Cookies: an update.
What you need to know.
If your company has a website, there is a significant chance it has cookies. Even purely informative websites (ones without a webshop, for example) often have cookies: to keep track of the visitor's language preferences, collect statistics about the way visitors use the site or to personalise advertisements. No matter what your website developer says, in the vast majority of cases these cookies will collect personal data. In practice, the data protection world - unlike the technical world - is much less likely to conclude that cookies are « anonymous ».
Doing nothing while awaiting the new ePrivacy Regulation is therefore no longer an option. Time for an update of our previous Privacy Talk on this subject.
The ePrivacy Directive stipulates that the website visitor's consent is necessary for the placement of cookies, with the exception of the technical storage of information or the provision of a service explicitly requested by the subscriber or end user when placing a cookie is strictly necessary for this purpose. In practice, these two exceptions mean that consent is not required for cookies that are necessary (i) for the functioning of the website (often called « essential » cookies) and (ii) to provide a functionality explicitly requested by the visitor (often called « functional » cookies). These include, for example, cookies that are necessary to establish a connection, to remember a login or language preferences, to store selected products in a shopping basket, etc.
Consent under the ePrivacy Directive must comply with the conditions of the General Data Protection Regulation. This means, amongst other things, that the consent must be informed and unambiguous. Furthermore, website owners must comply with the general transparency requirement (Articles 12 and 13 GDPR).
What you need to do.
Everything starts with a proper understanding of the cookies your website uses. In practice, this is exactly where the sticking point lies. This information must be provided by the website developer. You (as a lawyer) may be able to double-check this information against the result of a « cookie scan » as provided by online tools. Such tools are certainly not flawless, however, and experience has shown that website developers too can overlook cookies. It is therefore often advisable to ask a few additional questions.
To play it safe, you should assume that all cookies collect personal data. The threshold to be able to speak of « anonymous » cookies is very high, so you should not run the risk that the supervisory authority takes a different view from the website developer.
- The cookie banner contains a brief description of the types of cookies used by the website and a link to the cookie statement for more information. If the website already has a privacy statement (in accordance with Articles 12 and 13 GDPR), that cookie statement only needs to contain the following information: for each cookie, its name, purpose, retention period and possibly the name of the third party that placed the cookie and/or uses the cookie. The cookie statement also has to contain information about changing the browser settings and the possibility of revoking the consent. The cookie statement must be drawn up in the language of the target group and must be easily accessible (i.e. available via a link on every page of the website).
- You must obtain the visitor's consent for placing the non-essential/non-functional cookies. This too is best done through the cookie banner that appears immediately on the first visit to the website. Obtaining consent should be done granularly, i.e. at least per type of cookie (statistical, advertising and social media). If you provide the possibility of accepting all cookies with a single click, it is also a good idea to provide a button for rejecting all (non-essential/non-functional) cookies. You are not allowed to work with pre-ticked boxes (for non-essential/non-functional cookies), nor is it sufficient to have a message that continued surfing is deemed to be consent.
Remember that many supervisory authorities and also the European Data Protection Board do not accept cookie walls, i.e. making access to the website dependent on the visitor's consent to the installation of non-essential and non-functional cookies.