The writing’s on the cookie wall…
Two recent publications have shed light on the use of consent to place cookies on website users’ devices. The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (the “AP”), has published guidance on the use of cookie walls, and CJEU Advocate General Maciej Szpunar has given his Opinion on the use of pre-ticked boxes for obtaining consent from website users to receive cookies.
A cookie is a way of collecting information generated by a website and saved by an internet user’s browser. It is a small piece of data or a text file, usually less than one Kbyte in size, that a website asks an internet user’s browser to store on the local hard disk of the user’s computer or mobile device.
Under the EU General Data Protection Regulation (“GDPR”), there are a number of legal bases for processing personal data, including by obtaining the data subject’s consent. The European Data Protection Board (“EDPB”) has published an Opinion on the interplay between the GDPR and the ePrivacy Directive, noting that there are many examples of processing activities which fall within the scope of both the ePrivacy Directive and the GDPR. The EDPB’s view is that where Article 5(3) of the ePrivacy Directive provides that prior consent is required for using cookies, “the controller cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR” and is restricted to relying on consent as the lawful basis.
The rules around cookies and similar technologies come from the EU’s ePrivacy Directive of 2002. This was updated in 2011 and implemented in the UK by the Privacy and Electronic Communications Regulations 2003 (“PECR”). Under the rules, operators must request permission from website visitors to place certain cookies on the user’s browser. This consent may be “signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent”.
The AP’s Guidance
The AP has published a guidance note on the use of cookie walls under the GDPR in response to dozens of complaints received from website visitors who were unable to access web pages after refusing to accept tracking cookies.
Websites with so-called “cookie walls” give visitors access to the site only if they agree to the placement of tracking cookies (or other similar tracking or monitoring technology). This is usually in the context of tracking a website visitor’s internet browsing for ad-targeting purposes.
The AP confirmed that the monitoring and analysis of the behaviour of website visitors, and the sharing of this data with third parties, is only permissible with the visitor’s permission. This permission must be given in complete freedom.
The AP clarified that preventing a website visitor from accessing a website unless they give consent to receive cookies means that this permission is not ‘free’. Freedom requires a real or free choice. Cookie walls enable website operators and third parties to obtain visitors’ personal data by placing them under pressure to give permission to receive cookies. Either the visitor accepts the cookies and has access to the website, or does not access the website at all. As a result, website operators must obtain visitors’ consent to receiving cookies before entry to the website, and access to the website cannot be prevented if the user does not give such consent.
Whilst the AP’s guidance is Dutch, it relates to the GDPR which is intended to apply uniformly across Europe. So in the absence of any evidence to the contrary, it is reasonable to assume the ICO would take the same view.
EU Advocate General
Whilst the case was brought under the old data protection law, the Data Protection Directive, the AG also dealt with whether the use of a pre-ticked box under the GDPR would be valid.
The AG stated that consent must be ‘freely given’ and informed. This requires consent to be active and separate to the act undertaken by the user; the giving of consent cannot be of an ancillary nature to the activity undertaken by the user (e.g. participating in an online lottery). The AG cited the non-binding work of the Article 29 Working Party (the predecessor to the EDPB) which stated that consent implies a prior affirmative action from the users towards accepting the storage of the cookie and the use of the cookie.
GDPR and consent
The GDPR makes it clear that consent should not be bundled up as a condition of service, unless it is necessary for that service. Article 7(4) GDPR provides:
When assessing whether consent is freely given, utmost account shall be taken of whether…the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
In addition, Recital 43 GDPR provides that “Consent is presumed not to be freely given…if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
Guidance from the UK Information Commissioner’s Office states that consent “should not generally be a precondition of signing up to a service”, and “If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.” In such a case, the ICO recommends that the organisation relies on legitimate interests as the lawful basis to process the personal data. However, in the context of cookies this will not be applicable, because as noted above an operator must obtain consent from data subjects to place cookies on their device.
The AG’s Opinion
The AG stated that there is no valid consent where consent is obtained by way of a pre-ticked box on a site that a user has visited. A pre-ticked box is not active consent and therefore not valid. In addition, where consent is obtained at the same time as confirmation of another activity (e.g. participating in an online lottery), this consent is not valid.
The AG reiterated that service providers must provide users with information about cookies, including the time period of operation of the cookie, and whether third parties have access to the cookies set or not. Crucially, the AG stated that if third parties do have access to cookies, their identity must be disclosed.
The AP has made it clear that it will be intensifying its monitoring of website operators in respect of the use of cookie walls, so we may well see enforcement from the AP on this issue. Any legal challenge to enforcement may result in the issue going before the CJEU, and a subsequent and definitive judgment on the use of cookie walls and the GDPR.
Regulation 6 Privacy and Electronic Communications Regulations 2003.
Regulation 3A PECR.
Article 6(1)(a) GDPR.
Opinion 5/2019 of the European Data Protection Board.
Paragraph 40 Opinion 5/2019 of the European Data Protection Board.
Opinion of Advocate General Szpunar on Case C-673/17 (“Opinion”).
Paragraph 66, Opinion.
Paragraph 81 Opinion.