A quick look at cookie compliance

The EU’s complex cookie regulatory framework requires hands-on technical and regulatory expertise for ongoing compliance. Our Privacy & Data team explores the different regulatory aspects to keep in mind for businesses to get digital privacy up to speed.

Introduction

Whilst the GDPR is turning six this year, the EU's legislative bodies have yet to iron out the contentious points of the ePrivacy Regulation, the rules intended to govern cookies and similar tracking technologies across the internet.

The European Commission adopted the ePrivacy Regulation proposal in 2017 to keep the rules current with the fast-paced developments in internet technology. More recently, the Commission has shifted its focus to wider-ranging data-related regulations such as the Digital Services Act. Nonetheless, website operators remain subject to important obligations under the current ePrivacy Directive (transposed into Maltese law through Subsidiary Legislation 586.01 - Processing of Personal Data (Electronic Communications Sector) Regulations) as well as under the GDPR.

The ‘Cookie Rule’ under the ePrivacy Directive

The ePrivacy Directive aims to ensure the confidentiality of electronic communications and requires website operators to obtain the consent of their visitors before placing cookies on their devices. The Directive exempts a cookie from the consent requirement only if one of the following conditions applies:

  • The cookie is used for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
  • The cookie is ‘strictly necessary’ for the service provider to provide an information society service explicitly requested by the subscriber or user. 

In its Opinion 04/2012 on Cookie Consent Exemption, the Article 29 Data Protection Working Party, the predecessor of the European Data Protection Board (EDPB), stated that a cookie should be considered 'strictly necessary' within the meaning of the ePrivacy Directive only where it satisfies both of the conditions below:

  • The service has been explicitly requested by the user. For example, cookies that record a user’s language or country preference when they visit a website; and
  • The cookie is strictly needed to enable the service, meaning that the service requested may not function properly if such cookies are disabled.

The difficulty businesses face in correctly classifying cookies and in properly relying on the above exemption remains evident in the EDPB's 2023 report on 'the work undertaken by the Cookie Banner Taskforce'. As reported by the EDPB, one of the top challenges for stakeholders is that the technology's features keep changing, which raises practical difficulties for such classification.

Interplay with the GDPR

As ruled by the CJEU in Case C-673/17 (the 'Planet49 case'), consent under the ePrivacy Directive is governed by Articles 4(11) and 7 of the GDPR. Accordingly, for cookie consent to be valid, it must be freely given, specific, informed, and an unambiguous indication of the individual's wishes, given by a clear affirmative action. Recital 32 of the GDPR provides in this respect that 'silence, pre-ticked boxes or inactivity should not therefore constitute consent'.

It is just as important to provide individuals with the information required under Article 13 of the GDPR. Specifically, website users should be informed of the types of cookies being placed on their devices, the purposes of those cookies, their retention periods and, as the CJEU confirmed in Planet49, whether third parties have access to them. The completeness, timeliness and quality of this information are critical to respecting the rights of data subjects under the GDPR.

However, whilst the GDPR concerns the processing of personal data only, the ePrivacy Directive has a significantly broader remit: Article 5(3) applies to 'the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user'. The EDPB (in its 'Guidelines 2/2023 on Technical Scope of Art. 5(3) of the ePrivacy Directive') points out in this regard that the term 'information' is not limited to information relating to an identified or identifiable natural person.

Consequently, the EDPB takes the view that reading or storing routing identifiers such as the MAC or IP address of a device, session identifiers, authentication tokens or caching mechanisms (such as ETags) can bring an operation within the scope of the ePrivacy Directive, whether or not personal data is involved.

A topic of recent scrutiny

Regulatory scrutiny has also increased on this front. On 18 January 2024, the French supervisory authority (CNIL) announced that it had fined Yahoo EMEA Limited €10 million for violating the ePrivacy Directive, namely, for placing non-essential cookies on users' devices without their consent and for making it difficult for users to withdraw their consent.

Its German counterpart, the Bavarian data protection authority, issued a press release in February 2024 announcing the results of its investigation into cookie banners. According to the regulator, an estimated 350 websites are infringing EU law by placing cookies on users' devices without their consent.

The way forward

Cookie banners are now a widespread practice on the internet for providing cookie information. However, as mentioned above, not all cookie banners guarantee a website's compliance with EU data protection laws. A poorly designed banner can itself increase risk and exposure to user complaints and regulatory action, for example by using pre-ticked boxes or by making refusal harder than acceptance. At a minimum, website operators should have in place:

  • A cookie policy which informs website visitors of the type, purpose and duration of each cookie placed through the website, including third-party cookies;
  • A point of contact (such as the Data Protection Officer) for queries or complaints regarding the cookies used on the website; and
  • If applicable, a mechanism allowing website visitors to give and withdraw their consent at any time.
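The three requirements above translate into a small amount of code on the website itself. As an added example that is not part of the original article, the JavaScript below shows a consent gate built on the rules discussed here: cookies are declared up front with the category, purpose and retention the cookie policy must disclose; only cookies in the 'strictly necessary' category can be set before a choice is made; every consent category starts refused (no pre-ticked boxes, nothing inferred from silence or continued browsing); and withdrawal is a single call that refuses all categories and deletes the cookies that depended on them. The cookie names, categories and the in-memory cookie jar are assumptions chosen so that the code runs outside a browser; on a real page the jar would be replaced by a thin adapter over document.cookie.

```javascript
// Added example, not from the article. Cookie names, categories and the
// in-memory jar are assumptions; swap MemoryJar for a document.cookie adapter
// in a browser.

// Every cookie the site sets, with the details a cookie policy must disclose.
// Constructed sample data; maxAge is in seconds, null means a session cookie.
const COOKIE_REGISTRY = {
  sessionid: { category: "strictly-necessary", purpose: "keeps the visitor logged in",       maxAge: null },
  lang:      { category: "strictly-necessary", purpose: "remembers the chosen language",     maxAge: 30 * 86400 },
  _ga:       { category: "analytics",          purpose: "measures site usage (third party)", maxAge: 2 * 365 * 86400 },
  ad_id:     { category: "advertising",        purpose: "personalises advertising",          maxAge: 90 * 86400 },
};

// Categories exempt from consent under Art. 5(3) of the ePrivacy Directive.
const EXEMPT = new Set(["strictly-necessary"]);
const CONSENT_CATEGORIES = ["analytics", "advertising"];

// Minimal cookie jar exposing only the operations the consent gate needs.
class MemoryJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, maxAge) { this.cookies.set(name, { value, maxAge }); }
  remove(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    // No pre-ticked boxes: each category starts refused until an affirmative act.
    this.consent = Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, false]));
    this.decided = false;
  }

  // A cookie may be set only if it is declared and either exempt or opted in.
  isAllowed(name) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) return false; // undeclared cookie: never set it
    return EXEMPT.has(entry.category) || this.consent[entry.category] === true;
  }

  // Single gate for every code path that sets a cookie. Returns whether it was set.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar.set(name, value, COOKIE_REGISTRY[name].maxAge);
    return true;
  }

  // Record the visitor's choice from the banner. Only an explicit `true` counts
  // as consent; omitted or falsy categories are refused, and cookies already on
  // the device in refused categories are removed.
  record(choices) {
    for (const c of CONSENT_CATEGORIES) this.consent[c] = choices[c] === true;
    this.decided = true;
    this.purgeUnconsented();
    return { ...this.consent };
  }

  // Withdrawal is as easy as consent: one call refuses everything and cleans up.
  withdraw() { return this.record({}); }

  purgeUnconsented() {
    for (const name of this.jar.names()) {
      if (!this.isAllowed(name)) this.jar.remove(name);
    }
  }

  // Rows for the cookie policy: type, purpose and duration of each cookie.
  policyTable() {
    return Object.entries(COOKIE_REGISTRY).map(([name, e]) => ({
      name,
      category: e.category,
      purpose: e.purpose,
      duration: e.maxAge === null ? "session" : `${Math.round(e.maxAge / 86400)} days`,
      requiresConsent: !EXEMPT.has(e.category),
    }));
  }
}

// Walk-through of one visit: only the exempt cookie can be set before a choice,
// the analytics cookie only after opting in, and withdrawal removes it again.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar);
  const beforeChoice = [cm.setCookie("sessionid", "s1"), cm.setCookie("_ga", "GA1.x")];
  cm.record({ analytics: true }); // visitor ticks analytics only
  const afterChoice = [cm.setCookie("_ga", "GA1.x"), cm.setCookie("ad_id", "a1")];
  cm.withdraw(); // visitor later withdraws consent
  return { beforeChoice, afterChoice, remaining: jar.names() };
}
```

The design point is that `setCookie` is the only way cookies get written, so a third-party tag that is loaded before consent cannot quietly set its own identifier; in a real deployment the same gate should also decide whether the tag's script is loaded at all, since Article 5(3) covers any storage or access on the device, not just cookies. The registry doubles as the source of the cookie policy table, which keeps the disclosed purposes and durations in step with what the site actually sets.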

How can we help?

At PwC Malta, our Privacy & Data team has the expertise to guide your organisation on cookie compliance. For more information on our GDPR compliance and regulatory digital readiness services, please reach out to our sector leaders below.

Contact us

Mark Lautier

Partner, PwC Malta

Tel: +356 2564 6744

Lee Ann Agius

Senior Manager, Tax, PwC Malta

Tel: +356 2564 4027

Claire Balzan

Manager, Tax, PwC Malta

Tel: +356 2564 2410