Category: Cookies

EDPB creates “Cookie Banner Taskforce”

5. October 2021

On September 27, 2021, the European Data Protection Board (EDPB) announced that it has established a “Cookie Banner” taskforce in order to coordinate the complaints and corresponding responses filed with several EU data protection authorities (DPA) by the non-governmental organization None of Your Business (NOYB) in relation to website cookie banners.

In May 2021 NOYB sent over 500 draft and formal complaints to companies residing in the EU regarding the use of their cookie banners. The complaints seem to focus on the absence of a “reject all” button on most of the websites as well as the way cookie banners use deceptive design in order to get data subjects to consent to the use of non-essential cookies. Another regular complaint is the difficulty for refusing cookies, as opposed to the simple way of consenting to them.

The EDPB stated that “this taskforce was established in accordance with Art. 70 (1) (u) GDPR and aims to promote cooperation, information sharing and best practices between the DPAs”. The taskforce is meant to exchange views on legal analysis and possible infringements, provide support to activities on the national levels and streamline communication.

noyb filed complaints against the cookie paywalls of seven major news websites in Austria and Germany

25. August 2021

Privacy Activist Max Schrems’ data protection organization noyb (an acronym for “none of your business”) announced on August 13th, 2021, they filed complaints against the cookie paywalls of seven major German and Austrian news websites. In the statement, they question whether consent can be “voluntarily” given if you have to pay to keep your data.

An increasing amount of websites asks their users to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to € 80 per year). Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?

With these paywalls, the user must decide whether to agree to the use of his or her own data for advertising purposes or to enter into a paid subscription with the respective publisher. However, personal data may only be processed if there is a legal basis for doing so. Such a legal basis may arise, for example, from Article 6 (1) (a) of the GDPR, if the data subject has given his or her consent to this processing. Such consent must be “freely given”. According to Rectical 42, sentence 5, “consent is not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” noyb is of the opinion that the paywall solution lacks the necessary voluntariness for consent and thus also lacks a legal basis according to Art. 6 (1) a) DSGVO.

Art. 7 (4) GDPR demands, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

In contrast, in a decision on November 30th, 2018, the Austrian data protection authority did not see a violation of the GDPR in a paywall system, as the data subject receives a recognizable benefit, and expressed that the decision was thus voluntary after all.

Accordingly, users’ personal data could be considered a “means of payment” with which they pay for a paid subscription instead of a monetary benefit. Consent to data processing would thus be necessary for fulfillment, as it represents the quid pro quo the data subject, in other words, the purchase price. How the responsible data protection authorities will ultimately decide remains to be seen.

These complaints by noyb represent the organization’s second major campaign this month. On August 10, they have already filed 422 formal complaints with 10 European regulators based on inadequate cookie banners.

CNIL plans to start enforcement on Ad Tracker Guideline

7. April 2021

Starting from April 1st, 2021, the French supervisory authority the Commission Nationale de l’Informatique et des Libertés (CNIL) is planning on starting its enforcement of Ad Tracker usage across the internet.

Following its Ad Tracker Guideline, the CNIL gave companies a time frame to adjust ad tracker usage and ensure compliance with the Guideline as well as the GDPR. This chance for the companies to adjust their ad tracker usage has ended on March 31st, 2021.

The new rules on cookies and ad trackers mainly revolve around the chance for the user to give active, free and informed consent. User consent for advertising cookies must be granted by a “clear and positive act”. This encompasses actions such as clicking an “I accept” button and no longer can be agreed to by simply continuing to use the website.

In addition, cookie banners must not only give the option to accept, they also have to give the option to reject. The act to reject cookie has to be as simple and easy as the act to accept cookies. Referring to “Cookie Options” is no longer a valid form of rejection, as it makes the user have to go through an extra step which may dissuade them from rejecting cookies. A valid option remains rejecting cookies by closing the Cookie Banner, but it has to be ensured that unless the cookies are indeed accepted, none but the essential cookies are activated.

Lastly, the Cookie Banner has to give a short information on the usage of the cookies. The CNIL’s Guideline allows for a more detailed information to be linked in the Cookie Banner, however companies should also give a short information in the Cookie Banner in order to be able to obtain “informed” consent.

At the beginning of March, the CNIL announced that “compliance with the rules applicable to cookies and other trackers” would be one of its three priorities for 2021, along with cybersecurity and the protection of health data. In a first act to follow that goal, the CNIL will now begin to conduct checks to ensure websites are in compliance with advertising tracker guidelines.

It is expected that companies that did not adjust their cookie and ad tracker usages will face fines according to the level of lacking compliance.

Google plans to stop the use of cookie tracking

15. March 2021

Google announces to stop the usage of third-party cookies in its browser Google Chrome and proclaim they will not implement other similar technologies that could track individuals while surfing on the web.

