Cookie rules or cookies rule? EU law and the situation in France, Germany, Italy, and the UK

Cookies have been making headlines in Europe recently. In this blog we take a closer look at the situation in France, Germany, Italy and the UK, focusing on information to users, users’ consent and the consequences of violations.

What is a cookie? “A cookie is a small piece of data that a website saves on your computer or mobile device when you visit the site.” The cookie enables the website to remember your actions and preferences (such as login, language, and font size) over time (definition by the EU Commission, see here).

Cookies are used for a variety of reasons, such as to identify users, to remember users’ custom preferences, to help users navigate from one page to another, and to target online advertising. Cookies can be classified by their lifespan and by the domain to which they belong (see here).

By lifespan, a cookie is either a session cookie (which carries no Expires or Max-Age attribute and is erased when the user closes the browser) or a persistent cookie (which carries an Expires or Max-Age attribute and remains on the user’s computer/device until that pre-defined time). As for the domain to which it belongs, a cookie is either a first-party cookie (set by the web server of the visited page, under the same domain) or a third-party cookie (set under a domain other than the visited page’s domain; this happens, for example, when the webpage references a file, such as a JavaScript script, hosted outside its domain).
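The two classifications above can be applied mechanically to the Set-Cookie headers a browser receives. The following Python script is an added illustration, not code from the original post: it parses a Set-Cookie header, decides session versus persistent from the Expires/Max-Age attributes (treating Max-Age=0 as a deletion instruction rather than a persistent cookie), and decides first- versus third-party by comparing the cookie’s domain scope with the visited page’s domain. The host names, cookie names and header values are constructed sample data, and the registrable-domain helper is a simplification that ignores the Public Suffix List (an assumption noted in the code).

```python
"""Classify Set-Cookie headers by lifespan and by party (first- vs third-party).

Added illustration for the cookie taxonomy above; not code from the original
post. The Set-Cookie values and host names below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CookieClass:
    name: str
    lifespan: str   # "session", "persistent" or "deletion"
    party: str      # "first-party" or "third-party"
    domain: str     # host scope the cookie applies to (Domain= or the setting host)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
    flag attributes such as Secure/HttpOnly get an empty-string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def registrable_domain(host: str) -> str:
    """Collapse a host to its last two labels (example.com for www.example.com).

    Assumption: this ignores the Public Suffix List, so hosts under suffixes
    such as co.uk are not handled exactly; it is enough to show the idea.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify(header: str, setting_host: str, page_url: str) -> CookieClass:
    """Apply the two taxonomies from the text to one Set-Cookie header.

    setting_host: host of the response that carried the header (the page's own
    server, or a third-party script/image host referenced by the page).
    page_url:     URL of the page the user is visiting.
    """
    name, _value, attrs = parse_set_cookie(header)

    # Lifespan: a cookie with neither Expires nor Max-Age lives until the browser
    # closes (session). Max-Age takes precedence over Expires; a Max-Age of zero
    # or less is an instruction to delete the cookie, not a persistent cookie.
    if "max-age" in attrs:
        try:
            lifespan = "persistent" if int(attrs["max-age"]) > 0 else "deletion"
        except ValueError:
            lifespan = "session"      # a malformed Max-Age is ignored by browsers
    elif "expires" in attrs:
        lifespan = "persistent"
    else:
        lifespan = "session"

    # Party: compare the cookie's domain scope with the visited page's domain.
    # Without a Domain attribute the cookie is scoped to the host that set it.
    scope = attrs.get("domain", setting_host).lstrip(".").lower()
    page_host = urlsplit(page_url).hostname or ""
    party = ("first-party"
             if registrable_domain(scope) == registrable_domain(page_host)
             else "third-party")
    return CookieClass(name, lifespan, party, scope)


# Constructed sample: a page on www.example.com that also loads an ad script
# from ads.tracker-example.net. Hosts and cookie names are invented.
PAGE = "https://www.example.com/shop/cart"
SAMPLE_RESPONSES = [
    ("www.example.com", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "lang=fr; Max-Age=2592000; Path=/"),
    ("static.example.com",
     "prefs=dark; Domain=.example.com; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("ads.tracker-example.net",
     "uid=7f3a; Max-Age=31536000; Domain=.tracker-example.net; Path=/"),
    ("www.example.com", "old=gone; Max-Age=0"),
]


def classify_all(page_url=PAGE, responses=SAMPLE_RESPONSES):
    """Classify every sampled Set-Cookie header against the visited page."""
    return [classify(header, host, page_url) for host, header in responses]


if __name__ == "__main__":
    for c in classify_all():
        print(f"{c.name:<10} {c.lifespan:<11} {c.party:<12} scope={c.domain}")
```

Run as a script it prints one line per cookie; the JSESSIONID cookie comes out as a first-party session cookie, the lang and prefs cookies as first-party persistent cookies (prefs via Expires, scoped to example.com by its Domain attribute), the uid cookie as a third-party persistent cookie, and the Max-Age=0 cookie as a deletion rather than a persistent cookie. Note that the party test is about the domain the cookie is scoped to, not the host of the page element that set it: a cookie set by a static.example.com asset with Domain=.example.com is still first-party for a page on www.example.com.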

EU cookie law

The relevant EU legislation on cookies is the following:

1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The Regulation sets forth specific legal obligations concerning the protection of personal data and their processing by the EU institutions and bodies. It also requires their websites to inform users that cookies are not being used to gather unnecessary information.

2) Directive 2002/58/EC, concerning the processing of personal data and the protection of privacy in the electronic communications sector (“Directive on Privacy and Electronic Communications”, known as E-Privacy Directive), as amended by Directive 2009/136. Particularly relevant for cookies is Article 5.3, which requires prior informed consent for storage or for access to information on a user’s terminal equipment. In order to use cookies a website shall obtain the user’s informed, specific, and freely given consent.

The Article 29 Working Party (WP29) has elaborated on the definition of “consent” in Opinion 15/2011, which provides a thorough analysis of the concept of “consent” as used in the Data Protection Directive and in the e-Privacy Directive.

However, not all cookies require consent under EU law. Consent is not required if the cookie is:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
  • strictly necessary in order to provide a service explicitly requested by the user.

The following cookies are also exempt from consent (see WP29 Opinion 04/2012 on Cookie Consent Exemption):

  • user-input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, and the like, which typically last for the duration of a session or a few hours;
  • authentication cookies, to identify the user once he has logged in, for the duration of a session;
  • user-centric security cookies, used to increase the security of the service requested by the user. These cookies are expected to have a longer lifespan than authentication cookies;
  • multimedia content player cookies, used to store technical data to play back video or audio content for the duration of a session;
  • load-balancing cookies, which are necessary to carry out the communication over the session – they expire at the end of the session;
  • user-interface customization cookies such as language or font preferences; they last for the duration of a session (or slightly longer);
  • third-party social plug-in content-sharing cookies, for logged-in members of a social network, to allow them to share content.

The European Commission website contains an official Cookie Policy template in several languages. It could be used on a website as the Cookie Policy page.

More information on cookie law in Europe is available at http://cookiepedia.co….

France

Article 32-II of the French Data Protection Act transposes into French law the obligation to obtain informed consent to store information of Article 5.3, Directive 2002/58/EC (above).

On December 16, 2013, the CNIL, the French Data Protection Authority, released a set of practical FAQs (plus technical tools and relevant source code, in French) providing guidance on how to obtain consent for the use of cookies and similar technologies.

Information to users: under Article 32-II of the French Data Protection Act, as interpreted in the CNIL guidance, a banner must appear on the home page (or on whichever page the user lands on) when a user visits the website. The banner must specify:

  • the exact purposes of the cookies being used;
  • that if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies;
  • a clickable link to an extended Privacy Policy page containing additional information on (i) the use of technical and analytics cookies; (ii) the tools available to select the cookies to be enabled; (iii) the possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website; (iv) the possibility to refuse consent to the installation of any cookies.

More information is available here (in French).

User consent: the CNIL specifies (here in French) that users’ consent must be obtained before placing or reading cookies or using similar technologies (such as web bugs and fingerprinting technologies). Such consent must be obtained each time these technologies are used for a new purpose. It does not mention the option of implied consent.

The consent is valid if it is informed, i.e. if users are provided information – in particular, users must be clearly informed of the purposes for which the cookies and similar technologies are used. The CNIL’s Guidance recommends that a cookie consent is valid for up to 13 months. Also, users’ consent is valid only if the users have a real choice between accepting or refusing cookies and similar technologies. The CNIL follows the indication of WP29, Opinion 04/2012 on Cookie Consent Exemption. It specifies that certain analytical audience measurement solutions (analytics) are also exempt from consent.

Cookie violations: when a company fails to comply with the French Data Protection Act, the CNIL can either pronounce a warning or issue a formal notice to comply. Violators may be fined up to €150.000 (or €300.000 in the event of repeated breaches, or 5% of the company’s gross revenue for legal entities) or be ordered to cease the processing.

In accordance with Articles 226-16 to 226-24 of the French Criminal Code, violations of the French Data Protection Act may constitute misdemeanors and be punished with 5 years’ imprisonment and/or a fine of up to €300.000 (for individuals), or a fine of up to €1.5M and/or other sanctions (for entities). This also applies to cookie violations. See here, in French.

Germany

Privacy in online services is governed by the German Telemedia Act (Telemediengesetz). The Federal Data Protection Act (Bundesdatenschutzgesetz) also applies to online services, except where the Telemedia Act contains more specific provisions.

In June 2011 there was an attempt to amend the Telemedia Act by transposing the obligation to obtain informed consent of Article 5.3, Directive 2002/58/EC (above). The bill did not pass. The position of the Government was that German privacy law already included such a provision, so the amendment was not necessary (see here and here). Some commentators have asserted that Article 5.3, Directive 2002/58/EC, is self-executing (see here). The majority of the German state data protection authorities do not share this position, however, and still advocate for an implementing provision (see here, in German).

And talking about supervision: Germany has a Federal Data Protection Agency (whose primary function is the supervision of data processing by the federal government, BDSG §22–26), and sixteen state data protection agencies (whose primary function is overseeing data protection in the public sector of their state on the basis of state law, and data protection in the private sector of their state on the basis of federal law. BDSG §38–38a). See here for more info.

Information to users: in general, under German law, service providers must inform users at the beginning of the contractual relationship of the extent and purpose of data collection and use and whether the data will be processed outside of the European Union. If the provider intends to use an automated process that allows the identification of the user, then this information must be provided when data collection commences, and the user must at any time have access to this instruction (Telemedia Act, §13).

Considering that there is no specific provision implementing Article 5.3, Directive 2002/58/EC, sources (see the Position Paper available here) have stated that – when the consent requirement described above is applicable – “users must be informed about all relevant aspects of the employed cookie prior to its setting”. This entails that

the user is always to be provided with information about the identity of the controller, the purposes of the processing for which a cookie or similar device is used and the life time of the cookie or similar device. If a cookie is used for tracking users’ surfing behaviour and creating user profiles, the user must be informed about this as well. Hereby, it must be made transparent to the user whether his or her surfing behaviour is only tracked on one particular or across multiple websites. In the latter case, the user must be informed about all websites on which his or her surfing behaviour is tracked. If (profile) data is disclosed to third parties, the user is also to be informed about the recipients or categories of recipients of this data. The user must be informed prior to the setting of a cookie or similar device.

However, as mentioned, there is no provision clearly applying the above requirements to cookies, nor explaining when a contractual relationship starts with reference to cookies. See here.

User consent: as mentioned, German data protection law does not explicitly address consent to the use of cookies. However, there are opinions (see the Position Paper available here) stating that §12 of the Telemedia Act, by requiring prior consent for the collection and use of personal data, would be applicable to cookies. It must be noted that §12 refers to “personal data” and not to information in the broader sense addressed by Article 5.3, Directive 2002/58/EC. Personal data are defined as “individual pieces of information about personal or factual circumstances about an identified or identifiable human being” (see §3, Federal Data Protection Act). This distinction suggests that the provision is not necessarily applicable to all cookies but only to cookies that contain personally identifiable information, and that only those cookies would require prior consent. Conversely, cookies whose content refers solely to the service do not contain personally identifiable information and may not require prior consent.

The Telemedia Act, §15.3, is applicable to profiling in cases of advertisement, market research, or for tailoring of services. In particular, the law allows profiling if pseudonyms but no further identifying information is used. This provision could be applicable to the initial storing and access to information contained in cookies. However, it only grants a subsequent right to objection (opt-out) – it does not require the user’s prior consent (which contrasts with the prior consent requirement of the Directive.)

ID-cookies do not require consent if they are strictly necessary for the sole purpose of rendering possible the use of telemedia and billing (§15(1), Telemedia Act).

Cookie violations: §43 of the Federal Data Protection Act provides for a maximum €300,000 fine for administrative violations.

Some violations of data protection laws are criminal offences and may be punished with imprisonment of up to two years or a fine, which depends on how serious the violation is (for example, in case of willful behavior or if the violation occurred to obtain a financial benefit. See here for more information).

In case of a violation, the perpetrator could also be (i) held liable for reputational damages; (ii) subject to confiscation of the profits of a violation; and (iii) be subject to civil liability and injunctive reliefs.

Supervisory authorities may order measures to rectify violations in the collection, processing or use of personal data or technical or organizational irregularities detected. In the event of serious violations or irregularities, the supervisory authority may prohibit collection, processing or use (or the use of particular procedures) if the violations or irregularities are not rectified, despite the imposition of a fine. The supervisory authority may demand the removal of the data protection officer when not in possession of specialized knowledge and reliability.

Italy 

§122 of the Italian Data Protection Code transposed into Italian law the obligation to obtain informed consent to store information (Article 5.3, Directive 2002/58/EC above). On May 8, 2014, the Autorità Garante della Privacy (Italian DPA) published a document on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies. More information is available here.

Information to users: §13 of the Italian Personal Data Protection Code, as applied by the Garante’s Simplified Arrangements, requires users to be shown an initial “short” notice in an overlay banner on the home page (and on any other landing page). The banner must be such as to cause a perceptible discontinuity in the user’s experience of the visited webpage. The banner must include the consent request (explicit or implied) to the use of cookies, in addition to the following information, as the case may be:

  • that the website uses profiling cookies to send advertising messages (if first-party profiling cookies are used);
  • that the website allows sending third-party cookies;
  • that if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies;
  • a clickable link to an extended Privacy Policy page containing additional information on (i) the types of cookies used; (ii) the tools available to select the cookies the user wants to enable; (iii) the possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website; (iv) the possibility to refuse consent to the installation of any cookies.

More information available here.

User consent: User consent must be either explicit or implied depending on the type of cookie.

  • Explicit consent is required if the website uses first-party profiling cookies. Also it must be used if the website is not sure about which cookies it is using.
  • Implied consent can be used if the website does not use first-party profiling cookies, i.e., the website is only using technical and/or third-party cookies. Third-party cookies do not require user consent from the website owner: the website owner is not responsible for third-party cookies because the website acts as a technical intermediary and must only provide a link to the information notice and consent form of the third party.

Profiling cookies, which are persistent in nature, must be notified to the Italian Data Protection Authority. Persistent technical cookies do not have to be notified to DPA.

Cookie violations:

  • Failure to provide information about cookies, as well as other violations of §13 of the Italian Personal Data Protection Code: fines between €6.000 and €36.000;
  • Installation of cookies without prior user consent (note: the requirement applies only to first-party profiling cookies): fines between €10.000 and €120.000;
  • Failure to notify processing operations to the DPA (when required), or incomplete notification to the DPA under the terms of §37(1)(d) of the Italian Personal Data Protection Code: fines between €20.000 and €120.000.

UK

Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) applies to anyone who stores information on a user’s device or gains access to information on a user’s device (Article 5.3, Directive 2002/58/EC above). In May 2012, the Information Commissioner’s Office (“ICO”) issued Guidance on the rules on use of cookies and similar technologies. Further guidance for websites storing information is available here.

Information to users: Regulation 6 of the PECR requires websites using cookies or similar technologies to provide “clear and comprehensive” information about the purposes of the deployed technology. Regulation 6 does not detail what information must be provided or how to provide it. However, it specifies that the information must be clear and easily available. Consent by the subscriber or user of a website must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and users must fully understand that they are giving consent.

User consent: according to the ICO consent does not necessarily have to be an explicit ‘opt-in’ consent. Implied consent can also be valid. However, users need to fully understand that their actions will result in cookies being set (see here).

Cookie violations: there are a number of remedies available to the ICO for taking action against breaches of PECR. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice of up to £500,000. More information is available here.

For more information, contact Francesca Giannoni-Crystal