
Cookies – How 2019 brought Clarification on Cookie Consent Requirements

Cookies

People may have noticed that a lot of websites have different cookie banners now; this is due to recent clarifications of the law governing cookies. Previously “implied” consent was considered acceptable, i.e. “By continuing to use this website, you agree to our cookies”. That is no longer the case: where consent is needed, it must now be “active” consent, i.e. a user must actively click a consent box in order to provide valid consent. Entities are now grappling with the technological challenge of complying with this requirement.

What happened?

As everyone knows, the General Data Protection Regulation (GDPR) came into force in May 2018. One of the highly publicised elements of the GDPR is that it provided a very clear definition of consent. For consent to be valid, it is required that it is active consent. This means, for example, that tick boxes for consent can NOT be pre-ticked; a user must actively tick a consent box. As a result of this, there was a lot of discussion and ambiguity over what this meant for cookies; this is because “non-necessary” cookies require consent in accordance with the ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136/EC (“Cookie” Directive).

The GDPR naturally only governs personal data and not all cookies collect personal data; so what’s the problem? Surely the GDPR definition of consent only applies to those cookies that collect personal data? For example, some cookies collect IP addresses, which is considered personal data.

Well, that’s not the entire story. The “Cookie” Directive defines consent in accordance with the definition of consent within the old data protection law (Directive 95/46/EC). However, Article 94 GDPR states that Directive 95/46/EC is repealed and that any reference to the old data protection law shall be construed as references to the GDPR. Therefore, Article 94 GDPR means that the consent required under the “Cookies” Directive is now the same as the consent required under the GDPR, regardless of whether the cookie collects personal data or not.

This might seem straightforward – cookie consent is the same as GDPR consent – so why was there ambiguity? This was due to the fact that the law governing cookies is in the process of being rewritten (known as the ePrivacy Regulation proposal), and one of the debated points is the requirement for consent and the associated definition. Recital 173 GDPR even states:

In order to clarify the relationship between this Regulation and Directive 2002/58/EC [Cookies Directive], that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC [Cookies Directive] should be reviewed in particular in order to ensure consistency with this Regulation.

Therefore, people were hesitant to change their approach to cookies, since it is under review. Indeed, I was hesitant to refer to the “new” definition of consent for cookies in my book on GDPR, choosing to refer to the old definition of consent in chapter 21, which detailed cookie legal requirements.

However, 2019 cleared up this question. First, the European Data Protection Board opinion on 12 March 2019 indicated that the definition for consent under the associated “Cookies” Directive had changed. Second, the Irish Data Protection Commission released an opinion (version last updated in June 2019), explicitly stating that the definition for consent under the “Cookies” Directive is the same as the definition for consent under the GDPR, stating:

One of the important impacts of the interaction between the GDPR and the fact that it is read together with the ePrivacy Regulations [“Cookie” Directive], is that any ‘consent’ as required under the ePrivacy Regulations, will now be defined in the same way as in the GDPR.

Third, on 1 October 2019, the EU court in the “Planet49” case explicitly clarified that consent required under the “Cookies” Directive follows the definition of consent under the GDPR.

Thus, the situation is now clear. All “non-necessary” cookies, as detailed within the “Cookies” Directive, require consent in accordance with the GDPR definition of consent.

What does this mean?

This primarily means that company websites should no longer automatically set “non-necessary” cookies, as these require active consent; thus, some active action, whether via a tick box or something else, is required for valid consent. The main “non-necessary” cookies floating around are marketing cookies; thus, companies will need to be very careful about how they gain consent for these cookies. This is posing some technical challenges, and many companies are choosing to only set “necessary” cookies, which do not require consent. I encourage you to discuss with your legal advisor what constitutes a “necessary” cookie. Essentially, these are cookies that are required (“necessary”) for the actual website, or requested activity, to function.
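To make the technical side of the above concrete, here is an added example (not code from the original post, and not a product of any consent-management vendor) of a minimal consent gate: cookies are classified as “necessary” or “non-necessary”, necessary cookies are always allowed, and non-necessary cookies are set only after an explicit click, with neither continued browsing nor a pre-ticked box counting as consent. The cookie names, their categories and the event shape are constructed for the illustration; which cookies are actually “necessary” is the legal question the post asks you to settle with your advisor. The example goes slightly beyond the text by also handling withdrawal of consent, which under the GDPR must be as easy as giving it.

```javascript
// Added example: a consent gate that only sets "non-necessary" cookies after
// an explicit affirmative action. Not code from the original post.

// Constructed classification for this example; the real list is a legal decision.
const COOKIE_CATEGORIES = {
  session_id: "necessary",   // keeps the user logged in
  csrf_token: "necessary",   // protects forms against cross-site request forgery
  _mkt_id: "marketing",      // advertising identifier
  _analytics: "analytics",   // usage statistics
};

class ConsentGate {
  constructor() {
    this.consented = new Set(); // nothing is pre-ticked: empty until the user acts
    this.jar = new Map();       // in-memory stand-in for document.cookie
  }

  // `event` is a constructed description of how consent was gathered:
  // { categories: [...], action: "click" | "scroll" | ..., preTicked: bool }.
  // Only an explicit click on a box the user ticked themselves counts.
  recordConsent(event) {
    const { categories, action, preTicked } = event;
    if (action !== "click" || preTicked) {
      return false; // implied consent or a pre-ticked box: nothing recorded
    }
    for (const category of categories) {
      if (category === "necessary") continue; // no consent needed for these
      this.consented.add(category);
    }
    return true;
  }

  canSet(name) {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) return false; // unknown cookies blocked by default
    if (category === "necessary") return true;
    return this.consented.has(category);
  }

  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Withdrawal: drop the category and delete cookies already set under it.
  withdraw(category) {
    this.consented.delete(category);
    for (const name of [...this.jar.keys()]) {
      if (COOKIE_CATEGORIES[name] === category) this.jar.delete(name);
    }
  }
}

// Walk-through of the cases discussed in the post, returned for inspection.
function demo() {
  const gate = new ConsentGate();
  const results = {};
  results.necessaryBeforeConsent = gate.setCookie("session_id", "abc");
  results.marketingBeforeConsent = gate.setCookie("_mkt_id", "xyz");
  results.impliedRejected = gate.recordConsent({
    categories: ["marketing"], action: "scroll", preTicked: false,
  });
  results.preTickedRejected = gate.recordConsent({
    categories: ["marketing"], action: "click", preTicked: true,
  });
  results.activeAccepted = gate.recordConsent({
    categories: ["marketing"], action: "click", preTicked: false,
  });
  results.marketingAfterConsent = gate.setCookie("_mkt_id", "xyz");
  results.analyticsStillBlocked = gate.setCookie("_analytics", "1");
  gate.withdraw("marketing");
  results.marketingAfterWithdraw = gate.jar.has("_mkt_id");
  return results;
}

console.log(demo());
```

The point of the gate is that the default state is “no consent”: the marketing cookie is refused until a genuine click is recorded, a scroll event or a pre-ticked box changes nothing, and consent for one category (marketing) does not leak into another (analytics).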

Following these developments, the Irish Data Protection Commission confirmed that they are conducting a “cookies sweep”, where they are interacting with a certain number of companies in order to review the current level of compliance with cookie law in Ireland. Therefore, hopefully, the subsequent review will provide guidance to companies on how to handle the practical and technological challenges associated with the new definition for cookie consent.

Please note that there are a host of legal requirements when it comes to cookies, and consent for “non-necessary” cookies is only one element of the story; however, it is the element that has caused the biggest headache in 2019!

Below is a chart on the changing definition of consent:

Pre-May 2018 (Directive 95/46/EC):

Definition of consent under the “Cookies” Directive: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

Implied consent permissible? “Implied” or passive consent was considered acceptable; however, academics argued over this.

Post-May 2018 (GDPR):

Definition of consent under the “Cookies” Directive: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

Implied consent permissible? “Implied” or passive consent not valid.

Guest post by barrister Laura Keogh and author of “Data Protection Compliance: A Guide to GDPR and Irish Data Protection Law”. Find out more here.



Irish Tech News https://ift.tt/2ENhwSQ
