Privacy Talk
Cookies: an update.
What you need to know.
If your company has a website, there is a significant chance it has cookies. Even purely informative websites (ones without a webshop, for example) often have cookies: to keep track of the visitor's language preferences, collect statistics about the way visitors use the site or to personalise advertisements. No matter what your website developer says, in the vast majority of cases these cookies will collect personal data. In practice, the data protection world - unlike the technical world - is much less likely to conclude that cookies are « anonymous ».
The use of cookies therefore falls within the scope of the General Data Protection Regulation. Furthermore, Directive 2002/58/EC (the « ePrivacy Directive »), as implemented in the national legislation of the Member States, applies as lex specialis (thus taking priority over the General Data Protection Regulation). The ePrivacy Directive is currently being revised by the European legislator, but for the time being they have not succeeded in adopting the new ePrivacy Regulation. In the meantime, the national supervisory authorities have not been sitting still. In recent months, several authorities have issued guidelines on the use of cookies, and fines have also been imposed for infringements relating to them. Furthermore, at the end of last year, the Court of Justice ruled in the Planet 49 judgment on the consent and transparency requirement for cookies. Finally, on 4 May 2020, the European Data Protection Board also issued new guidelines on consent, including rules on the placing of cookies.
Doing nothing while awaiting the new ePrivacy Regulation is therefore no longer an option. Time for an update of our previous Privacy Talk on this subject.
The ePrivacy Directive stipulates that the website visitor's consent is necessary for the placement of cookies, with the exception of the technical storage of information or the provision of a service explicitly requested by the subscriber or end user when placing a cookie is strictly necessary for this purpose. In practice, these two exceptions mean that consent is not required for cookies that are necessary (i) for the functioning of the website (often called « essential » cookies) and (ii) to provide a functionality explicitly requested by the visitor (often called « functional » cookies). These include for example, cookies that are necessary to establish a connection, to remember a login or language preferences, to store selected products in a shopping basket, etc.
Consent under the ePrivacy Directive must comply with the conditions of the General Data Protection Regulation. This means, amongst other things, that the consent must be informed and unambiguous. Furthermore, website owners must comply with the general transparency requirement (Articles 12 and 13 GDPR).
What you need to do.
Everything starts with a proper understanding of the cookies your website uses. In practice, this is exactly where the sticking point lies. This information must be provided by the website developer. Possibly you (as a lawyer) can double-check this information against the result of a « cookie scan » as provided by online tools. Such tools are certainly not flawless, however, and experience has shown that website developers too can overlook cookies. It is therefore often advisable to ask a few additional questions.
To play it safe, you should assume that all cookies collect personal data. The threshold to be able to speak of « anonymous » cookies is very high, so you should not run the risk that the supervisory authority would take a different view (than the website developer).
You must inform the website visitor about the use of cookies and ask for his/her consent for cookies that are not essential or functional (e.g. statistical, advertising or social media cookies). You do this by means of a so-called cookie banner:
- The cookie banner contains a brief description of the types of cookies used by the website and a link to the cookie statement for more information. If the website already has a privacy statement (in accordance with Articles 12 and 13 GDPR), the cookie statement only needs to contain the following information: for each cookie, its name, purpose, retention period and, where applicable, the name of the third party that placed the cookie and/or uses the cookie. The cookie statement also has to contain information about changing the browser settings and the possibility of revoking the consent. The cookie statement must be drawn up in the language of the target group and must be easily accessible (i.e. available via a link on every page of the website).
- You must obtain the visitor's consent for placing the non-essential/non-functional cookies. This too is best done through the cookie banner that appears immediately on the first visit to the website. Obtaining consent should be done granularly, i.e. at least per type of cookie (statistical, advertising and social media). If you provide the possibility of accepting all cookies with a single click, it is also a good idea to provide a button for rejecting all (non-essential/non-functional) cookies. You are not allowed to work with pre-ticked boxes (for non-essential/non-functional cookies), nor is it sufficient to have a message that continued surfing is deemed to be consent.
Remember that many supervisory authorities and also the European Data Protection Board do not accept cookie walls, i.e. making access to the website dependent on the visitor's consent to the installation of non-essential and non-functional cookies.
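As an added illustration (not part of the original Privacy Talk and not any client's or vendor's code), the banner rules above expressed as a small JavaScript consent model: non-essential categories start unticked, consent is recorded per category, "accept all" sits beside "reject all", every non-essential cookie is gated on the recorded choice, and the page keeps working when nothing is granted (no cookie wall). The category names, the cookie inventory and the format of the consent cookie are constructed assumptions for the example; it also goes slightly beyond the text by showing how the choice can be stored and read back so it can be displayed and revoked later.

```javascript
// Added example, not from the original article. Category names, cookie names
// and the consent-cookie format below are constructed assumptions.

// Categories the banner offers. Only essential and functional cookies may be
// placed without consent; every other category starts unchecked (no pre-ticked boxes).
const CATEGORIES = {
  essential:   { requiresConsent: false },
  functional:  { requiresConsent: false },
  statistics:  { requiresConsent: true },
  advertising: { requiresConsent: true },
  social:      { requiresConsent: true },
};

// Constructed cookie inventory: the kind of list the website developer should hand over
// (name, purpose, retention period, third party) and the cookie statement must show.
const COOKIE_INVENTORY = [
  { name: 'session_id', category: 'essential',   purpose: 'Keep the visitor logged in',      retention: 'session' },
  { name: 'lang',       category: 'functional',  purpose: 'Remember the language preference', retention: '1 year' },
  { name: 'stats_id',   category: 'statistics',  purpose: 'Usage statistics',                retention: '2 years',   thirdParty: 'Example Analytics (constructed)' },
  { name: 'ads_id',     category: 'advertising', purpose: 'Personalised advertising',        retention: '13 months', thirdParty: 'Example Ad Network (constructed)' },
];

// Starting state on the first visit: nothing granted. The site must stay usable in this
// state; only essential and functional cookies are allowed.
function initialConsent() {
  const consent = {};
  for (const cat of Object.keys(CATEGORIES)) consent[cat] = !CATEGORIES[cat].requiresConsent;
  return consent;
}

// Granular choice: grant exactly the categories the visitor ticked, nothing more.
function grantCategories(consent, granted) {
  const next = { ...consent };
  for (const cat of granted) {
    if (!(cat in CATEGORIES)) throw new Error(`unknown cookie category: ${cat}`);
    next[cat] = true;
  }
  return next;
}

// The two buttons offered side by side. "Reject all" also serves to withdraw consent.
function acceptAll(consent) { return grantCategories(consent, Object.keys(CATEGORIES)); }
function rejectAll() { return initialConsent(); }

// Gate every cookie (or the tag that sets it) on the recorded choice for its category.
// A cookie missing from the inventory is never placed: it has not been documented.
function mayPlaceCookie(consent, cookieName) {
  const entry = COOKIE_INVENTORY.find((c) => c.name === cookieName);
  if (!entry) return false;
  return consent[entry.category] === true;
}

// Persist the choice in the consent cookie itself (an essential cookie) as a dated record,
// so the decision can be shown to the visitor and revoked later. Format is constructed.
function encodeConsentCookie(consent, now = new Date()) {
  return encodeURIComponent(JSON.stringify({ v: 1, at: now.toISOString(), consent }));
}

// Read the record back. Anything unreadable or unexpected falls back to "nothing granted",
// and categories that never needed consent stay allowed regardless of the stored value.
function decodeConsentCookie(value) {
  try {
    const parsed = JSON.parse(decodeURIComponent(value));
    if (parsed.v !== 1 || typeof parsed.consent !== 'object' || parsed.consent === null) return null;
    const consent = initialConsent();
    for (const cat of Object.keys(consent)) consent[cat] = consent[cat] || parsed.consent[cat] === true;
    return consent;
  } catch (err) {
    return null;
  }
}

// Rows for the cookie statement's table: name, category, purpose, retention, third party.
function cookieTable() {
  return COOKIE_INVENTORY.map((c) => ({
    name: c.name, category: c.category, purpose: c.purpose,
    retention: c.retention, thirdParty: c.thirdParty || null,
  }));
}
```

In a real banner the tag loader for statistics, advertising and social media scripts would call `mayPlaceCookie` (or check the category directly) before loading anything, and the "reject all" path would leave the page fully functional; the consent record and the inventory table are what a supervisory authority would expect to be able to inspect.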
Finally, although the ePrivacy Regulation is likely to amend some of the above, this should not stop you from complying with the current legislation today. The use of cookies is a priority for many supervisory authorities (e.g. in Belgium, France, the UK, Germany and Spain). In any case, we will keep you informed as soon as the legislation changes.
Please consult our website or contact one of our team members if you have questions or require more information: