Most people have had concerns other than ePrivacy, GDPR and cookies over these past few months. Over this same period and longer, this data protection blogger’s waistline has increasingly hinted at affection for cookies of the baked variety. To be more accurate: it is evidence of such affection. It stands as an affection that, whilst not a direct consequence of the pandemic, nevertheless has been predominantly encouraged, facilitated and maximised by this global pandemic. We all need some kind of excuse!
During the last few months thoughts around the architecture of other cookie types have also taken on a more reflective mode. These cookies are the cookies we encounter when we browse the internet. Some announce themselves immediately; others seek to delay announcing their presence, while more adopt a strategy of hide and seek. In the context of data protection generally, and GDPR more specifically, this raises many concerns. As data protection consultants, many queries we receive relate to uncertainties and doubts about cookies that have made their way onto user devices.
This blog will outline the data protection ramifications for the proliferation of the various cookie types. It will also outline the associated compliance requirements for their use under the GDPR and the old ePrivacy Directive, which was given effect in Ireland by the European Communities Privacy and Electronic Communications Regulations, S.I. 336 of 2011. There is still no definitive answer as to when the long-awaited EU ePrivacy Regulation will be finally agreed upon and become law.
What are Cookies?
Many will be all too familiar with the question above, and the ubiquitous presence of cookies on the internet, but still how many truly understand or bother to learn more? How many times have we all as internet surfers just ignored cookie notices and clicked ‘accept boxes’ in order to quickly access the information we are seeking? Definitions of cookies abound and vary. The aim of this blog post is to offer clear information in a manner that avoids the strictly technical descriptions, especially those that often confuse more than they enlighten or explain.
Cookies are small pieces of information, stored in simple text files, placed on your computer by a website. These cookies can then be read by the website on your subsequent visits. Some of the information stored in a cookie may relate to your browsing habits on the web page, or a unique identification number so that the website can ‘remember’ you on your return visit. In general, cookies do not contain personal information from which you can be identified, unless you have specifically furnished such information to the website.
Historically, cookies were conceived to make up for the web protocols’ inability to record preferences (e.g. languages) or actions already performed on a website (such as the articles already in the shopping basket of an ecommerce website). Later on, their use was extended to enabling user authentication during a session, recording browsing behaviour for web service improvement purposes, or for tracking and profiling users, e.g. to serve targeted advertising.
For example, Google Analytics is Google’s analytics tool that helps website and app owners to understand how their visitors engage with their properties. It may use a set of cookies to collect information and report site usage statistics without personally identifying individual visitors to Google.
Most commonly, cookies store user preferences and other information. We will see later how much of the information is aggregated and anonymised so as not to readily identify individual users. However, it is not quite as simple as that, and with some cookie types there are hidden dangers for a person’s privacy and data protection rights.
Cookie Classifications.
Duration
Some cookies are defined by the length of time they remain active. For example, cookies are most often referred to as ‘session’ or ‘persistent’. ‘Session’ cookies are most usually stored temporarily during a browsing session and are deleted from the user’s device when the browser is closed. ‘Persistent’ cookies are saved on your computer for a fixed period, and are not deleted when the browser is closed, allowing them to conveniently and quickly manage return visits to a website. (Consent is not required by the law when cookies are used to enable the communication on the web and when they are strictly necessary for the service requested by the user.)
Source/Origin
Third Party cookies
These cookies may be set through a site by that site’s advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
They do not directly store personal data, but act to uniquely identify your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. For example, many website owners use social media platforms, such as Facebook, Twitter or Instagram et cetera, as tools to enhance their own website, but these cookies are set by the social media companies.
Primarily, such cookies are set by third parties for their own specific purposes and such purposes are predominantly purely of a commercial nature, e.g. advertising. Such third party advertising cookies may be used by those third parties to anonymously target advertising to you on other websites, based on your previous visit to an entirely unrelated website. These cookies cannot be used to identify an individual; they can only be used for statistical purposes, for example, in providing you with advertisements that are more relevant to your interests.
One of the reasons Facebook’s ads are so successful is that they track and target the user across websites. If you’re an advertiser, third party cookie data allows you to learn about your web visitors’ overall online behaviours, such as websites they frequently visit, purchases, and interests that they’ve shown on various websites. Users are being tracked across the entire web within a specific browser, and not just on the site on which cookies might have been installed. With this detailed data, you can build robust visitor profiles. Armed with this, you can then create a retargeting list that can be used to send ads to your past visitors or people with similar web profiles.
First party cookies
These are the opposite of third party cookies. First party cookies are directly stored by the website or domain you visit. They are set and controlled by a website itself and are set with the purpose of giving the website information about the usage of its site. The usual goal is to allow the website owner to provide as good a user experience as possible. With that in mind, the cookies can collect analytics data, remember language settings, and perform a myriad of useful functions. The architecture and design of modern websites is focused on optimising the ability to gain as much (relevant) information as possible about the operation of specific websites. Functional, performance and targeting cookies may be first party cookies, but not in all cases.
A first-party cookie is a code that gets generated and stored on a website visitor’s computer by default when they visit the same website. This cookie is often used for user experience as it is responsible for remembering passwords, basic data about the visitor, and other preferences. With a first-party cookie, you can learn about what a user did while visiting your website, see how often they visit it, and gain other basic analytics that can help you develop or automate an effective marketing strategy around them. However, you can’t see data related to your visitor’s behaviour on other websites that aren’t affiliated with your domain.
Purpose
Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. No opt outs are permissible on these cookies, and as they are necessary for the proper functioning of the website the user does not have to consent to these. It is a ‘take them or leave them’ type of choice. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Preferences cookies — Also known as ‘functionality cookies’, these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your username or password is so you can automatically log in. These cookies, therefore, enable a website to provide enhanced functionality and personalisation. They may be set by a website or by third party providers whose services a website adds to its pages. No information is gathered or stored unless you interact with these features.
Statistics cookies — Also known as ‘performance cookies’, these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited. Blocking these cookies means the site will not know when you have visited the site, and will not be able to monitor its performance.
Marketing cookies — These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.
These are the main ways of classifying cookies, although there are cookies that will not fit neatly into these categories or may qualify for multiple categories. When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies. These cookies can contain significant amounts of information about your online activity, preferences, and location. The chain of responsibility (who can access a cookie’s data) for a third-party cookie can get complicated as well, only heightening their potential for abuse.
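Duration and source, the first two classifications above, can be read from the Set-Cookie response header that places the cookie; purpose cannot, and has to come from the site’s own records. The following is an added example, not code from the original post: the hosts, cookie names and values are constructed, and comparing the last two host labels is a simplifying assumption standing in for a Public Suffix List lookup.

```javascript
// Added example (not from the original post). Hosts and cookie values are constructed.
const PAGE_HOST = "www.shop.example"; // the site the user chose to visit
const NOW = new Date("2021-03-01T00:00:00Z"); // fixed clock so results are reproducible

// Constructed Set-Cookie headers, each with the host whose response carried it.
const OBSERVED = [
  { responseHost: "www.shop.example", header: "basket=abc123; Path=/; HttpOnly" },
  { responseHost: "www.shop.example", header: "lang=en; Max-Age=31536000; Path=/" },
  { responseHost: "ads.adnetwork.example",
    header: "uid=c0ffee1234; Expires=Wed, 01 Mar 2023 00:00:00 GMT; Domain=adnetwork.example; Path=/" },
  { responseHost: "www.shop.example", header: "old_pref=; Max-Age=0; Path=/" },
];

// Split a Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Duration: no Max-Age/Expires means a session cookie; otherwise persistent.
// Max-Age takes precedence over Expires when both are present.
function classifyDuration(cookie, now) {
  let expiresAt = null;
  const maxAge = cookie.attrs["max-age"];
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) {
    expiresAt = now.getTime() + Number(maxAge) * 1000;
  } else if (typeof cookie.attrs["expires"] === "string") {
    const t = Date.parse(cookie.attrs["expires"]);
    if (!Number.isNaN(t)) expiresAt = t;
  }
  if (expiresAt === null) return { duration: "session", lifetimeDays: 0 };
  // An expiry at or before "now" instructs the browser to delete the cookie.
  if (expiresAt <= now.getTime()) return { duration: "deleted", lifetimeDays: 0 };
  const lifetimeDays = Math.round((expiresAt - now.getTime()) / 86400000);
  return { duration: "persistent", lifetimeDays };
}

// Assumption: the last two labels approximate the registrable domain.
// Production code should consult the Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Source: first party if the setting host belongs to the visited site.
function classifySource(pageHost, responseHost) {
  return siteOf(pageHost) === siteOf(responseHost) ? "first-party" : "third-party";
}

// Classify every observed cookie by source and duration.
function classifyCookies(pageHost, observed, now) {
  return observed.map(({ responseHost, header }) => {
    const cookie = parseSetCookie(header);
    return {
      name: cookie.name,
      source: classifySource(pageHost, responseHost),
      ...classifyDuration(cookie, now),
    };
  });
}

console.table(classifyCookies(PAGE_HOST, OBSERVED, NOW));
```
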
Related/Used in conjunction with cookies
Browser web storage
Browser web storage enables websites to store data in a browser on a device. When used in ‘local storage’ mode, it enables data to be stored across sessions. This makes data retrievable even after a browser has been closed and reopened. One technology that facilitates web storage is HTML 5.
IP address
Every device connected to the Internet is assigned a number known as an Internet protocol (IP) address. These numbers are usually assigned in geographic blocks. An IP address can often be used to identify the location from which a device is connecting to the Internet.
Pixel tag
A pixel tag is a type of technology placed on a website or within the body of an email for the purpose of tracking certain activity, such as views of a website or when an email is opened. Pixel tags are often used in combination with cookies.
Referrer URL
A Referrer URL (Uniform Resource Locator) is information transmitted to a destination webpage by a web browser, typically when you click a link to that page. The Referrer URL contains the URL of the last webpage the browser visited.
Server logs
Most websites automatically record the page requests made when you visit those particular sites. These ‘server logs’ typically include your web request, Internet Protocol address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser.
Google gives the example below of how a simple search for “cars” might look as a server log entry.
A typical log entry for a search for “cars” looks like this:
123.45.67.89 – 25/Mar/2003 10:15:32 –
http://www.google.com/search?q=cars –
Firefox 1.0.7; Windows NT 5.1 –
740674ce2123e969
• 123.45.67.89 is the Internet Protocol address assigned to the user by the user’s ISP. Depending on the user’s service, a different address may be assigned to the user by their service provider each time they connect to the Internet.
• 25/Mar/2003 10:15:32 is the date and time of the query.
• http://www.google.com/search?q=cars is the requested URL, including the search query.
• Firefox 1.0.7; Windows NT 5.1 is the browser and operating system being used.
• 740674ce2123e969 is the unique cookie ID assigned to this particular computer the first time it visited Google. (Cookies can be deleted by users. If the user has deleted the cookie from the computer since the last time they’ve visited Google, then it will be the unique cookie ID assigned to their device the next time they visit Google from that particular device).
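As an added illustration (not part of the original post or of Google’s text), the code below parses entries in the field order shown above and groups them by cookie ID, which shows why the cookie ID rather than the IP address is what ties a series of requests to one browser. The first entry is the one quoted above joined onto a single line; the other entries and the function names are constructed.

```javascript
// Added example. The first entry is the one quoted in the post (joined onto one
// line); the remaining entries are constructed for illustration.
const SAMPLE_LOG = [
  "123.45.67.89 – 25/Mar/2003 10:15:32 – http://www.google.com/search?q=cars – Firefox 1.0.7; Windows NT 5.1 – 740674ce2123e969",
  // Same cookie ID, different IP address (the ISP assigned a new one).
  "198.51.100.7 – 26/Mar/2003 08:02:11 – http://www.google.com/search?q=car+insurance – Firefox 1.0.7; Windows NT 5.1 – 740674ce2123e969",
  // Same IP address as the first entry, different browser and cookie ID.
  "123.45.67.89 – 26/Mar/2003 19:40:05 – http://www.google.com/search?q=recipes – MSIE 6.0; Windows NT 5.1 – 1f2e3d4c5b6a7988",
  "truncated line without the expected fields",
];

// Parse one entry: IP – date and time – URL – browser; OS – cookie ID.
function parseLogEntry(line) {
  const fields = line.split(" – ").map((f) => f.trim());
  if (fields.length !== 5) return null; // malformed or truncated entry
  const [ip, timestamp, url, userAgent, cookieId] = fields;
  let query = null;
  try {
    query = new URL(url).searchParams.get("q"); // the search term, if any
  } catch (err) {
    return null; // URL field is not a valid URL
  }
  return { ip, timestamp, url, query, userAgent, cookieId };
}

// Group entries by cookie ID, collecting the distinct IP addresses and the
// search queries recorded against each ID.
function linkByCookieId(lines) {
  const byCookie = {};
  for (const line of lines) {
    const entry = parseLogEntry(line);
    if (!entry) continue; // skip lines that do not parse
    if (!byCookie[entry.cookieId]) byCookie[entry.cookieId] = { ips: [], queries: [] };
    const rec = byCookie[entry.cookieId];
    if (!rec.ips.includes(entry.ip)) rec.ips.push(entry.ip);
    if (entry.query !== null) rec.queries.push(entry.query);
  }
  return byCookie;
}

console.log(JSON.stringify(linkByCookieId(SAMPLE_LOG), null, 2));
```

Grouping by IP address instead would merge the two browsers behind 123.45.67.89 and split the first browser’s searches across two addresses.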
Unique identifiers
A unique identifier is a string of characters that can be used to uniquely identify a browser, app, or device. Different identifiers vary in how permanent they are, whether they can be reset by users, and how they can be accessed.
Unique identifiers can be used for various purposes, including security and fraud detection, syncing services such as an email inbox, remembering your preferences, and providing personalized advertising. For example, unique identifiers stored in cookies help sites display content in your browser in your preferred language. You can configure your browser to refuse all cookies or to indicate when a cookie is being sent.
Unique identifiers may also be incorporated into a device by its manufacturer (sometimes called a universally unique ID or UUID), such as the IMEI-number of a mobile phone. For example, a device’s unique identifier can be used to customize a website’s service to your device or analyze device issues related to that service.
Some Cookie Problems.
There is a close relationship between ePrivacy and cookies. Cookies do not exist in a vacuum, but rather interact in both negative and positive manners with internet users on a daily basis. This interaction is regulated by both the ePCR and the GDPR. The ePCR supplements (and in some cases, overrides) the GDPR, addressing crucial aspects about the confidentiality of electronic communications and the tracking of internet users more broadly.
One aspect that overrides all others in the day to day interactions is the concept of consent. It is the absence of any cookie consent mechanism, or the dilution of the consent mechanism, that primarily causes problems. While cookies are specifically regulated under the auspices of the ePCR, consent in relation to cookies is governed by the very strict standards under the GDPR. Under the ePCR consent is required to either store information, or gain access to information stored, on an individual’s device. This is the essence of the cookies rules. The two exceptions to this general rule are where:
1. The sole purpose is for carrying out the transmission of a communication, or
2. It is strictly necessary in order to provide an online service explicitly requested by that individual.
These rules apply regardless of whether personal data is processed. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
In a report in 2019, the DPC noted that many controllers categorised the cookies deployed on their websites as having a ‘necessary’ or ‘strictly necessary’ function, where the stated function of the cookie appeared to meet neither of the two consent exemption criteria set down in the ePrivacy Regulations/ePrivacy Directive. These included cookies used to establish chatbot sessions that were set prior to any request by the user to initiate a chatbot function. In some cases, it was noted that the chatbot function on the websites concerned did not work at all.
The GDPR speaks more to the nature of the concept of consent. It is specific as to the quality of consent, as it is the quality that sets it apart.
The Notion of Consent under the GDPR.
One of the most common problems alluded to above is the absence of, or the strategic manipulation of, the nature and essence of consent. The GDPR always foresaw how the promulgation of many of its objectives was to be inextricably linked to a full understanding of the attendant concept of consent. Trample upon or weaken the nature of true consent and you simultaneously trample upon data subject rights.
Article 4 (11) GDPR
The article defines consent of the data subject as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. We know in the context of the ePCR that the data being processed does not necessarily have to be personal data. Nevertheless, the standard of consent is the GDPR standard. Art. 7 GDPR expands on the concept and gives the general conditions to be met to validate consent.
At the outset, where a controller is using consent as a basis for processing, that controller has to be able to demonstrate that the data subject has indeed consented (Art. 7 (1) GDPR).
Where consent is given in the context of a written declaration and is juxtaposed or mixed in with other items, any request for consent has to be clearly distinguishable from those other items (Art. 7 (2) GDPR).
Consent may be withdrawn at any time. Even before consent is given, the data subject must be informed it shall be as easy to withdraw as to give consent. Any withdrawal of consent subsequent to the processing of personal data shall not affect the lawfulness of processing prior to the withdrawal of consent (Art. 7 (3) GDPR).
In regard to the concept of ‘free consent’, and especially in relation to consent given as a contractual term for the provision of a service, account will be taken as to whether that provision is conditional on consent to processing of personal data that is not necessary for the performance of that contract (Art. 7 (4) GDPR).
Recital 32 is most instructive on the consent concept and relates more directly to consent in the cookie sphere. It emphasises consent ‘by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her…’ Common examples are written statements, including by electronic means, or oral statements. (Note: the controller needs to be careful with oral statements, as he/she needs to demonstrate the data subject has consented.)
Other examples could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover processing activities for the same purpose or purposes. If multiple purposes are involved then consent has to be given for all purposes.
Of most relevance in the cookie consent context is that any consent given following a request by electronic means must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided (cookie walls). The standard of consent that controllers must obtain from users or subscribers for the use of cookies must now be read in light of the GDPR standard of consent: i.e. it must be obtained by means of a clear, affirmative act and be freely given, specific, informed and unambiguous. (See the DPC cookie sweep report.)
Planet49 case
In this case, a lottery website had required users to consent to the storage of cookies in exchange for access to play a promotional game. The Court (CJEU) decided that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent.
That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
The Court notes that consent must be specific. Merely selecting the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.
Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.
So, to sum up, pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law.
Furthermore, cookie consent can’t be bundled with another purpose (in the Planet49 case the promotional lottery) — at least if that fuzzy signal is being used to stand for consent.
There’s also an interesting new requirement which looks set to shrink the ability of service operators to obfuscate how persistently they’re tracking Internet users.
For consent to cookies to be legally valid, the court now says the user must be provided with some specific information on the tracking, namely: How long the cookie will operate, and with whom their data will be shared.
The proposed new ePrivacy Regulation.
Earlier we mentioned that the debate over the new Regulation is still continuing. Remember! A regulation is a more powerful legislative instrument for EU lawmakers as it’s binding across all EU Member States. It immediately comes into legal force on a pre-set date, without any need to be transposed into national laws. A regulation is self-executing. On the other hand, Member States have more discretion and flexibility with a directive because it’s up to them as to exactly how they implement the substance of any directive. For example, they could adapt an existing law or create a new one.
With the regulation all deliberation happens among the EU institutions and, once that discussion and negotiation process has concluded, the agreed text becomes law across the bloc. As a rule, it is more difficult to get agreement and consensus on a regulation. In the case of the GDPR, some articles specifically made provisions for Member States to be able to vary the substantive application of parts of the regulation.
In Ireland, for example, the age of a child under the DPA 2018 for the purposes of the application of the GDPR is 18 years (DPA 2018, s.29). However, GDPR Art. 8 allows Member States to set a lower age in relation to the offering of information society services to a child. Accordingly, s.31, DPA 2018 sets this at sixteen. Nevertheless, the GDPR has the final say in stipulating that no Member State can lower the age to less than 13 years in the same context (Art. 8 (1) GDPR). Because a regulation is usually so precisely and uniformly applied once enacted, the debate beforehand may be long, technical and arduous. Member States and lobby groups attempt to bring influence to bear on the final draft. It will be too late once the final draft is agreed and it becomes law. It is hardly surprising then that the debate on the ePrivacy regulation has taken so long.
There are many contested issues and what view one has is predicated upon individual interests. Media, and the publishing industry associations in general, remain entrenched in opposition to the new ePrivacy regulation. Their fears centre on the potential for the regulation to wreak financial havoc on their ad-supported business models. Such models rely heavily on cookies and tracking technologies, strategically utilising them to try to monetise free content via targeted ads. Empowering ordinary ‘users’ to opt in to being tracked represents a step too far!
Key content of the ePrivacy Regulation
The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.
Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU Member States have not yet been able to agree on the draft legislation. The negotiations of the ePrivacy Regulation are still ongoing now in 2021.
However, because some points of the current text of the Regulation remain contested, the negotiations may not progress as quickly as the Portuguese presidency has recently been pushing them. The ePrivacy Regulation is certainly not expected to enter into force before 2023. A potential transitional period of 24 months means that any new regulations would then not come into effect before 2025.
TechCrunch has outlined some sources of disagreement.
“There are many contested issues, depending on the interests of the group you’re talking to. Media and publishing industry associations are terrified about what they say ePrivacy could do to their ad-supported business models, given their reliance on cookies and tracking technologies to try to monetize free content via targeted ads — and so claim it could destroy journalism as we know it if consumers need to opt-in to being tracked.
The ad industry is also of course screaming about ePrivacy as if its hair’s on fire. Big tech included, though it has generally preferred to lobby via proxies on this issue.
Anything that could impede adtech’s ability to track and thus behaviourally target ads at web users is clearly enemy number one, given the current modus operandi. So ePrivacy is a major lobbying target for the likes of the IAB who don’t want it to upend their existing business models.
Even telcos aren’t happy, despite the potential of the regulation to even the playing field somewhat with tech giants — suggesting they will end up with double the regulatory burden, as well as moaning it will make it harder for them to make the necessary investments to roll out 5G networks.
Plus, as I say, there also seems to be some efforts to try to use ePrivacy as a vector to attack and weaken GDPR itself.”
Google announces suspension of third party cookies.
The way we use cookies could change dramatically with Google’s announcement that it will phase out third party cookies on the Chrome browser by 2022.
A Google blog post announcing the phaseout explains, “Users are demanding greater privacy–including transparency, choice, and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.” What is also clear is that users are becoming increasingly frustrated with cookie banners designed to pressure them into accepting ad tracking cookies. Firefox and Safari have already phased out the third party cookie but Google has decided to wait until 2022. It has done this on the basis of wishing to work with advertisers ‘to ensure this pivot does not destroy the online advertising business’.
Google also takes the view that “by undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control. We believe that we as a community can, and must, do better.” This is also something the new ePrivacy Regulation should address.
Patrick Rowland, GDPRXpert.ie.
We are GDPR and Data Protection consultants based in Carlow/Kilkenny and Mayo.