Cookies: The coming revolution
Last year regulators in the EU devoted a lot of attention to cookie files and other tracking technologies used on websites. This interest was generated, among other things, by numerous complaints filed in the last year by NOYB—European Center for Digital Rights with data protection authorities, and has resulted in guidance and several decisions issued by regulators in recent months (e.g. in Austria, Belgium and France). Because they may shape the future approach of regulators to the use of cookies, it is worth discussing some of the main conclusions flowing from these decisions.
Cookies and data transfers to the US
A large proportion of tools relying on cookie files and other tracking technologies commonly used by operators of websites in the European Union (e.g. for analytical or statistical purposes) are offered by companies based in the United States—a “third country” for purposes of the EU’s General Data Protection Regulation. This carries certain consequences under the GDPR, as use of such tools may involve the transfer of data to a third country and as such must meet the requirements set forth in Chapter V of the GDPR.
Indeed, the permissibility of transfer of data to the US in connection with the use on various websites of Google Analytics and Facebook Connect tools (relying on cookies and other tracking technologies) was the basis for 101 identical complaints filed by NOYB with 30 supervisory bodies in the European Economic Area.
The complaints have led to the first decisions issued by regulators in the EU examining the permissibility of transfer of personal data from the EEA to Google and Facebook in the US in connection with the use of cookies in these tools.
Austrian decision
In a decision dated 22 December 2021, the Austrian Data Protection Authority (Datenschutzbehörde) found that use by the operator of a website of Google Analytics cookies violated both Chapter V of the GDPR, which imposes rules for the transfer of data to third countries and international organisations, and the holding by the Court of Justice in C-311/18, Schrems II (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems).
In its decision, the Austrian regulator found that use of Google Analytics cookies by an Austrian website involved collection and subsequent transmission of personal data, including unique user identification numbers, IP addresses, and browser settings, to Google in the US.
In the Austrian regulator’s view, the standard contractual clauses concluded between the operator of the website and Google did not ensure an adequate level of protection of data within the meaning of the GDPR, primarily for two reasons:
- Google is a supplier of electronic communications services subject to US regulations involving surveillance by US intelligence agencies (i.e. sec. 702 of the Foreign Intelligence Surveillance Act).
- The supplementary technical, organisational and contractual measures taken by Google as part of its Google Analytics tool are inadequate to limit or prevent the possibility of access by American intelligence services to transferred personal data; that is, they do not ensure an adequate level of protection of personal data transferred to the US.
The regulator also rejected Google’s argument that the data collected using cookies and then transferred to the US do not directly relate to or identify specific natural persons, i.e. do not constitute personal data. In the regulator’s view, IP addresses, particularly when combined with internet identifiers, enable identification of specific natural persons and thus qualify as personal data. In this respect the regulator pointed out that actual and immediate identification is not necessary for such data to be deemed personal data. Moreover, the fact that information enabling identification of a natural person is held by various entities (and not a single entity) is also irrelevant for finding that the person is identifiable and thus that the information constitutes personal data.
This decision resulted from one of the 101 identical complaints concerning use by various companies of Google Analytics and Facebook Connect filed by NOYB across the EEA concerning the permissibility of transferring personal data from the EEA to Google and Facebook in the US in connection with cookies used in these tools.
EDPS decision concerning the European Parliament website
The European Data Protection Supervisor reached analogous conclusions in the decision of 5 January 2022 issued against the European Parliament. The case involved the use of cookies on an EP website and the related transfer of personal data of MEPs and their staff to a company based in the US (including to Google through its Google Analytics tool).
The EDPS stated that the use of standard contractual clauses does not substitute for the individual, case-by-case assessment of the transfer which must be conducted by the exporter (controller) of the data in accordance with Schrems II “to determine whether in the context of the specific transfer, the third country of destination affords the transferred data an essentially equivalent level of protection to that in the EU.” In this respect, the exporter of the data (here, the administrator of the website), where appropriate in collaboration with the data importer in the third country, must carry out an assessment of the proposed safeguards before the transfer is made, and if necessary implement supplementary measures (contractual, technical and organisational) to ensure an essentially equivalent level of protection of the transferred personal data.
In this case the EDPS issued a reprimand to the European Parliament, based on the finding that the EP had not provided any documentation, evidence or other information concerning the contractual, technical or organisational measures ensuring an essentially equivalent level of protection of personal data transferred to the US in the context of the use of cookies on the website in question.
Actions by other regulators
Similar doubts as to the use of Google Analytics were signalled by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which issued a warning on the use of Google Analytics. And the French Commission Nationale de l'Informatique et des Libertés (CNIL) issued a decision on 10 February 2022 finding that transfers of personal data via Google Analytics are unlawful, and ordering a French operator to bring its website into compliance with the requirements of the GDPR, and if necessary to cease using Google Analytics under the current terms and instead use a tool that will not involve the transfer of data outside the EU. The CNIL stated that other tools used on websites (cookies and other tracking technologies) leading to the transfer of personal data of users from the EU to the US would also be examined.
Decisions involving the use of Google tools could have a major impact on administrators of websites in the EU, because for analytical and statistical purposes most of them use Google Analytics or other tools using cookies or tracking technologies offered by entities from the United States.
Consent to cookies
Alongside the decision by the Belgian authority in the IAB Europe case, French decisions on cookie banners may also be highly instructive on obtaining valid consent to cookies.
Since May 2021, the CNIL in France has issued over 90 orders against entities guilty of various irregularities in the use of cookies. The most often identified irregularities include the following practices:
- Cookies requiring the user’s consent were automatically placed on the end user’s device before they were accepted, as soon as the user entered the page.
- The cookie banners did not allow the user to reject the cookies as easily as accept them.
- The cookie banners did enable the user just as easily to reject the cookies, but the mechanism used was not effective because cookies requiring consent were still being stored even after the user had rejected them.
Continuing its proceedings involving cookies, in early January 2022 the CNIL imposed further fines for infringements related to the use of cookies: EUR 150 million against Google (EUR 90 million for Google LLC and EUR 60 million for Google Ireland Ltd) and EUR 60 million against Facebook Ireland Ltd. It also ordered these companies to bring their websites into compliance with data protection requirements within three months.
In these proceedings, the CNIL found that these websites offered an easy way to consent to all cookies immediately upon entering the site, but did not make it just as easy to reject cookies. It took just a single click to accept cookies, but rejecting all cookies required several clicks. The CNIL found that the way of structuring acceptance and rejection of cookies impacted the voluntariness of the user’s consent. Internet users care about speed, so the inability to reject cookies as easily as accepting them inclined users to accept cookies. The CNIL also found that Facebook provided users unclear instructions on rejection of cookies, which misled them as to the actual possibility of rejecting cookies.
These decisions are consistent with the CNIL’s guidance on cookies and similar technologies issued in October 2020 and recommendations on acceptable methods of obtaining users’ consent to storage or reading of cookies and similar technologies which do not qualify as essential.
Key conclusions
Based on the decisions discussed above, it is incumbent on every website operator to check the following issues:
- Whether non-essential cookies are installed on the end user’s device before the user consents.
- Whether the user can just as easily reject cookies, or withdraw consent to cookies, as accept the cookies.
- Whether information on cookies contained in the cookie banner and the cookie policy is transparent and understandable. It must be clear to the user how the user can withdraw consent or reject all cookies.
- Whether the use of Google Analytics includes processing of personal data, and if so, whether the settings for Google Analytics can be modified to ensure compliance with data protection regulations. If it is not possible to change the settings in this way, it is recommended to use alternative solutions not involving the transfer of data outside the EEA.
- Whether the operator uses other tools on its site that could involve data transfers to the US. In that case, the operator should either cease using those tools, or begin anonymising the data, unless the supplier of the tools can demonstrate that additional measures have been taken to ensure an adequate level of protection. But it should be borne in mind that currently data protection authorities tend to regard such additional measures as generally inadequate—even if the supplier declares that the servers are located in the EU—if there is a potential for transfer of the data to the United States.
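An added example (not from the article) of how an operator could turn the first three checks into a repeatable audit: it takes the Cookie headers captured on first page load (before any interaction) and after a "reject all" click, plus the number of clicks each path took, and reports the irregularities the CNIL identified. The essential-cookie allowlist, the cookie names and the captured values are constructed for illustration.

```javascript
// Names a site operator classifies as strictly necessary (session, CSRF, the consent record itself).
// This allowlist is a constructed assumption; a real audit uses the operator's own classification.
const ESSENTIAL = new Set(['session_id', 'csrf_token', 'cookie_consent']);

// Parse a Cookie request header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) jar.set(name.trim(), rest.join('=').trim());
  }
  return jar;
}

// Non-essential cookies in a jar, i.e. those that require consent under the decisions discussed above.
function nonEssential(jar) {
  return [...jar.keys()].filter((name) => !ESSENTIAL.has(name)).sort();
}

// Audit one consent flow. The two headers are captured on first page load (before any interaction)
// and after the user rejected all cookies; the click counts are how many clicks each path took.
function auditConsentFlow({ beforeConsent, afterReject, acceptClicks, rejectClicks }) {
  const findings = [];
  const preConsent = nonEssential(parseCookieHeader(beforeConsent));
  if (preConsent.length > 0) {
    findings.push(`non-essential cookies set before consent: ${preConsent.join(', ')}`);
  }
  if (rejectClicks > acceptClicks) {
    findings.push(`rejecting takes ${rejectClicks} clicks but accepting takes ${acceptClicks}`);
  }
  const postReject = nonEssential(parseCookieHeader(afterReject));
  if (postReject.length > 0) {
    findings.push(`non-essential cookies still stored after rejection: ${postReject.join(', ')}`);
  }
  return findings;
}

// Constructed capture of a non-compliant site: an analytics cookie is dropped on page load,
// rejection is buried behind a settings dialog, and the cookie survives the rejection.
const SAMPLE = {
  beforeConsent: 'session_id=abc123; _ga=GA1.2.111.222',
  afterReject: 'session_id=abc123; cookie_consent=rejected; _ga=GA1.2.111.222',
  acceptClicks: 1,
  rejectClicks: 3,
};

console.log(auditConsentFlow(SAMPLE));
```

A compliant flow (no non-essential cookie before consent, one click either way, nothing left after rejection) returns an empty list.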
The future of cookies
Cookies are not a new technology, but regulators are still framing their approach to their use and assessment of their compliance with data protection regulations. As a result of complaints filed by NOYB in the last year, it should be expected that soon regulators in various member states will issue a number of decisions further shaping the approach to cookies across the EU. And at the beginning of March 2022, NOYB announced that it has filed another round of complaints to website operators whose cookie banners do not meet GDPR requirements.
To avoid discrepancies in the decisions issued by regulators and to develop a joint approach at the EU level in this regard, in September 2021 the European Data Protection Board established a cookie banner taskforce. Thus we should soon expect to see EDPB guidance on the use of cookies. The actions of data protection authorities and the EDPB will undoubtedly be vital for administrators of websites using cookies, prior to adoption of the long-awaited e-Privacy Regulation.
Iga Małobęcka-Szwast