Anyone with even a passing interest in EU privacy law will be familiar with an old conundrum: the international tech business thinks up ever more innovative ways of targeting internet users and commercializing their data (often without their knowledge), while the EU implements ever more stringent measures to prevent just that from happening. For example, while the EU was touting the enactment of the ground-breaking General Data Protection Regulation (GDPR) in 2016, the Cambridge Analytica scandal exposed the widespread misuse of EU citizens’ personal data by major tech companies.
In terms of the five stages of grief, the users of cookies have arguably gotten over denial (we don’t need to do anything!) and anger (this is an anti-business measure! the internet cannot work without cookies!) and are at the bargaining stage. In other words, companies are mostly still doing the bare minimum to meet what they see as their e-privacy and data protection obligations when it comes to cookie use.
The three steps presented below provide a roadmap that will put you well on your way towards compliance with the EU provisions on personal data and cookies.
Three Steps Towards Better Compliance
1. Do our cookies collect personal data?
The first and most important step is to recognize that cookies are often more than they appear. The key question is whether a cookie, alone or together with other information, allows individual users to be identified. If the answer is yes, then the information gathered by the cookie needs to be treated as personal data. This means that such information cannot be freely transferred to third parties, utilized for other purposes, stored indefinitely, or in some cases used at all.
What this means is that organizations need to find out what cookies they (or their partners) are setting and analyze whether these cookies are collecting or processing personal data. If such cookies are found, then they should probably be removed, unless the organization wants to risk running afoul of the stringent data protection obligations set by the GDPR.
2. What cookies do we use? Which ones are “strictly necessary”?
Let’s assume that either you do not use personal data-gathering cookies, or the personal data risks relating to such cookies have been mitigated. Next, we need to look at the requirements for cookie compliance set by the E-Privacy Directive (2002/58/EC). The E-Privacy Directive, as interpreted in subsequent court decisions like Planet 49, requires that visitors be informed of cookies set on their devices, and that their consent is sought before the cookies are set. The one exception is “strictly necessary” cookies, i.e., cookies that have the “sole purpose of carrying out or facilitating the transmission of a communication” or that are “strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”. No consent, or indeed notification, is required for such “strictly necessary” cookies.
However, here we return to the bargaining stage of grief. Despite the loose wording of the “strictly necessary” exception, the EU data protection authorities have emphasized that the provision is to be read narrowly. Website owners should not succumb to the temptation of treating, e.g., analytics or tracking cookies as strictly necessary.
3. We now know which cookies we need to notify users about and seek consent for. How can we do that?
While the above might seem like a veritable shopping list of requirements, the most common pitfalls of “flawed consent” regarding cookies are:
- Setting cookies before consent is given (no consent exists at the time cookies are set)
- Providing insufficient information about the cookies, i.e., what the user is consenting to (consent is not informed or specific)
- Forcing the user to consent to non-necessary cookies in order to use a service (consent is not freely given)
- Bundling cookie consent with accepting, e.g., terms of service (consent is not unambiguous)
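One way to build the first and third pitfalls out of a site is to gate every cookie write on recorded consent for that cookie's category, with strictly necessary cookies as the only exception. The following is an added JavaScript example, not code from the article; the cookie registry, the in-memory jar standing in for document.cookie, and the partner-script scenario are constructed assumptions.

```javascript
// Added example: consent-gated cookie jar. Registry, jar and scenario are constructed for illustration.
const COOKIE_REGISTRY = {
  session_id: { category: "strictly_necessary", purpose: "keeps the user logged in" },
  _ga:        { category: "analytics",          purpose: "analytics visitor id" },
  ad_id:      { category: "marketing",          purpose: "ad personalisation" },
};
class ConsentGatedJar {
  constructor(registry) {
    this.registry = registry;
    this.consent = new Set(); // categories consented to one by one (specific, not bundled)
    this.jar = new Map();     // cookie name -> value; stands in for document.cookie
    this.blocked = [];        // set() attempts refused for lack of consent
  }
  grant(category) { this.consent.add(category); }
  // Revoking consent also deletes the cookies that relied on it.
  revoke(category) {
    this.consent.delete(category);
    for (const [name, meta] of Object.entries(this.registry)) {
      if (meta.category === category) this.jar.delete(name);
    }
  }
  // Only strictly necessary cookies may be set before consent (pitfall 1 above).
  set(name, value) {
    const meta = this.registry[name];
    if (!meta) throw new Error(`unclassified cookie ${name}: classify it before use`);
    if (meta.category !== "strictly_necessary" && !this.consent.has(meta.category)) {
      this.blocked.push(name);
      return false;
    }
    this.jar.set(name, value);
    return true;
  }
  // Audit: cookies present with no consent basis, e.g. written directly by a partner script.
  violations() {
    return [...this.jar.keys()].filter((name) => {
      const meta = this.registry[name];
      return !meta || (meta.category !== "strictly_necessary" && !this.consent.has(meta.category));
    });
  }
}
function runScenario() {
  const jar = new ConsentGatedJar(COOKIE_REGISTRY);
  const beforeConsent = [jar.set("session_id", "s1"), jar.set("_ga", "GA1.1")]; // [true, false]
  jar.jar.set("ad_id", "x");             // a partner script bypassed the gate
  const audit = jar.violations();        // -> ["ad_id"]
  jar.grant("analytics");                // user ticked only the analytics box
  const afterConsent = jar.set("_ga", "GA1.1");
  jar.revoke("analytics");               // _ga is dropped again; ad_id stays flagged
  return { beforeConsent, audit, afterConsent, remaining: [...jar.jar.keys()], blocked: jar.blocked };
}
```

Running the audit on page load, before any banner interaction, is the practical check for pitfall 1: anything it returns was set without a consent basis.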
The Upcoming E-Privacy Regulation
The author, Arttu Ahava, is a European trade mark and design attorney and lawyer working with Berggren Oy, Finland’s leading IPR service provider. The author has been involved in the preparation of the revised Trademarks Act and assisted clients in connection with a similar revision process carried out with regards to EU trademarks.