Don't get caught with your hand in the EU cookie jar

Regulators are becoming increasingly attentive to compliance with the e-Privacy Directive.

In March 2019, The Dutch Data Protection Authority issued a guidance document concerning the use of cookie walls on websites. It stated that the use of cookie walls – which make access to websites conditional upon the provision of cookie consent – is prohibited with respect to tracking cookies. Around the same time, the German Conference of Data Protection Authorities published guidelines on internet tracking.

In July 2019, the UK Information Commissioner’s Office (ICO) and the French Data Protection Authority (CNIL) followed by publishing more general guidelines on the use of cookies. The latter confirms that access to websites must not be made conditional upon an individual being ‘forced to consent’ to being tracked across websites. The ICO adopted a more nuanced approach towards the use of cookie walls. It notes that not all cookies are necessarily intrusive or pose a high risk, and that the right to personal data protection is not absolute and must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business.

Finally, in October 2019, the Spanish Data Protection Authority fined Vueling with EUR 30,000 because visitors of its website were not able to configure the cookies that were installed on their computers. The Spanish DPA also published an updated guidance note on cookies in November 2019.

Key takeaways from the Belgian DPA’s decision

The Belgian Data Protection Authority followed this EU trend by imposing a fine of EUR 15,000 on a legal news website for lack of transparency in its cookies policy and for obtaining inadequate cookie consent.

The key takeaways from the (43-pages long) decision are the following:

  • Privacy Statements and Cookies Policies should be made available in all languages in which the website is accessible and should be easily accessible from the home page;
  • In these documents, IP addresses have to be qualified as personal data and the data controller should be expressly identified;
  • Inadequate cookie mapping can be qualified as negligence;
  • The consent exemption for ‘necessary cookies’ should be interpreted in a restrictive manner, meaning that also the use of analytical and statistical cookies (including the use of Google Analytics) in principle (limited exceptions could apply in exceptional cases) requires cookie consent in Belgium;
  • Valid cookie consent cannot be obtained by using pre-ticked boxes (or “by further browsing”?); and
  • The right to withdraw consent in an easy manner (and preferably in a granular manner) should be made explicit.

The fine of EUR 15,000 was calculated by taking into account the most recent annual accounts of the defendant, the fact that the DPA had to send several warning letters before adequate action was taken, and the negligence of the defendant in accurately mapping the use of cookies on its website.

Legal uncertainty due to fragmented regulation

In October 2019, also the EU Court of Justice got involved in the cookie debate. In its judgement in the “Planet 49” case, the Court stated that “the consent which a web user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must de-select to refuse his or her consent”.

In other words, the EU standard for cookie consent is the users’ active consent and – contrary to what has been common practice in several EU Member States since many years – pre-ticked boxes do not amount to a valid consent under the GDPR or the e-Privacy Directive.

Following this judgement, many companies have engaged providers of cookie management software to provide users with clear, granular consent options. It remains however unclear – as this topic is still regulated on a country-by-country basis – which types of cookies (e.g. statistical or analytical cookies) are subject to (or exempt from) the consent requirement.

Still waiting for further harmonisation at EU level

On 10 January 2017, the European Commission presented its proposal for a Regulation on Privacy and Electronic Communications (“e-Privacy Regulation”) to replace the e-Privacy Directive.

The proposal contained new, harmonised rules on (1) the use of cookies, and (2) electronic direct marketing and telemarketing, which would be directly applicable in all EU Member States. The overall intention was to replace cookie consent banners by pre-set browser cookie settings.

Although there is a general consensus that further harmonisation of the cookie rules at EU level is indeed required, the draft e-Privacy Regulation has been subject to extensive lobbying. In September 2019, an updated draft proposal was presented. On 22 November 2019, the Council of the EU rejected this proposal. It is therefore (unfortunately) rather unlikely that a final text will still be adopted in 2020. In the meanwhile, national cookie laws will continue to apply (and to be applied and interpreted by the national Data Protection Authorities).