The Cookie Question redux
I’m hearing a bit of confusion regarding “cookies” on websites (again), so it’s time to walk through The Cookie Question in some detail.
It’s not all about GDPR!
First of all, this isn’t all about GDPR, and the laws about cookies and consent predate GDPR. The law regulating use of “cookies” in Ireland is S.I. 336 of 2011, which implements the EU ePrivacy Directive (Directive 2002/58/EC, as amended in 2009 by Directive 2009/136/EC). That’s right, it’s not actually a GDPR thing!
If you search SI336 for the word “cookie”, you won’t find it. But Regulations 5(3) to 5(5), on the confidentiality of communications, contain this requirement. 5(3) functionally describes cookies, tracking pixels, and any other tech tool that acts the way a “cookie” does; “cookies” is just a broad shorthand.
(3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless
(1) The subscriber or user has given his or her consent to that use, and
(2) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which
(i) Is both prominently displayed and easily accessible, and
(ii) Includes, without limitation, the purposes of processing of the information.
(4) For the purpose of paragraph (3), the methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible, and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technical application by means of which the user can be considered to have given his or her consent.
(5) Paragraph (3) does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
The Cookie Source…
If you are wondering what the Directive text SI336 implements in this section is, here is Article 5(3) in its full glory:
- Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
This has been a source of great confusion, because a lot of Tech and Advertising folks keep focusing on the word “cookie”, in the hope that they can use, for instance, Facebook Like buttons with tracking pixels because those aren’t technically “cookies”. Back when the ePrivacy Directive was new, people saw the description and said, “Oh! That describes a cookie!” because that was the dominant technology at the time. So the entire directive got nicknamed the “Cookie Directive”. And then people who wanted the law not to apply to them focused on the word “cookie” as if it were a magic talisman to ward the law away from any other technology that writes to or reads from a device remotely.
Function not Form is KEY!
But the law doesn’t care whether it’s technically called a cookie! It cares what it does. Whether you call your moderately sized edible treat a cookie, a biscuit, a bun, a little cake or a koekje, it is still the same thing; and likewise it’s what your bite-sized non-edible treat does that matters, not its name. So, does your pixel, beacon, tracker, persistent shared object, script, HTML5 local storage, canvas fingerprinting, device fingerprinting, plug-in, thingy or tech function that hasn’t been named yet store information on, or access information already stored in, a user’s device? If so, it’s a technology covered by the ePrivacy (or “cookie”) Directive and SI336. (I’m just going to use “cookie” in scare quotes for the rest of this blog, because “action or tech that reads from or writes to the device” is even clunkier to read than it is to type.) This also gets covered by GDPR, because the data processed by “cookies”/trackers tends to be data about a device connected to an individual, including information about their behaviour, their use of that “terminal equipment”, website navigation, etc. For an example of the Court of Justice of the European Union ruling on “cookie” use and the processing of personal data, the Fashion ID case (Case C-40/17) looks specifically at the respective roles and responsibilities of Joint Controllership between a website operator and Facebook, because the website allowed a Facebook “Like Button” to be placed on it.
“Cookie Consent” Confusion
The next great area of confusion is the requirement for consent. If the “cookie” isn’t NECESSARY for the functioning of the website or the provision of the service, you need consent. The standard for valid consent is described in the relevant Data Protection legislation (originally Directive 95/46/EC, now GDPR).
First of all, “pre-ticked boxes” ARE NOT CONSENT. This is consistent across GDPR, Data Protection legislation before GDPR, the Consumer Rights Directive, regulatory guidance from national Data Protection Authorities and the Article 29 Working Party/European Data Protection Board, and CJEU rulings like the Planet49 decision (Case C-673/17). Second, as I mentioned earlier, this is ePrivacy legislation we’re looking at, not GDPR. “Legitimate Interests” may be a way you can process data lawfully without relying on consent under GDPR, but it doesn’t exist as a lawful basis in the ePrivacy Directive and SI336. Because ePrivacy specifically requires consent unless the “cookie” is NECESSARY for the functioning of the website or the provision of the service, consent is the only lawful basis on which you can write information to or read information from the device. And “strictly necessary” definitely does not include measuring ad performance or tracking users across websites.
What is consent? Okay, it’s not a pre-ticked box. That’s clear. The reason is the definition of consent in GDPR (Article 4(11)). In order to be valid, consent must be fully informed, freely given, specific to the purpose for processing, and UNAMBIGUOUS. A pre-ticked box isn’t unambiguous. Think of how many times you’ve scrolled past pre-ticked boxes without seeing them. There’s no way you can point to a pre-ticked box and say, “yes, they knew what they were agreeing to and said yes”. Thus “continuing to use this page is consent” notices don’t fly either.
That’s right: any website you go on that has a whole bunch of pre-ticked boxes or toggles defaulted to “yes”, citing “Legitimate Interests” to set trackers, is relying on a basis that doesn’t exist for that purpose, because ePrivacy says they must get consent.
But what about NECESSARY “cookies”?
The European Data Protection Supervisor has written Guidelines on the protection of personal data processed through web services provided by EU institutions, which have some more detailed examples.
Cookies that generally DO need consent:
- Social plug-in tracking mechanisms.
- Third party advertising cookies.
- Analytics cookies (except for the exemption described further on in this section)
Cookies that generally do NOT need consent:
- User input cookies, for the duration of a session
- Authentication cookies, for the duration of a session
- User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
- Multimedia content player session cookies, such as flash player cookies, for the duration of a session
- Load balancing session cookies, for the duration of session.
So, if your web shop uses Stripe for payments and it sets security cookies for fraud prevention, that is likely to be a necessary cookie according to the EDPS. Again, these are just examples provided by the EDPS to European Institutions. But, they’re a good example of what kinds of things the regulator may consider necessary or not, whether they are first party or third party cookies.
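If you are the engineer who has to turn the consent rules above (no pre-ticked boxes, no “legitimate interests” for trackers, necessary “cookies” exempt) and the EDPS categories into code, the simplest robust pattern is a single gate that every write to the device goes through, whatever the mechanism (cookie, localStorage, beacon). The following is an added example, not code from this post or from any regulator: the category names, the in-memory “jar” standing in for document.cookie/localStorage, and the method names are all my assumptions.

```javascript
// Added example: a consent gate that applies the ePrivacy rule in code.
// Category names and the jar interface are assumptions for illustration.

const NECESSARY = "necessary";
// Categories that need opt-in consent (based on the EDPS examples above).
const OPT_IN_CATEGORIES = ["analytics", "advertising", "social"];

// Fresh state: nothing is pre-ticked. Only "necessary" starts as allowed.
function freshConsentState() {
  const state = { [NECESSARY]: true };
  for (const c of OPT_IN_CATEGORIES) state[c] = false;
  return state;
}

// Constructed in-memory stand-in for document.cookie / localStorage so the
// example runs offline. Each entry remembers which category set it.
class MemoryJar {
  constructor() { this.items = new Map(); }
  set(name, value, category) { this.items.set(name, { value, category }); }
  get(name) { const e = this.items.get(name); return e ? e.value : undefined; }
  deleteByCategory(category) {
    for (const [name, e] of this.items) {
      if (e.category === category) this.items.delete(name);
    }
  }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consent = freshConsentState();
    this.refused = []; // audit trail of writes blocked for lack of consent
  }

  // Only an explicit, affirmative list of categories counts as consent.
  // Scrolling, "continuing to browse" or a pre-ticked default never calls this.
  grant(categories) {
    if (!Array.isArray(categories)) {
      throw new TypeError("consent must be an explicit list of categories");
    }
    for (const c of categories) {
      if (c === NECESSARY) continue; // exempt; not a consent matter
      if (!OPT_IN_CATEGORIES.includes(c)) throw new RangeError(`unknown category: ${c}`);
      this.consent[c] = true;
    }
  }

  // Withdrawal must be as easy as giving consent: flip the flag and remove
  // everything already written under that category.
  withdraw(categories) {
    for (const c of categories) {
      if (c === NECESSARY) continue;
      this.consent[c] = false;
      this.jar.deleteByCategory(c);
    }
  }

  // The single choke point. A category that is unknown (e.g. "fingerprint")
  // is refused too: if it isn't declared, it isn't consented to.
  store(name, value, category) {
    if (this.consent[category] !== true) {
      this.refused.push({ name, category });
      return false;
    }
    this.jar.set(name, value, category);
    return true;
  }
}

// Walk through a typical session and return what ended up on the device.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  gate.store("sessionid", "s-1", NECESSARY);   // session auth cookie: exempt
  gate.store("_ga", "GA1.x", "analytics");     // refused: no consent yet
  gate.grant(["analytics"]);                   // user ticked exactly one box
  gate.store("_ga", "GA1.x", "analytics");     // now allowed
  gate.store("fr", "ad-id", "advertising");    // still refused
  return { stored: [...jar.items.keys()], refused: gate.refused.length };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of routing localStorage and beacon writes through the same `store()` call is the “function not form” rule above: the gate does not care what the mechanism is called, only which purpose it serves and whether that purpose has an affirmative tick.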
Telling people about your cookies
Is the cookie being set necessary or not? What is the purpose for writing information to and reading it from the device? Is it a “first party cookie” or a “third party cookie” (are you sharing data with third party recipients)? You need to tell the data subject. GDPR and ePrivacy interact in more than just what constitutes valid consent. Of course, a lot of the data processed by setting cookies or using trackers is personal data, so all the Data Protection principles apply, including Lawfulness, Transparency and Purpose Limitation. The standard GDPR requirements for transparency apply both to the ePrivacy requirement to inform people when using “cookies” and to the Article 13 and 14 requirements to inform people that you are processing their data.