
Cookies and GDPR: what do you need to know as a website provider?

Cookies are already a very common part of web browsing and the architecture of most modern websites. This is perhaps why the area of cookies and their legal regulation is still evolving, especially about the processing of personal data through them.

A fundamental change in this area was brought about by Act No. 374/2021 Coll., on Electronic Communications and Amendments to Certain Related Acts (Electronic Communications Act), as amended (hereinafter as the “Electronic Communications Act”). Since it took effect, a website provider may use cookies only with the consent of the visitor (the so-called opt-in principle), with the exceptions listed below.

This article summarizes the legal regulation of the use of cookies and offers practical tips, particularly for website providers, whether they are small businesses or large companies.

What are cookies and why are they important for the providers

Cookies are short text files (user traces) stored on the user’s device when visiting a website. These files generally contain information about the user and their activity on the website, such as language preferences, login details or records of the visitor’s activity and behaviour on the website – but this information must be viewed as personal data in the light of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter as the “GDPR”).

The mere use of cookies on a website can be useful for both the user and the provider. Cookies are used to store information about users and their interaction with the website, which enables the personalisation of content and thus improves the user experience. However, there are also disadvantages to using cookies, such as privacy risks.

The provider should be transparent about the use of cookies and allow users to choose whether they want to be tracked or not. This means that the provider must inform users about the use of cookies and obtain their consent or offer them the possibility to refuse the use of cookies. If the provider uses cookies to target advertisements, it must also ensure that users have the possibility to refuse such processing of their personal data.

If the provider chooses to use cookies, it must comply with the rules set out in the GDPR and ensure that users are informed about what data is being processed and how it is being used – this is achieved by a combination of two tools, namely an information document on the processing of personal data through cookies (Cookies Policy) and the correct functionality of cookies and related plugins, together with a properly implemented cookie bar or window.

Cookies Policy

The Cookies Policy is an information document that serves to inform users about what data is processed using cookies and how this data is used. This document should be published on the provider’s website (usually linked from the footer) so that users can reach it easily.

The main objective of the Cookies Policy is to provide users with transparent information about what data is processed by cookies, thus enabling them to make decisions about their privacy and whether or not they want to be tracked, or to what extent.

For example, the Cookie Policy should include information on what types of cookies are used, how long they are stored and what data is collected through them. Although this is effectively a legal document, it should be clear and simple so that it is easy for users to read.

In addition to providing information about the processing of personal data using cookies, the Cookies Policy should also include information on how users can exercise their rights in relation to the processing of their personal data under the GDPR. This means that users should be informed that they have the right to access their personal data, the right to rectification of that data, the right to erasure of personal data and other rights in relation to the processing of personal data.

It is important that the provider complies with the established data protection rules and that the information provided in the Cookies Policy is up-to-date and accurate. If the provider decides to make changes to the Cookies Policy, it should inform users of these changes and ensure that users are informed of the new conditions for processing personal data using cookies.

Cookie bar

A cookie bar is a tool used on a website to inform users about the use of cookies and provide options for managing them.

The cookie bar is important for GDPR compliance and must be properly implemented to be effective.

A cookie bar consists of a few basic elements:

  • the first is usually a text message informing the user about the use of cookies on the website. This message must be easy to read and contain a clear description of the purpose of the cookies and how they are used;
  • the second element of the cookie bar is the interactive buttons, which allow the user to manage their cookie preferences. These buttons should allow users to refuse the use of optional cookies or allow users to modify their preferences regarding the use of cookies on a given website, or to accept all cookies at once.

In addition, the cookie bar must be easily visible and placed in a location where users can easily find information about the use of cookies. It should be placed on every page of the website and should remain in place until the user expresses his or her preferences regarding the use of cookies. When implementing a cookie bar, you should ensure that it is displayed on all pages of the site where cookies are used and that it contains relevant information about the use of cookies.

The cookie bar should always refer to the Cookies Policy in a simple and accessible way.

How to implement the cookie bar correctly?

Proper implementation of the cookie bar includes adherence to the principles of transparency, user choice and privacy. The provider should ensure that users have the ability to easily close or ignore the cookie bar and have a clear and understandable description of what happens if they do or do not allow cookies.

Conversely, the provider should avoid any unethical practices (Dark Patterns) that involve making it purposely difficult to close the cookie bar or using tricks to get users to allow cookies without their knowledge – e.g., covertly setting a consent cookie or requiring users to accept cookies to access a website are contrary to the GDPR and may lead to penalties.

Another example of unethical practice may be the use of confusing language or incorrect placement of the cookie bar, for example in a place where users can easily miss it or mistake it for part of a banner or advertisement. The provider should avoid such practices and ensure that users have real choice and access to important information about cookies and their use.
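The rules set out above (nothing optional before consent, no pre-selected choices, browsing is not consent, refusal and withdrawal as easy as acceptance, a bounded consent record) can be expressed as a small piece of page logic. The following is an added example written for this article; it is not code from the original text or from any authority cited here. The consent cookie name, the category names, the 180-day lifetime of the consent record and the sample tags are assumptions for illustration.

```javascript
// Added example, not code from the original article: a minimal opt-in
// consent gate for a cookie bar. The cookie name, category names, the
// 180-day lifetime and the sample tags are assumptions for illustration.

const CONSENT_COOKIE = "cookie_consent";      // assumed name of the consent record
const CONSENT_MAX_AGE_S = 180 * 24 * 3600;    // assumed lifetime of the record (180 days)
const OPTIONAL = ["statistics", "marketing"]; // assumed non-technical categories

// Starting state: only technically necessary cookies, nothing pre-ticked,
// no decision recorded. Merely browsing never changes this state.
function defaultConsent() {
  return { necessary: true, statistics: false, marketing: false, decidedAt: null };
}

// Record the user's explicit choice on the bar. `choice` is "acceptAll",
// "rejectAll" (also used to withdraw consent later) or an object with
// per-category booleans from the settings view. Anything else is refused,
// so a missing or accidental action can never be turned into "accept".
function buildConsent(choice, now = Date.now()) {
  const c = defaultConsent();
  if (choice === "acceptAll") {
    for (const cat of OPTIONAL) c[cat] = true;
  } else if (choice && typeof choice === "object") {
    for (const cat of OPTIONAL) if (choice[cat] === true) c[cat] = true;
  } else if (choice !== "rejectAll") {
    throw new Error("consent requires an explicit user action");
  }
  c.decidedAt = now;
  return c;
}

// Serialize the decision as a Set-Cookie string: only the decision itself is
// stored, with a bounded lifetime, same-site only and over HTTPS only.
function serializeConsentCookie(consent, maxAgeSeconds = CONSENT_MAX_AGE_S) {
  const payload = encodeURIComponent(JSON.stringify({
    statistics: consent.statistics,
    marketing: consent.marketing,
    decidedAt: consent.decidedAt,
  }));
  return `${CONSENT_COOKIE}=${payload}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Read a previous decision back from a cookie string (the value of
// document.cookie in a browser). Returns null when there is no valid record,
// in which case the bar must be shown again and nothing optional may load.
function parseConsentCookie(cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const data = JSON.parse(decodeURIComponent(rest.join("=")));
      if (typeof data.decidedAt !== "number") return null;
      const c = defaultConsent();
      for (const cat of OPTIONAL) c[cat] = data[cat] === true;
      c.decidedAt = data.decidedAt;
      return c;
    } catch (e) {
      return null; // a malformed or tampered record counts as "no decision"
    }
  }
  return null;
}

function shouldShowBar(cookieString) {
  return parseConsentCookie(cookieString) === null;
}

// Decide which tags may run. Each tag is { id, category }. Without a recorded
// decision only "necessary" tags load; every analytics or advertising tag
// must pass through this gate before its script element is inserted.
function tagsToLoad(consent, tags) {
  const c = consent || defaultConsent();
  return tags.filter((t) => t.category === "necessary" || c[t.category] === true);
}

// Constructed sample for a first visit: three tags, no decision yet.
const SAMPLE_TAGS = [
  { id: "session", category: "necessary" },
  { id: "analytics", category: "statistics" },
  { id: "ads", category: "marketing" },
];
```

In a browser, `parseConsentCookie(document.cookie)` runs at page load; `tagsToLoad` is then the only path through which third-party scripts are added to the page, and the bar's two equally prominent buttons call `buildConsent("acceptAll")` and `buildConsent("rejectAll")` and write the result with `document.cookie = serializeConsentCookie(...)`. The `Secure` attribute means the record is only set on HTTPS sites, and the settings page reuses `buildConsent("rejectAll")` as the withdrawal action so that withdrawing is exactly as easy as accepting.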

The most common cookie bar defects and selection decisions

In 2022, the Data Protection Authority (hereinafter as the “DPA”), which oversees compliance with the principles contained in the GDPR, issued a press release stating that the main deficiencies identified historically include:

  • the use of non-technical cookies without consent;
  • cookies stored for too long;
  • lack of an option to opt out of non-technical cookies;
  • incorrect categorisation of cookies;
  • lack of specific information about the cookies used;
  • different visibility of the buttons to opt in and opt out of non-technical cookies;
  • incorrect classification of cookies;
  • information about cookies in a foreign language;
  • a cookie bar that makes the website difficult to read.
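Several of the deficiencies in that list can be checked mechanically by comparing the cookies a page actually sets before any interaction with the inventory declared in the Cookies Policy. The checker below is an added example written for this article, not code from the original text or from the DPA. The two sample inventories, the category name "necessary" and the 13-month ceiling used for "stored for too long" are assumptions; a provider would substitute its own policy and the cookies captured from a fresh visit.

```javascript
// Added example, not from the original article or the DPA: compares the
// cookies observed before consent with the inventory declared in the
// Cookies Policy and flags the deficiency types named in the article.
// The sample data and the 13-month lifetime ceiling are assumptions.

const MAX_LIFETIME_S = 13 * 30 * 24 * 3600; // assumed ceiling for "stored for too long"

// `declared`: entries from the Cookies Policy:
//     { name, category, maxAgeSeconds, purpose }
// `observed`: cookies captured from a fresh visit before any click:
//     { name, maxAgeSeconds (null for session cookies), beforeConsent }
function auditCookies(declared, observed, maxLifetime = MAX_LIFETIME_S) {
  const findings = [];
  const byName = new Map(declared.map((d) => [d.name, d]));
  for (const o of observed) {
    const lifetime = o.maxAgeSeconds || 0;
    const d = byName.get(o.name);
    if (!d) {
      // lack of specific information: the cookie is not described at all
      findings.push({ cookie: o.name, issue: "not described in the Cookies Policy" });
      continue;
    }
    if (o.beforeConsent && d.category !== "necessary") {
      // non-technical cookie set without consent
      findings.push({ cookie: o.name, issue: `${d.category} cookie set without consent` });
    }
    if (lifetime > maxLifetime) {
      findings.push({ cookie: o.name, issue: "lifetime exceeds the assumed ceiling" });
    }
    if (typeof d.maxAgeSeconds === "number" && lifetime > d.maxAgeSeconds) {
      // the policy states a shorter duration than the cookie actually has
      findings.push({ cookie: o.name, issue: "lifetime longer than declared in the policy" });
    }
    if (!d.purpose) {
      findings.push({ cookie: o.name, issue: "no specific purpose stated" });
    }
  }
  return findings;
}

// Constructed sample policy inventory (assumed cookie names).
const SAMPLE_DECLARED = [
  { name: "session", category: "necessary", maxAgeSeconds: null, purpose: "login session" },
  { name: "_stat", category: "statistics", maxAgeSeconds: 63072000, purpose: "visit statistics" },
  { name: "_mk", category: "marketing", maxAgeSeconds: 31536000, purpose: "" },
];

// Constructed sample of what a fresh visit received before any click.
const SAMPLE_OBSERVED = [
  { name: "session", maxAgeSeconds: null, beforeConsent: true },
  { name: "_stat", maxAgeSeconds: 63072000, beforeConsent: true },
  { name: "_mk", maxAgeSeconds: 31536000, beforeConsent: true },
  { name: "_xyz", maxAgeSeconds: 86400, beforeConsent: true },
];
```

Run against the sample data the audit reports two findings for `_stat` (set without consent, lifetime above the ceiling), two for `_mk` (set without consent, no purpose stated) and one for the undeclared `_xyz`, while the necessary `session` cookie passes. Category mismatches, foreign-language texts and button visibility still need a human review of the bar and the policy.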

It is the DPA that oversees compliance with the rules on the processing of personal data and compliance with all obligations under the GDPR, including in relation to providers.

For illustration purposes, we attach below a selection of interesting decisions of the DPA, which illustrate that the DPA deals with compliance with the principles of processing personal data obtained through cookies in detail. The DPA carries out inspections on its own initiative or, where appropriate, on the basis of complaints from the public. If a violation is found, the natural or legal person is informed of the result of the inspection by the DPA and is given time to remedy the situation; in the event of non-compliance, a sanction is imposed, the amount of which depends on the severity of the violation.

One of the examples where the DPA found a violation in relation to the use of cookies is the decision under file No. UOOU-03120/19. In this case, the website provider did not properly disclose to the website users the other recipients of their personal data (in the case of transfer of personal data to third parties) and did not specify the period of time for which the cookies were stored. At the same time, the provider had not updated its cookie policy since 2013, which the DPA also found to be a breach.

The DPA also carried out an inspection file No. UOOU-00374/20, during which it found a breach in the way the website provider fulfilled its information obligation – although the audited person had a personal data protection policy and a cookie policy, it had only stored them in the Contacts tab, without the website user being notified of this location. Thus, the information was not easily traceable for the website user, and the information documents were not up-to-date and contained references to legislation that was no longer in force.

At the end of the audit registered under file No. UOOU-00686/20, the DPA found that the possibility of free consent or non-consent to the use of statistical and marketing cookies and the subsequent processing of personal data had been violated by the fact that the audited entity considered the simple browsing of the website as consent to processing. In particular, the setting of the website in such a way that the user can only remain on the website if he or she consents to the use of cookies cannot be accepted. Such consent is not considered to be freely given consent in accordance with the GDPR.

European context

The European Data Protection Board, the highest supervisory authority in the field of the GDPR (hereinafter as the “EDPB”), has adopted guidelines on data subject rights, which focus on the right of access. The aim of these guidelines is to analyse the different aspects of the right of access and to clarify how the right of access should be applied in different situations. The guidelines also clarify the scope of the right of access, the information to be provided by the provider, the format of the access request, the main procedure for granting access and explain the concept of manifestly unfounded and unreasonable requests. These guidelines form the basis for enforcement by national data protection authorities in each EU member state.

Another relevant and important document is the report of the cookie bar working group from January 2023, which presents the most common issues along with how web providers can avoid them. Among the points mentioned are pre-ticked boxes, the colour contrast of buttons, easy withdrawal of consent, the ability to refuse cookies, etc.

In the European legal environment, the case law of the Court of Justice of the European Union (hereinafter as the “CJEU”) is richer and its decisions are crucial for the interpretation of the applicable law.

In its decision C-673/17 (“Planet 49”), the CJEU ruled in 2019, among other things, that consent provided via a pre-ticked box is invalid, as it is not active consent, even if the user retains the option to refuse the use of cookies. The user’s passivity can only be considered as consent for necessary cookies. Furthermore, the CJEU specified the information obligation: the website user must also be informed of the lifetime of the individual cookies used and of other recipients, which is most often reflected in the Cookies Policy.

In its decision C-592/19 (“Orange Romania”), the CJEU held that, beyond the need for active consent, the user must be able to refuse the collection and storage of data freely and in an easy way; having to fill in an additional form declaring the refusal does not meet this standard.

Decision C-311/19 (“Schrems II”) concerned the transfer of personal data from the European Union to the US, which the Court found to have an inadequate level of data protection, and the same applied to mechanisms such as the Privacy Shield. The impact in the area of cookies is noticeable in the case of device identifiers or IP addresses transferred to third countries. In general, sufficient protection of such data must be ensured in accordance with the standards set out in the GDPR, which also applies to the use of services such as Google Analytics. As a result of this decision, website providers using services such as Google Analytics must ensure that a sufficient level of protection is provided when personal data is transferred. If this is not possible, they may have to eliminate the use of such services on their websites altogether.

Recommendations and conclusion

Cookies and data protection are important issues that concern both website providers and their users.

To ensure compliance with data protection regulations, it is essential to keep up to date with current legislation and regularly update the Cookies Policy in line with the latest GDPR requirements and standards, and to have a properly implemented cookie bar, not only technically but also textually.

For more general information on the topic of cookies, please refer to our previously published articles available here: https://www.peytonlegal.cz/en/?s=cookies.


Mgr. Tomáš Maux, junior lawyer – maux@plegal.cz

Mgr. Jakub Málek, managing partner – malek@plegal.cz

Tereza Benešová, legal assistant – benesova@plegal.cz


www.peytonlegal.cz/en


30. 03. 2023
