Cookies are already a very common part of web browsing and of the architecture of most modern websites. This is perhaps why the area of cookies and their legal regulation is still evolving, especially as regards the processing of personal data through them.
What are cookies and why are they important for providers?
Cookies are short text files (user traces) stored on a supported user device when the user visits a website. These files generally contain information about the user and their activity on the website, such as language preferences, login details or records of the visitor’s activity and behaviour on the website – but such information must be regarded as personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter the “GDPR”).
The Cookies Policy is an information document that serves to inform users about what data is processed using cookies and how this data is used. This document should be accessible on the website of the provider (usually in the footer of the website) and should be easily accessible to users.
The main objective of the Cookies Policy is to provide users with transparent information about what data is processed by cookies, thus enabling them to make decisions about their privacy and whether or not they want to be tracked, or to what extent.
In addition to providing information about the processing of personal data using cookies, the Cookies Policy should also include information on how users can exercise their rights in relation to the processing of their personal data under the GDPR. This means that users should be informed that they have the right to access their personal data, the right to rectification of that data, the right to erasure of personal data and other rights in relation to the processing of personal data.
It is important that the provider complies with the established data protection rules and that the information provided in the Cookies Policy is up-to-date and accurate. If the provider decides to make changes to the Cookies Policy, it should inform users of these changes and ensure that users are informed of the new conditions for processing personal data using cookies.
The cookie bar is important for GDPR compliance and must be properly implemented to be effective.
Cookie bars consist of a few basic elements:
The cookie bar should always refer to the Cookies Policy in a simple and accessible way.
How to implement the cookie bar correctly?
Proper implementation of the cookie bar includes adherence to the principles of transparency, user choice and privacy. The provider should ensure that users have the ability to easily close or ignore the cookie bar and have a clear and understandable description of what happens if they do or do not allow cookies.
Conversely, the provider should avoid any unethical practices (Dark Patterns) that involve making it purposely difficult to close the cookie bar or using tricks to get users to allow cookies without their knowledge – e.g., covertly setting a consent cookie or requiring users to accept cookies to access a website are contrary to the GDPR and may lead to penalties.
Another example of unethical practice may be the use of confusing language or incorrect placement of the cookie bar, for example in a place where users can easily miss it or mistake it for part of a banner or advertisement. The provider should avoid such practices and ensure that users have real choice and access to important information about cookies and their use.
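As an added example (not code from the article or its authors), the following plain-JavaScript consent gate models the rules described above: non-technical cookies are set only after an explicit opt-in, rejecting is a single step just like accepting, the consent cookie is written only after a real decision rather than covertly on first visit, and cookie lifetimes are capped. The category names, the cookie registry and the 13-month cap are assumptions.

```javascript
// Constructed example; category names and the lifetime cap below are assumptions.
const NON_TECHNICAL = ["analytics", "marketing"];
const MAX_AGE_SECONDS = 13 * 30 * 24 * 3600; // assumed cap on cookie lifetime (~13 months)

// Constructed registry of the site's cookies and their categories. Anything not
// listed here is refused outright, which forces every cookie to be categorised.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  cookie_consent: "necessary",
  _ga: "analytics",
  ad_id: "marketing",
};

// Fresh state on page load: no decision yet, only technical cookies permitted.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Records an explicit decision. Omitted categories stay off, so "reject all"
// is the same single step as "accept all" (no extra form to fill in).
function recordDecision(choices) {
  const state = { decided: true, analytics: false, marketing: false };
  for (const cat of NON_TECHNICAL) state[cat] = choices[cat] === true;
  return state;
}
const acceptAll = () => recordDecision({ analytics: true, marketing: true });
const rejectAll = () => recordDecision({});
const withdraw = rejectAll; // consent can be taken back later; same effect as rejecting

// May this cookie be set under the current consent state?
function canSet(state, name) {
  const cat = COOKIE_REGISTRY[name];
  if (cat === undefined) return false;  // uncategorised cookie: never set
  if (cat === "necessary") return true; // technical cookies need no consent
  return state.decided && state[cat] === true;
}

// Builds a Set-Cookie value, or null when consent does not cover the cookie.
function buildSetCookie(state, name, value, maxAge = MAX_AGE_SECONDS) {
  if (!canSet(state, name)) return null;
  const age = Math.min(maxAge, MAX_AGE_SECONDS);
  return `${name}=${encodeURIComponent(value)}; Max-Age=${age}; Path=/; Secure; SameSite=Lax`;
}

// The consent cookie records the user's choice and is written only after an
// explicit decision, never on first visit before the user has acted.
function consentCookie(state) {
  if (!state.decided) return null;
  const choices = { analytics: state.analytics, marketing: state.marketing };
  return buildSetCookie(state, "cookie_consent", JSON.stringify(choices));
}
```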
The most common cookie bar defects and selected decisions
In 2022, the Data Protection Authority (hereinafter the “DPA”), which oversees compliance with the principles contained in the GDPR, issued a press release stating that the main deficiencies identified historically include the use of non-technical cookies without consent, cookies stored for too long, the lack of an option to opt out of non-technical cookies, incorrect categorisation of cookies, a lack of specific information about the cookies used, different visibility of the buttons for opting in to and opting out of non-technical cookies, incorrect classification of cookies, information about cookies in a foreign language, and a cookie bar that makes the website difficult to read.
It is the DPA that oversees compliance with the rules on the processing of personal data and compliance with all obligations under the GDPR, including in relation to providers.
For illustration purposes, we attach below a selection of interesting decisions of the DPA, which illustrate that the DPA deals with compliance with the principles of processing personal data obtained through cookies in detail. The DPA carries out inspections on its own initiative or, where appropriate, on the basis of complaints from the public. If a violation is found, the natural or legal person is informed of the result of the inspection by the DPA and is given time to remedy the situation; in the event of non-compliance, a sanction is imposed, the amount of which depends on the severity of the violation.
The European Data Protection Board (hereinafter the “EDPB”), the highest supervisory authority in the field of the GDPR, has adopted guidelines on data subject rights which focus on the right of access. The aim of these guidelines is to analyse the different aspects of the right of access and to clarify how it should be applied in different situations. The guidelines also clarify the scope of the right of access, the information to be provided by the provider, the format of the access request and the main procedure for granting access, and explain the concept of manifestly unfounded and excessive requests. These guidelines form the basis for enforcement by the national data protection authorities in each EU member state.
In the European legal environment, the case law of the Court of Justice of the European Union (hereinafter the “CJEU”) is richer still, and its decisions are crucial for the interpretation of the applicable law.
In its decision C-592/19 (“Orange Romania”), the CJEU held that, beyond the need for active consent, the user must be able to refuse the collection and storage of data freely and in an easy way; having to fill in an additional form declaring the refusal does not meet this requirement.
Decision C-311/19 (“Schrems II”) concerned the transfer of personal data from the European Union to the US, which the Court found not to provide an adequate level of data protection, and likewise mechanisms such as the Privacy Shield. Its impact in the area of cookies is noticeable where device identifiers or IP addresses are transferred to third countries. In general, sufficient protection of such data must be ensured in accordance with the standards set out in the GDPR, which also applies to the use of services such as Google Analytics. As a result of this decision, website providers using services such as Google Analytics must ensure that a sufficient level of protection is provided when personal data is transferred. If this is not possible, they may have to stop using such services on their websites altogether.
Recommendations and conclusion
Cookies and data protection are important issues that concern both website providers and their users.
To ensure compliance with data protection regulations, it is essential to keep up to date with current legislation and regularly update the Cookies Policy in line with the latest GDPR requirements and standards, and to have a properly implemented cookie bar, not only technically but also textually.
For more general information on the topic of cookies, please refer to our previously published articles available here: https://www.peytonlegal.cz/en/?s=cookies.
Mgr. Tomáš Maux, junior lawyer – firstname.lastname@example.org
Mgr. Jakub Málek, managing partner – email@example.com
Tereza Benešová, legal assistant – firstname.lastname@example.org
30. 03. 2023