Website Cookies: A Blurred Legal Situation

Definition of Cookies

Cookies are small text files of different types that a website provider stores on the user’s computer. Cookies allow information to be used to facilitate navigation or to analyze the user’s behavior for the benefit of the website operator behind the screen.

Very recently, the Court of Justice of the European Union (hereinafter the “CJEU”) has ruled on the parameters of the use of cookies and on the requirement for consent by the users before cookies are stored and analyzed.  Despite the recent judgments, however, many website providers have not as of yet implemented a privacy-compliant consent mechanism and strategy .

CJEU: The Planet49 Judgment

The Planet49 dispute concerned an online gaming company collecting data for a promotional online lottery – maintained a website which was configured to provide cookie consent via an opt-out process. The company transferred the personal information of participants to its third-party partners and sponsors. Users willing to participate filled out a form with their contact details and consent to the use of cookies was given via a pre-ticked checkbox, which users had to deselect if they did not agree to cookies being stored on their devices.

In its judgment, the CJEU ruled that:

• • a pre-checked checkbox does not constitute valid consent as such consent requires the user’s active, and not passive, behavior;
  • this applies irrespective of whether the information stored and accessed via cookies is “personal data” as defined by the relevant EU legislation; and
  • the website provider must inform the user of the duration of the operation of cookies and whether third parties may have access to those cookies.

The judgment makes clear that:

• • ‘non-essential cookies’ may not be installed when users start their browsing of a website;
  • website operators must provide cookie management options alongside clear and comprehensive information; and
  • users must be able to easily withdraw their consent.

Importantly, the CJEU further clarified that cookie banners with the widely-used ‘by continuing to use our website you agree to our use of cookies’ do not constitute consent and must not be regarded as a form of obtaining a valid one.

As mentioned above, despite the recent judgment(s), many website providers have not as of yet implemented a privacy-compliant consent mechanism and the rationale behind this practice is that the situation is not as clear as it may initially appear.

Website Cookies: A blurred legal situation

Despite the number of EU judgments that dealt with the use of cookies, the court has as of yet merely focused on the process of obtaining consent and did not elaborate on when cookies can be used without the user’s consent. It is true that, under certain circumstances (ie when cookies are ‘strictly necessary’ for the service explicitly requested by the user), the Directive on privacy and electronic communications (Directive 2002/58/EC) (known as the “e-Privacy Directive”) allows for exception to the requirement for consent. Legal interpretations of the “strictly necessary” element of the directive vary however, and the extent of what should be regarded as “strictly necessary” is still subject to debate even among the national European data protection authorities (DPAs).

Despite the blurred legal situation, every company or individual that uses cookies on their website should critically review the strategy/mechanisms of obtaining and analyzing cookies since failure to comply with privacy requirements can lead to high fines under the General Data Protection Regulation.

Defining a cookie strategy

In defining and setting up a cookies strategy, we advise website operators to consider (at least) the following:

• • Whether to request consent for both analytical and tracking cookies;
  • Whether the collected data can be accessed by third parties, and if this is clearly and properly disclosed to website users.
  • Whether the data they collect rises to the level of ‘personal information’, and if so, whether it is covered by privacy policies and current company practices
  • Whether existing cookie walls should be removed;
  • Whether to amend cookie banners and include both the ‘Accept’ and ‘Decline’ buttons;
  • Whether to provide information about cookie purposes and retention periods in the cookie banner; and
  • What additional information should be included in the second-layer cookie statement.

Our firm helps our clients to navigate this increasingly complex and highly regulated landscape by providing clear and practical legal advice on data protection and privacy law issues. If you require any further information, please do not hesitate to contact us.

Disclaimer: This note serves as a general overview of the relevant Cyprus legislation and the information set out shall not be considered as a legal advice nor shall be relied upon by any natural or legal person. G.C. Hadjikyprianou & Associates LLC shall not be liable for any damages incurred by any person who relied solely on the information provided herein. For the avoidance of any doubt, this note is merely intended to highlight key issues and not to be comprehensive and no party shall re-produce and/or use the same without our prior written consent. Use of the information provided herein is subject to our Terms of Use.