Privacy Alert: “Cookie Sweep” about to take place in Europe


September 8, 2014

Following an announcement by the CNIL (the French data protection authority), “Cookie Sweep Days” will take place across the EU between 15 – 19 September 2014. Now is a good time for companies to ensure that the use of cookies on their websites in the EU complies with the applicable data protection laws – which are unfortunately not as harmonised throughout the EU as one might hope. After Germany’s initiative regarding privacy compliance in mobile apps, this is the second time in only a few weeks that data protection authorities have announced extra scrutiny of privacy law questions highly relevant for the games industry.

What is “Cookie Sweep Day”?

During “Cookie Sweep Day” (which is actually a week) the French CNIL and other European data protection authorities will conduct online investigations (involving automatic scans of selected websites) to verify compliance with the legal requirements regarding the use of cookies under EU data protection laws.

What is the focus of the investigation?

The focus of the investigation will be on the following aspects of the use of cookies:

  • What types of cookies are used on the website?
  • What is the purpose of the cookies (i.e., do the cookies serve the functions of the website or do they enable web tracking or online behavioural advertising)?
  • Does the website collect opt-in consent from users to the use of cookies?
  • If so, how is this consent obtained (implied vs. explicit consent)?
  • What information does the website provide on the use of cookies? Is the information comprehensive and accessible?
  • Can users still use the website even though they have refused to give their consent? Do the users have the option to deny their consent only with regards to specific cookies (e.g., cookies used for purposes of online behavioural advertising while still using the cookies which support the functions of the website)?
  • Can users withdraw their consent at any time?
  • What is the duration of cookies?

How should companies prepare?

Companies can prepare themselves for the “Cookie Sweep Day” by taking steps to ensure their compliance with data protection laws. Clearly it is better to proactively address compliance weaknesses in advance of any DPA website investigation – not least because fines can be imposed against organisations which do not comply with the existing rules.

Therefore, we recommend taking the following measures:

  • Determine which kind of cookies are used on your websites and which purposes they serve.
  • Assess whether consent is required (opt-in vs. opt-out) and how it must be obtained (implicit vs. explicit consent).
  • Assess the comprehensiveness, clarity and accessibility of the information on cookies provided on the website / in the privacy policy.
  • Adjust the website according to the legal requirements, e.g. by updating the information on the website or by implementing a correct opt-in mechanism.

Diverging legal requirements regarding the use of cookies in the EU

Any assessment of the EU’s cookie law regime needs to take into account which EU Member State the website operator is established in or in which the cookie is actually used. This is because – unfortunately – legal requirements regarding the use of cookies on websites still differ across Europe even though an EU directive governs this area of law (Directive 2009/136/EC). The reason for this divergence is that the Directive is not directly applicable but is instead implemented into national law by each EU Member State. The resulting national laws differ considerably. Furthermore, the interpretation by the various national DPAs varies, too.

By way of example, we have summarised the main requirements regarding the use of cookies for some EU jurisdictions below (please note that the information is not comprehensive and additional requirements might be applicable in the individual case):

In France, the CNIL requires websites to only set cookies after user consent has been obtained. In this regard, the CNIL has taken a two-step “soft opt-in” approach to consent requirements: the CNIL recommends posting a dedicated banner on the home page that states that by continuing to use the website, the user agrees to have cookies set on his/her terminal (the first step). The banner shall also include a link to another page with the practical ways to oppose such use (opt-out) (e.g. a “more information” link on the banner to the cookie policy) (the second step). The CNIL has recently imposed a fine on Google in part because cookies were already set while the banner informing about the use of cookies was displayed on the website. Furthermore, the CNIL requires web publishers to give users the possibility to refuse only specific cookies (like those for behavioural advertising). Some exceptions apply (e.g., session cookies, authentication cookies, basket cookies) for which no consent is necessary.

As is the case in France, Belgian law requires websites to only set ‘non-functional’ cookies after user consent has been obtained. (No consent needs to be obtained for the use of so-called ‘functional’ cookies such as session cookies, authentication cookies and basket cookies.) The Belgian legislator, however, failed to clarify what constitutes valid user consent or how it must be obtained. In an effort to tackle the legal uncertainties surrounding the use of cookies under Belgian law, the Belgian Privacy Commission launched a consultation round on 24 April 2014. All the relevant stakeholders have been invited to participate and submit their advice and suggestions before 31 July. The Privacy Commission is expected to publish its report with recommendations later this year.

In contrast to the situation in France, Germany has not implemented the opt-in requirement stemming from Sec. 5 of Directive 2009/136/EC into national law. Rather, the German government takes the view that the existing opt-out regime already complies with the requirements under the Directive. This has caused some legal uncertainty because several legal scholars in Germany (and also some DPAs) argue that the national law must be interpreted in the light of Directive 2009/136/EC and that, therefore, an opt-in would be required in Germany as well.

The ICO in the UK has recently recognised an implied “soft opt-in” consent approach similar to that accepted by the CNIL in France as a valid form allowing the use of cookies. However, as is the case in France, if a company is relying on implied consent, it must be satisfied that users understand that their actions will result in cookies being set. Otherwise, the company would not have their informed consent. For that reason website operators are encouraged to include links to further information via banners and pop-up notices.

In the Netherlands, clear and complete information on the use and purpose of cookies as well as prior opt-in consent is required before placing cookies on the equipment of an internet user. In addition, the Dutch cookie legislation contains a legal presumption that tracking cookies constitute the processing of personal data. Based on this legal presumption the Dutch DPA has enforced the cookie legislation twice over the last six months – making the enforcement of the cookie legislation a top priority in the Netherlands at the moment.

In Italy, a decision by the national DPA on the use of cookies was published on 3 June 2014, according to which implied consent for the use of profiling cookies has been accepted. Yet, as soon as the user accesses the website, a banner of appropriate dimensions must immediately be displayed, informing about the use of cookies. The banner must contain detailed information about the use of cookies, their purposes and how to accept or deny them. Compliance with these requirements must be ensured within 1 year after the publication of the decision, i.e. by 3 June 2015.

The Spanish DPA also accepts implied consent as a condition for using specific cookies (e.g. analytics and behavioural advertising cookies), provided that users are given clear and accessible information on their purposes and origin (whether these are first- or third-party cookies) and are warned that a specific action is considered an acceptance of their use (lack of action cannot be considered valid consent). Moreover, website editors must permanently inform users on how to uninstall said cookies, without this implying the automatic termination of the website service. The Spanish DPA has recently imposed sanctions on small and medium-sized enterprises due to the lack of compliance with consent and information requirements on the use of cookies.
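As an added example that is not part of the original post or of Osborne Clarke's advice, the following Node.js code shows one way the recommended measures and the consent rules summarised above could be enforced on a web server: functional cookies (session, authentication, basket) are set without consent, every other cookie is withheld while the banner is displayed and set only after an explicit per-purpose opt-in, and a withdrawal expires the refused cookies. The cookie names, purposes and lifetimes in the inventory are constructed assumptions, not values from the page.

```javascript
// Added example (not code from the original post or from Osborne Clarke): a Node.js
// consent gate applying the rules summarised above: functional cookies need no consent,
// other cookies are withheld until an explicit per-purpose opt-in, and withdrawal
// expires them. Cookie names, purposes and lifetimes are constructed for illustration.
const EXEMPT_PURPOSES = new Set(["session", "authentication", "basket"]);
const COOKIE_INVENTORY = [
  { name: "sid",  purpose: "session",        maxAgeSeconds: 0,        thirdParty: false },
  { name: "auth", purpose: "authentication", maxAgeSeconds: 86400,    thirdParty: false },
  { name: "cart", purpose: "basket",         maxAgeSeconds: 604800,   thirdParty: false },
  { name: "stat", purpose: "analytics",      maxAgeSeconds: 63072000, thirdParty: true  },
  { name: "adid", purpose: "advertising",    maxAgeSeconds: 31536000, thirdParty: true  },
];
function requiresConsent(cookie) {
  return !EXEMPT_PURPOSES.has(cookie.purpose);
}
// consent === null means the banner is shown and nothing has been decided; otherwise
// {purpose: true|false}. Only an explicit true counts: no decision is never consent.
function permittedCookies(inventory, consent) {
  return inventory.filter((c) => {
    if (!requiresConsent(c)) return true;
    if (consent === null) return false;
    return consent[c.purpose] === true;
  });
}

// Set-Cookie header values for this response; session cookies carry no Max-Age.
function setCookieHeaders(inventory, consent, values) {
  return permittedCookies(inventory, consent).map((c) => {
    const attrs = ["Path=/", "Secure", "SameSite=Lax"];
    if (c.maxAgeSeconds > 0) attrs.push(`Max-Age=${c.maxAgeSeconds}`);
    return `${c.name}=${encodeURIComponent(values[c.name] || "")}; ${attrs.join("; ")}`;
  });
}

// Withdrawal: expire every consent-dependent cookie whose purpose is now refused.
function withdrawalHeaders(inventory, consent) {
  return inventory
    .filter((c) => requiresConsent(c) && consent[c.purpose] !== true)
    .map((c) => `${c.name}=; Path=/; Max-Age=0`);
}

// Inventory view answering the sweep's questions: purpose, consent, origin, duration.
function auditReport(inventory) {
  return inventory.map((c) => ({
    name: c.name, purpose: c.purpose, consentRequired: requiresConsent(c),
    origin: c.thirdParty ? "third-party" : "first-party",
    durationDays: c.maxAgeSeconds === 0 ? "session" : c.maxAgeSeconds / 86400,
  }));
}
```

Running `auditReport(COOKIE_INVENTORY)` gives the per-cookie answers a sweep would look for, while `setCookieHeaders` is what the response handler would call with the current consent state.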

This posting is brought to you with the invaluable support of colleagues in the various European offices of Osborne Clarke, and in particular Flemming Moos and his team of our Hamburg office. If you have any further questions, Flemming would be happy to take them.

Konstantin Ewald

Partner at Osborne Clarke
Konstantin Ewald is a Partner and Head of Digital Business at Osborne Clarke, Germany. He advises leaders in the digital media and software industry throughout Europe and the US on all matters of digital media and IT law as well as IP/technology-related transactions.
