The delay in updating the legislation governing cookies in line with the General Data Protection Regulation has caused considerable uncertainty regarding how to obtain cookie consent lawfully. This article explores the current law and recent guidance issued at a European level and also by the Irish and UK supervisory authorities on the subject.
What are cookies?
Cookies are small files that are placed on users’ devices to track their browsing activities. They are stored for various reasons, such as to remember users’ preferences to make their experience on subsequent visits to websites more efficient; to tailor ads that are served to users based on their browsing history; and to enable website operators to analyse traffic passing through their services.
Consent under the ePrivacy Laws
European and national guidance
The EDPB stated in its opinion that, pursuant to Article 94 of the GDPR, any references to the data protection laws that preceded the GDPR will now be construed as references to the GDPR. Although not specifically addressed in the EDPB’s opinion, this interpretation suggests that all references to “consent” in the ePrivacy Laws now mean consent as defined by the GDPR, which must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action by the user to be valid.
In its guidance note issued in July 2019, the data protection supervisory authority in the UK (the Information Commissioner’s Office (“ICO”)) took a similar view by stating that the UK’s ePrivacy legislation does not define “consent” and it is the GDPR standard of consent that must be obtained before placing cookies on users’ devices. The ICO also went on to state that users must take clear and positive action to give their consent to cookies, and continuing to use the website does not constitute valid consent.
Similar guidance has also recently been published by the data protection supervisory authority in France.
While the emphases of the guidance documents differ in certain respects, the views expressed in them clearly converge on one point: it is the GDPR standard of consent that must be obtained from users before placing cookies on their devices. Creative technical solutions would likely be needed to obtain GDPR-compliant consent from users given that their consent is required before, and not after, cookies are placed on users’ devices.
It is also interesting to note that, in certain respects, the guidance documents go further than the current draft of the new ePrivacy Regulations that will replace the existing ePrivacy Laws. For example, the current draft of the new regulations permits operators to place first party cookies on users’ devices without consent to analyse traffic passing through their websites for the purpose of optimising the service (termed “audience measuring”).
The developments referred to above have given rise to an unusual situation whereby the guidance documents consider cookie obligations to be somewhere between the requirements of the existing ePrivacy Laws and the draft of the new regulations that will replace them. The approach that website operators will take in this unique landscape remains to be seen, particularly in light of the balance that must be struck in delivering efficient and user-friendly services while also ensuring the effective protection of privacy and confidentiality.
The draft of the new ePrivacy Regulations is still working its way through the European legislative process. It is hoped that the recent change to the presidency of the Council of the European Union, which passed to Finland on 1 July 2019, will inject fresh energy into progressing the draft swiftly so that the current legal uncertainty can be closed off. However, even with renewed vigour, the new legislation is not expected to come into force until 2020 at the earliest.
Organisations should review their cookie practices in light of the recent developments outlined above, with a particular focus on the manner in which they obtain users’ consent and the information they provide to users about the nature and purposes of the cookies that are deployed.