PART 1 - New Guidance on Data Privacy: Cracking Down on Cookies?

While we await the final draft of the new e-Privacy Regulation which will yet again tighten the rules on data privacy in an online context.

The new e-Privacy Regulation has not been without its own controversies, and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has recently issued new guidance on the use of website cookies.

In this first part of our 3-part article, we look at what cookies are and what the latest guidance from the Dutch Data Protection Authority states.

In the second part of this 3-part article, we look at what’s next and provide our tips and tricks for compliance. In the third part, we share latest guidance on cookies from the Court of Justice of the European Union.

So, what is a cookie, what are the rules, and what can you do to ensure compliance?

Cookies are small text files that can be collected by websites from someone’s browser. They allow the people accessing websites to perform functions more easily and efficiently, and they allow the owners of the websites to track their users either to further improve the performance of the website or use the information for marketing purposes. There are different categories of cookies. 

  • First party cookies are used by the website being accessed when a visitor is actively using it. The ICO has published guidance explaining that if these cookies are essential for the working of your site they can be exempt from EU cookie law, when their crucial functions perform actions such as remembering what items were in your shopping basket or ensuring security for online payments.

  • Third party cookies are set and collected by other entities, such as advertisers using the websites for web analytics. 

  • Session cookies are stored in a browsers memory until it is closed down and are used for site functions such as loading the web page quickly. 

  • Persistent cookies are set up with an expiration date and stay in your browser’s history until this end date, used to keep you logged in and to track web analytics.

  • Secure/HTTP cookies are only ever transferred over “https” sites in order to keep data encrypted and secure, used to prevent malicious cross-site-scripting attacks.  

Generally speaking, all cookies are subject to the EU data privacy rules!

What are the rules on cookies?

Before the passing of the General Data Protection Regulation (EU 2016/679, GDPR), the use of cookies was governed by the ePrivacy Directive passed in 2002 and amended in 2009. This continues to apply regardless of whether personal data is involved or not, and the GDPR applies only to personal data, so there is some overlap. 

The current EU rules set out that you have to ask a user for their permission before using cookies, which is normally done with a pop-up when users access a website, advising cookies will be used and allowing users to select “no” if they don’t want their data to be tracked.

This applies both for website owners located in the EU, and websites outside the EU which are targeted at individuals within the EU. Consent given must be freely given, specific and informed. It must involve some sort of unambiguous action and website owners must ensure that users understand cookies and are able to reject to their use. 

What’s new?

The Dutch data protection authority, AP, has recently passed guidance on so-called “cookie walls”.

Cookie walls essentially demand that a visitor agrees to internet browsing being tracked, by blocking access to the site unless they accept the use of cookies.

The AP published clear guidance after it received complaints from users who had been unable to access sites when they had rejected tracking cookies, ruling that using ad-targeting as the “price” for entry to a website is not compliant with the GDPR. 

Following so many complaints, the AP has promised to step up monitoring and has written to the most complained about authorities.

The guidance conforms to the GDPR’s rules requiring consent that is clear and unambiguous; internet visitors must be asked in advance for any tracking software, and permission is not “free” if there is no real choice. 

Whilst such guidance comes from the Netherlands, it is important to note that a key part of the roles of the data protection supervisory authorities across Europe is to collaborate and knowledge-share across the Member States so as to ensure a harmonized and uniform approach across the EU, so guidance from the AP is likely to be highly regarded by other national authorities, such as the ICO or the CNIL.

Check out Part 2 of this 3-part article for an overview of what is next, and our tips and tricks for compliance.

For any specific advice on the cookies that your website is using, or any advice on any other legal matters, please don’t hesitate to get in touch!

Author: Lily Morrison, Legal Consultant @ Gerrish Legal, June 2019.