Website Compliance: How to Lawfully Use Cookies

  • Author: Niklas Drexler
  • Last updated: 25.07.2019
  • Category: Cookies

Whilst debates among EU institutions and lobby groups on a revision of cookie regulations continue, the data protection supervisory authorities in Europe carry on with interpreting and enforcing the existing regulations by taking a stand on how to lawfully use cookies. After the German supervisory authorities issued guidance in March, the British Information Commissioner’s Office (ICO) followed in July. We have summed up for you the current state of the discussion.

ePrivacy or GDPR – Which Law Applies?

Since 2002, the EU Data Protection Directive, which governed the processing of personal data irrespective of the technical environment, and the EU ePrivacy Directive, which sets up specific requirements in the context of the internet, applied concurrently to the use of cookies. Both Directives had to be transposed into national law by the EU member states.

When the European Union adopted the General Data Protection Regulation (“GDPR”) in 2016, the question arose of which rules would prevail: the GDPR itself, which is directly applicable in all EU member states and generally overrides deviating national law, or the subsisting national provisions on ePrivacy? Luckily, the GDPR provides an answer itself: it does not impose additional obligations where specific obligations with the same objective stemming from the ePrivacy Directive apply. Hence, wherever national provisions on ePrivacy allow cookie use, that legal basis may apply instead of the GDPR.

ePrivacy: Consent Requirement for Cookie Use

What are the requirements for cookie use under the ePrivacy Directive? According to its Art. 5 (3), the storing of information, or the gaining of access to information already stored, in the user's device is only allowed on condition that the user has given his or her consent. For the requirements of valid consent, the Directive referred to the Data Protection Directive, which must now be read as a reference to the GDPR, leading to higher requirements than in the pre-GDPR era.

An exception to the consent requirement applies where cookies are strictly necessary for the provider of an information society service explicitly requested by the user to provide that service. Thus, the cookie must be technically necessary for the functioning of the website. This may, for example, include cookies for the shopping basket and checkout process in an online shop.

Irrespective of whether GDPR or ePrivacy rules apply, and of whether consent is required: in any case, online service providers must provide their users with general information regarding the use of cookies and the processing of personal data, usually set out in the website’s privacy policy.

How to Obtain Valid Consent for Cookie Use

As consent is required for most cookies, the decisive question is how to obtain it in compliance with the GDPR. The following paragraphs briefly outline the instructions provided by the German supervisory authorities:

  • At the time of first access to the website, a cookie banner appears, providing an overview of the different cookies being used, the purposes of the collection of personal data and, if applicable, third parties involved.
  • Any functionalities that collect personal data are disabled until the user activates the respective cookies by actively clicking on a button that is not pre-ticked. It is important that the user can separately activate cookies for each functionality or purpose.
  • For purposes of documentation, it is not necessary to store information on the user’s identity. Website providers may place a cookie on the user’s device that contains information on which cookies the user consented to.
  • After the cookie banner has been dismissed, it must be possible to reopen it and adjust the settings, i.e. to easily withdraw the given consent by opting out later.

The ICO, which is the data protection supervisory authority in the United Kingdom, also recently issued guidance on cookie use. The findings seem to entirely confirm the German authorities’ opinion. Additional takeaways include:

  • Conditioning access to a website on consent by means of “cookie walls” that prevent the content from being displayed until the user has consented is unlawful. Access to specific services may, however, be conditioned on the user’s consent to certain cookies.
  • If a website sets third party cookies, the companies responsible for those cookies must be specifically named when providing the necessary information to data subjects.
  • Website operators should ask their users to re-consent after a certain period of time. However, the ICO does not provide further information on how to determine the intervals.
  • The ICO provides an online tool that lets you find out, by filling in a questionnaire, whether consent is required for the cookies you use.
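As an added example that is not part of the original article or of either authority's guidance, the following JavaScript models the consent record described in the two lists above: per-purpose choices that default to off (nothing pre-ticked), a cookie value that stores only the choices and the decision time (no identity), a withdrawal path, and an age check for the ICO's re-consent recommendation. The purpose names, the `cookie_consent` cookie name and the 365-day interval are assumptions made for this example.

```javascript
// Added example (not from the article): a minimal per-purpose consent record.
// Purpose names, the cookie name and RECONSENT_DAYS are assumptions; the ICO
// recommends periodic re-consent but names no interval.
const COOKIE_NAME = "cookie_consent";
const PURPOSES = ["analytics", "marketing", "external_media"];
const RECONSENT_DAYS = 365;

// Default state: only strictly necessary cookies run; every purpose starts off.
function defaultConsent(now = Date.now()) {
  const choices = {};
  for (const p of PURPOSES) choices[p] = false; // not pre-ticked
  return { choices, decidedAt: now };
}

// Record one explicit per-purpose decision (grant or withdraw). Returns a copy.
function setChoice(consent, purpose, granted, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
  return { choices: { ...consent.choices, [purpose]: granted }, decidedAt: now };
}

// Serialize only choices and decision time: no user identity is stored.
function toCookieValue(consent) {
  return encodeURIComponent(JSON.stringify(consent));
}

// Parse the stored record; anything malformed or tampered falls back to
// "no valid consent", which means the banner is shown again.
function fromCookieValue(value) {
  try {
    const parsed = JSON.parse(decodeURIComponent(value));
    if (typeof parsed.decidedAt !== "number" || typeof parsed.choices !== "object") throw 0;
    const consent = defaultConsent(parsed.decidedAt);
    for (const p of PURPOSES) consent.choices[p] = parsed.choices[p] === true;
    return consent;
  } catch {
    return null;
  }
}

// The banner must appear when no valid record exists or when it has aged out.
function needsBanner(consent, now = Date.now()) {
  if (!consent) return true;
  return now - consent.decidedAt > RECONSENT_DAYS * 86400 * 1000;
}

// Gate for non-essential scripts: load only after an explicit opt-in.
function mayLoad(consent, purpose) {
  return Boolean(consent && consent.choices[purpose] === true);
}
```

In a page, `mayLoad` would guard each third-party script tag and `needsBanner` would decide whether to render the banner on load; the record itself would be written with `document.cookie = COOKIE_NAME + "=" + toCookieValue(consent) + "; Secure; SameSite=Lax"`.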

Is opt-in consent also required in Germany?

Until the GDPR came into force, service providers in Germany were able to justify the use of marketing cookies by a specific provision that allows the creation of usage profiles on a pseudonymous basis, such as an IP address shortened by its last digits. The German government as well as, reportedly, the European Commission assumed that this was in line with the ePrivacy standards.

Now, the German data protection supervisory authorities have raised concerns regarding this interpretation. According to a recently published guideline, they take the view that these provisions no longer apply, as they fall below the standards of the ePrivacy Directive. Since the ePrivacy Directive does not directly apply to service providers where its provisions were not properly transposed into national law, there is no law in force that would prevail over the GDPR. Consequently, they suggest assessing the compliance of cookie use against the GDPR instead.

Applicability of the GDPR presupposes that personal data are being processed. As this means not only information on an identified person, e.g. in connection with an individual’s name, but also on identifiable persons, processing personal data may include the collection of online identifiers such as IP addresses, cookie identifiers, MAC addresses, advertising IDs, pixel tags and device fingerprints. Profiling of individuals will also trigger applicability of the GDPR, as the possibly unique combination of personal preferences may be linked to an individual person.

Regarding the relevant legal basis, the authorities emphasize that data processing based on legitimate interests requires in-depth legal review. The outcome is likely to mirror the approach of the ePrivacy Directive: a general consent requirement, with exceptions where cookies are technically necessary. As an example, the authorities argue that using web beacons in an online shop in order to retarget customers for advertising purposes in a social network requires consent.
