What is the current regulation of cookies (memorandum)?

Introduction

The ePrivacy Directive has been in force since 2002, with a major amendment in 2009. It deals with the regulation of cookies only marginally in its Art. 5(3): 

"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

Currently, this is the "EU cookie law". However, member states may have implemented this provision slightly differently into its domestic laws. In practice, controllers need to rely on the domestic cookie laws and not directly on the EU cookie law. Such is the nature of a directive. 

Following the adoption of the GDPR, a number of problematic issues started to arise concerning this provision. The three key issues in this context are:

1. Is a consent needed for analytics and marketing cookies used by Google Analytics and Facebook ?

2. Is it possible to use web browser settings to obtain a consent ?

3. Can any analytics be regarded as necessary to provide the information society service ?

In addition, anwsers to these questions may be changed by the new ePrivacy regulation, which the German Presidency of the EU Council will have a good chance to adpot in the first half of 2020. The ePrivacy regulation drafts elaborate on the idea of a consent exemption for “web audience measuring” or “audience measuring”. However, it is unclear whether and to what extent this exemption would also cover services in question. The first draft of ePrivacy Regulation also worked with provision for a specific settings of web browsers and similar programs through which the consent could be obtained.

What do European regulators say ?   

What does it mean?

It means that member states still have slightly different approaches to the interpretation of the "EU cookie law" and therefore it is still necessary to adapt to these different approaches depending on what domestic law is applicable to the use of cookies.

In Slovakia, we do not have any practice or opinions of the regulator, which is Regulatory Authority for Electronic Communications and Postal Services. Moreover, according to the explicit wording of Section 73 of the Electronic Communications Act for violation of Section 55 (5) (the cookie provision), there is no sanction available (even though according to ePrivacy Directive there should be).

However, in our opinion the Slovak Data Protection Authority may indirectly monitor and penalize non-compliance with the provision through the basic principles of personal data processing under GDPR, which should also apply if personal data are processed via cookies. However, this would be a very bold approach by the supervisory authority.

Of course, this does not mean that nothing needs to be done. First of all, it is necessary to become familiar with the issue and regulation of cookies and subsequently analyze (knowing the legal framework) how cookies and cookies-like technologies are used in practice. Only then the impact of ePrivacy regulation be addressed.

Cookies Memorandum

Based on the above, we have decided to prepare a detailed Cookies Memorandum for our clients in which we try to answer the following questions:

1. What are the cookies? 

2. What is the legal regulation of cookies?

3. Are cookies personal data?

4. What is the relationship between the ePrivacy Directive and GDPR?

5. What are the legal bases for cookie processing? 

6. When is consent required to use cookies?

7. When consent to use cookies is not required? 

8. What is an information society service?

9. Can setting of a web browser be considered as a consent under GDPR?

10. What are the so-called "cookie walls" and what is their legal regime?

11. How to fulfill the information obligation when processing cookies?

12. What sanctions are there for the illegal use of cookies? 

13. What changes can be brought by the ePrivacy Regulation?

14. How to prepare and move forward?

Our 23-pages memorandum also includes an executive summary of the answers to all the questions above. The memorandum is based on the legal status of August 31, 2019 and we plan to update it regulary as newer guidelines and ePrivacy Regulation arrive. We spent almost 60 hours preparing the memorandum, but since we offer it to all clients and the public, its price is symbolic.

If you are interested in receiving the memorandum, please let us know.