Whilst the GDPR is turning six this year, the EU’s legislative bodies have yet to iron out the contentious points of the ePrivacy Regulation - the rules intended to govern cookies and similar tracking technologies across the internet.
The European Commission adopted the ePrivacy Regulation proposal in 2017 to keep pace with the fast-moving developments in internet technology. More recently, it has shifted its focus to the adoption of wider-ranging data-related regulations such as the Digital Services Act. Nonetheless, website operators remain subject to important obligations under the current ePrivacy Directive (transposed into Maltese law through Subsidiary Legislation 586.01 - Processing of Personal Data (Electronic Communications Sector) Regulations) as well as under the GDPR.
The ePrivacy Directive aims to ensure the confidentiality of electronic communications and requires website operators to obtain the consent of their visitors before placing cookies on their devices. The Directive exempts cookies from the consent requirement if one of the following conditions applies:
In its Opinion 04/2012 on Cookie Consent Exemption, the Article 29 Data Protection Working Party, the predecessor of the European Data Protection Board (EDPB), stated that a cookie should be considered ‘strictly necessary’ within the meaning of the ePrivacy Directive where it simultaneously satisfies the two conditions below:
The difficulty businesses face in correctly classifying cookies and in properly relying on the above exemption remains evident in the EDPB’s 2023 report on ‘the work undertaken by the Cookie Banner Taskforce’. As reported by the EDPB, one of the top challenges for stakeholders is the constantly changing features of the technology, which raise practical difficulties for such classification.
As ruled by the CJEU in Case C-673/17 (the ‘Planet49 case’), the consent regime under the ePrivacy Directive is governed by Articles 4(11) and 7 of the GDPR. Consequently, for cookie consent to be valid, it must be freely given, specific, informed and an unambiguous indication of the individual’s wishes, expressed by means of an affirmative action. Recital 32 of the GDPR provides in this respect that ‘silence, pre-ticked boxes or inactivity should not therefore constitute consent’.
It is just as important to provide individuals with the information required under Article 13 of the GDPR. Specifically, website users should be informed of the types of cookies being placed on their devices, the purposes of those cookies, and their corresponding retention periods. The completeness, timeliness and quality of the information provided are critical to respecting the rights of data subjects under the GDPR.
However, whilst the GDPR concerns only the processing of personal data, the ePrivacy Directive significantly broadens the scope, as Article 5(3) applies to ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’. The EDPB (in its ‘Guidelines 2/2023 on Technical Scope of Art. 5(3) of the ePrivacy Directive’) points out in this regard that the term ‘information’ should not be limited to data relating to an identified or identifiable natural person.
Consequently, the EDPB argues that the use of routing identifiers such as the MAC or IP address of a device, session identifiers, authentication tokens or caching mechanisms (such as ETags) can potentially trigger the application of the ePrivacy Directive.
Regulatory oversight has also increased on this front. On 18 January 2024, the French supervisory authority (CNIL) reported that it had fined Yahoo EMEA Limited €10 million for its alleged violation of the ePrivacy Directive, namely for placing non-essential cookies on users’ devices without their consent and for making it difficult for users to withdraw their consent.
Its German counterpart, the Bavarian data protection authority, issued a press release in February 2024 communicating the results of its investigation into cookie banners. According to the regulator, an estimated 350 websites infringe EU law by placing cookies on users’ devices without their consent.
Cookie banners are now a widespread means of providing cookie information on the internet. However, as mentioned above, not all cookie banners guarantee a website’s compliance with EU data protection law. In certain instances, a cookie banner can have an adverse effect, increasing the risk of, and exposure to, user complaints and regulatory action. At a minimum, website operators would do well to have in place:
At PwC Malta, our Privacy & Data team has the expertise to guide your organisation on cookie compliance. For more information on our GDPR compliance and regulatory digital readiness services, please reach out to our sector leaders below.