Cookies – are you compliant?

In 2022, the Belgian Data Protection Authority (“GBA”) launched an investigation into the use of cookies on Belgium’s most popular press sites. This investigation resulted in eight settlement decisions and six decisions on the merits. Inspections regarding the correct use of cookies continued to be one of the GBA’s main action points in 2023. The focus on cookies is not limited to Belgium. The European Data Protection Board (“EDPB”) has not been sitting idle either, as it published a report on January 17th, 2023 with findings of the “Cookie Banner Taskforce” on online breaches of the regulatory framework regarding cookies.

Cookie Banner Taskforce

On August 9th, 2022, the privacy NGO None Of Your Business (“NOYB”) filed a total of 226 complaints with 18 different national data protection authorities. The subject of this large-scale action: misleading and non-compliant cookie banners.

These complaints were filed against the most unyielding website owners who, after an initial wave of more than 500 complaints in May 2021, were not aligning their banners with the relevant legislation: the national transpositions of the July 12th, 2002 Directive on Privacy and Electronic Communications (“e-Privacy Directive”) in conjunction with the April 27th, 2016 General Data Protection Regulation (“GDPR”).

In response to the complaints, the EDPB set up the so-called “Cookie Banner Taskforce” to support the legal analysis of the complaints, assist national data protection authorities and streamline communication about the pending complaints.

On January 17th, 2023, the EDPB released a report on the findings of the Task Force on online cookie violations. This report includes an overview of the most common practices in non-compliant cookie banners:

  • The absence of a button to reject cookies on the first “layer” of the cookie banner. In order to refuse in this type of banner, one must click through to the next layer. Most supervisory authorities consider it a violation when the ability to accept and the ability to reject are not found on the same layer;
  • Pre-checking boxes cannot count as active consent, yet this is often done in practice;
  • Some cookie banners hide links in their text;
    1. The refusal link is sometimes hidden in text inside the cookie banner itself with no clear distinction from the rest of the text;
    2. The refusal link is also sometimes placed outside the cookie banner, on the web page itself and hidden in such a way that it is not obvious that refusal can occur in that way;
  • The buttons to accept, reject or get additional information respectively, are present, but are distinguished from one another by differences in color or contrast such that the person involved could possibly be confused;
  • The website implements a cookie banner that in the first layer only asks for confirmation of reading. It is only on the second layer that the actual acceptance or refusal of the cookies can take place;
  • The option for refusal is split between the refusing of placement and use of cookies based on consent and the refusing of placement and use based on the legitimate interest of the data controller, which is frequently wrongly qualified;
  • Cookies are often misclassified as “essential”; and
  • A button to revoke consent is often difficult to find on the website and sometimes even completely absent.

The rules in the e-Privacy Directive and the GDPR, as well as the issues related to non-compliant cookie banners, boil down to a seemingly simple rule with respect to the use and placement of cookies, namely that the data subject must almost always consent to their placement.

Yet it appears that in practice this is not always observed (correctly).


Consent

The GDPR formulates in plain language which conditions a valid consent must adhere to in order for cookies to be placed on website visitors’ devices. The legal provision reads as follows:

Any freely given, specific, informed and unambiguous expression of will by which the data subject signifies, by means of a statement or an unambiguous active act, his or her consent to the processing of personal data relating to him or her.

This definition identifies four elements that, when all are met prior to the placement of cookies, lead to a full and valid consent:

  • Freely given consent can only exist when no adverse consequences are linked to a refusal. For example, it is not permissible to erect a so-called cookie wall and make access to a website dependent on the acceptance of cookies. Nor can a consent be free if it is not subsequently revocable at any time;
  • Specific consent requires that, for each processing operation that will take place on the basis of that consent, the data subject must have been able to give a specific consent that applies solely to that processing operation. Applied to cookies, it means that the data subject must be able to give a separate consent or refusal for at least each distinguishable category of cookies. In other words, it is not correct to obtain a general consent for the installation and use of “cookies” when at least a distinction can be made between “essential” and “non-essential” cookies in the set of cookies used on the website;
  • Informed consent means that the data subject is sufficiently informed about what consent is being sought for. The website owner should inform the data subject about the types of cookies used, what they are for, the different purposes for which they are used, by whom they are placed, and how long they will remain present. Only then can the data subject make an informed decision;
  • Unambiguous active consent can only be given by the data subject when there is an opportunity to take an active action. The typical example here is that the box to consent may not be checked in advance, but must be clicked on by the data subject in order for it to be considered a legally valid consent.

While the importance of consent is hard to overstate in the proper use of cookies, obtaining consent is not always necessary.

For example, no consent is required for:

  • Technical storage of information or access to information stored in a user’s terminal equipment for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • Cookies that are strictly necessary to provide a service expressly requested by the website visitor (e.g., cookies for temporarily storing the language choice, cookie preferences, or shopping cart contents).


Checklist for proper use of cookies

To further encourage businesses to properly use cookies, the GBA published a Cookie Checklist on October 20th, 2023. This checklist highlights the importance of capturing valid consent – prior to setting and using non-necessary cookies (and the resulting data).

The GBA also reminds website owners that, in addition to obtaining valid consent, they must comply with the following obligations:

  • Provide a mechanism by which the data subject may at any time revoke a given consent. Indeed, an essential component of free consent is that it can also be withdrawn without any repercussions and in a manner as simple as that in which it was initially granted.
  • Accountability of the website owner. The website owner should maintain the necessary documentation to demonstrate that the processing of personal data by means of cookies is in compliance with the applicable regulations (e.g., a limited cookie retention period for remembering cookie preferences of the website visitor, documenting how the consent mechanism was modified over time, etc.). In this context, the GBA recommends that cookie policies that are in place be dated, version numbered and previous versions retained.
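As an added illustration of how the rules above translate into code (this is example code written for this article, not code from the GBA, the EDPB or NOYB), the following JavaScript models a consent manager that covers the four consent elements, the strictly-necessary exemption, the Taskforce findings on banner design, and the two checklist obligations (withdrawal and accountability). The cookie registry, the category names, the policy version string and the layout shape accepted by `checkBanner` are this example's own assumptions; the site, vendor and cookie names in the registry are constructed sample data.

```javascript
// Added example for this article (not code from the GBA, EDPB or NOYB): a small
// consent model that applies the consent rules and the Taskforce findings in code.
// The registry, category names, policy version and the checkBanner layout shape
// are this example's own assumptions.

// Cookie inventory: the disclosure a visitor needs for informed consent
// (what each cookie is for, who sets it, how long it lives). Constructed sample data.
const COOKIE_REGISTRY = [
  { name: "session_id",   category: "essential",   purpose: "keeps the visitor logged in",              setBy: "this site",        lifetime: "session" },
  { name: "lang",         category: "essential",   purpose: "remembers the language choice",            setBy: "this site",        lifetime: "1 year" },
  { name: "cookie_prefs", category: "essential",   purpose: "remembers the visitor's consent choices",  setBy: "this site",        lifetime: "6 months" },
  { name: "_ga",          category: "analytics",   purpose: "audience measurement",                     setBy: "analytics vendor", lifetime: "2 years" },
  { name: "ad_id",        category: "advertising", purpose: "ad targeting",                             setBy: "ad network",       lifetime: "13 months" },
];

// Categories that need consent; "essential" (strictly necessary) is exempt.
const NON_ESSENTIAL = ["analytics", "advertising"];

class ConsentManager {
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion; // dated, versioned policy for accountability
    this.now = now;
    this.choices = {}; // category -> boolean; a missing key means "no choice yet", never "yes"
    this.log = [];     // append-only record of every decision and withdrawal
  }

  // First banner layer: every non-essential category starts unchecked.
  bannerState() {
    return NON_ESSENTIAL.map((category) => ({ category, checked: false }));
  }

  // Information shown per category so that the decision is an informed one.
  disclosure() {
    const out = {};
    for (const c of COOKIE_REGISTRY) (out[c.category] = out[c.category] || []).push(c);
    return out;
  }

  // Record explicit per-category decisions, e.g. { analytics: true, advertising: false }.
  record(decisions) {
    for (const [category, granted] of Object.entries(decisions)) {
      if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
      if (typeof granted !== "boolean") throw new Error("a decision must be an explicit boolean");
      this.choices[category] = granted;
      this.log.push({ at: this.now(), category, granted, policyVersion: this.policyVersion });
    }
  }

  acceptAll() { this.record(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))); }
  rejectAll() { this.record(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]))); }

  // Withdrawal is one call, as easy as granting, and is logged like any other decision.
  withdraw(category) { this.record({ [category]: false }); }

  // The gate every cookie write goes through.
  mayStore(cookieName) {
    const def = COOKIE_REGISTRY.find((c) => c.name === cookieName);
    if (!def) return false;                        // undocumented cookies are never set
    if (def.category === "essential") return true; // strictly necessary: no consent needed
    return this.choices[def.category] === true;    // silence or a dismissed banner is not consent
  }
}

// Checks a banner layout description against the Taskforce findings listed in the article.
// The layout shape ({ layers: [{ buttons, links, checkboxes }], withdrawalControl }) is assumed.
function checkBanner(layout) {
  const issues = [];
  const first = layout.layers[0];
  const accept = first.buttons.find((b) => b.action === "accept");
  const reject = first.buttons.find((b) => b.action === "reject");
  if (!accept || !reject) issues.push("accept and reject must both be buttons on the first layer");
  if (accept && reject && accept.style !== reject.style) issues.push("accept and reject must not differ in prominence");
  if (first.links.some((l) => l.action === "reject")) issues.push("refusal must not be hidden as a link in the banner text");
  if (first.checkboxes.some((c) => c.checked)) issues.push("no category may be pre-checked");
  if (!layout.withdrawalControl) issues.push("a control to withdraw consent must be available on the site");
  return issues;
}

// Usage: a visitor accepts analytics only, then withdraws it.
const cm = new ConsentManager("cookie-policy-2023-10-20-v1");
cm.record({ analytics: true, advertising: false });
console.log(cm.mayStore("_ga"), cm.mayStore("ad_id")); // true false
cm.withdraw("analytics");
console.log(cm.mayStore("_ga"), cm.log.length);        // false 3
```

The point of the design is that `mayStore` is the only way a cookie gets written, that the absence of a recorded choice is treated exactly like a refusal, and that every grant and withdrawal lands in a dated log tied to the policy version, which is the documentation the GBA expects a website owner to be able to produce.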

If you have any questions regarding cookies and their proper use on your website, please do not hesitate to contact our Privacy & Data Protection team.
