website user’s equipment:
- consent must be sought from the user before the storage of information or access to information already stored in a website user’s equipment, whether or not by way of cookies;
- consent is required regardless of whether the information stored or accessed is personal information;
- consent cannot be provided by way of de-selection, opt-out or refusal; and
- sufficient information must be given to ensure the user is aware of how the cookies will be used. This includes providing the duration of the operation of the cookies and whether or not third parties may have access to those cookies.
The way is now clear for supervisory authorities to make unequivocal determinations on cookie use, and for enforcement of unlawful use.
The impact of enforcement for website owners
In the same way as unlawful SMS and email messaging are high-risk activities, unlawful cookie use is now much more likely to attract costly enforcement action in local forums – action that can be taken against the website owners and their directors, and which can be accompanied by the use of wide-ranging enforcement powers.
These actions will likely be prompted by user complaints. Increasingly, consumers are more aware of their privacy rights and so will see unlawful cookie use as a means of leverage in disputes with website owners. Individuals who suffer loss or damage as a result of unlawful cookie use can also claim damages – an extra incentive for complaint.
In short, website owners can no longer consider unlawful cookie use as being low risk and so should take immediate action to ensure their websites are compliant.
Making website cookie use compliant
There are 3 simple ways to ensure cookie use is compliant:
Don’t drop cookies immediately
Cookies must not be dropped onto user equipment:
- unless it is strictly necessary for the operation of the website; or
- for cookies that are not strictly necessary, until the website user’s consent for the use of the cookie has been given.
For the avoidance of doubt, it is not lawful to drop cookies pending consent.
Get proper consent
Website user consent is required for any cookies that are not strictly necessary for the operation of the website. It does not matter that the cookie does not collect personal data.
Consent to cookie use must meet the standards of the GDPR, so it must be freely given, specific, informed, and unambiguous:
- The consent must amount to a clear affirmative action (such as an opt-in through checking a tick-box). Consent will not be valid if no affirmative action is required to demonstrate consent. Pre-ticked consent boxes, consent through inference (such as continuing to use the website), or simply clicking “accept” to a general statement will not fulfil the conditions of consent. From a user perspective, the default must always be that cookies are not utilised unless the user has completed a positive action to specifically permit the cookies. Doing nothing, closing a dialogue box, or just using the website, will not amount to consent.
- Separate consent must be provided for separate cookie functions. A bundled single consent (even if it meets the requirements above) will not be valid. Consent options should clearly separate different functions (such as ad re-targeting, analytics, social media plug-ins such as Facebook, etc.), with only the consented cookies operating once selected.
- Utilisation of the website and its functions cannot be made conditional on the consent of the website-user to the use of cookies (and remember, cookies that are strictly necessary for the use of the website do not need consent).
Wherever consent is sought, you must also provide a means both for consent to be withdrawn, and the use of the relevant cookies to cease on withdrawal of consent. Withdrawal of consent should be without detriment to the website user.
Provide sufficient information
Website-users must be provided with clear information on each cookie. This will include its identification, what it does, what information it will collect, where the information it collects will be used and for what purpose, and for how long the cookie will persist, together with any other information required to meet the GDPR’s transparency principle.
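The gating logic the three requirements above describe, as an added example in JavaScript (not code from the original article, which contains none): a small consent gate that sets nothing non-essential until the user has opted in to that category, runs third-party loaders only after the opt-in, and deletes the category’s cookies when consent is withdrawn. The cookie store is abstracted behind a three-method interface so the same logic can wrap document.cookie in a browser or run offline in Node against the in-memory store shown; the category names, cookie names, lifetimes and loaders are assumptions made for illustration.

```javascript
// Consent gate for non-essential cookies. Added example; not code from the
// article. The store is a three-method interface (set/get/remove) so the same
// logic can wrap document.cookie in a browser or run offline against the
// in-memory store below.

const NECESSARY = "necessary"; // the only category that never needs consent

// In-memory stand-in for document.cookie, constructed for this example.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, attrs) { this.jar.set(name, { value, ...attrs }); }
  get(name) { return this.jar.has(name) ? this.jar.get(name).value : undefined; }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()].sort(); }
}

class ConsentGate {
  // `categories` are the non-essential purposes shown to the user, each with
  // its own toggle (assumed here: analytics and advertising).
  constructor(store, categories) {
    this.store = store;
    // Every non-essential category starts unconsented: no pre-ticked boxes, and
    // closing or ignoring the dialog leaves this map untouched.
    this.consent = new Map(categories.map((c) => [c, false]));
    this.consent.set(NECESSARY, true);
    this.registry = new Map(); // cookie name -> category, from the cookie audit
    this.loaders = new Map();  // category -> third-party loaders held back until consent
  }

  allowed(category) {
    if (!this.consent.has(category)) throw new Error(`unknown cookie category: ${category}`);
    return this.consent.get(category);
  }

  // Register code (e.g. a tag or pixel loader) that must not run until the user
  // has opted in to its category; runs at once if consent already exists.
  onConsent(category, fn) {
    if (this.allowed(category)) { fn(); return; }
    if (!this.loaders.has(category)) this.loaders.set(category, []);
    this.loaders.get(category).push(fn);
  }

  // Called only from an explicit per-category opt-in (the user ticked a box).
  grant(category) {
    if (category === NECESSARY || this.allowed(category)) return;
    this.consent.set(category, true);
    const pending = this.loaders.get(category) || [];
    this.loaders.set(category, []);
    pending.forEach((fn) => fn());
  }

  // Withdrawal must actually stop the cookies, so the category's cookies are
  // deleted rather than left to expire.
  withdraw(category) {
    if (category === NECESSARY || !this.allowed(category)) return;
    this.consent.set(category, false);
    const names = [...this.registry].filter(([, c]) => c === category).map(([n]) => n);
    for (const name of names) { this.store.remove(name); this.registry.delete(name); }
  }

  // The single path through which the site sets cookies. Returns false and sets
  // nothing while the category is unconsented (no "drop now, ask later").
  setCookie(name, value, category, maxAgeDays) {
    if (!this.allowed(category)) return false;
    this.registry.set(name, category);
    this.store.set(name, value, { category, maxAgeDays });
    return true;
  }
}

// A page-load walkthrough with the gate in place (flow constructed for the example).
function demo() {
  const store = new MemoryCookieStore();
  const gate = new ConsentGate(store, ["analytics", "advertising"]);
  const loaded = [];
  gate.onConsent("analytics", () => loaded.push("analytics-tag"));
  gate.onConsent("advertising", () => loaded.push("retargeting-pixel"));

  gate.setCookie("sessionid", "s-8f3a", NECESSARY, 0); // strictly necessary: set at once
  const droppedEarly = gate.setCookie("analytics_uid", "u-42", "analytics", 730);
  const beforeConsent = store.names();                 // only the session cookie

  gate.grant("analytics");                             // user ticked analytics only
  gate.setCookie("analytics_uid", "u-42", "analytics", 730);
  const afterAnalytics = { cookies: store.names(), loaded: [...loaded] };

  gate.withdraw("analytics");                          // user changes their mind
  const afterWithdraw = store.names();

  return { droppedEarly, beforeConsent, afterAnalytics, afterWithdraw };
}
```

In a browser the checkbox change handlers are the only callers of grant() and withdraw(); the “close” button and continued browsing call nothing, which is the point: the default path sets no non-essential cookie and runs no third-party loader. The registry and the maxAgeDays attribute recorded on each cookie are also the raw material for the information duty: the cookie name, its category (purpose), its lifetime and whether a third party loads it are what the cookie notice must state.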
What to do next
There are some things you should do immediately as a website owner.
Cookie audit
Complete an audit of your website to understand exactly what cookies are used, and why, when they are deployed, for how long, and what the information they collect is actually used for and who it is shared with.
Get rid of unused cookies
If the purpose of any cookie(s) is not clear, or they are not used, then remove them.
Identify necessary cookies
Establish which cookies are strictly necessary for the operation of the website from the perspective of the user – those without which a service the user has explicitly requested cannot be delivered (for example a session cookie, a shopping-basket cookie or a load-balancing cookie). Cookies that merely improve, personalise or measure the experience, such as analytics, do not fall into this category even if removing them would degrade the site.
Attain cookie compliance
For all other cookies, put in place a means to ensure their deployment is compliant, in line with the guidelines set out above. This must include ensuring valid consent is obtained. Consider also what additional data protection compliance may be needed in respect of the particular cookie where it is collecting, storing and processing personal data.
Establish an internal cookie procedure
Develop and implement a procedure to ensure that the use of cookies on your website is actively managed, and compliance is maintained. This should include a review process that is signed-off before cookies are installed.
Need help?
If you need help evaluating your website for cookie use, or its deployment of technology that accesses the information of website-users, enters their terminal equipment or browser, or traces their activities, we will be very happy to assist.
Further reading – C-673/17 (Planet49) judgment: http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=2163863