These documents officially define cookies as personal data and make provisions for extraterritorial responsibility, as well as imposing huge fines on site owners for illegal use of such files.
Because there was little case law and few real penalties, business representatives used to feel safe; in other words, "while the cat's away, the mice will play." But the cat is not away. One of the heaviest fines for a violation of the cookie law, 30,000 euros, was imposed on Vueling Airlines in October 2019 by the Spanish Data Protection Authority. The reason was that users had no way to decline the installation of third-party cookies.
These rules apply if the site uses any cookies to build a profile of the user. However, they do not cover:
- Cookies that are strictly necessary for the correct operation of the website;
- Cookies that are strictly necessary to provide an online service to the user, such as when the user fills out an online form, uses a shopping cart, or authenticates on the site to log in to the online service delivery system.
Let's get back to the rules. Their essence is as follows:
- Cookies must only be installed with the user's prior consent.
- This consent must be given by a clear action confirming the user's choice; if the form uses a checkbox, it cannot be ticked by default.
- The user must be given clear and understandable information about the purpose of the cookies, why they are installed, how long they are stored, and the third parties to which user data is transmitted.
- The user must be able to change or withdraw consent at any time.
- All cookie consents must be recorded because the site owner, as a controller or handler, must be able to confirm that consent has been obtained.
In this case, we observe the violation of all the above-mentioned rules:
- Cookies are installed automatically when the user accesses the website.
- Continuing to use the website or clicking the "Continue" button is not a clear confirmation, since the user is not given the right to choose, and they cannot refuse to install cookies.
- There is no mechanism for withdrawing cookie consent on the website; instead, you can only uninstall the cookies via your browser settings.
- Since there is no clear mechanism for obtaining consent, it is simply impossible to confirm that such consent was obtained.
Example 2. A banner with the correct consent form that does NOT operate on ALL pages of the website
As an example, let's consider a French online store.
The catch is that a banner that seems to meet all the requirements doesn't actually work. Cookies other than the strictly necessary ones are not blocked before consent is obtained, which means that the website definitely does not comply with all the rules. In this case, we can say that, out of the five, only the second and third rules have been followed.
It also happens that a company has developed a working mechanism for obtaining consent but has not provided transparent information about the purpose of specific cookies and their storage periods.
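To make concrete what the five rules above demand of a banner, and where the banner in this example fails, here is an added example of a consent-gated cookie manager (not code from the original article or from any of the sites discussed). It assumes an in-memory cookie store standing in for `document.cookie` or a consent-management platform, and three cookie categories: "necessary", "analytics" and "marketing".

```javascript
// Added example: consent gating for non-essential cookies. The in-memory store is
// an assumption that stands in for document.cookie or a CMP API in a real site.
const OPTIONAL = ["analytics", "marketing"];
const KNOWN = ["necessary", ...OPTIONAL];

class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, category) { this.jar.set(name, { value, category }); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
  category(name) { return this.jar.get(name).category; }
}

class ConsentManager {
  constructor(store, now = () => new Date()) {
    this.store = store;
    this.now = now;
    // Rule 2: nothing is pre-ticked, so every optional category starts as refused.
    this.consent = { necessary: true, analytics: false, marketing: false };
    this.records = [];  // Rule 5: every decision is logged so consent can be proven
    this.pending = [];  // Rule 1: optional cookies wait here until consent is given
  }

  // Rule 1: before a choice is recorded, only strictly necessary cookies are set.
  // Returns true if the cookie was set, false if it was queued.
  requestCookie(name, value, category) {
    if (!KNOWN.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.consent[category]) { this.pending.push({ name, value, category }); return false; }
    this.store.set(name, value, category);
    return true;
  }

  // Rules 2 and 4: called only from an explicit user action (source names it), and
  // used both for the first consent and for later changes or withdrawal.
  setConsent(choices, source) {
    for (const cat of OPTIONAL) this.consent[cat] = choices[cat] === true;
    const record = { at: this.now().toISOString(), source, choices: { ...this.consent } };
    this.records.push(record);
    // Flush queued cookies; categories still refused are simply re-queued.
    const queued = this.pending;
    this.pending = [];
    for (const c of queued) this.requestCookie(c.name, c.value, c.category);
    // Withdrawal: drop cookies already set in categories that are now refused.
    for (const name of this.store.names()) {
      const cat = this.store.category(name);
      if (cat !== "necessary" && !this.consent[cat]) this.store.remove(name);
    }
    return record;
  }
}
```

A banner like the one in this example would call `requestCookie` for analytics cookies without ever going through `setConsent`, so the cookies would stay queued; a site that sets them directly, bypassing the gate, is the failure the text describes.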
These were clear examples of common mistakes in implementing the requirements of European data protection and privacy law. They also show that the work of European regulators makes many controllers and handlers worry about compliance. Two years ago, the topic of cookies was not raised on the majority of sites at all, but now the situation is changing radically. This should please users who want control over their data because, according to the European Commission, this is what the GDPR was developed for.
Practice shows that site owners who are controllers or handlers are currently left with two options. The first is to ensure full compliance with the established rules, either independently or with the involvement of third-party specialists. The second is to give up all cookies except those that enable the correct operation of the website and the provision of basic services to customers, as is done on the website of the Spanish Data Protection Agency.
My name is Irek. I am Head of Cybersecurity at Andersen. We consult for companies in the FinTech, Retail, Healthcare, and other sectors in the field of cybersecurity. We help organize continuous data protection and identify vulnerabilities in the infrastructure.