Cookies are small pieces of code used on almost every website. They are automatically downloaded when a user visits a website and from then on send data from the user back to the website operator. From this data, companies can create profiles of the user and personalize advertising based on the data collected. Originally, cookies were intended to give web browsers a “memory”. With cookies, online shops save shopping carts and users can stay logged in to online sites.

In a Blogpost published on March 3rd, 2021, David Temkin, Director of Product Management, Ads Privacy and Trust at Google, announced that the next update Google Chrome in April will allow cookie tracking to be turned of completely. With Google Chrome, only so-called “first-party cookies” of the respective website operator remain permitted. The decision will have lasting consequences, as Google Chrome has been the most widely used browser since 2012. The move comes after Google’s competitors Apple and Mozilla announced similar mechanisms for their Safari and Firefox browsers (please see our blog post). Temkin writes:

Keeping the internet open and accessible for everyone requires all of us to do more to protect privacy — and that means an end to not only third-party cookies, but also any technology used for tracking individual people as they browse the web.

Since the personalized advertising based on data, and thus the tracking of the data, is Google’s core business, Google will not stop either the data collection or the personalization of the advertising. Instead of individual profiles, Google will form cohorts of people with similar interests, to which advertising will be tailored. These cohorts are said to be broad enough to preserve the anonymity of individual users. This concept is called “Federated Learning of Cohorts” (FLoC). Google Ads FLoC based advertising is said to start in the second quarter of 2021.

Data will then be collected by the browser and stored locally and not by cookies. Every URL on a website and every content accessed can then be accessed by Google targeting algorithm. Algorithms on the end device are to calculate hash values from the browser history, for example, which enable the assignment to such a cohort. Google sends a selection of ads to the browser, which selects ads that match the cohort and shows them to the user.

While third-party cookies are gradually becoming obsolete, Google is replacing them with a system that Google can completely control itself. This will make it more difficult for competitors such as Facebook Ads in the future, as they will have to rely primarily on first-party data and on data obtained from cookies in smaller browsers.

Firefox introduces new tool to prevent cookie-based tracking

12. March 2021

Mozilla has announced the introduction of a new privacy tool for its Firefox browser, “Total Cookie Protection”, aimed at blocking cookie-based tracking by ad-tech companies. The new feature prevents cross-site tracking by confining cookies to the website where they were created and placing them into a so-called “cookie jar”.

Mozilla refers to cookies as “a useful technology, but also a serious privacy vulnerability” because they are shared between websites which enables tracking user’s browsing behavior. This approach allows advertising companies, in particular, to gather information about users, their browsing habits and interests as well as create detailed personal profiles.

Total Cookie Protection works by maintaining a separate “cookie jar”, assigned to each website visited. This procedure prohibits the deposited cookie from being shared with any other website. A limited exception only applies to cross-site cookies needed for non-tracking purposes.

Firefox has blocked some cookies used by ad-tech companies for years in an effort to fight against cookie abuse and web tracking. In order to achieve this goal, “Enhanced Tracking Protection” (ETP) was introduced in 2019. It blocks many of the companies identified as trackers by Mozilla’s partners at Disconnect. Despite being an effective strategy to stop tracking, this form of cookie blocking has its limitations, Johann Hofmann and Tim Huang remark on the developer blog Mozilla Hacks:

ETP protects users from the 3000 most common and pervasive identified trackers, but its protection relies on the fact that the list is complete and always up-to-date. Ensuring completeness is difficult, and trackers can try to circumvent the list by registering new domain names. Additionally, identifying trackers is a time-consuming task and commonly adds a delay on a scale of months before a new tracking domain is added to the list.

With this in view, Total Cookie Protection has been built into ETP as a new privacy advance. The feature intends to address the limitations of ETP and provide more comprehensive protection. It is complemented by Supercookie Protections rolled out last month, which shall eliminate the usage of non-traditional storage mechanisms (“supercookies”) as a tracking vector.

In conclusion, Mozilla stated:

Together these features prevent websites from being able to “tag” your browser, thereby eliminating the most pervasive cross-site tracking technique.

Privacy Activist Schrems unleashes 101 Complaints

21. September 2020

Lawyer and privacy activist Maximilian Schrems has become known for his legal actions leading to the invalidation of “Safe Harbor” in 2015 and of the “EU-U.S. Privacy Shield” this year (we reported). Following the landmark court decision on the “EU-U.S. Privacy Shield”, Schrems recently announced on the website of his NGO “noyb” (non-of-your-business) that he has filed 101 complaints against 101 European companies in 30 different EU and EEA countries with the responsible Data Protection Authorities. Schrems exercised the right to lodge a complaint with the supervisory authority that every data subject has if he or she considers that the processing of personal data relating to him or her infringes the Regulation, pursuant to Art. 77 GDPR.

