What is the current regulation of cookies (memorandum)?

blog4.jpg

Introduction

The ePrivacy Directive has been in force since 2002, with a major amendment in 2009. It deals with the regulation of cookies only marginally in its Art. 5(3): 

"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

Currently, this is the "EU cookie law". However, member states may have implemented this provision slightly differently into its domestic laws. In practice, controllers need to rely on the domestic cookie laws and not directly on the EU cookie law. Such is the nature of a directive. 

Following the adoption of the GDPR, a number of problematic issues started to arise concerning this provision. The three key issues in this context are:

  1. Is a consent needed for analytics and marketing cookies used by Google Analytics and Facebook ?

  2. Is it possible to use web browser settings to obtain a consent ?

  3. Can any analytics be regarded as necessary to provide the information society service ?

In addition, anwsers to these questions may be changed by the new ePrivacy regulation, which the German Presidency of the EU Council will have a good chance to adpot in the first half of 2020. The ePrivacy regulation drafts elaborate on the idea of a consent exemption for “web audience measuring” or “audience measuring”. However, it is unclear whether and to what extent this exemption would also cover services in question. The first draft of ePrivacy Regulation also worked with provision for a specific settings of web browsers and similar programs through which the consent could be obtained.

What do European regulators say ?   

 

ICO

CNIL

Board

Is a consent needed for analytics and marketing cookies used by Google Analytics and Facebook?

Yes, always

Mostly yes, but not always

Yes, always

Is it possible to use web browser settings to obtain a consent?

Not in the moment, yes in the future

Not possible at all

Not possible at all

Can any analytics be regarded as necessary to provide the information society service? 

No

Some (limited) analytics yes

No

What does it mean?

It means that member states still have slightly different approaches to the interpretation of the "EU cookie law" and therefore it is still necessary to adapt to these different approaches depending on what domestic law is applicable to the use of cookies.

In Slovakia, we do not have any practice or opinions of the regulator, which is Regulatory Authority for Electronic Communications and Postal Services. Moreover, according to the explicit wording of Section 73 of the Electronic Communications Act for violation of Section 55 (5) (the cookie provision), there is no sanction available (even though according to ePrivacy Directive there should be).

However, in our opinion the Slovak Data Protection Authority may indirectly monitor and penalize non-compliance with the provision through the basic principles of personal data processing under GDPR, which should also apply if personal data are processed via cookies. However, this would be a very bold approach by the supervisory authority.

Of course, this does not mean that nothing needs to be done. First of all, it is necessary to become familiar with the issue and regulation of cookies and subsequently analyze (knowing the legal framework) how cookies and cookies-like technologies are used in practice. Only then the impact of ePrivacy regulation be addressed.

Cookies Memorandum

Based on the above, we have decided to prepare a detailed Cookies Memorandum for our clients in which we try to answer the following questions:

  1. What are the cookies? 

  2. What is the legal regulation of cookies?

  3. Are cookies personal data?

  4. What is the relationship between the ePrivacy Directive and GDPR?

  5. What are the legal bases for cookie processing? 

  6. When is consent required to use cookies?

  7. When consent to use cookies is not required? 

  8. What is an information society service?

  9. Can setting of a web browser be considered as a consent under GDPR?

  10. What are the so-called "cookie walls" and what is their legal regime?

  11. How to fulfill the information obligation when processing cookies?

  12. What sanctions are there for the illegal use of cookies? 

  13. What changes can be brought by the ePrivacy Regulation?

  14. How to prepare and move forward?

Our 23-pages memorandum also includes an executive summary of the answers to all the questions above. The memorandum is based on the legal status of August 31, 2019 and we plan to update it regulary as newer guidelines and ePrivacy Regulation arrive. We spent almost 60 hours preparing the memorandum, but since we offer it to all clients and the public, its price is symbolic.

If you are interested in receiving the memorandum, please let us know.

Did you like this post?

jakub.png
Jakub Berthoty

Founding attorney

Jakub is the author implementer of the idea of a privacy & technology boutique law firm. In past, he... Show more

Contact us

Feel free to contact us

Contact us to get an offer for the service

Similar posts

  • tanner-boriack-jkuR9QteDGY-unsplash.jpg
    Controller's liability for hacker's attack according to the Court of Justice of the EU (part I.)

    Each of us can become victim to a hacker attack. However, the fulfillment of remediation, notification and documentation obligations under the GDPR doesn´t mean the end of the case itself. What usually follows is the establishment of liability. Although during this process, the courts will work with classic legal instruments, their application may get complicated by a still relatively new legal regulation for the courts - GDPR. In a series of blogs, we will follow Case C-340/21 before the CJEU, which may develop this area further.

  • abstract-1278061_1920.jpg
    US CLOUD Act vs. GDPR

    The United States adopted the so-called CLOUD Act in March 2019 with the term “CLOUD” actually (and ironically) referring to “Clarifying Lawful Overseas Use of Data.” The CLOUD Act represents amendment to United States Code to improve law enforcement access to data stored across borders, and for other purposes reflecting the latest case-law development in the United States (Microsoft case).

  • register.jpg
    Registre obsahujúce verejné dáta podľa GDPR

    Ako sa na registre, ktoré čerpajú dáta z verejných zdrojov a ponúkajú ich ďalej ako súčasť svojich služieb pozerá GDPR? Na čo si dať pozor pri výbere registra a za čo už registre dostali podľa GDPR pokutu vo výške 220 tisíc EUR?