Cookies and GDPR

Irek Bagautdinov

Head of Cybersecurity at Andersen

IT Security
Aug 18, 2020
4 minutes to read
  1. Cookie policy implementation rules
  2. Basic mistakes in implementing the cookie policy or what you should not do
  3. Example 1. A banner warning that by continuing to use the website, you consent to the use of cookies
  4. Example 2. A banner with the correct consent form that does NOT operate on ALL pages of the website
  5. Example 3. Insufficiently transparent cookie policy

These documents officially define cookies as personal data and make provisions for extraterritorial responsibility, as well as imposing huge fines on site owners for illegal use of such files.

Due to the absence of case law and real penalties, business representatives used to feel safe; in other words, "while the cat's away, the mice will play." But the cat is not away. One of the heaviest fines for a violation of the cookie rules, 30,000 euros, was imposed on Vueling Airlines in October 2019 by the Spanish Data Protection Authority. The reason was that users had no way to decline third-party cookies.

Another such analysis made it clear that, in the rush to implement the GDPR requirements, many companies also put their web resources in order. However, whether through misunderstanding the requirements or through reluctance to "spoil" the website's user interface, roughly every second organization implements its cookie policy incorrectly.

Cookie policy implementation rules

The rules apply whenever a site uses any cookies to build a profile of the user. They do not apply to:

  • Cookies that are strictly necessary for the correct operation of the website;
  • Cookies that are strictly necessary to provide an online service to the user, such as when the user fills out an online form, uses a shopping cart, or authenticates on the site to log in to the online service delivery system.

Let's get back to the rules. Their essence is as follows:

  1. Cookies must only be installed with the user's prior consent.
  2. This consent must be given by a clear action confirming the user's choice, and if there is a checkmark in a form, this mark cannot be set by default.
  3. The user must be provided with clear and understandable information about the purpose of the cookies, why they are installed, how long they are kept, and the third parties to which user data is transmitted.
  4. The user must be able to change or withdraw consent at any time.
  5. All cookie consents must be recorded, because the site owner, as a controller or processor, must be able to prove that consent was obtained.
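To make the five rules concrete, here is an added Python sketch of consent-gated cookie setting for a hypothetical shop; it is not code from the article, and the cookie catalogue, category names and the StatsCo/AdNet recipients are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed catalogue for a hypothetical shop: name -> (category, purpose,
# retention, recipient). Rule 3 needs all four items for every cookie.
COOKIE_CATALOG = {
    "session_id": ("necessary", "keeps you logged in", "session", None),
    "cart": ("necessary", "remembers your basket", "session", None),
    "_stats": ("analytics", "usage statistics", "13 months", "StatsCo"),
    "_ads": ("marketing", "ad profiling", "90 days", "AdNet"),
}
OPTIONAL_CATEGORIES = ("analytics", "marketing")


@dataclass
class ConsentRecord:
    """Rule 5: what was agreed to, when, and whether it was later withdrawn."""
    choices: Dict[str, bool]
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def record_consent(ticked: List[str], now: Optional[datetime] = None) -> ConsentRecord:
    # Rule 2: every optional category starts unticked; only explicit ticks count.
    choices = {cat: cat in ticked for cat in OPTIONAL_CATEGORIES}
    return ConsentRecord(choices, now or datetime.now(timezone.utc))


def withdraw_consent(rec: ConsentRecord, now: Optional[datetime] = None) -> ConsentRecord:
    # Rule 4: withdrawal is stored alongside the original consent, not deleted.
    return ConsentRecord(rec.choices, rec.given_at, now or datetime.now(timezone.utc))


def cookies_to_set(rec: Optional[ConsentRecord]) -> List[str]:
    """Rule 1: with no record, or a withdrawn one, only necessary cookies go out."""
    consented = rec is not None and rec.withdrawn_at is None
    names = []
    for name, (category, _purpose, _retention, _recipient) in COOKIE_CATALOG.items():
        if category == "necessary" or (consented and rec.choices.get(category, False)):
            names.append(name)
    return names


def cookie_notice() -> List[str]:
    """Rule 3: one plain line per cookie naming purpose, retention and recipient."""
    return [f"{name}: {purpose}; kept for {retention}; shared with {recipient or 'no one'}"
            for name, (_cat, purpose, retention, recipient) in COOKIE_CATALOG.items()]
```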

Basic mistakes in implementing the cookie policy, or what you should not do

Let's look at the three most common examples of incorrect cookie policy implementation on the websites of controllers and processors of personal data.

Example 1. A banner warning that by continuing to use the website, you consent to the use of cookies

This practice is widespread. According to the cookie policy published on such a website, the user will have technical cookies, functional cookies, and third-party marketing companies' cookies installed.

However, the warning on the banner at the bottom of the page usually reads: "This website uses technical and analytical cookies as well as third-party profiling cookies. If you select 'Continue' or access any content on our website without doing so, you consent to using cookies. To learn more and to refuse the use of cookies, click here."

In this case, we observe the violation of all the above-mentioned rules:

  1. Cookies are installed automatically when the user accesses the website.
  2. Continuing to use the website or clicking the "Continue" button is not a clear confirmation, since the user is given no choice and cannot refuse the installation of cookies.
  3. The information provided in the cookie policy does not contain specific storage periods for certain cookies.
  4. There is no mechanism on the website for withdrawing consent; the only option is to delete the cookies in the browser settings.
  5. Since there is no clear mechanism for obtaining consent, it is simply impossible to confirm that such consent was obtained.

Example 2. A banner with the correct consent form that does NOT operate on ALL pages of the website

As an example, let's consider a French online store.

The consent banner displayed on the main page of the website complies with the rules, and the data protection guide referenced in its text gives a detailed description of the company's cookie policy. However, if you dig deeper and open any other page, magic happens.

The magic is that a banner that appears to meet all the requirements does not actually work: cookies other than strictly necessary ones are not blocked before consent is obtained, so the website definitely does not comply with all the rules. Of the five rules, only the second and third are followed here.
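A check a practitioner can run to catch both the Example 1 and Example 2 failures: capture the Set-Cookie headers of a page load made before touching the banner and flag everything that is not strictly necessary. This is an added Python example, not code from the article; the allowlist, hostnames and captured headers are constructed.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of cookies the site may set without consent.
STRICTLY_NECESSARY = {"session_id", "cart", "cookie_consent"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def is_third_party(response_url: str, site_host: str) -> bool:
    host = urlsplit(response_url).hostname or ""
    return not (host == site_host or host.endswith("." + site_host))


def audit_pre_consent(captured: List[Tuple[str, str]], site_host: str) -> List[Dict[str, str]]:
    """Flag every cookie set during a page load made before consent that is not
    strictly necessary. `captured` holds (response URL, Set-Cookie header) pairs,
    for example exported from an intercepting proxy."""
    findings = []
    for url, header in captured:
        cookie = parse_set_cookie(header)
        third = is_third_party(url, site_host)
        if cookie["name"] in STRICTLY_NECESSARY and not third:
            continue  # first-party and on the allowlist: permitted without consent
        findings.append({
            "cookie": cookie["name"],
            "set_by": urlsplit(url).hostname or "",
            "party": "third" if third else "first",
            "lifetime": cookie.get("max-age") or cookie.get("expires") or "session",
        })
    return findings


# Constructed capture of a page load with no consent given; not from any real site.
SAMPLE_CAPTURE = [
    ("https://shop.example/", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("https://shop.example/", "_stats=u1; Path=/; Max-Age=34214400; Secure"),
    ("https://tracker.adnet.example/pixel.gif", "_ads=x9; Domain=.adnet.example; Max-Age=7776000"),
]
```

An empty result from `audit_pre_consent` on every page of the site, not just the home page, is the evidence that the blocking mechanism works.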

Example 3. Insufficiently transparent cookie policy

It also happens that a company has built a working mechanism for obtaining consent but does not transparently disclose the purpose of specific cookies and their storage periods.

The website has a cookie consent banner for managing specific cookies and, most importantly, the blocking mechanism works. However, the information about cookie use contains too few specifics: neither a list of the companies whose third-party cookies the website installs nor the storage period for at least certain types of cookies is provided. In such cases, one of the main GDPR principles, transparency of processing, is violated, and with it the third rule. An example of a completely transparent cookie policy is the one published on the website of the European Commission.

These were clear examples of common mistakes in implementing the requirements of European data protection and privacy law. They also show that the work of European regulators is making many controllers and processors worry about compliance. Two years ago, the topic of cookie use was not raised on most sites at all, but now the situation is changing radically. This should please users who want to gain control over their data, because, according to the European Commission on data protection, this is what the GDPR was developed for.

Practice shows that site owners who are controllers or processors are currently left with two options. The first is to ensure full compliance with the established rules, either on their own or with the help of third-party specialists. The second is to drop all cookies except those needed for the correct operation of the website and the provision of basic services to customers, as the website of the Spanish Data Protection Agency does.