What is “Cookie Sweep Day”?
What is the focus of the investigation?
- What types of cookies are used on the website?
- What is the purpose of the cookies (i.e., do the cookies serve the functions of the website or do they enable web tracking or online behavioural advertising)?
- If so, how is this consent obtained (implied vs. explicit consent)?
- Can users still use the website even though they have refused to give their consent? Do the users have the option to deny their consent only with regard to specific cookies (e.g., cookies used for purposes of online behavioural advertising while still using the cookies which support the functions of the website)?
- Can users withdraw their consent at any time?
- What is the duration of cookies?
How should companies prepare?
Companies can prepare themselves for the “Cookie Sweep Day” by taking steps to ensure their compliance with data protection laws. Clearly, it is better to proactively address compliance weaknesses in advance of any DPA website investigation – not least because fines can be imposed against organisations which do not comply with the existing rules.
Therefore, we recommend taking the following measures:
- Determine which kinds of cookies are used on your websites and which purposes they serve.
- Assess whether consent is required (opt-in vs. opt-out) and how it must be obtained (implicit vs. explicit consent).
- Adjust the website according to the legal requirements, e.g. by updating the information on the website or by implementing a correct opt-in mechanism.
In contrast to the situation in France, Germany has not implemented the opt-in requirement stemming from Sec. 5 of Directive 2009/136/EC into national law. Rather, the German government takes the view that the existing opt-out regime already complies with the requirements under the Directive. This has caused some legal uncertainty because several legal scholars in Germany (and also some DPAs) argue that the national law must be interpreted in the light of Directive 2009/136/EC and that, therefore, an opt-in would also be required in Germany.
In the Netherlands, clear and complete information on the use and purpose of cookies as well as prior opt-in consent is required before placing cookies on the equipment of an internet user. In addition, the Dutch cookie legislation contains a legal presumption that tracking cookies constitute the processing of personal data. Based on this legal presumption the Dutch DPA has enforced the cookie legislation twice over the last six months – making the enforcement of the cookie legislation a top priority in the Netherlands at the moment.
This posting is brought to you with the invaluable support of colleagues in the various European offices of Osborne Clarke, and in particular Flemming Moos and his team in our Hamburg office. If you have any further questions, Flemming would be happy to take them.