It’s hard to believe that it has been a few years since the updated cookie “consent” rules came into effect across Europe. At that time, it was pretty much the hot topic in the data privacy world as
It’s hard to believe that it has been a few years since the updated cookie “consent” rules came into effect across Europe. At that time, it was pretty much the hot topic in the data privacy world as we all grappled with the rules’ implications and how to implement appropriate compliance mechanisms. However in recent times, one would be forgiven for almost forgetting those days. The early forecasts of intense DPA cookie enforcement activity didn’t quite happen and we’ve also had the minor issue of the new draft Regulation and the Snowden affair (not to mention the on-going daily challenges presented by data security, data processing contracts, BYOD, cloud computing issues etc) to keep us all occupied.
Therefore, it's nice to hear that there have been enough recent cookie developments in various EU member states to remind us that it is still an important compliance issue for any organisation that uses cookies and related tracking technologies. Here’s a run-down of what’s been happening in Europe:
Italy
The Italian Data Protection Authority (Garante) has published guidance on complying with the cookie requirements in Italy in order to obtain the express consent of the user. The main points are as follows:
Spain
After being the first EU member state to issue fines for infringement of its cookie rules (see here) the law regulating the use of cookies has been amended. We highlight the following changes. It has been clarified that it is an infringement to serve cookies without the individual’s consent. Due to a legislative error this was previously not the case and the Spanish DPA could not undertake enforcement action on this issue. Infringements may be ‘low’ or ‘serious’. The latter category will apply if the organisation infringes the cookie rules on several occasions within a period of three years. The enforcement powers available to the Spanish DPA have also changed so that it is able to issue warnings for failure to comply with the cookie rules, or decide that it will apply the lowest category of fines for serious infringements under certain circumstances. Advertising networks will also now be liable for their failure to comply with the cookie rules.
Netherlands
Following the Dutch DPA’s first investigation into an organisation’s use of cookies, the online advertising agency ‘YD Display Advertising Benelux’ (YD) was found to have infringed the Dutch cookie rules by placing tracking cookies on users’ web browsers in order to provide personalised advertising without the user’s consent. The cookies enabled YD and its network of advertisers to track the behaviour of visitors through multiple websites. The DPA found that the ability of users to opt-out of receiving personalised advertising was not sufficient to construe unambiguous consent and the information provided by YD to its users on the use of use of such cookies did not satisfy the notice requirements.
The Dutch DPA noted that such violations would still exist even if the proposed amendments to the current Dutch cookie rules (currently going through the Dutch Parliament) were applied because such tracking cookies would still require user consent. This investigation follows the Dutch DPA’s earlier announcement that one of its priorities for 2014 is to focus on the profiling, tracking and tracing of internet users.
France
This year has, and will continue to be, a busy year for the French Data Protection Authority (CNIL) (see here). A new consumer rights law came into force on 17 March, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections (in addition to the existing on-site inspections). This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the online activities of companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing. One can expect the use of cookies to also fall under this remit.
Belgium
Finally, the Belgian DPA has recently launched a public consultation on its draft cookie guidance (see our previous blog), stating that implied user consent may be an acceptable model for the use of cookies.
What this means now
Whilst the adoption of the draft Regulation may currently be grabbing all the headlines, regulating the use of cookies has not been completely forgotten by Europe’s national regulators. This presents challenges to organisations operating on an EU-wide basis as they attempt to understand and comply with the various developments and requirements in specific EU member states. Therefore the message is clear for businesses operating in Europe:
Therefore, it's nice to hear that there have been enough recent cookie developments in various EU member states to remind us that it is still an important compliance issue for any organisation that uses cookies and related tracking technologies. Here’s a run-down of what’s been happening in Europe:
Italy
The Italian Data Protection Authority (Garante) has published guidance on complying with the cookie requirements in Italy in order to obtain the express consent of the user. The main points are as follows:
- Website operators are required to implement a web banner on the landing page outlining cookies used, the right to refuse cookies and a link to a separate notice setting out full details of the cookies used and the means by which a user can turn them on or off.
- The requirement to notify the Garante where profiling cookies and related technologies are used.
- Penalties under Italian data protection law can range from €6,000 to €120,000 (for example for serving cookies without obtaining the appropriate consent and failing to notify the Garante of such processing activities).
- Operators shall benefit from a one-year grace period (expiring on 3rd June 2015) to implement the relevant measures.
Spain
After being the first EU member state to issue fines for infringement of its cookie rules (see here) the law regulating the use of cookies has been amended. We highlight the following changes. It has been clarified that it is an infringement to serve cookies without the individual’s consent. Due to a legislative error this was previously not the case and the Spanish DPA could not undertake enforcement action on this issue. Infringements may be ‘low’ or ‘serious’. The latter category will apply if the organisation infringes the cookie rules on several occasions within a period of three years. The enforcement powers available to the Spanish DPA have also changed so that it is able to issue warnings for failure to comply with the cookie rules, or decide that it will apply the lowest category of fines for serious infringements under certain circumstances. Advertising networks will also now be liable for their failure to comply with the cookie rules.
Netherlands
Following the Dutch DPA’s first investigation into an organisation’s use of cookies, the online advertising agency ‘YD Display Advertising Benelux’ (YD) was found to have infringed the Dutch cookie rules by placing tracking cookies on users’ web browsers in order to provide personalised advertising without the user’s consent. The cookies enabled YD and its network of advertisers to track the behaviour of visitors through multiple websites. The DPA found that the ability of users to opt-out of receiving personalised advertising was not sufficient to construe unambiguous consent and the information provided by YD to its users on the use of use of such cookies did not satisfy the notice requirements.
The Dutch DPA noted that such violations would still exist even if the proposed amendments to the current Dutch cookie rules (currently going through the Dutch Parliament) were applied because such tracking cookies would still require user consent. This investigation follows the Dutch DPA’s earlier announcement that one of its priorities for 2014 is to focus on the profiling, tracking and tracing of internet users.
France
This year has, and will continue to be, a busy year for the French Data Protection Authority (CNIL) (see here). A new consumer rights law came into force on 17 March, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections (in addition to the existing on-site inspections). This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the online activities of companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing. One can expect the use of cookies to also fall under this remit.
Belgium
Finally, the Belgian DPA has recently launched a public consultation on its draft cookie guidance (see our previous blog), stating that implied user consent may be an acceptable model for the use of cookies.
What this means now
Whilst the adoption of the draft Regulation may currently be grabbing all the headlines, regulating the use of cookies has not been completely forgotten by Europe’s national regulators. This presents challenges to organisations operating on an EU-wide basis as they attempt to understand and comply with the various developments and requirements in specific EU member states. Therefore the message is clear for businesses operating in Europe:
- Audit your cookie use and find out what you’ve got
- Assess the intrusiveness of those cookies
- Adopt a notice and consent strategy
- Implement forward-facing cookie management mechanisms