Article 32-II of the French Data Protection Act transposes into French law the obligation to obtain informed consent before storing information, laid down in Article 5.3 of Directive 2002/58/EC (above).
Information to users: Article 32-II of the French Data Protection Act requires a banner to appear on the home page or a subpage of the website when a user visits it. The banner must specify:
- the exact purposes of the cookies being used;
More information is available here (in French).
User consent: the CNIL specifies (here, in French) that users’ consent must be obtained before cookies are placed or read, or before similar technologies (such as web bugs and fingerprinting) are used. Consent must be obtained again each time these technologies are used for a new purpose. The CNIL does not mention the option of implied consent.
Consent is valid only if it is informed, i.e. if users are given information – in particular, users must be clearly told the purposes for which the cookies and similar technologies are used. The CNIL’s Guidance recommends that cookie consent remain valid for no more than 13 months. Consent is also valid only if users have a real choice between accepting and refusing cookies and similar technologies. The CNIL follows WP29 Opinion 04/2012 on the cookie consent exemptions, and additionally exempts certain audience-measurement (analytics) solutions from the consent requirement.
Cookie violations: when a company fails to comply with the French Data Protection Act, the CNIL can either issue a warning or serve a formal notice to comply. Violations may be fined up to €150.000 (€300.000 in the event of repeated breaches, or 5% of gross revenue for legal entities), or the CNIL may order the processing to cease.
Under Articles 226-16 to 226-24 of the French Criminal Code, violations of the French Data Protection Act may also constitute criminal offences punishable by up to 5 years’ imprisonment and/or a fine of up to €300.000 (for individuals), or a fine of up to €1.5M and/or other sanctions (for legal entities). This also applies to cookie violations. See here (in French).
In Germany, privacy in online services is governed by the Telemedia Act (Telemediengesetz). The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) also applies to online services, except where the Telemedia Act contains more specific provisions.
In June 2011 there was an attempt to amend the Telemedia Act by transposing the informed-consent obligation of Article 5.3, Directive 2002/58/EC (above). The bill did not pass. The Government’s position was that German privacy law already contained such a provision, so the amendment was unnecessary (see here and here). Some commentators have asserted that Article 5.3, Directive 2002/58/EC, is self-executing (see here). The majority of the German state data protection authorities do not share this position, however, and still advocate for an implementing provision (see here, in German).
As for supervision: Germany has a Federal Data Protection Agency (whose primary function is supervising data processing by the federal government, BDSG §22–26) and sixteen state data protection agencies (whose primary function is overseeing data protection in the public sector of their state on the basis of state law, and in the private sector of their state on the basis of federal law, BDSG §38–38a). See here for more information.
Information to users: in general, under German law, service providers must inform users at the beginning of the contractual relationship of the extent and purpose of the collection and use of their data, and whether the data will be processed outside the European Union. If the provider intends to use an automated process that allows the user to be identified, this information must be provided when data collection commences, and the user must be able to retrieve it at any time (Telemedia Act, §13).
Since there is no specific provision implementing Article 5.3, Directive 2002/58/EC, sources (see the Position Paper available here) have stated that, where the consent requirement described above applies, “users must be informed about all relevant aspects of the employed cookie prior to its setting”. This entails that:
“the user is always to be provided with information about the identity of the controller, the purposes of the processing for which a cookie or similar device is used and the lifetime of the cookie or similar device. If a cookie is used for tracking users’ surfing behaviour and creating user profiles, the user must be informed about this as well. Hereby, it must be made transparent to the user whether his or her surfing behaviour is only tracked on one particular website or across multiple websites. In the latter case, the user must be informed about all websites on which his or her surfing behaviour is tracked. If (profile) data is disclosed to third parties, the user is also to be informed about the recipients or categories of recipients of this data. The user must be informed prior to the setting of a cookie or similar device.”
However, as mentioned, no provision clearly applies the above requirements to cookies, nor explains when a contractual relationship starts with reference to cookies. See here.
The Telemedia Act, §15(3), applies to profiling for advertising, market research, or tailoring of services. In particular, it allows usage profiles to be created under a pseudonym, provided no further identifying information is used. This provision could apply to the initial storing of, and access to, information contained in cookies. However, it only grants a subsequent right to object (opt-out); it does not require the user’s prior consent, which contrasts with the prior-consent requirement of the Directive.
ID cookies do not require consent if they are strictly necessary for the sole purpose of enabling the use of the telemedia service and billing (Telemedia Act, §15(1)).
Cookie violations: §43 of the Federal Data Protection Act provides for a maximum fine of €300,000 for administrative violations.
Some violations of data protection law are criminal offences and may be punished with imprisonment of up to two years or a fine, depending on how serious the violation is (for example, in the case of wilful behaviour, or where the violation was committed to obtain a financial benefit; see here for more information).
In the event of a violation, the perpetrator may also (i) be held liable for reputational damages; (ii) have the profits of the violation confiscated; and (iii) be subject to civil liability and injunctive relief.
Supervisory authorities may order measures to rectify violations in the collection, processing or use of personal data, or technical or organisational irregularities they detect. In the event of serious violations or irregularities, the supervisory authority may prohibit the collection, processing or use of data (or the use of particular procedures) if the violations or irregularities are not rectified despite the imposition of a fine. The supervisory authority may also demand the removal of the data protection officer if he or she lacks the required expertise or reliability.
§122 of the Italian Data Protection Code transposed into Italian law the obligation to obtain informed consent before storing information (Article 5.3, Directive 2002/58/EC, above). On May 8, 2014, the Autorità Garante della Privacy (the Italian DPA) published a document on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies. More information is available here.
- that the website uses profiling cookies to send advertising messages (if first-party profiling cookies are used);
- that the website allows sending third-party cookies;
More information is available here.
User consent: consent must be either explicit or implied, depending on the type of cookie.
- Explicit consent is required if the website uses first-party profiling cookies. It must also be used if the website is unsure which cookies it is using.
- Implied consent can be used if the website does not use first-party profiling cookies, i.e. it uses only technical and/or third-party cookies. The website owner is not required to obtain consent for third-party cookies and is not responsible for them, because the website acts only as a technical intermediary; it need only provide a link to the third party’s information notice and consent form.
Profiling cookies, which are persistent by nature, must be notified to the Italian Data Protection Authority. Persistent technical cookies do not have to be notified to the DPA.
- Failure to provide information about cookies, as well as other violations of Article 13 of the Italian Personal Data Protection Code: fines between €6.000 and €36.000;
- Installation of cookies without prior user consent (note: the requirement applies only to first-party profiling cookies): fines between €10.000 and €120.000;
- Failure to notify processing operations to the DPA (when required), or incomplete notification, under Article 37(1)(d) of the Italian Personal Data Protection Code: fines between €20.000 and €120.000.
Information to users: Regulation 6 of the UK’s Privacy and Electronic Communications Regulations (PECR) requires websites using cookies or similar technologies to provide “clear and comprehensive” information about the purposes of the technology deployed. Regulation 6 does not detail what information must be provided or how to provide it; it only specifies that the information must be clear and easily available. Consent by the subscriber or user of a website must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and users must fully understand that they are giving consent.
User consent: according to the ICO, consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. However, users need to fully understand that their actions will result in cookies being set (see here).
Cookie violations: a number of remedies are available to the ICO for taking action against breaches of PECR, including criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice of up to £500,000. More information is available here.
For more information, contact Francesca Giannoni-Crystal