The writing’s on the cookie wall…

Two recent publications have shed light on the use of consent to place cookies on website users’ devices. The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (the “AP”), has published guidance on the use of cookie walls, and CJEU Advocate General Maciej Szpunar has given his Opinion on the use of pre-ticked boxes for obtaining consent from website users to receive cookies.

Cookies

A cookie is a way of collecting information generated by a website and saved by an internet user’s browser. It is a small piece of data or a text file, usually less than one Kbyte in size, that a website asks an internet user’s browser to store on the local hard disk of the user’s computer or mobile device.

Under the EU General Data Protection Regulation (“GDPR”), there are a number of legal bases for processing personal data, including by obtaining the data subject’s consent.[3] The European Data Protection Board (“EDPB”) has published an Opinion on the interplay between the GDPR and the ePrivacy Directive, noting that there are many examples of processing activities which fall within the scope of both the ePrivacy Directive and the GDPR.[4] The EDPB’s view is that where Article 5(3) of the ePrivacy Directive provides that prior consent is required for using cookies, “the controller cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR” and is restricted to relying on consent as the lawful basis.[5]

The rules around cookies and similar technologies come from the EU’s ePrivacy Directive of 2002. This was updated in 2011 and implemented in the UK by the Privacy and Electronic Communications Regulations 2003 (“PECR”). Under the rules, operators must request permission from website visitors to place certain cookies on the user’s browser.[1] This consent may be “signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent”.[2]

As a result it is clear that the effect of the ePrivacy Directive is to particularise the GDPR, and a website operator must obtain a user’s consent to process personal data obtained from the use of cookies.

The AP’s Guidance

The AP has published a guidance note on the use of cookie walls under the GDPR in response to dozens of complaints received from website visitors who were unable to access web pages after refusing to accept tracking cookies.[6]

Websites with so-called “cookie walls” give visitors access to the site only if they agree to the placement of tracking cookies (or other similar tracking or monitoring technology). This is usually in the context of tracking a website visitor’s internet browsing for ad-targeting purposes.

The Clarification

The AP confirmed that the monitoring and analysis of the behaviour of website visitors, and the sharing of this data with third parties, is only permissible with the visitor’s permission. This permission must be given in complete freedom.

The AP clarified that preventing a website visitor from accessing a website unless they give consent to receive cookies means that this permission is not ‘free’. Freedom requires a real or free choice. Cookie walls enable website operators and third parties to obtain visitors’ personal data by placing them under pressure to give permission to receive cookies. Either the visitor accepts the cookies and has access to the website, or does not access the website at all. As a result, website operators must obtain visitors’ consent to receiving cookies before entry to the website, and access to the website cannot be prevented if the user does not give such consent.

Whilst the AP’s guidance is Dutch, it relates to the GDPR which is intended to apply uniformly across Europe. So in the absence of any evidence to the contrary, it is reasonable to assume the ICO would take the same view.

EU Advocate General

Advocate General Maciej Szpunar (“AG”) has delivered an Opinion[7] on the question of whether websites should actually give users the choice to accept cookies and to what extent. The case concerned the use of a pre-ticked box to obtain consent from users to the use of cookies and third party cookies.

Whilst the case was brought under the old data protection law, the Data Protection Directive, the AG also dealt with whether the use of a pre-ticked box under the GDPR would be valid.

The AG stated that consent must be ‘freely given’ and informed. This requires consent to be active and separate to the act undertaken by the user; the giving of consent cannot be of an ancillary nature to the activity undertaken by the user (e.g. participating in an online lottery).[8] The AG cited the non-binding work of the Article 29 Working Party (the predecessor to the EDPB) which stated that consent implies a prior affirmative action from the users towards accepting the storage of the cookie and the use of the cookie.[9]

GDPR and consent

The GDPR makes it clear that consent should not be bundled up as a condition of service, unless it is necessary for that service. Article 7(4) GDPR provides:

When assessing whether consent is freely given, utmost account shall be taken of whether…the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.[10]

In addition, Recital 43 GDPR provides that “Consent is presumed not to be freely given…if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

Guidance from the UK Information Commissioner’s Office states that consent “should not generally be a precondition of signing up to a service”, and “If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.” In such a case, the ICO recommends that the organisation relies on legitimate interests as the lawful basis to process the personal data. However, in the context of cookies this will not be applicable, because as noted above an operator must obtain consent from data subjects to place cookies on their device.

The AG’s Opinion

The AG stated that there is no valid consent where consent is obtained by way of a pre-ticked box on a site that a user has visited. A pre-ticked box is not active consent and therefore not valid. In addition, where consent is obtained at the same time as confirmation of another activity (e.g. participating in an online lottery), this consent is not valid.

The AG reiterated that service providers must provide users with information about cookies, including the time period of operation of the cookie, and whether third parties have access to the cookies set or not. Crucially, the AG stated that if third parties do have access to cookies, their identity must be disclosed.

Final considerations

In conclusion, cookie walls may be in breach of the GDPR, and EU website providers should revisit how they obtain consent from visitors for the use of cookies and other tracking technology. In addition, it is clear that the use of pre-ticked boxes to obtain consent for cookies is not valid.

The AP has made it clear that it will be intensifying its monitoring of website operators in respect of the use of cookie walls, so we may well see enforcement from the AP on this issue. Any legal challenge to enforcement may result in the issue going before the CJEU, and a subsequent and definitive judgment on the use of cookie walls and the GDPR.

Under the impending ePrivacy Regulation consent will no longer be required for non-intrusive cookies which improve the user’s internet experience. However any non-essential or third party cookies are likely to require the end users’ consent. The current form of the ePrivacy Regulation brings the fines under PECR in line with those available under the UK Data Protection Act 2018 and the GDPR. Therefore the potential fines for breach of the rules will be substantially higher. As a result there is likely to be an increased focus by providers on the use of cookies and efforts to ensure consent is obtained in a valid way.


[1] Regulation 6 Privacy and Electronic Communications Regulations 2003.

[2] Regulation 3A PECR.

[3] Article 6(1)(a) GDPR.

[4] Opinion 5/2019 of the European Data Protection Board.

[5] Paragraph 40 Opinion 5/2019 of the European Data Protection Board.

[6] https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moeten-toegankelijk-blijven-bij-weigeren-tracking-cookies

[7] Opinion of Advocate General Szpunar on Case C-673/17 (“Opinion”).

[8] Paragraph 66, Opinion.

[9] Paragraph 81 Opinion.

[10] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/