Legal Insight
June 2021
Christina Koliatou, LL.M, PgCert
Ioannis Psarakis, Lecturer, LL.M (III), PhD Cand.
(republished from Startup.gr)
Summary: Cookies have by now become a familiar term to the vast majority of the population, largely because of the publicity that Regulation 2016/679 EU (better known by its acronym GDPR) has enjoyed. To be precise, however, the obligation to comply with the cookie-related regime already existed before that Regulation was adopted. Nevertheless, it is common knowledge that compliance with this regime is rather poor. This is observed even at pan-European level and even among organised bodies and large entities, a reality that is often surprisingly negative. Many factors have contributed to keeping compliance at this low level. One of the most important is the feeling that non-compliance goes largely unpunished, so that it is "worth the risk". But this impression - particularly with the passage of time - is false. Audits are still to come, and the 'adjustment periods' granted by the national authorities are long gone. Ultimately, compliance pays off.
The example
A short browse on the internet is enough to see that the current legislation on cookies (trackers) is not respected in our country. There is no need to look "through the binoculars" for non-compliant websites; it is enough to inspect the ones we have set to open at start-up in our browser.
By reading what is set out below, we will be able to spot such 'misspellings' ourselves - even on well-known sites.
The impetus for writing this article was the decision of the European Data Protection Supervisor (EDPS) in case 2019-0878, which strongly confirms the above. In particular, the decision issued on 3.5.2021 notes that even the website of the Court of Justice of the European Union (CJEU) itself failed to comply with the cookies legislation, in more than one respect.
Thus, the 'culture' of non-compliance is not only found in Greece; nor is it exclusive to small and medium-sized enterprises. This finding is interesting because the EU and national texts - although rather technical - make compliance possible without any particular grey areas, providing appropriate information and guidance. With the right legal guidance, compliance is achievable - as long as there is also the will on the part of, e.g., a company.
Compliance
A key guide to compliance is to distinguish between cookies that are necessary (operational) and those that are not. The difference is simple: the former are technically necessary for establishing the connection to the website or for providing the internet service (and therefore mainly serve the interests of the visitor-user), whereas the latter are installed for the benefit of the website owner (or a third party) and mainly benefit them. Secondarily, they also benefit the user in the following sense: they provide data on the user's habits, thus enabling the website to be subsequently configured in a way that better reflects his or her preferences (as shown by his or her activity to date).
Indicative categories of necessary cookies include, for example, those needed when the user fills in an online form or for recording the user's purchases in an online shop (e.g. by selecting the "add to basket" button), those needed for authenticating the subscriber or user in services that require authentication (e.g. when carrying out a banking transaction over the internet), cookies installed for the security of the subscriber or user (such as cookies that detect the user's identity), and cookies installed for the purpose of the user's access to the website.
The distinction between necessary and non-necessary cookies is useful because it answers the question: is consent (the law refers to "consent") needed before they are installed? If the cookies are not necessary, consent is required before they are installed (note: the use of a tracker to store the user's own choice is itself technically necessary).
In the following, we will present three main compliance pillars with examples of the most common mistakes observed in practice.
The consent
We have already mentioned that consent is required for certain types of cookies. This consent requires a clear affirmative action. So, for example, simply continuing to browse or scrolling is not an acceptable way of giving consent. Nor are pre-ticked boxes a 'good practice'.
In the absence of any manifestation of opt-in consent, no unnecessary tracker may be used. Necessary cookies, by contrast, may lawfully be installed without it. Caution though: the user's consent is not deemed to exist merely because the browser is set to accept cookies.
Also, the user should be able, with the same number of actions ("clicks") and from the same level, either to accept the use of trackers (those for which consent is required) or to reject it.
However, a configuration may be such that even the provision of explicit consent is in fact non-genuine or artificial (e.g. the case of "cookie walls"). For example, a website provider installs a program that prevents the display of website content except for a request to accept cookies and information about the cookies used and the purposes of data processing. In this case, it is not possible to access the content without clicking on the "Accept cookies" button. Since the data subject is not given a real choice, his or her consent is not freely given: it does not constitute the valid consent required, as the provision of the service is conditional on the data subject clicking the "Accept cookies" button.
But even if consent is duly given, the user must be able to withdraw it in the same way and with the same ease with which it was given.
Common mistake: This can be found out easily and free of charge via a good cookie scanner.
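As an added example (not the article's own, nor any authority's code), a small JavaScript consent gate modelling the rules of this section: nothing non-necessary loads before an explicit opt-in, accept-all and reject-all each take one action, withdrawal takes that same action, and a scanner-style check flags cookies present before any choice. Tracker names, categories, purposes and retention values are constructed sample data.

```javascript
// Added example: consent gate for trackers. The registry below is constructed sample
// data; purpose and retention per tracker are the 'level 2' information to display.
const TRACKERS = [
  { name: 'session_id', category: 'necessary', purpose: 'keeps the user logged in',     retention: 'session' },
  { name: 'basket',     category: 'necessary', purpose: 'remembers items in the basket', retention: '1 day' },
  { name: '_ga',        category: 'analytics', purpose: 'audience measurement',          retention: '2 years' },
  { name: 'fr',         category: 'marketing', purpose: 'advertising profiling',         retention: '3 months' },
];
// Categories that require opt-in consent (everything that is not 'necessary').
const OPTIONAL = [...new Set(TRACKERS.filter(t => t.category !== 'necessary').map(t => t.category))];

class ConsentManager {
  // store: { get(), set(v) } backed by one first-party cookie; storing the choice is itself necessary.
  constructor(store) { this.store = store; }

  // No recorded choice means no consent: browser settings, scrolling or continued browsing count for nothing.
  state() { return this.store.get() || { decided: false, granted: {} }; }

  // Accept-all and reject-all are each a single action (one click on the level-1 banner).
  acceptAll() { return this.save(Object.fromEntries(OPTIONAL.map(c => [c, true]))); }
  rejectAll() { return this.save(Object.fromEntries(OPTIONAL.map(c => [c, false]))); }
  // Granular choice: a category the user did not explicitly tick stays refused (no pre-ticked boxes).
  choose(granted) { return this.save(Object.fromEntries(OPTIONAL.map(c => [c, granted[c] === true]))); }
  // Withdrawal must be as easy as giving consent: the same single action.
  withdraw() { return this.rejectAll(); }

  save(granted) { const s = { decided: true, granted }; this.store.set(s); return s; }

  // The only trackers the site may load right now: necessary ones, plus categories explicitly granted.
  allowed() {
    const granted = this.state().granted;
    return TRACKERS.filter(t => t.category === 'necessary' || granted[t.category] === true).map(t => t.name);
  }
}

// Scanner-style check: any cookie observed before a choice was made that is not necessary is a violation.
function preConsentViolations(observedCookieNames) {
  const necessary = new Set(TRACKERS.filter(t => t.category === 'necessary').map(t => t.name));
  return observedCookieNames.filter(n => !necessary.has(n));
}

// In-memory store standing in for the first-party consent cookie, so the example runs outside a browser.
function memoryStore() { let v = null; return { get: () => v, set: x => { v = x; } }; }
```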
The information
Consent, even if given, is devoid of content if it is not based on prior, appropriate information. Thus, it is considered bad practice to provide only general information on the use of trackers (e.g. within a general data protection policy document). In other words, an explanation of the role of each tracker and the duration of its storage should be provided, at least at the second level.
By level 1 information we mean the initial information (e.g. upon entering the site, in the form of a banner), while level 2 information means the more extensive information that should be provided, usually by clicking on the "more information" link.
In particular, if cookies that also collect personal data are involved, the details of the data controller and the reason for their installation must also be indicated.
At this point, a clarification is necessary: the issue of cookies does not necessarily fall under the GDPR. Although the public did indeed start to become familiar with cookies on the occasion of the GDPR frenzy, the framework regulating their use goes back some years (ePrivacy Directive 2002/58/EC and Law 3471/2006). Simply put, even if the GDPR did not exist, the above would still be necessary. This is because the regulatory texts on cookies apply regardless of whether personal data is collected through them; if personal data is also collected, the GDPR applies as well (cookies, especially when combined with unique identifiers and other information received by servers, can be used to identify the user). It is indicative that the GDPR mentions cookies in only one place, and that in its preamble (recital 30). The point of overlap between the two laws is consent: according to the European Data Protection Board's Guidelines 05/2020 on consent under Regulation 2016/679, "The concept of consent in the draft Regulation on privacy and protection of personal data in electronic communications remains linked to the concept of consent in the GDPR".
Common mistake: not mentioning (not even at the second level) the categories of cookies, retention time, etc. Lack of information also 'pollutes' the consent.
The banner
There are also cases in which consent is sought through a suitably engineered design of the corresponding banner.
Taking such tactics into account, the DPA's guidance states that, to ensure the user is not nudged towards opting in, buttons and fonts of the same size, tone and colour should be used, offering the same ease of reading. Thus, tactics such as a particular size or colour for the "accept" or "consent" button, or pre-selected defaults, are found to be contrary to the CPD. The configuration of the labels is "prohibited from dictating" the final choice.
At the same time, with appropriate technical implementation, the text of the information must be adapted to each type of terminal device from which it is accessed (mobile or fixed) and must be legible.
Also, on many pages we will notice that there is simply an option to obtain consent in the form of "Okay, I have been informed" or "Okay, I agree", with no possibility of continuing to browse seamlessly (with this message removed) if the user does not select it. This tactic should be avoided.
Common mistake: The option to reject the use of trackers is only offered at the second level of information, i.e. after "clicking" on a hyperlink with "more information". Good practice dictates that rejection should be as easy as acceptance (and therefore at the same level, e.g. level 1 [the banner]).
Epilogue
Compliance with the cookie legislative regime is probably an easy task. Particularly with expert help, it is possible to make it an area of low (or even zero) risk for the business. Having said that, we cannot but touch on the all too often observed lack of compliance with the regime governing the installation of cookies. In large part, this attitude is also fuelled by the (false) sense that administrators of websites (or even applications - the legislation does not distinguish between websites and applications) will go unchecked. In reality, however, 'it is not worth the risk'. It is certain that sooner or later intensive controls will be launched. The question is when.
It is highly likely that the first fines will be high, and for educational reasons. After all, the grace period granted by the DPA (as well as by other authorities, e.g. the French CNIL) has long expired. Moreover, the announcement of the Office of the Data Protection Commissioner of the Republic of Cyprus is indicative: since 22.6.2021 - that is, for a few days now - checks on websites that use cookies have been under way.
This guide intends to provide some first basic guidance for websites in general; hence its generality. But it is precisely this generality that makes it necessary to seek specific advice for each individual case.