We can see this trend in the actions of the Spanish and Dutch DPAs, which have both started enforcing the national cookie laws. The French DPA recently announced the beginning of investigations, and the Italian DPA released new guidelines due to be enforced on 3 June 2015.
Spanish Data Protection Authority's clarification of the cookies regime through guidelines and first sanctions
The new Guide explains how companies can comply with the informed consent requirement imposed by Act 34/2002 on Information Society Services and Electronic Commerce (LSSI), and amended by Royal Decree Law 13/2012 in 2012, implementing the EU Directive on e-Privacy in national law. Three main points are highlighted:
- the collection of implied consent can be valid provided it does not result from silence or inaction by the web user;
- the information provided to users must be sufficiently visible (in the header or footer and then through the website terms or the Privacy and Cookies policy); and
- a layered system of information can be set up, with essential information in the first layer and a link to a second layer providing additional information (e.g. the Cookies policy).
It is worth noting that although neither website collected user consent to cookies, the AEPD was not able to issue a sanction for this infringement since Spanish law did not, at that time, authorise the AEPD to undertake enforcement on this issue. This was corrected by the Spanish Legislator on 9 May 2014, with the adoption of the General Telecommunications Act 9/2014, which states that placing cookies on a user's terminal without obtaining consent is an infringement that can be enforced by the AEPD. The amendment to the law also provided the AEPD with a wider range of enforcement powers, including issuing warnings for failure to comply with applicable cookie law, and maximum fines of € 30,000 for small infringements or up to € 150,000 for serious infringements (including in cases where more than one violation occurs during a three-year period).
Investigations on tracking cookies and potential relaxation of the cookie law in the Netherlands
The Netherlands took an unusually narrow view when implementing the Cookie Directive with the result that Dutch cookie law requirements have been the most restrictive in Europe, leading to complaints that the consumer browsing experience was being adversely affected and that the compliance burden on companies was too high. In particular, publishers have been required to collect explicit opt-in consent from the users for all types of cookies (except strictly necessary cookies). On 20 May 2013, the Dutch Minister of Economic Affairs proposed an amendment to the cookie law, Article 11.7(a) of the Telecommunications Act. The Bill is currently before the second Chamber of the Dutch Parliament.
This amendment aims to exempt publishers using certain types of cookies from the necessity of collecting user consent. Cookies that are "absolutely necessary to obtain information about the quality and the effectiveness of an information society service" ("provided that this has no or little consequences for the privacy of the user") may benefit from this exemption. Analytic, affiliate and possibly testing cookies may fall within this exception. For cookies outside of scope, publishers will still need to collect the consent of the user. The amendment appears to be in favour of an implied consent inferred from the behaviour of users, meaning that a publisher could implement a banner mentioning information about cookies used and informing users that, by continuing to use the website without a change in their privacy settings, they would be deemed to accept cookies being placed on their device.
Meanwhile, the Dutch DPA (the CBP) has conducted its first audit on the processing of cookies. On 27 March 2014, the CBP published its report on the activities of YD Display Advertising Benelux BV (YD). YD cooperates with advertisers to serve personalised advertisements to the user. YD was inserting cookies and pixels in user browsers to track their activities in order to see if they were visiting advertisers' websites, determine their interests and adapt the content of the advertisements accordingly. YD's partners were also able to place cookies and track users.
By using tracking cookies, YD violated Article 8 of the Dutch Data Protection Act, which requires the unambiguous consent of the user when processing personal data, and Article 11.7(a) of the Telecommunications Act, which presumes that tracking cookies storing personal data are not allowed unless they are covered by an exception. In particular, YD committed serious breaches by placing cookies before the webpage was loaded and, therefore, before users were informed and could opt out, by not offering any opt-out option, and by enabling third parties to place cookies for advertising purposes. The CBP has decided not to impose a fine on YD but, with this first audit of cookie law compliance, has sent a clear message to publishers using tracking cookies and to the supporters of an implied consent.
Beginning of investigations in France and new guidelines in Italy
On 11 July 2014, the French Data Protection Authority (the CNIL) announced it will be launching a 'cookie sweep' in October 2014. This announcement follows various recent developments on cookie law in France. On 5 December 2013, the CNIL released new guidelines on cookies and tracking devices allowing publishers to collect implied consent from the users. In addition, the implementation of Directive 2011/83/EU on Consumer Rights in the French Consumer Code on 17 March 2014 amended the Data Protection Act and granted new online investigatory powers to the CNIL. Under these new powers, the CNIL will be able "to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party's action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations" and, therefore, verify the publishers' process for collecting informed consent.
These new investigatory powers will be used for the first time in September 2014, for the European 'cookie sweep day', and from October 2014, for national investigations. The CNIL will focus on:
- the types and purposes of the cookies used;
- the procedure for collecting users' consent if required;
- the visibility, quality and simplicity of the information provided; and
- the consequence of refusing and the possibility of withdrawing consent.
The CNIL will be able to issue warnings, injunctions and monetary sanctions of up to € 150,000 to non-compliant organisations.