The delay in updating the legislation governing cookies in line with the General Data Protection Regulation has caused considerable uncertainty regarding how to obtain cookie consent lawfully. This article explores the current law and recent guidance issued at a European level and also by the Irish and UK supervisory authorities on the subject.

What are cookies?

Cookies are small files that are placed on users’ devices to track their browsing activities. They are stored for various reasons, such as to remember users’ preferences to make their experience on subsequent visits to websites more efficient; to tailor ads that are served to users based on their browsing history; and to enable website operators to analyse traffic passing through their services.

The ePrivacy Directive and the Irish ePrivacy Regulations of 2011 (which implement the ePrivacy Directive in Ireland) (the “ePrivacy Laws”) govern the use of cookies. The General Data Protection Regulation (“GDPR”) is also relevant to the extent that cookies often involve information that contains personal data.

The ePrivacy Laws were due to be updated in tandem with the introduction of the GDPR on 25 May 2018. This did not come to pass, with the result that the laws do not sit comfortably with one another, particularly insofar as consent to the use of cookies is concerned.

Consent under the ePrivacy Laws

The ePrivacy Laws require users to consent before cookies can be placed on their devices. An exception to this requirement is that users’ consent is not required for cookies that are essential to delivering the service that users have requested (often termed “essential cookies”). Prior to the introduction of the GDPR, it was widely accepted that consent could be obtained by means of a cookie banner that simply refers users to the website’s cookie policy and advises them that, by continuing to use the website, they are consenting to cookies.

European and national guidance

The main role of the European Data Protection Board (“EDPB”) is to ensure the consistent application of the GDPR across the European Union. Due to the potential uncertainty regarding the rules that apply to personal data processing activities that fall within the scope of both the ePrivacy Laws and the GDPR (such as the use of cookies), the EDPB issued a written opinion in March 2019 addressing the interplay between the two bodies of law.

The EDPB stated in its opinion that, pursuant to Article 94 of the GDPR, any references to the data protection laws that preceded the GDPR will now be construed as references to the GDPR. Although not specifically addressed in the EDPB’s opinion, this interpretation suggests that all references to “consent” in the ePrivacy Laws now mean consent as defined by the GDPR, which must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action by the user to be valid.

In the wake of the EDPB’s opinion, the Irish Data Protection Commission (“DPC”) published a guidance note in June 2019 addressing the rules on the use of cookies. The guidance note stated that, because the GDPR is read together with the ePrivacy Laws, the type of consent that must be obtained to place cookies on users’ devices is the GDPR standard of consent.

In its guidance note issued in July 2019, the data protection supervisory authority in the UK (the Information Commissioner’s Office (“ICO”)) took a similar view by stating that the UK’s ePrivacy legislation does not define “consent” and it is the GDPR standard of consent that must be obtained before placing cookies on users’ devices. The ICO also went on to state that users must take clear and positive action to give their consent to cookies, and continuing to use the website does not constitute valid consent.

Similar guidance has also been recently published by the data protection supervisory authority in France.

While the emphases of the guidance documents differ in certain respects, the views expressed in them clearly converge on one point: it is the GDPR standard of consent that must be obtained from users before placing cookies on their devices. Creative technical solutions would likely be needed to obtain GDPR-compliant consent from users given that their consent is required before, and not after, cookies are placed on users’ devices.

It is also interesting to note that the guidance documents go further in certain respects than the current draft of the new ePrivacy Regulations that will replace the existing ePrivacy Laws. For example, the current draft of the new regulations permits operators to place first party cookies on users’ devices without consent to analyse traffic passing through their websites for the purpose of optimising the service (termed “audience measuring”).

The developments referred to above have given rise to an unusual situation whereby the guidance documents consider cookie obligations to be somewhere between the requirements of the existing ePrivacy Laws and the draft of the new regulations that will replace them. The approach that website operators will take in this unique landscape remains to be seen, particularly in light of the balance that must be struck in delivering efficient and user-friendly services while also ensuring the effective protection of privacy and confidentiality.

Conclusion

It has been recently reported that the DPC has opened an investigation into the use of cookies by Verizon Media, which owns online outlets such as Yahoo, the Huffington Post and AOL, arising from complaints made against the company. The DPC’s investigation is set to centre on allegations of transparency issues regarding publications operated by the company, and complaints that the only option when cookie banners are offered seems to be to click “okay”. The DPC’s approach to the investigation will no doubt be the subject of interest for many website operators.

The draft of the new ePrivacy Regulations is still working its way through the European legislative process. It is hoped that the recent change to the presidency of the Council of the European Union, which passed to Finland on 1 July 2019, will inject fresh energy into progressing the draft swiftly so that the current legal uncertainty can be closed off. However, even with renewed vigour, the new legislation is not expected to come into force until 2020 at the earliest.

Organisations should review their cookie practices in light of the recent developments outlined above, with a particular focus on the manner in which they obtain users’ consent and the information they provide to users about the nature and purposes of the cookies that are deployed.