We can see this trend in the actions of the Spanish and Dutch DPAs who have both started enforcing their national cookie laws. The French DPA has begun investigations, and the Italian DPA released new guidelines due to be enforced from 3 June 2015.
Spanish Data Protection Authority's clarifications of the cookies regime through guidelines and first sanctions
The AEPD's Guide on the use of cookies explains how companies can comply with the informed consent requirement imposed by Act 34/2002 on Information Society Services and Electronic Commerce (LSSI), as amended in 2012 by Royal Decree-Law 13/2012, which implemented the EU e-Privacy Directive into national law. Three main points are highlighted:
- the collection of implied consent can be valid provided it does not result from silence or inaction by the web user;
- the information provided to users must be sufficiently visible (in the header or footer and then through the website terms or the Privacy and Cookies policy); and
- a layered system of information can be set up, with essential information in the first layer and a link to a second layer providing additional information (e.g. the Cookies policy).
It is worth noting that although neither of the websites investigated collected user consent to cookies, the AEPD was not able to issue a sanction for this infringement, since Spanish law did not, at that time, authorise the AEPD to enforce the cookie rules. This was corrected by the Spanish legislator on 9 May 2014 with the adoption of the General Telecommunications Act 9/2014, which provides that placing cookies on a user's terminal without obtaining consent is an infringement that the AEPD may enforce. The amendment also gave the AEPD a wider range of enforcement powers, including issuing warnings for failure to comply with the applicable cookie rules, fines of up to €30,000 for minor infringements and of up to €150,000 for serious infringements (including where the infringement is repeated within a three-year period).
Investigations on tracking cookies and potential relaxation of the cookie law in the Netherlands
The Netherlands took an unusually narrow view when implementing the Cookie Directive, with the result that Dutch cookie law requirements have been the most restrictive in Europe, leading to complaints that the consumer browsing experience was being adversely affected and that the compliance burden on companies was too high. In particular, publishers have been required to collect explicit opt-in consent from users for all types of cookies (except strictly necessary cookies). On 20 May 2013, the Dutch Minister of Economic Affairs proposed an amendment to the cookie law, Article 11.7a of the Telecommunications Act. The Bill is currently before the Second Chamber of the Dutch Parliament and is expected to come into force by the end of the year.
This amendment aims to exempt publishers using some types of cookies from the need to collect user consent. Cookies that are "absolutely necessary" to obtain information about the quality and effectiveness of an information society service ("provided that this has no or little consequence for the privacy of the user") may benefit from this exemption. Analytics, affiliate and possibly testing cookies may fall within this definition. For cookies outside its scope, publishers will still need to collect the consent of the user. The amendment appears to favour implied consent inferred from the behaviour of users, meaning that a publisher could implement a banner giving information about the cookies used and informing users that, by continuing to use the website without changing their privacy settings, they would be deemed to accept cookies being placed on their device.
Meanwhile, the Dutch DPA (the CBP) has conducted its first investigation into the processing of cookies. On 27 March 2014, the CBP published its report on the activities of YD Display Advertising Benelux BV (YD). YD cooperates with advertisers to serve personalised advertisements to users. YD was inserting cookies and tracking pixels into users' browsers to follow their activity, in order to see whether they visited advertisers' websites, determine their interests and adapt the content of the advertisements accordingly. YD's partners were also able to place cookies and track users.
By using tracking cookies, YD violated Article 8 of the Dutch Data Protection Act, which permits the processing of personal data only on a legal ground such as the unambiguous consent of the data subject, and Article 11.7a of the Telecommunications Act, which presumes that tracking cookies involve the processing of personal data and therefore requires the user's consent unless an exception applies. In particular, YD committed serious breaches by placing cookies before the webpage had loaded (and therefore before users were informed and could opt out), by not offering any opt-out option, and by enabling third parties to place cookies for advertising purposes. The CBP decided not to impose a fine on YD but, with this first investigation of cookie law compliance, sent a clear message to publishers using tracking cookies and to the supporters of implied consent.
The other Dutch regulator empowered to enforce the rules on storing cookies, the Authority for Consumers and Markets (ACM), has also started enforcing cookie law, focusing initially on government websites. In July 2014, it sanctioned the Netherlands Public Broadcasting (NPO) for storing cookies on its users' devices without informing them and without having collected their consent. Following the pragmatic approach of the CBP, the ACM did not issue a fine, but ordered the NPO to make changes in order to become compliant. If the NPO does not remedy its non-compliance with the rules on storing cookies, it will have to pay a penalty of €25,000 per week of delay, up to a maximum of €125,000.
Beginning of investigations in France and new guidelines in Italy
On 5 December 2013, the CNIL released new guidelines on cookies and tracking devices allowing publishers to collect implied consent from users. In addition, the implementation of Directive 2011/83/EU on Consumer Rights in the French Consumer Code on 17 March 2014 amended the Data Protection Act and granted new online investigatory powers to the CNIL. Under these new powers, the CNIL is able "to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party's action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations" and, therefore, to verify publishers' processes for collecting informed consent.
These new investigatory powers were used for the first time in September 2014, for the European 'cookie sweep day', and have been used in national investigations since October 2014. The CNIL is focusing on:
- the types and purposes of the cookies used;
- the procedure for collecting users' consent if required;
- the visibility, quality and simplicity of the information provided; and
- the consequence of refusing and the possibility of withdrawing consent.
The CNIL can issue warnings, injunctions and monetary sanctions of up to €150,000 against non-compliant organisations.
Cookie regulation outside Europe: focus on the new Brazilian 'Internet Bill of Rights'
By approving the Marco Civil da Internet, Law No. 12,965/2014, on 23 April 2014, Brazil adopted its first legal framework for the internet. Privacy is one of the law's main subjects. Under Article 11, every company providing services to Brazilian users (search engines, online retailers, social media websites and so on) is within the scope of the law, wherever its servers are located. It applies to all companies collecting, storing and processing the personal data of consumers located in Brazil.
Various sanctions may be imposed for a breach, including warnings, injunctions, fines of up to 10% of the breaching company's revenue in Brazil, temporary suspension, and prohibition of the exercise of activities related to data processing in Brazil. Brazilian subsidiaries, branches and offices of a company in breach will be jointly liable for payment of the fine.
The Marco Civil da Internet entered into force on 23 June 2014, with real consequences for companies providing services to Brazilian users, but European companies already used to complying with EU data protection law will not see any radical changes. Even though this new law brings Brazilian law into the digital world, questions remain about how it interacts with international privacy laws.