London - Paris

Cookies are not yummies

This article was previously published. It is being re-published here following the latest enforcement actions by national Data Protection authorities. After the French CNIL fined the supermarket Carrefour and Carrefour Bank a total of 3 million euros, two new enforcement actions followed: Google for 100 million euros and Amazon for 35 million euros, both for non-compliant use of #cookies (in particular placing advertising cookies without prior consent and adequate information). An injunction to delete the unlawfully collected and processed data was not ordered.

In both deliberations, the CNIL found that it is materially competent to control and sanction cookies placed by companies on the computers of users residing in France. It thus underlined that the one-stop-shop mechanism provided by the #GDPR was not intended to apply in these procedures, since operations linked to the use of cookies fall under the #ePrivacy Directive, transposed into article 82 of the French Data Protection Act.

The same day, the Danish Data Protection Authority found that the consent format implemented by a website did not meet the regulatory requirements for setting cookies or any other similar technology.

In November, the Belgian authorities expressed their intention to take down websites infringing the GDPR.

Two major cases before the European Court of Justice (Fashion ID (C-40/17) and Planet49 (C-673/17)) had highlighted the importance of cookie compliance in Europe, and the complex intricacies which organisations must consider. In addition, an increase in the number of enforcement actions and fines in Europe signalled a move towards stricter regulation of ePrivacy.
➡️ Six jurisdictions have recently fined non-compliant use of cookies.
➡️ Eight jurisdictions accept that a user can provide consent via browser settings.
➡️ Only a single jurisdiction (currently) accepts the use of cookie walls.
➡️ Five jurisdictions find implicit consent to be valid.

DLA Piper has published a guide on cookie law in the EU.

With this in mind, and while the new Council #ePrivacy deal is expected any time soon, here is what we can say about cookies:

What do we mean by cookies?

Wikipedia has a page on yummy cookies. These are not the ones we want to talk about. What we are interested in are not yummy cookies but HTTP cookies, also called web cookies, Internet cookies, browser cookies, or simply cookies. A cookie is ‘a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing’.

From a regulatory perspective, in Europe, the governing text is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), commonly called the ePrivacy Directive. Being a Directive, this text required individual implementation by the 28 member states into their national legislation. This explains the various national implementations. We will look more closely at the Privacy and Electronic Communications Regulations 2003 (PECR) for its implementation in the UK, and at article 82 of the French Loi « Informatique et Libertés ».

The European Commission published a study on the “ePrivacy Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation” (SMART 2013/0071).

Although we will mostly mention cookies here, the regulation actually applies to anyone who stores information on a user’s device or gains access to information on a user’s device, in any way.

This includes Flash cookies and apps on smartphones or other electronic devices.

As the Wikipedia entry mentions ‘Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit-card numbers.’

You can read further on cookies from KJ Kearie, who has a comprehensive guide on cookies: ‘There are two main types of cookies – session cookies only collect details from a single browsing session, while persistent cookies remain on the user’s device and collect information over time.’

This article comes out of a frustration expressed by many privacy advocates around the EU at witnessing how slowly any improvement arrives.

While the ePrivacy Directive is under reform, the European Data Protection Board, in recent guidance, has further clarified how cookie implementations should comply with the requirements of transparency and consent set by the GDPR.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR), imposing specific rules on electronic communications, including marketing solicitation, traffic and location data, itemised billing, line identification, directory listings, and the use of cookies.

The consent requirement

Consent is mandatory for all cookies that are not strictly necessary for the provision of a service. It has been argued that no cookie is actually necessary, since browser settings are capable of replacing functional cookies. The strictly necessary cookie is to be limited to a specific service requested by the user.

Cookies used for social media plugins or tracking, site personalisation, advertising, cross-device tracking, research, or product improvement purposes will require user consent.

The UK ICO has produced guidance on the use of cookies, complemented by a blog post by Ali Shah, Head of Technology Policy, clarifying that:

  • implied consent can no longer be relied on for the use of cookies;
  • analytics cookies are not strictly necessary and so require consent, as they are not part of the functionality that the user requests when they use an online service;
  • statements such as ‘by continuing to use this website you are agreeing to cookies’ are not valid consent under the higher GDPR standard (further clarification of divergent views on this point will be gathered);
  • PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising; legitimate interests cannot be relied upon for these cookies.

Ali Shah concludes that cookie compliance will be an increasing regulatory priority for the ICO in the future.

The European Data Protection Board published new Guidelines 05/2020 on consent under Regulation 2016/679, in which it reminds:

“Meanwhile, the EDPB is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR. Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. The EDPB has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.”

Other requirements

To ensure free, informed and unambiguous consent, users must be clearly informed about what cookies are in use (including any third-party cookies) and what function they perform. For non-essential cookies, pre-ticked boxes or equivalent default fixtures are not allowed, and user access should not be denied if they do not consent to such cookies. The ICO is very specific about the placement, formatting and wording of cookie information and consent requests.

Before the EDPB, its predecessor, the Article 29 Working Party, had required that:

“Every organisation that maintains a website should publish a privacy statement/ notice on the website. A link to this privacy statement/ notice should be clearly visible on each page of this website under a commonly used term (such as “Privacy”, “Privacy Policy” or “Data Protection Notice”). Positioning or colour schemes that make a text or link less noticeable, or hard to find on a webpage, are not considered easily accessible.”

In November 2019, Privacy International [1], the UK-based organisation, filed complaints [2] against seven companies: data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad) and credit reference agencies (Equifax, Experian), with data protection authorities in France, Ireland and the UK.

To ensure valid transparency, privacy notices must meet the following requirements:

  • they must be concise, transparent, intelligible and easily accessible (Article 12.1);
  • clear and plain language must be used (Article 12.1);
  • the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1);
  • they must be in writing “or by other means, including where appropriate, by electronic means” (Article 12.1);
  • where requested by the data subject they may be provided orally (Article 12.1); and
  • they must be provided free of charge (Article 12.5).

The CNIL has published updated cookie recommendations. With the CNIL’s deadline approaching, what has changed?

We have previously written about pernicious access to visitors’ data, often ignored by web owners, in two previous articles:

Increasingly, websites have included cookie banners to request visitors’ consent. However, not all cookie banners actually disable cookies when visitors deny consent. A study by Célestin Matte, Nataliia Bielova and Cristiana Santos, published at the IEEE Symposium on Security and Privacy (IEEE S&P 2020), examines this question.

In a second paper, submitted in September 2020, the group asks: ‘Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners’.

“In this paper, we describe how cookie banners, as a consent mechanism in web applications, should be designed and implemented to be compliant with the #ePrivacy Directive and the #GDPR, defining 22 legal requirements.

While some are provided by legal sources, others result from the domain expertise of computer scientists.

We perform a technical assessment of whether technical (with computer science tools), manual (with a human operator) or user studies verification is needed.

We show that it is not possible to assess legal compliance for the majority of requirements because of the current architecture of the web.
With this approach, we aim to support policy makers assessing compliance in cookie banners, especially under the current revision of the EU ePrivacy framework”.

Cookie audit. Guidance provides a detailed list of actions to be taken for new and existing cookies.

Analytics cookies. These are not exempt from the consent requirement by default, because they usually do not amount to being ‘strictly necessary’. However, “this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals”.

Compliance deadline. No fixed term is specified in the guidelines, but the ICO’s Head of Technology Policy, Ali Shah, has published a post instructing online service providers to “start taking steps to comply now”.

Other jurisdictions. The French data protection authority, the CNIL, has announced that this month it will repeal its 2013 cookie recommendation, which has become outdated in some respects (in particular regarding the expression of consent), and publish guidelines outlining the applicable rules of law. Similar actions have been taken by the Dutch and German data protection authorities.

In a paper submitted in July 2018 entitled ‘We Value Your Privacy … Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy’, Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub and Thorsten Holz, from the Ruhr-Universität Bochum, Germany, and the University of Michigan, Ann Arbor, MI, USA, monitored and analysed the GDPR’s impact on popular websites in all 28 member states of the European Union.

  • For each country, the 500 most popular websites were examined for the presence of and updates to their privacy policy.
  • They found that 84.5 % of websites had a privacy policy.
  • 72.6 % of websites with existing privacy policies updated them close to the entry into force of the GDPR.
  • 62.1 % of websites displayed cookie consent notices, 16 % more than in January 2018. These notices inform users about a site’s cookie use and user tracking practices.
  • They observed cookie consent notices and evaluated 16 common implementations with respect to their technical realisation of cookie consent. This revealed that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and that opting out of third-party cookies requires the third party to cooperate. In conclusion, they found that the GDPR is making the web more transparent, while the web still lacks both functional and usable mechanisms for users to consent to or deny the processing of their personal data on the Internet.

In January 2020, another study, Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence, by Midas Nouwens, Ilaria Liccardi, Michael Veale, David Karger and Lalana Kagal (UCL, MIT and Aarhus University), suggested that many cookie consent pop-ups are flouting EU privacy laws. The authors observed that:

“New consent management platforms (CMPs) have been introduced to the web to conform with the EU’s General Data Protection Regulation, particularly its requirements for consent when companies collect and process users’ personal data. This work analyses how the most prevalent CMP designs affect people’s consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680).

We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.”

An illusion of control and transparency?

The French CNIL

The legal framework relating to consent has evolved, and so has the website of the CNIL.

Online targeted advertising: what action plan for the CNIL? It was announced: “The CNIL has received an important number of individual and collective complaints (La Quadrature du Net, Privacy International, NOYB) relating to online marketing. In 2018, 21% of the complaints were related to marketing in the broad sense.”

Following the publication in July 2019 of updated guidance on cookies, the French data protection authority opened, in January 2020, a consultation on its draft recommendations on practical ways to collect website users’ consent for cookies and similar technologies. These recommendations add to the requirements for obtaining GDPR-standard consent issued by various European data protection authorities, including the CNIL and the ICO. The CNIL has since undertaken a consultation to develop practical methods for obtaining user consent.

Olivier Proust from the law firm Fieldfisher has published a comparative table of what is new in the July cookie guidance compared with the 2013 guidelines, in CNIL publishes revised guidelines on cookies and other tracking technology: a larger scope, a new legal basis now resting on Article 82 of the amended French Data Protection Act, and adoption of the GDPR standard of consent. It is specifically mentioned that browser settings ‘do not provide enough information to users, and therefore, do not enable to obtain informed consent.’

Additionally, the CNIL takes the position that, under certain conditions, ‘Cookies used to measure audiences on a web site or mobile app may be exempt from consent’.

How are these rules currently implemented by the major websites in France?

No one should be better placed than lawyers to read and implement regulations. Lawyers handle sensitive data bound by professional confidentiality. Some advise other organisations on their implementation of the regulation. We have analysed the French national Bar’s website as well as the website of the major law society in the capital city.

The website has a “mentions légales” (legal notice) page with a very succinct mention of the Loi Informatique et Libertés, “Loi n° 78-17 du 6 Janvier 1978 relative à l’informatique, aux fichiers et aux libertés”:

“Under Law 78-17 of 6 January 1978, you have a right of access to and rectification of the personal data concerning you. You simply need to make a request to:”

The requirements of Article 13 GDPR are largely missing, so the regulatory transparency is not provided. The website also lacks an encryption certificate.

As for cookies, a banner offers the option to accept cookies that are in fact placed as soon as the website is accessed, so there is no privacy by default.

If the visitor wants to know more, clicking the ‘en savoir plus’ (‘find out more’) button takes them to the CNIL’s webpage explaining the very requirements the site has ignored!

No privacy by design as there is no way to disable cookie dropping.

Lack of transparency means visitors are in total ignorance of what is collected from them. Nothing on the website informs visitors that their web browsing, their IP address and the other websites they visit will be logged, shared and made accessible to other users of their electronic devices.

No consent is requested, and therefore there is no option to modulate the dropping of cookies, which should be part of privacy by default.

Being the website of the French law society, the sensitivity of the data accessed is highly concerning. The law society invites victims of domestic abuse, through radio advertisements, to get information on its website. Many distressed victims will never expect that visiting such a website could result in their personal data being shared for the sake of profiling and targeting.

Recently, a ranking website operating in France has come under attack by the law society. Ironically, the law society has produced a model subject access request (SAR) letter for all lawyers to send to the website’s owners. This is questionable from several angles, not least because GDPR compliance should not become an instrument for banning free speech.

Lawyers who are members of the bar are invited to send the letter with a copy of their ID card. Spreading copies of ID cards adds further personal data to what is already publicly available. This was possibly a mistake.

In their model SAR letter, they included an enquiry about the compliance of the company’s website. This is where it becomes more interesting for our purpose. It is satisfying to notice that GDPR compliance, and more specifically data collection by websites, is of concern to a law society whose biggest entity, in Paris, has had a fully non-compliant website for months and has resisted making any amendment to comply with the regulation.

The national representative body, the Conseil National des Barreaux (CNB), has rushed to put its website in order, using the cookie management tool Tarteaucitron. However, even after the visitor refuses tracking, cookies are dropped with up to 5 years’ retention! Why should they need that?

The entity representing lawyers in the capital city, Paris, remains full of cookies and JavaScript, with retention periods far above the 13 months tolerated by the French Data Protection Authority, the CNIL.

Additionally, data is transferred to the US, in infringement of the ECJ’s Schrems II decision, since the invalidation of the Privacy Shield.

Many law firms’ websites are in the same poor state, despite the CNB having produced exhaustive guidance on what should be implemented. Is this an application of the old principle ‘do what you are told, not what we do’?

What are the consequences of ignoring the regulation?

Shared liability for cookie compliance

In principle, the person setting the cookie is primarily responsible for compliance with the requirements of the cookie regulation. For third party cookies, both the online service provider and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

The UK ICO acknowledges that this is one of the most challenging areas in which to achieve compliance with PECR.

In the Fashion ID ruling, the European Court of Justice set the principle of liability of a Facebook fan page admin for data processed by Facebook over which he could not exercise any control. This ruling can be translated into an obligation for any facilitator of data processing to check their data processors and provide the necessary transparency. Therefore the owner of a website cannot simply rely on their web developer’s promise to be GDPR compliant; they have a duty to check for the presence of cookies in order to provide the appropriate information and request consent before any tracking.

The Planet49 (Case C-673/17) ECJ decision applied a strict interpretation of obligations under ePrivacy and data protection legislation, not limited to personal data, prohibiting cookie walls.

The Baden-Württemberg data protection authority (‘LfDI Baden-Württemberg’) issued, on 9 October 2019, a statement on cookies and consent (only available in German here), following the Planet 49 Judgment. In addition, the LfDI Baden-Württemberg also released, on 29 April 2019, its frequently asked questions regarding cookies, tracking, and compliance with the GDPR (only available in German here).

We have mentioned the complaint made by Privacy International and La Quadrature du Net.

Following the ECJ decision in Schrems II, Max Schrems filed 101 complaints and stated:

Guess What? Many Cookie Banners Ignore Your Wishes, So Max Schrems Goes On The GDPR Attack Again

“An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework, the main industry standard for this area. Of those, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners, across 305 Web sites — 54% of the sample. … identified countless violations of European and French cookie privacy laws as CDiscount, Allociné and Vanity Fair all turn a rejection of cookies by users into a “fake consent”. The privacy enforcement non-profit filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.

Up to 565 “fake consents” per user. Despite users going through the trouble of “rejecting” countless cookies on the French eCommerce page CDiscount, the movie guide and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent “fake consent” signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now shows.”

Max Schrems and his team used the tool “Cookie Glasses”, developed by an INRIA research group, to validate their findings and to file complaints with the CNIL.

Schrems points out that one company taking advantage of “fake consent” is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems’ track record and on the facts of the case, it seems probable that he will prevail once more. Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the EU’s top court, whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.

The issue of inconsistency among national DPAs

The consistency mechanism that requires a harmonious enforcement of the regulation has not been enforced by the European Data Protection Board.

Hopes remain for the reformed privacy and electronic communications regulation or, more likely, for individual redress or the class actions introduced with the GDPR.

Real Time Bidding and the Brave browser?

Johnny Ryan has been actively advocating on this. On 12 September 2018, formal GDPR complaints, accompanied by an overview of RTB detailing evidence from Google and IAB technical documentation (the ‘Ryan Report’), were submitted to the Irish Data Protection Commission (DPC) and the UK Information Commissioner’s Office (ICO) by Johnny Ryan of Brave, Jim Killock of Open Rights Group and Michael Veale of UCL.

We won’t develop that subject further here. You can read Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence: “New consent management platforms (CMPs) have been introduced to the web to conform with the EU’s General Data Protection Regulation, particularly its requirements for consent when companies collect and process users’ personal data. This work analyses how the most prevalent CMP designs affect people’s consent choices.”

And here is a great in-depth article by Marie-Claire Peroux LLM: Death of 3rd Party Cookies: Is Privacy Protection Possible For The Future AdTech In The EU?

It is time for web owners to check their websites and rethink all these third-party cookies, and to check the retention periods, which are usually unlawful above the 13-month maximum. Google Analytics and Facebook Connect are on the radar, especially because of their terms of use and their data transfers outside the EEA.
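As an added example (not code from the article or from any organisation it discusses), the following Python script shows what such a check can look like when run over the Set-Cookie headers captured on a first page load, before the visitor touches any banner: it flags retention beyond the 13-month ceiling the article cites, third-party cookies dropped before consent, and cookies set without the Secure attribute. The site name, hosts, cookie names and header values are constructed for illustration.

```python
"""Audit captured Set-Cookie headers for the issues discussed in the article.

Added example: the site, hosts, cookie names and header values below are
constructed for illustration and are not taken from any real website.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# The article cites 13 months as the retention ceiling tolerated by the CNIL;
# approximating a month as 30 days is an assumption of this example.
MAX_RETENTION = timedelta(days=13 * 30)


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names lower-cased; flag attributes (Secure, HttpOnly) map to None
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def retention(cookie: Cookie, now: datetime) -> Optional[timedelta]:
    """Lifetime of the cookie, or None for a session cookie.

    Max-Age takes precedence over Expires, as in RFC 6265 section 5.3."""
    max_age = cookie.attrs.get("max-age")
    if max_age is not None:
        try:
            return timedelta(seconds=int(max_age))
        except ValueError:
            return None
    expires = cookie.attrs.get("expires")
    if expires:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp - now
    return None


def is_third_party(cookie: Cookie, site: str, response_host: str) -> bool:
    """True when the cookie's scope is not the visited site or a subdomain of it."""
    domain = (cookie.attrs.get("domain") or response_host).lstrip(".").lower()
    site = site.lower()
    return not (domain == site or domain.endswith("." + site))


def audit(site: str, responses: List[Tuple[str, str]], now: datetime,
          consent_given: bool = False) -> Dict[str, List[str]]:
    """Map each problematic cookie name to its list of findings.

    responses: (responding host, Set-Cookie header) pairs captured on first
    page load, i.e. before the visitor has interacted with any banner."""
    findings: Dict[str, List[str]] = {}
    for host, header in responses:
        cookie = parse_set_cookie(header)
        issues = []
        life = retention(cookie, now)
        if life is not None and life > MAX_RETENTION:
            issues.append(f"retention of {life.days} days exceeds 13 months")
        if not consent_given and is_third_party(cookie, site, host):
            issues.append("third-party cookie dropped before consent")
        if "secure" not in cookie.attrs:
            issues.append("missing Secure attribute")
        if issues:
            findings[cookie.name] = issues
    return findings


# Constructed capture: a first-party session cookie, a two-year analytics
# cookie, a five-year third-party tracker and a first-party consent-state cookie.
SITE = "example-bar.test"
NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)
RESPONSES = [
    (SITE, "PHPSESSID=abc123; Path=/; Secure; HttpOnly"),
    (SITE, "_ga=GA1.2.111; Expires=Wed, 14 Dec 2022 12:00:00 GMT; Path=/; Secure"),
    ("tracker.adnet.test", "uid=xyz; Max-Age=157680000; Domain=.adnet.test; Path=/"),
    (SITE, "cookie_consent=pending; Max-Age=15552000; Path=/; Secure"),
]

if __name__ == "__main__":
    for name, issues in audit(SITE, RESPONSES, NOW).items():
        print(name, "->", "; ".join(issues))
```

Feeding the same capture with `consent_given=True` shows which findings are about consent ordering and which (retention, Secure) remain regardless of the banner outcome.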

A high-profile white-collar crime attorney should not use a ‘Not Secure’ website to invite web users to fill in a contact form, nor use cookies without transparency and consent.

Further reading on the ECJ decisions Planet49 and Fashion ID:

ECJ 5 June 2018 Judgment in Case C-210/16

Wirtschaftsakademie Schleswig-Holstein

Facebook Fan Page Admin

The administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page

The case arose from a dispute over a German fan page on Facebook which used the social network to store cookies on visitors’ hard drives to collect data about them. A German data protection authority ordered the operator of the fan page, an education company, to deactivate the page, as visitors were not made aware of the collection of their personal data. The company argued that it was not responsible for the processing of personal data by Facebook and that any action should be brought against the social network.

This ECJ ruling establishes joint controller liability between Facebook and the page’s admin, meaning that owners of Facebook fan pages who fall within the scope of the GDPR might have to make joint controllership arrangements with Facebook to establish who is responsible for what. You can read more.

The ECJ considered that the administrator takes part in deciding what data to collect and how to process it, for example by defining a target audience and asking for demographic data or information on the lifestyles and interests of visitors to the page. Therefore it has to be held responsible for protecting visitors’ personal data and cannot hide behind the social network.

The admin’s liability as a joint controller is engaged despite its lack of control over the data processed by Facebook.

ECJ 1 October 2019 (request for a preliminary ruling from the Bundesgerichtshof — Germany) — Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH

(Case C-673/17)

A lottery competition was organised in which users had to tick a box, while a second, pre-ticked box allowed Planet49 to set cookies to track the user’s behaviour online.

The German Federation of Consumer Organisations (the ‘Federation’) claimed that these two check-boxes did not satisfy German law requirements, and sought an injunction requiring Planet49 to cease using them. The case ultimately reached the German Federal Court of Justice (the ‘Bundesgerichtshof’), which in turn referred the case to the CJEU for a preliminary ruling.

  1. Pre-ticked check-boxes authorising the use of cookies and similar technologies do not constitute valid consent under the e-Privacy Directive.
  2. Where consent is required for cookies under the e-Privacy Directive, the GDPR standard of consent applies.
  3. It does not matter whether the cookies constitute personal data or not – Article 5(3) of the e-Privacy Directive (i.e. the cookie consent rule) applies to any information installed on or accessed from an individual’s device.
  4. Website users must be provided with information on the duration of the cookies, and on whether third parties will have access to the cookies.

  • The ePrivacy Directive requires users to give active consent before cookies can be dropped on their devices; a preselected tick in a box is not a “statement or clear affirmative action” as required by the General Data Protection Regulation (“GDPR”).
  • Recital 17 of the ePrivacy Directive, read together with Recital 32 of the GDPR, precludes “silence, pre-ticked boxes or inactivity” from being taken to constitute consent.

The Planet49 decision had applied a strict interpretation of obligations under ePrivacy and data protection legislation.

Photography kindly shared by Vanja Munerati, a regulatory economist passionate about the outdoors and a keen nature photographer.