September 15, 2019

September 13, 2019


New Developments in EU for Cookies and Online Tracking

July was a busy month for the regulation of cookies and online tracking technologies in the EU. First, the UK Information Commissioner’s Office (ICO) published lengthy guidance on cookies that, among other topics, addresses in detail the relationship between the GDPR and the Privacy and Electronic Communications Regulations (PECR), the UK’s implementation of the E-Privacy Directive (2002/58/EC). A couple of weeks later, France’s supervisory authority, the CNIL, published its updated cookie guidance. Then, in an unrelated development, the Court of Justice of the European Union (CJEU) delivered its judgment in Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (C-40/17), which addressed data protection responsibility for social media widgets. 

We recommend using these recent developments as an opportunity to reassess how websites and online services use cookies and other tracking technologies. In particular, we recommend you review your existing privacy policy, cookie notice and consent practices, and determine whether any updates need to be made. 

In this article, we summarize our key takeaways from July’s cookie law developments: 

  • Don’t forget about other tracking technologies and IoT devices.

Both the ICO and the CNIL clarify that the E-Privacy Directive applies not only to cookies but to any technique that reads from or writes to “terminal equipment” (i.e., the user’s device). That includes device fingerprinting, the practice of identifying a device from a combination of attributes it exposes (e.g., operating system, browser, installed fonts, clock information), which may involve no cookie at all.

The E-Privacy Directive also extends beyond traditional computers and browsers to devices such as wearables and smart televisions. Unfortunately, neither the ICO nor CNIL provides practical recommendations for how to obtain informed consent on those devices.

  • Perform (regular) audits of cookie practices.

This has been a recommended practice for a long time, but the ICO specifically recommends performing a cookie audit, both at the outset of the online service and periodically over time to account for changes. A cookie audit is not only an opportunity to identify various cookies and tracking technologies on an online service to update notices and consents, but also an opportunity for clean-up. It is not uncommon to discover cookies during a review of a website that are no longer being used, but are remnants of legacy code.

  • Determine whether an exemption to consent applies. 

The E-Privacy Directive provides an exemption from the consent requirements for cookies that are “strictly necessary” to perform a service requested by the user. One area of disagreement between the ICO and the CNIL is whether this exemption applies to analytics cookies, i.e., cookies used for audience measurement. 

The ICO takes the position that analytics cookies are not “strictly necessary,” and therefore require consent. As almost every online service uses analytics cookies, the ICO’s position would require most online services (if operating within the territorial scope of the PECR) to comply with cookie consent requirements. Fortunately, the ICO states that it does not consider analytics cookies a high priority for enforcement action, if such cookies have a low privacy risk as implemented. 

In contrast, the CNIL takes the view that analytics cookies can fall within the “strictly necessary” exemption if all of the following conditions are met: (1) the cookie is set by the publisher of the site or its processor; (2) users are informed of the cookie; (3) an opt-out mechanism is available; (4) the cookie is used only to produce statistics or other aggregated data, and then only for limited purposes (e.g., evaluating the effectiveness of published content); (5) any geolocation derived from an IP address is no more precise than the city level; and (6) the cookie expires within 13 months and the resulting analytics data is retained for no more than 25 months. Where these requirements are met, the CNIL concludes that an online service does not need consent for its analytics cookies.
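The audit recommended above and the CNIL’s 13-month lifetime condition are both checks an engineer can script. The following is an added example, not code from the original article or from either regulator: it takes Set-Cookie headers captured from a site’s responses (as a proxy or the browser’s developer tools would record them), classifies each cookie as first- or third-party, computes its lifetime, and flags any that would outlive the 13-month cap. The site host, capture time, registrable-domain heuristic and sample headers are all constructed assumptions for illustration.

```javascript
// Added example, not code from the original article or the regulators' guidance.
// Cookie-audit helper over captured Set-Cookie headers. Everything below the
// comment banner that names a host, a date or a header is constructed input.

const SITE_HOST = "www.example.com";                   // assumed: host of the audited site
const CAPTURED_AT = new Date("2019-09-01T00:00:00Z");  // assumed: when the headers were captured
const CNIL_MAX_MONTHS = 13;

// Registrable domain approximated as the last two DNS labels (an assumption;
// a real audit should use the Public Suffix List to handle e.g. "co.uk").
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header into its name and the attributes the audit needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: null, maxAge: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = parseInt(val, 10);
    else if (key === "expires") cookie.expires = new Date(val);
  }
  return cookie;
}

// RFC 6265: Max-Age takes precedence over Expires; neither means a session cookie.
function expiryOf(cookie, now) {
  if (cookie.maxAge !== null) return new Date(now.getTime() + cookie.maxAge * 1000);
  if (cookie.expires) return cookie.expires;
  return null;
}

function auditCookie(entry, now = CAPTURED_AT) {
  const cookie = parseSetCookie(entry.setCookie);
  const setBy = new URL(entry.url).host;
  const scope = cookie.domain || setBy;          // Domain attribute, else the responding host
  const expiry = expiryOf(cookie, now);
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + CNIL_MAX_MONTHS);
  return {
    name: cookie.name,
    setBy,
    thirdParty: siteOf(scope) !== siteOf(SITE_HOST),
    session: expiry === null,
    lifetimeDays: expiry === null ? 0 : Math.round((expiry - now) / 86400000),
    exceeds13Months: expiry !== null && expiry > limit,
  };
}

// Constructed capture: a session cookie, a two-year analytics cookie, a social
// widget's cookie from another domain, and a 30-day cookie left by old code.
const CAPTURE = [
  { url: "https://www.example.com/", setCookie: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { url: "https://www.example.com/", setCookie: "_stats=u1; Max-Age=63072000; Path=/; Secure" },
  { url: "https://widgets.social.example/like", setCookie: "tracker=42; Domain=.social.example; Expires=Wed, 01 Sep 2021 00:00:00 GMT" },
  { url: "https://www.example.com/", setCookie: "legacy_ab=1; Max-Age=2592000; Path=/" },
];

function runAudit(capture = CAPTURE) {
  return capture.map((entry) => auditCookie(entry));
}

// The two lists a reviewer acts on: third parties that must be named in the
// notice, and cookies that outlive the CNIL cap and so need consent or a shorter life.
function findings(report = runAudit()) {
  return {
    thirdParty: report.filter((r) => r.thirdParty).map((r) => r.name),
    overLimit: report.filter((r) => r.exceeds13Months).map((r) => r.name),
  };
}

console.table(runAudit());
console.log(findings());
```

Run it with Node. The report is only as complete as the capture: crawl every page template and logged-in state, because a widget loaded on one page alone will set its cookie only there, and re-run it after each release, since the orphaned `legacy_ab` cookie above is the kind of remnant that appears between audits.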

  • Develop clear and comprehensive notices

Both the ICO and CNIL emphasize the importance of providing individuals with notice of cookie practices. This is important not only to meet the “informed” consent requirement, where applicable, but also for transparency under the GDPR. Based on the recent guidance, here are a few tips for notice:

  • Make the cookie notice readily available. The ICO recommends linking the notice from the cookie consent mechanism and providing a link at the top or bottom of the website. In each case, the text of the link should be more descriptive and informative than “Privacy Policy.”

  • Include information on the purposes and duration of cookies.

  • Avoid lengthy, technical details in a cookie notice. According to the ICO, it is often better to provide useful information on the purposes of processing categories of cookies than to provide a long list of individual cookie names with limited context.

  • If using third-party cookies (i.e., cookies that originate from a third-party domain, such as a social media site), the cookie notice should specifically name the third party. The ICO recommends also including information on how the user can learn more about the third-party platform’s cookies (e.g., linking to the third party’s privacy or cookie notice).

  • Obtain specific, freely given and informed consent.

Consent is the most visible, and in many cases, challenging requirement for online service operators. Based on the recent guidance, here are some tips for consent:

  • Obtain consent for cookies before setting them.

  • Implement a user-friendly consent mechanism that fits your online service’s user interface. Both the ICO and the CNIL advise against relying on browser settings for consent, although the ICO leaves open the possibility that this could change with future developments in browser technology.

  • Cover third party cookies, as well as cookies set by your online service.

  • The consent mechanism should offer users the opportunity to demonstrate assent in an unambiguous manner. The failure by a user to engage with a consent mechanism should not be considered consent when the user navigates to other parts of the online service.

  • Do not rely on general terms and conditions as a basis for consent. CNIL emphasizes that users must have an opportunity to consent to each purpose, which suggests offering users granular choices through a cookie settings menu.

  • Avoid “nudge” behavior that pushes individuals to accept cookies. As an example of what to avoid, the ICO’s guidance illustrates a consent banner with a large accept button but only a small link to decline cookies.

  • Do not make consent a condition of access to a site: a “cookie wall” that blocks entry until the user accepts cookies does not produce freely given consent.

  • Cookies should not be pre-enabled. For example, if providing users with the opportunity to enable or disable certain cookies, the default option should be to disable cookies.
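The consent tips above translate into a small amount of front-end logic. The following is an added example, not code from the original article or from either regulator, of a consent gate that applies them: every non-essential purpose starts denied, nothing for that purpose runs until the user actively opts in, choices are granular per purpose, the decision is recorded with a timestamp so it can be demonstrated later, and withdrawal takes the same path as consent. The purpose names, storage key, fixed clock and simulated loaders are assumptions; in a browser `storage` would be `window.localStorage` and the gated callbacks would inject the analytics tag or the social widget’s script.

```javascript
// Added example, not code from the original article or any regulator's guidance.
// Consent gate for non-essential cookies and third-party widgets.

const PURPOSES = ["analytics", "advertising", "social"];   // assumed non-essential purposes
const STORAGE_KEY = "cookie_consent_v1";                    // assumed storage key

class ConsentManager {
  // `storage` is anything with getItem/setItem (window.localStorage in a browser);
  // `now` is injectable so the record's timestamp is deterministic in tests.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
    this.pending = new Map();           // purpose -> callbacks waiting for consent
    this.record = this.load();
  }

  load() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }   // corrupt record == no decision
  }

  hasDecided() { return this.record !== null; }

  // No record, or no explicit `true` for this purpose, means "not allowed".
  // Silence, scrolling on, or a pre-ticked box never counts as consent.
  isAllowed(purpose) {
    return Boolean(this.record && this.record.choices[purpose] === true);
  }

  // Record an explicit per-purpose choice. Purposes not mentioned are denied,
  // so the only way to enable something is to name it.
  decide(choices) {
    const normalized = {};
    for (const p of PURPOSES) normalized[p] = choices[p] === true;
    this.record = { choices: normalized, decidedAt: this.now() };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.record));
    for (const p of PURPOSES) if (normalized[p]) this.flush(p);
  }

  acceptAll() {
    const all = {};
    for (const p of PURPOSES) all[p] = true;
    this.decide(all);
  }
  rejectAll() { this.decide({}); }     // withdrawal is one call, same as acceptance

  // Run `fn` now if the purpose is allowed, otherwise queue it until it is.
  // Returns whether it ran immediately.
  gate(purpose, fn) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.isAllowed(purpose)) { fn(); return true; }
    const queue = this.pending.get(purpose) || [];
    queue.push(fn);
    this.pending.set(purpose, queue);
    return false;
  }

  flush(purpose) {
    const queue = this.pending.get(purpose) || [];
    this.pending.delete(purpose);
    for (const fn of queue) fn();
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// Simulate one page load: the strictly necessary session cookie is set
// unconditionally, everything else is gated. `userAction`, if given, stands in
// for what the visitor does with the banner. Returns what actually loaded.
function simulateVisit(storage, userAction = null) {
  const loaded = [];
  const consent = new ConsentManager(storage, () => 1567296000000);   // fixed clock (assumed)
  loaded.push("session-cookie");                                      // strictly necessary, no consent needed
  consent.gate("analytics", () => loaded.push("analytics-tag"));
  consent.gate("social", () => loaded.push("like-button-widget"));    // third-party widget stays out until consent
  consent.gate("advertising", () => loaded.push("ad-pixel"));
  if (userAction) userAction(consent);
  return {
    loaded,
    decided: consent.hasDecided(),
    allowed: PURPOSES.filter((p) => consent.isAllowed(p)),
  };
}

// Scenario: banner ignored; analytics only; return visit honouring the stored
// choice; withdrawal mid-visit; the visit after withdrawal.
const storage = new MemoryStorage();
console.log(simulateVisit(storage));                                        // only the session cookie
console.log(simulateVisit(storage, (c) => c.decide({ analytics: true })));  // analytics tag runs after the click
console.log(simulateVisit(storage));                                        // analytics runs at once, nothing else
console.log(simulateVisit(storage, (c) => c.rejectAll()));                  // tag already ran this load; choice cleared
console.log(simulateVisit(storage));                                        // back to the session cookie only
```

Two design points are worth noting. First, withdrawal is recorded immediately but a tag that already ran on the current page load is not unloaded by this gate; stopping it mid-session needs the vendor’s own opt-out call, which is one reason to keep the gate the single place where third-party scripts are injected. Second, the stored record carries the exact choices and a timestamp, which is what the ICO and the CNIL expect an operator to be able to produce when asked to demonstrate that consent was validly obtained.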

  • Analyze obligations under both the GDPR and the E-Privacy Directive.

It is possible that the E-Privacy Directive applies, but the GDPR does not apply, and vice versa. For example, the E-Privacy Directive requires consent for cookies even if such cookies do not involve the processing of personal data. Similarly, because the E-Privacy Directive and GDPR have different material and territorial scopes and exemptions, it is possible the GDPR may apply to certain cookies, where the E-Privacy Directive does not.

With that being said, in many cases, the E-Privacy Directive and GDPR will overlap. Typically, the use of cookies will also involve the processing of personal data. Where both the E-Privacy Directive and GDPR apply, the question becomes—what steps must you take to comply with both?

The first step is to analyze whether your cookies are subject to the E-Privacy Directive consent requirements or whether an exemption applies. Separately, your obligations under the GDPR will depend on your role: controller, joint controller, or processor.

In Fashion ID, the CJEU reviewed the responsibilities of the parties with respect to a social media widget (e.g., a “like button” hosted by a third-party social platform). A social media widget allows the social media platform to track individuals across websites and over time through a third-party cookie. This tracking cookie can work even when the user is not currently logged into the platform. The CJEU concluded that the website operator is a joint controller with the social media platform for purposes of the collection of personal data and the transfer to the social media platform. However, the social platform is solely responsible for how it processes the tracking information thereafter, assuming no other involvement by the website operator.

If acting as a controller, you are responsible for establishing a basis for processing. The GDPR offers six potential legal bases for processing. However, the ICO emphasizes that, where consent is required under the E-Privacy Directive, consent is also required under the GDPR.

  • Address responsibilities for compliance with third parties.

Websites and other online services frequently integrate third-party widgets (including the social media widgets discussed in Fashion ID) to enhance the function of their service and to provide users with opportunities to share content on other platforms. If these widgets include third-party cookies, the agreement between the online service operator and the widget provider should address the parties’ respective responsibilities for compliance. 

The ICO takes this issue a step further and takes the position that widget providers “may need to take further steps [beyond entering into an agreement], such as ensuring that the consents were validly obtained.” Similarly, CNIL points out that a controller must be able to demonstrate that consent has been validly obtained, beyond pointing to a contractual obligation of the other party. As both parties may be held jointly responsible, we recommend that both parties periodically review compliance and cooperate with each other as necessary to ensure any consent requirements are met.

Unless, and until, the E-Privacy Regulation comes into effect, the cookie requirements in the E-Privacy Directive remain as relevant as ever. The overlap with the GDPR adds more teeth to the cookie consent requirements, as a supervisory authority may investigate a cookie-consent issue as a violation of the GDPR (e.g., transparency, lawful basis for processing) instead of a violation of the PECR or an EU Member State’s implementation of E-Privacy Directive. The recent activity from the ICO, CNIL and CJEU shows the use of cookies and similar tracking technologies remain an important consideration for data protection enforcement. 

© Polsinelli PC, Polsinelli LLP in California

About this Author

Shareholder

Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters.  Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing.  She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

Steven Hengeli, Polsinelli Law Firm, Kansas City, Data Privacy Attorney
Associate

With a background in computer programming, Steven Hengeli takes a problem-solving approach to privacy, data security, and technology transactions. He aims to provide practical legal advice, taking into consideration not only the legal risks involved, but the business impact. Steve uses his technology background to assist clients in the software, Internet-of-Things, and medical device industries build privacy and security into their products. 
