Interest based advertising is a key part of many online business models. Users can be addressed more directly, which increases the effectiveness of advertising and thereby the payouts for website and app operators. A necessary prerequisite for personalised advertising is the tracking of the individual surfing behaviour of the users. This is primarily done by placing cookies. Various major European supervisory authorities have provided guidelines on the privacy requirements to achieve compliance with respect to the placing of cookies and the subsequent data processing.
What’s the trouble?
Art. 5 (3) of the ePrivacy Directive (and the respective implementation laws by the EU Member States) state that access to or storage of information already stored in a user’s terminal device (for example via the dropping of cookies or by receiving access to other user identifiers) is only permitted if the user concerned has given his or her consent. This applies regardless of whether personal data is affected. Where tracking involves the processing of personal data, such processing also needs to comply with GDPR requirements.
Thus, the placing and reading of cookies and other identification mechanisms generally require consent within the EU. In its recent „cookie ruling“, the European Court of Justice specified how a required consent is to be obtained. On this point, it clarified that the use of an already ticked checkbox (“opt-out”) does not fulfil the requirements for effective consent. An effective consent always requires active behaviour on the part of the user (“opt-in”). In practice, however, the preceding question is in which cases and under which conditions consent is actually required. On this question, various European supervisory authorities have published statements.
Approach of the German Data Protection Authorities
The German supervisory authorities issued an “orientation guide for telemedia providers” in March 2019.
Interestingly, the German authorities do accept that some cookie-related processing activities may be justified without user consent, based on the publisher’s legitimate interests, and provides very detailed “three step guidance” on how to assess whether such legitimate interests are an appropriate legal basis for data processing in an online context.
Step 1: existence of a legitimate interest for the processing of the data
The basic prerequisite is that there is a legitimate interest in the processing by the publisher. The requirements for this are very low. It can be any interest of an economic, ideational or legal nature. Illegal or discriminatory motives cannot establish a legitimate interest.
Step 2: necessity in order to uphold the legitimate interest
Further, the data processing must be necessary to safeguard the relevant legitimate interest. Again, the requirements are not too high. However, no milder, equally effective means should be available. The processing must therefore be limited to the extent necessary.
Step 3: balancing in the specific individual case
The legitimate interests of the controller must be weighed against the interests of the data subjects, in particular the fundamental right to the protection of personal data. The German authorities specify detailed criteria for the weighing, such as predictability of data processing, transparency, and the duration of observation.
Approach of the French supervisory authority CNIL
The CNIL has updated its statements on online tracking with the statement 2019-093 from 4 July 2019. It states that only so-called „functional cookies“ do not require consent. If consent is required, such consent must be given expressly and voluntarily. A mere possibility to „opt-out“ or „cookie walls“ are insufficient. Like the German authorities, the CNIL also demands that it be possible to consent separately for different purposes. A declaration of consent covering all cookies is accepted, but the user must also be given the opportunity to select and deselect certain cookies.
The declaration of consent must in any case indicate the identity of the controller and the purposes of the data processing or cookie setting as well as the right to revoke the declaration of consent at any time. In addition, all third parties that gained access to data through the tracking mechanisms should be made transparent and covered by the consent. The consent of the user must also be adequately documented.
A particular feature of the French statement lies in the handling of cookies which are used for analytics purposes. Specifically, this concerns cookies used to improve the usability of the website, to segment the website audience in order to assess the effectiveness of editorial decisions or to dynamically adapt the website on a global scale. To a limited extent, the CNIL recognises these as functional cookies, with the consequence that they do not require consent.
Approach of the UK ICO
According to the ICO, the setting of cookies requires consent pursuant to § 6 (1), (2) PECR (implementation of Art. 5 (3) ePrivacy Directive). Since neither the PECR nor the ePrivacy Directive defines consent in more detail, the requirements for consent under the GDPR should be applied. The ICO argues that, as consent is required anyhow from a PECR perspective, it will be impossible to base the involved data processing under GDPR on any other legal basis than consent, as this could lead to unfair evaluations and confusion among users, for example if a user withdraws his consent and the data processing is subsequently based on legitimate interests.
Enforcement of the standards throughout the EU
The statements of the various EU regulators differ only in nuances. It is expected that the elaborations from Germany, France and the United Kingdom will be the basis for a concentrated approach in Europe and an opinion of the European Data Protection Board.
More legal certainty can possibly be provided by the upcoming ePrivacy Regulation, which is intended to complement the GDPR, inter alia with respect to online tracking. However, its entry into force is more uncertain than ever. After the Committee of Permanent Representatives of the Governments of the Member States to the European Union (COREPER) rejected the draft text in November 2019, EU Commissioner for Digital Affairs Breton proposed a complete reorientation. The further procedure is still unclear, but at any rate the ePrivacy Regulation is not to be expected in near future.
Taylor Wessing, Paul Voigt Lic. en Derecho, CIPP/E, Partner, Berlin