Cookies Can Kill You, Say EU Regulators
Cookies are being targeted by EU regulators and courts. Data Protection concerns mean that website owners can be fined for depositing (a.k.a. 'dropping') cookies on EU and EEA visitors' web browsers.
In the past it was considered acceptable to imply that consent was given based purely on continued use of a web site's services. However, since GDPR became law, the standard for consent has been revised. Consent can no longer be implied and is only deemed valid when it is given as a clear, explicit, affirmative and unambiguous act. It must be granular and not cover multiple or blanket conditions.
Across Europe, Data Protection Authorities have been tightening up their guidance for cookie consent.
· In February 2019, after carrying out a website survey in its jurisdiction, the Bavarian DPA warned that no websites in its sample met the revised guidelines.
· In March 2019, the Dutch DPA warned that websites that only allow access if end-users agree to accept cookies are unlawful.
· In June 2019, the Irish DPA explicitly laid out cookie consent requirements.
· In July 2019, the French and British DPAs both issued new guidance, affirming that consent must meet the tougher GDPR standards.
In parallel to these changes the European Court of Justice (CJEU) has continued its extremely hard line on data protection. Time and again, the CJEU takes an expansive view of what data protection is.
This piles cost and responsibilities on to website owners (see Wirtschaftsakademie Schleswig-Holstein & Jehovan Todistajat). In the recent Fashion ID case, the German fashion retailer had included a Facebook "Like" button on its website. The court found this makes the retailer a "joint controller" together with Facebook for the processing of visitors' personal data.
This means that all website owners MUST check whether they deploy cookies for third parties and, if they do, either:
· Ensure there are joint controller agreements in place,
· Establish which lawful basis applies for the processing of end-user personal data,
· Explain the data usage to website end-users, and
· Be ready to vindicate end-users' rights in all cases.
Or, alternatively, just remove the cookies!
DigiTorc offers cost effective and practical data protection services across Ireland and the UK. We deliver GDPR Audit and Compliance Services, Privacy Assessments, Data Protection Consulting and Training. See www.digitorc.com for more information.