03 November 2020

Admissibility of cookies: Requirements for consent to «online-tracking»

Introduction

The use of cookies on websites is associated with risks. The data protection authorities have tightened the screws, in particular in the area of online tracking. The following article provides an overview of the latest views on consent to online tracking.

Cookies and “cookieless” technologies

When speaking of “online tracking”, a basic distinction must be made between cookies and “cookieless” technologies. Cookies are small files that contain data and are stored on the user's end device. “Cookieless” technologies include, for example, fingerprinting, where data about the browser and the end device can be collected when a website is visited, forming something similar to a “fingerprint” that allows surfing behaviour to be tracked, and mobile tracking, a method for identifying the location of a cell phone. Cookies enable access to data on the user's end device. Fingerprinting and mobile tracking, on the other hand, use the information that the user's device transfers to the publisher's server anyway.

It is still controversial whether the consent of the user is also required for “cookieless” technologies. The French data protection authority “Commission Nationale de l'Informatique et des Libertés” (CNIL) published guidelines (orientation guide) and a practical implementation guide for publishers on the subject “cookies and other trackers” at the beginning of October. In these guidelines, the CNIL states that consent is required for all types of tracking technologies. The CNIL takes a different view, however, for analytics services: according to the CNIL, no consent is required for analytics services, regardless of whether cookies are set or not, provided that the data collected is used for the intended purpose and only for the strict measurement of the number of visitors.

“All or nothing” principle

Another major theme in the two CNIL announcements is the CNIL's wish that a “reject all cookies” button, like the “accept all cookies” button, be mandatory and visibly displayed in the “first layer” on websites. According to the CNIL, refusing consent should be as simple for the user as granting it; in addition, the CNIL demands a period of validity of six months for giving or refusing consent. Currently, refusal is often only possible in a second step (the so-called “second layer”).

Cookie Walls

Likewise, so-called cookie walls also create an “all or nothing” situation. Cookie walls can be used to deny access to a website if users do not agree to all cookies and trackers available on that website. The CNIL had originally banned cookie walls because they interfere with the voluntary nature of consent. However, this prohibition was reversed by the French Supreme Administrative Court (Conseil d’État).

CMP, TCF and transparency obligations

Consent Management Platforms (CMPs) can be used to control user consent on websites regarding the collection and handling of personal information. In this context, the CNIL requires that users shall be given the possibility of limiting or excluding their consent with respect to specific processing purposes or services used. In accordance with the Transparency and Consent Framework V2.0 (TCF 2.0) this would be provided in the “second layer” of the CMP accordingly.

The CNIL has also commented on the transparency obligations of publishers when using tracking technologies and demands a complete list of all controllers using trackers subject to consent. For publishers who collect user data for disclosure to third parties, e.g. in the case of data brokers or data enrichment, this requirement is difficult to implement, as the publisher has little or no idea who is ultimately using or receiving the data. If tracking scripts such as Facebook Pixel are also used, publishers are jointly responsible for the data collection process, which requires, in addition to further transparency obligations, the conclusion of a Joint Controller Agreement. The latter was also confirmed in the so-called “Fashion-ID” ruling of the European Court of Justice.

Situation in Switzerland

Swiss publishers are facing similar challenges to those in the EU. When using online tracking technologies, it is important to check the extent to which data is being processed and to ensure that data is being processed lawfully. The latter may require the consent or even the express consent of the user. It is also necessary to comply with statutory information obligations. Especially since websites can hardly be limited to Swiss users only, the applicable ePrivacy Directive and the General Data Protection Regulation of the EU must also be taken into account and generally observed by Swiss publishers. Non-compliance can also result in heavy fines in the EU. In 2019, for example, the Spanish data protection authority imposed a fine of 30,000 euros on the low-cost airline Vueling because a cookie banner violated Spanish data protection law.

Conclusion

Online tracking, which can be conducted intentionally or unintentionally by various methods, holds numerous stumbling blocks, especially for publishers, and often leaves users greatly annoyed. It is worth keeping an eye on the developments in the EU and checking the use of tracking technologies against the requirements of the relevant data protection laws. We would be pleased to help you with the implementation and are also available to answer any further questions you may have about data protection.

We would like to thank our World IT Lawyers network partner Dr. Lukas Mezger of Unverzagt Rechtsanwälte for valuable input.