The complaints concern the companies’ continued use of Google Analytics and Facebook Connect that transfer personal data about each website visitor (at least IP-address and Cookie data) to Google and Facebook which reside in the United States and fall under U.S. surveillance laws, such as FISA 702. Schrems also published a list of the 101 companies which include Sky Deutschland, the University of Luxembourg and the Cyprus Football Association. With his symbolic action against 101 companies, Schrems wanted to point to the widespread inactivity among many companies that still do not take the data protection rights of individuals seriously despite the recent ruling by the Court of Justice of the European Union.

In response, the European Data Protection Board (“EDPB”) has set up a “task force” to handle complaints against European companies using Google Analytics and Facebook services. The taskforce shall analyse the matter and ensure a close cooperation among the members of the Board which consists of all European supervisory authorities as well as the European Data Protection Supervisor.

Belgian DPA releases Guidance and FAQs on Cookies and Trackers

23. April 2020

On Thursday, April 9th 2020, the Belgian Data Protection Authority (Belgian DPA) has issued a guidance along with frequently asked question on the subject of cookies and other tracking technologies.

The key points presented by the guidance revolve around the definitions of cookies, what needs to be presented in a cookie policy, how the consent of data subjects needs to be obtained and which requirements it needs to fulfill, as well as the storage period of a cookie on a user’s device.

The Belgian DPA made it clear that of the utmost importance is the transparency of the cookie usage. That entails that the users need to be informed about the scope of each individual cookie used. This should be done through a cookie policy on the website. The cookie policy needs to be written in a language the targeted users of the website can understand, as well as be easily accessible, e.g. through a hyperlink.

Specifically, these cookie policies need to include and inform about:

  • identification of the cookies used;
  • their purposes and duration;
  • whether third-parties have access to such cookies;
  • information about how to delete cookies;
  • the legal basis relied upon for the use of cookies;
  • information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority;
  • information about any automated decision making, including profiling.

In order to be able to use cookies, the consent of the user needs to be obtained. The Belgian DPA stated in their guidance that the consent has to be obtained for the use of all non-essential cookies, which means all cookies that are not necessary for a user requested function of the website. A necessary cookie would be, for example, the cookie to remember the item in a user’s cart, or cookies that enable booking communication with a user.

The consent especially needs to be:

  • obtained for the use of all non-essential cookies, as well as all social media plugins;
  • informed, specifically, prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies: The information that needs to be given to the data subjects are the entity responsible for the use of cookies, the cookies’ purposes,  the data collected through the use of cookies, and their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent;
  • granulated, whereas in a first instance, users need to decide between what types of cookies they want to give consent to, and in a second instance, users can decide exactly which cookies they want to give consent to;
  • unambiguous and provided through a clear affirmative action.

Further, it is also important to keep in mind that the Belgian DPA has confirmed that cookie walls are unlawful, and that companies must show proof of obtained consent through keeping logs.

The Belgian DPA has also given guidance on the lifespan of cookies. Cookies should not have unlimited lifespans, but rather follow basic data protection rules: once a cookie is no longer necessary for the purpose or it has fulfilled its determined purpose, it needs to be removed. If the cookie cannot be deleted from the controller’s side, it is important to give the users the information on how to do it themselves.

Overall, the Belgian DPA’s guidance has given controllers a clear way to maneuvering their cookie usage, and has provided a new list of FAQs in case of further questions. In this regard, the Belgian DPA has made sure that cookies and their use are easy to comprehend and handle, hopefully helping data protection compliance within the subject.

CNIL announces focus for Control Procedures in 2020

16. March 2020

The french Commission Nationale de l’Informatique et des Libertés (CNIL) has announced their focus in regards to the Control Procedures they intend to take in 2020.

Out of 300 Control Procedures done in one year, in 2020 at least 50 of those are going to be focused on three prioritized themes: health data security, geolocation and cookies compliance. The CNIL decided on prioritizing these areas because of the high relevance all of them have on the daily life of the french citizens.

Especially in regards to health data because of the sensitive nature of the data collected, as well as geological data, due to the never ending new solutions to transportation or enhancements to daily life, it is important to keep an eye on the scope of the data processing and the private sphere which is affected.

Regarding cookies and other tracers, CNIL continues to underline the importance in regards to profiled advertisement. On top of the planned Control Procedures, the CNIL intends to publish a recommendation in the spring of 2020 with regards to cookies. It will keep an eye on the implementation of the recommendation, and give companies a 6 months period to adjust and implement them.

The CNIL also stated that in addition they will continue to work together with other national Data Protection Authorities, in order to ensure the regulation of transnational data processing.

