Following GDPR and Cookie Regulations on Your Sites

The General Data Protection Regulation (GDPR) came into force nearly four years ago, but the ways it is understood and applied in practice are still evolving. Not everyone has managed to become compliant, as recent news shows: in January, the French regulatory authority fined Google and Facebook (€150 million and €60 million, respectively) for violating cookie laws. It is worth noting that Google had already been fined once for failing to follow cookie regulations (the earlier fine was €100 million). Cookie use is drawing more and more attention from activists as well as regulators: for example, last summer the noyb (None Of Your Business) enforcement platform caused quite a stir by sending over 500 GDPR complaints to companies violating various cookie laws.

Regulations

The rules governing the use of cookies stem in part from GDPR and in part from the ePrivacy Directive (the ePrivacy Regulation that is supposed to replace it has so far not progressed past the draft stage). In this article we sum up our current understanding of the rules and regulations dealing with cookie use and the way they are applied in practice.

  • Under GDPR, only certain types of cookies are treated as possibly containing personal data. However, under the ePrivacy Directive, all cookies except those that are strictly necessary must be treated as if they can be used to create profiles of natural persons and identify those persons. Consent is treated as the only legal basis for saving cookies on visitors’ devices, except for the strictly necessary ones.
  • Obligation to obtain consent before saving cookies on visitors’ devices implies the obligation to comply with all requirements regarding consent stipulated by GDPR. Among other things, it means that it must be equally easy to grant or deny consent, and also to withdraw consent at any time.

Implementation

If your site uses cookies, then a cookie consent banner must be implemented with the following considerations:

  1. The “Accept only necessary cookies” option is a must (it is permissible to use the “Accept selected” option with only the necessary cookies selected by default).
  2. No pre-checked boxes for optional cookies.
  3. Having an “Accept all cookies” option is allowed, but making it more prominent than the “Accept only necessary cookies” option is not.
  4. The “Necessary” cookies must only include those cookies that are strictly necessary to provide the visitor with the requested service or to comply with regulations (for example, those related to security).
  5. All cookies must be described in clear and plain language.
  6. All cookies must be categorized in a reasonable and fair way.
  7. The cookie consent banner must be easily accessible from anywhere.
  8. All instances of consent being given must be logged. Every individual visitor must be assigned an identifier (that is, you’re not storing information about “John Doe”, you’re storing information about “user with id=7284b9a2-6b16-4d07-8fd9-a38452d0916d”), and every time the visitor gives consent, you must record the date and time consent was given and what, specifically, the visitor in question consented to.

It is important to understand that any consent gathered using a cookie banner that does not comply with one or more of these requirements may be declared null and void, with all the legal consequences that this entails.
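The consent log from item 8 can be kept as an append-only list of decisions, which also covers withdrawal. The sketch below is an added example, not code from the original article; the category names and the functions `recordConsent`, `currentConsent` and `mayStore` are assumptions made for illustration.

```javascript
// Added example: append-only consent log. Category names are constructed.
const OPTIONAL_CATEGORIES = ["preferences", "statistics", "marketing"];

// Pseudonymous visitor identifier; crypto.randomUUID() is the browser's
// built-in UUID generator (also a global in recent Node.js releases).
const newVisitorId = () => globalThis.crypto.randomUUID();

// Record one consent decision. An empty `granted` list means
// "only necessary cookies"; a later, smaller list is a withdrawal.
function recordConsent(log, visitorId, granted, now = new Date()) {
  const unknown = granted.filter((c) => !OPTIONAL_CATEGORIES.includes(c));
  if (unknown.length > 0) {
    throw new Error(`unknown cookie category: ${unknown.join(", ")}`);
  }
  const entry = Object.freeze({
    visitorId,                                            // who (pseudonymous)
    timestamp: now.toISOString(),                         // when
    granted: Object.freeze([...new Set(granted)].sort()), // what, exactly
  });
  log.push(entry); // earlier entries are never edited or removed
  return entry;
}

// Categories currently allowed for a visitor: the most recent entry wins,
// and a visitor with no entry at all has consented to nothing optional.
function currentConsent(log, visitorId) {
  for (let i = log.length - 1; i >= 0; i--) {
    if (log[i].visitorId === visitorId) return [...log[i].granted];
  }
  return [];
}

// Gate to call before setting any cookie of the given category.
function mayStore(log, visitorId, category) {
  return category === "necessary" ||
    currentConsent(log, visitorId).includes(category);
}
```

Because withdrawals are appended rather than overwriting earlier entries, the log can still show what a visitor had agreed to at any past point in time.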

Territorial scope

Now comes the tricky part. Do the laws governing the use of cookies apply to all visitors, regardless of their geographical location? Can you only gather consent from visitors residing in the EU? If you or your organization are not located in Europe, the answer is clear – neither GDPR nor ePrivacy Directive governs entities outside the EU, provided that their site visitors also reside outside of the EU. However, residents of the EU are protected by GDPR regardless of the location of the entity. 

As for EU sites, it looks like in this case there is a discrepancy in the requirements between GDPR and ePrivacy:

  1. European websites must always comply with GDPR, but only in regard to cookies that are related to an identified or identifiable natural person.
  2. ePrivacy Directive applies to all cookies, but only for end users and terminal equipment of end users located in the EU.

It looks like it is not necessary to gather consent for cookies that are not related to an identified or identifiable natural person or their terminal equipment located outside of the EU. In practice, though, the only way to profit from this loophole is to create one’s own mechanism for tracking users’ behavior, as all 3rd party tracking cookies absolutely do fall under GDPR.

Checking a website for privacy compliance

As far as we know, there is not a satisfactory tool or service that can be used to check whether a website is compliant with cookie-related regulations. We recommend that you check your website’s compliance by hand – here’s how:

Browser preparation

  1. You will need to dial the privacy settings down for this test, so unless you fancy changing them back again by hand, we recommend using a browser other than the one you usually use. The “Private Window” feature is, unfortunately, not going to help in this case.
  2. Disable or remove any ad blocker software and anything else having a similar function.
  3. Make sure that the most permissive settings related to cookies, privacy, security, safety, protection, tracking, etc. are in effect.
  4. Add the domain name of the website being tested to the white list.
  5. Allow all cookies, including third-party ones.
  6. Finally, delete all saved cookies.

Checking the website

  1. Open the website:
    1. If the cookie banner does not appear but the website uses cookies (make sure that cookies are actually saved on your device) – it’s a problem. A cookie banner must be implemented.
  2. If the cookie banner does appear:
    1. Check the saved cookies – only strictly necessary ones should be saved until the user consents otherwise (i.e. if the user clicks nothing and closes the tab, no cookies should be saved).
    2. Make sure that the checkboxes for saving optional cookies are not pre-checked by default.
    3. Make sure that the “Accept only necessary cookies” (or the “Accept selected” with optional cookies not saved by default) option is present.
    4. Make sure that the “Accept all cookies” option is present (this is not required by regulations, but is not prohibited either, and it is a very useful option for you).
  3. Check the cookies’ categorization in cookie banner details:
    1. Make sure that the “necessary cookies” category contains only technically necessary cookies: session, must-have preferences, etc.
    2. Make sure that all other cookies’ categorization is reasonable.
  4. Check the description of the cookies:
    1. Make sure that all cookies have meaningful descriptions.
  5. Check the correct functioning of preferences:
    1. Make sure that applying the selection by default (the necessary cookies category only) doesn’t result in any other cookies being saved on your device.
    2. Make sure that selecting one or more additional categories of cookies only results in cookies from those categories being saved on your device.
  6. Make sure that you can easily change cookie settings at any time (i.e. the corresponding direct link or button is always there).
  7. Make sure that updating cookie settings results in cookies being saved on/removed from your device.
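The comparisons in steps 2, 5 and 7 (which cookies are on the device versus what has been consented to) can be repeated consistently with a small script. This is an added example, not part of the original article; the cookie names, the `INVENTORY` declaration and the function names are constructed for illustration.

```javascript
// Added example: audit of the cookies found in the test browser.
// INVENTORY is a constructed cookie declaration (name -> category); a
// trailing "*" matches any suffix, as used by per-property cookies.
const INVENTORY = {
  "session_id": "necessary",
  "csrf_token": "necessary",
  "ui_lang": "preferences",
  "stats_*": "statistics",
  "ads_id": "marketing",
};

// Extract cookie names from a document.cookie-style "a=1; b=2" string.
function cookieNames(cookieString) {
  return cookieString.split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Declared category of a cookie, or null if the banner does not list it.
function categoryOf(name, inventory) {
  for (const [pattern, category] of Object.entries(inventory)) {
    const matches = pattern.endsWith("*")
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern;
    if (matches) return category;
  }
  return null;
}

// Compare the observed cookies with the categories the visitor accepted.
// Pass [] for "nothing clicked yet" or "only necessary cookies".
function auditCookies(cookieString, consented, inventory = INVENTORY) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const category = categoryOf(name, inventory);
    if (category === null) {
      findings.push({ name, problem: "undeclared" });
    } else if (category !== "necessary" && !consented.includes(category)) {
      findings.push({ name, problem: `no consent for ${category}` });
    }
  }
  return findings;
}
```

HttpOnly cookies do not appear in `document.cookie`, so for a complete audit take the cookie list from the browser's storage inspector instead.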

Conclusion

The importance of the proper use of cookies on websites targeting EU citizens cannot be overstated. A lot of website owners have not yet paid a fine only because the regulators haven’t gotten to them yet. And although meeting all requirements and satisfying all regulations is tricky (even the official website of the European Commission is not ideal in this regard), it makes a lot of sense to make sure that your website is “up to code”. How can you do that? We’ll tell you all about it in our next article. Stay tuned!

One comment

  1. General data protection regulation is definitely a positive thing. Too much spam out there on FB and other social sites.
