Fines for installing cookies without the user’s consent
Cookies and similar technologies are commonly used marketing tools enabling optimisation of marketing campaigns and more effective targeting of customers. So it comes as no surprise that it’s hard to find a website without a popup window informing users that the site uses cookies, referring the user to the privacy policy and cookies policy for more information. Interestingly, a great majority of these messages are themselves inconsistent with the applicable regulations on data protection, telecommunications, and electronic services.
The cardinal sin of owners of websites is suggesting in the popup that further use of the website means consent to use or installation by the website of types of cookies that under applicable law can be installed on a user’s device only with the user’s consent. These cookies include primarily marketing and remarketing cookies (but also functional and statistical cookies), as well as third-party cookies, such as Google Analytics. It is essential to use technical solutions that install cookies on the user’s computer or other device only after the user consents to receive the cookies. It is clear that the user’s passivity, specifically continuing to use the site, cannot be deemed to provide such consent. The law does not require consent to install files essential to the functioning of the site, but marketing cookies, Google Analytics or a Facebook pixel cannot be regarded as necessary cookies.
This view is hardly controversial, and thus it is surprising how widespread it is for cookies to be installed despite the lack of user consent. The reasons for this state of affairs must give pause. They seem to arise from a belief that in practice, regardless of what the regulations say, installing cookies without the required consent of users cannot have negative consequences for the owner of the site. Many owners of websites take the view that the matter is so trivial that it will not attract the interest of supervisory authorities.
Leaving aside the possibility of levying of fines by regulators for such practices, it should be pointed out that topics related to cookies have already entered the zone of interest of data protection authorities. The Spanish Data Protection Agency (AEPD) has so far issued two administrative decisions imposing fines for unlawful cookies practices. The first fine, of EUR 10,000, was assessed for installing cookies on a user’s device without his consent. This was found to infringe Art. 6 GDPR, i.e. processing of personal data without a sufficient legal basis. In the second case, AEPD fined an airline EUR 30,000 for not allowing end users to refuse to consent to installation of cookies, and thus, as it were, forcing them to use cookies every time they viewed the site. The airline’s website could not be viewed without accepting cookies. The regulator held that this violated Art. 5 and 6 GDPR, again due to the lack of a legal basis for processing the personal data of the website’s users.
How the issue of obtaining consent to installation of cookies is regulated may change in the future in connection with adoption of the EU’s proposed ePrivacy Regulation. It is not known when work on the regulation will be completed or what solution will ultimately be adopted. One of the premises of the work on this act is to create a regulation that is convenient to end users, who now often regard consenting to installation of cookies as a nuisance. But until the new rules in this area are known, it would be prudent to follow the guidelines presented above.
Katarzyna Szczudlik, adwokat, New Technologies practice, Wardyński & Partners
