
Luxembourg: Overview of cookies guidelines

The National Commission for Data Protection ('CNPD') published, on 26 October 2021, guidelines on cookies and other trackers ('the Guidelines'), which are intended to help operators of websites or apps to comply with the currently applicable rules on this matter. This insight breaks down some of the key points from the Guidelines, including a range of different scenarios where consent may or may not be necessary. 


Definitions

The Guidelines describe cookies as small text files in an alphanumeric format which are placed on a user's terminal equipment, by the server of the online service used or by a third-party server. The Guidelines differentiate between cookies that are not privacy-intrusive in their purposes (e.g. for remembering language preferences) and those which are (e.g. tracking internet browsing behaviour for targeted advertising).

The Guidelines also address technologies known as 'trackers', which are used for tracking and profiling purposes in particular. It is noted that, to the extent that such technologies involve reading information on a user's terminal equipment, the same legal regime is applicable as is for cookies.

Legal background

The Guidelines continue by setting out the legal framework which applies to cookies and other technologies, noting the importance of Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), as transposed into national law by Act of 30 May 2005 Laying Down Specific Provisions for the Protection of Persons with regard to the Processing of Personal Data in the Electronic Communications Sector and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure, as amended ('the Act'), which sets out that 'essential' cookies do not require user consent to be provided. Conversely, the Act provides that prior user consent will be required for the use of 'non-essential' cookies.

In regards to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the Guidelines note that while this law does not directly regulate cookies, the conditions it provides for valid consent have implications for the requirements of the Act. The Guidelines specify that references to consent should be read in line with Articles 4(11) and 7 of the GDPR. With regards to the latter, the Guidelines add that the judgment of the Court of Justice of the European Union ('CJEU') in Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH (C-673/17) ('the Planet 49 Case') confirms that the GDPR standard of consent should be required for the consent required by the ePrivacy Directive for cookies. The Planet 49 Case also confirms that consent is not validly given when users must uncheck a pre-checked box in order to express refusal, as well as highlighting the relevance of Article 13 of the GDPR as to what information must be provided to users before collecting their consent.

However, the Guidelines stress that the legal framework as described applies merely to the use of cookie technologies in themselves and that, if personal data is collected as a result, then the GDPR as a whole must be observed (e.g. the need for a legal basis as per Article 6 and the need to supply information as per Articles 12 to 14).

Applicable principles and practices

In the above context, the Guidelines go on to specify how this legal framework applies to cookies, making a key distinction between essential and non-essential cookies.

Essential cookies

The Guidelines refer to essential cookies as those covered by Article 4(3)(e) of the Act; that is, those which aim exclusively to facilitate the transmission of a communication over an electronic communications network, or which are strictly necessary for the provision of an information society service explicitly requested by the subscriber or user. As noted above, these do not require consent. Furthermore, the Guidelines go on to give practical examples of cookies with purposes that will fall under this definition and whether they will need consent:

| Purpose of the cookie | Obligation to obtain consent? |
| --- | --- |
| Cookies recording user choice | No. |
| User authentication | No, if this cookie is only used for this purpose (in many cases, however, it will not be). |
| Saving shopping cart contents | No. |
| Saving contact details | No. |
| Streaming content | No, so long as the user has clearly indicated his desire to access such content. |
| Service customisation (e.g. saving language or display settings) | No (note that personalised advertising will not fall under this category). |
| Security | No, if the cookie is used only for this purpose and exclusively for the website/app publisher. |
| Statistics | Yes, subject to the conditions specified below. |

With regard to cookies used for statistical purposes, the CNPD considers that analytical cookies (those used to measure a website's audience) do not pose significant privacy risks when they are placed directly by the website being visited rather than by a third party and visitors are clearly informed of their use; nevertheless, consent is still necessary in this scenario. The requirement for consent may, however, be exempted when analytical cookies are necessary for the provision of the service (e.g. for evaluating server capabilities), provided that such cookies:

  • are not passed on to third parties or cross-referenced with other data;
  • are not used to monitor individuals across multiple apps or websites; and
  • are collected for the exclusive use of the site operator and are used solely to produce anonymous statistics.

In order to ensure transparency, the Guidelines recommend that operators inform users when cookies are essential (e.g. through a cookie banner). When such cookies involve the processing of personal data, it is recommended that information is provided as per Article 13 of the GDPR, for example in a privacy or cookie policy.

Moreover, the Guidelines differentiate between essential cookies which do and do not involve personal data processing. It is noted that even when no personal data is processed, it is still good practice to explain to the user what a cookie is and the purposes for which it is used.

Non-essential cookies

The Guidelines state that cookies that do not fit the definition of essential cookies above will require GDPR-compliant consent, including cookies used for tracking, profiling, targeting, and geolocation purposes, as well as 'social plugins' (for example links to social networks), where such plugins are linked to the use of cookies. The Guidelines remind operators that such consent must be prior, meaning that non-essential cookies cannot be placed before valid consent is obtained.

Per the Guidelines, informed consent is required for non-essential cookies, with information that meets the standards of Articles 12 and 13 of the GDPR. It is recommended that this information is provided at two levels, that is:

  • A first level of information, which is generally provided via a cookie banner or in a 'pop-up' window (containing a link to the second level of information), which is generally where the user's decision whether to consent is collected. The CNPD opines that this first level should allow users to understand that cookies are being used by the website/app, who is responsible for the cookies, how they can accept/refuse, the possibility to withdraw consent, and the consequences of refusal.
  • A second level of information, which is a 'cookie policy' or a section on cookies within a general privacy policy. This should provide further explanations about cookies and meet the requirements in Articles 12 and 13 of the GDPR, documenting:
    • technical information on the cookies used and a detailed description of their purposes;
    • a precise and exhaustive list of those responsible for the cookies;
    • categories of data collected;
    • the recipients who have access to cookies or to the data collected through them;
    • operating time of the cookies used and the retention period of the data collected;
    • any data transfers made of the data collected; and
    • the existence of automated decision making based on the data collected.

The Guidelines note that information required by Article 13 of the GDPR not specifically related to the use of cookies may be contained in the more general privacy policy, which should be referred to in the cookie policy.

Furthermore, there is a requirement for free consent, meaning that a user cannot be required to provide consent to non-essential cookies as a precondition for accessing a website. The Guidelines continue by recommending that data controllers should avoid the use of misleading practices which may contravene the requirement for free, informed, and unambiguous consent.

The Guidelines state the need for consent to be unambiguous, giving some practical examples of when this will or will not be met. For example, checking a box or activating a button by sliding will be acceptable in this regard. Conversely, situations that will not be sufficient include continued browsing of a website or use of an app, not unchecking a pre-checked box, not exercising a choice after consent is requested, or the fact that the user's terminal equipment is configured to accept cookies. As regards specific consent, the Guidelines remind operators that if non-essential cookies are used to pursue different purposes, the user must be able to give or withhold consent separately for each of these purposes.

Moreover, the Guidelines remind operators that consent should be just as easy to withdraw or refuse as it is to provide. For example, if a user logs back in after previously giving consent, it must be easy for them to access the same interface via which they initially provided consent (e.g. through a clear link at the bottom of each page). In addition, users should not have to go through more effort to refuse consent than to provide it (e.g. several operations/clicks), as this contravenes the requirement for consent to be freely given.

Regarding the duration of valid consent, although this is not specified in the GDPR, the Guidelines recommend that this does not exceed 12 months, after which it will be necessary to request renewed consent. Otherwise, it is recommended that consent is not requested unless there is a significant modification in terms of the data processing (e.g. change of advertising partner, change of categories of data collected, etc.).

The Guidelines note the requirement in Article 7(1) of the GDPR that data controllers must be able to prove they have validly collected user consent; in relation to non-essential cookies, this may be evidenced by storing information about the session in which the specific person gave their consent. It must also be possible to prove that consent was obtained validly, for example through audits of the consent collection mechanisms carried out by third parties authorised for this purpose.
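As an added illustration (not code from the Guidelines, the CNPD, or DataGuidance), the following JavaScript sketches a consent gate that enforces the non-essential cookie rules summarised above: no non-essential cookie is written before consent (prior consent), every purpose defaults to refused unless the user explicitly switched it on (no pre-checked boxes, specific consent), silence or continued browsing never counts as consent (unambiguous consent), withdrawal is a single action that also removes the cookies it covered (as easy to withdraw as to give), the record expires after 12 months (the recommended maximum duration), and the record keeps the session in which consent was given (evidence under Article 7(1)). The cookie name, the purpose labels, the in-memory cookie store standing in for `document.cookie` and the injectable clock are assumptions made for the example.

```javascript
// Added example: a minimal consent gate reflecting the CNPD rules for
// non-essential cookies. Names, purposes and the in-memory store are
// assumptions for illustration, not any real CMP's API.

const CONSENT_COOKIE = 'cnpd_consent';                 // assumed name of the consent record
const MAX_CONSENT_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // Guidelines recommend no more than 12 months
const NON_ESSENTIAL_PURPOSES = ['analytics', 'advertising', 'social']; // assumed purposes

// Stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  get(name) { return this.jar.has(name) ? this.jar.get(name) : null; }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentGate {
  // `now` is injectable so the 12-month expiry can be exercised deterministically.
  constructor(store, now = () => Date.now()) {
    this.store = store;
    this.now = now;
    this.nonEssential = new Map(); // cookie name -> purpose, so withdrawal can clean up
  }

  // Parse the stored consent record; null if absent, malformed, or older than 12 months.
  record() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (typeof rec.timestamp !== 'number') return null;
    if (this.now() - rec.timestamp > MAX_CONSENT_AGE_MS) return null; // renewed consent needed
    return rec;
  }

  // Consent exists only for purposes the user explicitly switched on.
  // Continued browsing, browser settings and silence all yield false.
  hasConsent(purpose) {
    const rec = this.record();
    return rec !== null && rec.choices[purpose] === true;
  }

  // Called when the user submits the banner. Every purpose defaults to false
  // (no pre-checked boxes); only an explicit `true` grants. The session id is
  // stored so the controller can later evidence the consent (Art. 7(1) GDPR).
  recordChoice(userChoices, sessionId) {
    const choices = {};
    for (const p of NON_ESSENTIAL_PURPOSES) choices[p] = userChoices[p] === true;
    const rec = { choices, timestamp: this.now(), sessionId };
    this.store.set(CONSENT_COOKIE, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal is a single action and also removes the cookies it covered.
  withdraw() {
    this.store.remove(CONSENT_COOKIE);
    for (const name of this.nonEssential.keys()) this.store.remove(name);
    this.nonEssential.clear();
  }

  // The gate itself: essential cookies are always allowed; a non-essential
  // cookie is written only once consent for its purpose exists. Returns whether it was set.
  setCookie(name, value, purpose) {
    if (purpose === 'essential') { this.store.set(name, value); return true; }
    if (!NON_ESSENTIAL_PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (!this.hasConsent(purpose)) return false;
    this.store.set(name, value);
    this.nonEssential.set(name, purpose);
    return true;
  }
}

// Constructed walkthrough of the rules; the clock value and session id are made up.
function demo() {
  let t = 1700000000000;
  const store = new MemoryCookieStore();
  const gate = new ConsentGate(store, () => t);
  const results = {};
  results.essentialBeforeConsent = gate.setCookie('session_id', 'abc', 'essential'); // true
  results.analyticsBeforeConsent = gate.setCookie('_stats', '1', 'analytics');       // false: consent must be prior
  gate.recordChoice({ analytics: true }, 'sess-42');                                   // advertising/social stay refused
  results.analyticsAfterConsent = gate.setCookie('_stats', '1', 'analytics');        // true
  results.advertisingNotTicked = gate.setCookie('_ads', '1', 'advertising');          // false: consent is per purpose
  t += MAX_CONSENT_AGE_MS + 1;                                                         // just over 12 months later
  results.analyticsAfterExpiry = gate.hasConsent('analytics');                       // false: renewal required
  gate.withdraw();
  results.cookiesAfterWithdrawal = store.names();                                    // ['session_id']
  return results;
}
```

In a real deployment the store would wrap `document.cookie` (or the server's Set-Cookie handling), and the consent record would normally also be logged server-side together with the banner version shown, so that an audit of the collection mechanism can reconstruct what the user saw when they consented.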

Finally, in relation to consent management platforms, the Guidelines remind operators that using such services does not mean the website/app operator can shift responsibility for ensuring compliance with the applicable rules. If personal data is processed by the consent management platform on behalf of the website/app operator, then the platform will be considered a processor. As such, the Guidelines note that a contract which meets the requirements of Article 28 of the GDPR must be concluded between the two parties.

Troy Boatman, Editor