Greek Data Protection Authority releases Guidance on Cookies

On 25 February 2020, the Hellenic Data Protection Authority (DPA) published a guidance on Cookies and other tracking tools. Previously, the Authority had found that Greek websites and service providers have been largely failing to comply with the rules on the use of Cookies and other trackers set out by the ePrivacy Directive and the GDPR, and reaffirmed by the European Court of Justice’s ruling on Planet 49.

The guidance states that it will be relevant to HTTP/S Cookies, Flash Cookies, local storage applying to HTML 5, device fingerprinting, OS identifiers, and material identifiers.

The Greek DPA reiterated that, generally, providers are obliged to obtain the user’s consent if they are using any tracking tools – irrespective of whether the processing of personal data is taking place. It also outlined that technically necessary trackers are exempt from the obligation to consent. Furthermore, the guidance goes into detail on how information and consent can be made available on websites specifically.

Lastly, the Authority has given Greek website providers a grace period of two months to implement the provisions of this guidance and thereby become compliant with the European rules on tracking tools.

CNIL publishes recommendations on how to get users’ cookie consent

21. January 2020

On 14 January 2020, the French data protection authority (“CNIL”) published recommendations on practical modalities for obtaining the consent of users to store or read non-essential cookies and similar technologies on their devices. In addition, the CNIL also published a series of questions and answers on the recommendations.

The purpose of the recommendations is to help private and public organisations to implement the CNIL guidelines on cookies and similar technologies dated 4 July 2019. To this end, CNIL describes the practical arrangements for obtaining users’ consent, gives concrete examples of the user interface to obtain consent and presents “best practices” that also go beyond the rules.

In order to find pragmatic and privacy-friendly solutions, CNIL consulted with organisations representing industries in the ad tech ecosystem and civil society organisations in advance and discussed the issue with them. The recommendations are neither binding or prescriptive nor exhaustive. Organisations may use other methods to obtain user consent, as long as these methods are in accordance with the guidelines.

Among the most important recommendations are:

Information about the purpose of cookies
First, the purposes of the cookies should be listed. The recommendations contain examples of this brief description for the following purposes or types of cookies:
(1) targeted or personalised advertising;
(2) non-personalized advertising;
(3) personalised advertising based on precise geolocation;
(4) customization of content or products and services provided by the Web Publisher;
(5) social media sharing;
(6) audience measurement/analysis.
In addition, the list of purposes should be complemented by a more detailed description of these purposes, which should be directly accessible, e.g. via a drop-down button or hyperlink.

Information on the data controllers
An exhaustive list of data controllers should be directly accessible, e.g. via a drop-down button or hyperlink. When users click on this hyperlink or button, they should receive specific information on data controllers (name and link to their privacy policy). However, web publishers do not have to list all third parties that use cookies on their website or application, but only those who are also data controllers. Therefore, the role of the parties (data controller, joint data controller, or data processor) has to be assessed individually for each cookie. This list should be regularly updated and should be permanently accessible (e.g. through the cookie consent mechanism, which would be available via a static icon or hyperlink at the bottom of each web page). Should a “substantial” addition be made to the list of data controllers, users’ consent should be sought again.

Real choice between accepting or rejecting cookies
Users must be offered a real choice between accepting or rejecting cookies. This can be done by means of two (not pre-ticked) checkboxes or buttons (“accept” / “reject”, “allow” / “deny”, etc.) or equivalent elements such as “on”/”off” sliders, which should be disabled by default. These checkboxes, buttons or sliders should have the same format and be presented at the same level. Users should have such a choice for each type or category of cookie.

The ability for users to delay this selection
A “cross” button should be included so that users can close the consent interface and do not have to make a choice. If the user closes the interface, no consent cookies should be set. However, consent could be obtained again until the user makes a choice and accepts or rejects cookies.

Overall consent for multiple sites
It is acceptable to obtain user consent for a group of sites rather than individually for each site. However, this requires that users are informed of the exact scope of their consent (i.e., by providing them with a list of sites to which their consent applies) and that they have the ability to refuse all cookies on those sites altogether (e.g., if there is a “refuse all” button along with an “accept all” button). To this end, the examples given in the recommendations include three buttons: “Personalize My Choice” (where users can make a more precise selection based on the purpose or type of cookies), “Reject All” and “Accept All”.

Duration of validity of the consent
It is recommended that users re-submit their consent at regular intervals. CNIL considers a period of 6 months to be appropriate.

Proof of consent
Data controllers should be able to provide individual proof of users’ consent and to demonstrate that their consent mechanism allows a valid consent to be obtained.

The recommendations are open for public consultation until 25 February 2020. A new version of the recommendations will then be submitted to the members of CNIL for adoption during a plenary session. CNIL will carry out enforcement inspections six months after the adoption of the recommendations. The final recommendations may also be updated and completed over time to take account of new technological developments and the responses to the questions raised by professionals and individuals on this subject.

Pages: 1 2 3 Next
1 2 3