The e-privacy directive and the draft e-privacy regulation prescribe the rules internet sites have to follow when placing cookies. One of the main differences of opinion between the European Parliament and the Council, and even within the Council, was whether sites can place cookies based on legitimate interest. It is generally accepted that the e-privacy rules should not be softer than the GDPR requirements. Many data protection experts believe that placing information on the terminal equipment of the user is so intrusive that it should not be justified by legitimate interest. On the other hand, where personal data is processed based on legitimate interest, the user has the right to object - but only based on his/her particular situation.
Cookies are sometimes absolutely necessary to provide the online service. Most of these, maybe all, do not have to be kept after the session is closed (for example those which indicate that the user has been authenticated, so that the user does not have to sign in again during a session, or cookies used to store the content of the purchase basket). In some cases the content of the basket could be retained after the user has closed the session, but this is risky if several users use the same machine. The rule is that cookies which are deleted at the end of the session and cookies which are necessary to provide the services can be placed on the computer of the user without consent. Any other cookie requires consent, or the right to object should be provided.
A lot of sites (even sites dealing with the protection of personal data) do not completely comply. The rudest case is when the cookie banner, appearing on the first screen when the user visits a website, only informs the user that cookies are used and that by continuing to browse, the user accepts that cookies are placed on the computer. This is completely non-compliant: either the cookies are strictly necessary or session cookies, in which case no consent is needed, or they are not, in which case the GDPR rules for consent apply. Consent must be informed, specific and freely given, and implicit consent or consent given by not acting (i.e. leaving a pre-clicked box clicked) is not valid. Other websites only offer the option to accept cookies. These are not any better: although consent is given actively, it is neither freely given nor informed.
Of course the other extreme, giving information in detail about each cookie and then requiring the user to accept them one by one, is also not user-friendly, and it is also damaging for the owner of the site, as people will not bother to click dozens of boxes. Therefore, even when detailed information is given about the individual cookies and the information they store, it is usually categories of cookies, grouped by purpose, that are accepted or refused. Of course, not all of the information fits onto the banner, so usually there is a "more information" button on the banner. A rather user-friendly solution is when the boxes to click and accept the different categories of cookies are on the immediately appearing cookie banner, while the details can be accessed by clicking on the "more information" button - which of course has to lead to a page from where it is easy to go back to the landing page with the cookie banner. I have even seen banners where there were three buttons: accept, more information (or settings) and reject all. These I liked.
The cookie categories can be: strictly necessary (no consent is necessary, but the user is sometimes informed about them without the possibility to refuse them), functional (remembering the user's choices or the - last - visited sub-pages and thus making browsing more comfortable), analytics and advertising. Sometimes third-party cookies are also set, or other sites can also read the information in a cookie - mostly partners of the owner of the site. Listing all these partners and asking for consent for them to read the cookies one by one can result in a complicated cookie choice page.
Before showing the tricks some sites use, it has to be noted that withdrawing consent must be as easy as giving it - therefore a link which brings the user back to the choices should be visible somewhere on all pages. Also, the cookie choices have to be retained, which is not trivial - I have previously seen cookie banners which offered the choice to reject all cookies except those which remember that cookies were rejected. For people familiar with recursion, this may sound ridiculous, and one might also argue that the cookie storing the information that cookies are rejected is a necessary cookie. However, one penalty users refusing cookies can be subject to is that they have to respond to the cookie banner every time they visit a site. Of course, showing the cookie banner irrespective of whether consent was given or not, and to which cookies, is one way to enable the user to refuse cookies at any time.
Often the cookie choices are not on the cookie banner but have to be made on a separate page, in particular if the information and choices given are complex or multiple (like consent for each individual cookie, or for different partners to read cookies). In this case a "reject all" and an "accept all" button can be useful. The trick some sites use is that the user has to scroll down the long list of cookies to find the "reject all" button, or that the "accept all" button is in a vivid colour while the "reject all" button is grey, like buttons which cannot be chosen (of course it can).
A mean practice is that the page where you can set the cookies is not accessible via a button labelled "choices" or "options" but simply "more information" or "learn more". Unfortunately, in the least compliant cases these links indeed only lead to an information page without the possibility to choose, but these are not tricks, simply non-compliant pages.
And then we come back to the different legal bases. The cookies for which the basis is consent are shown in a long list and you also see a "reject all" button or, even more user-friendly, all visible boxes are unclicked (or switches set to "off") and there is a "save choices" or similar button (sometimes grey, in a less prominent place, or smaller than the "accept all" button). You click on it and feel happy. Later you discover that there is a small third button, called "legitimate interest". If you click on it, you see a list of further cookies, sometimes accepted by default as their setting is not based on consent, unless the Parliament has its way and the new e-privacy regulation prohibits this. Hopefully you have the opportunity to object to all of them here as well. If you click on this, the text "objection submitted" appears beside each cookie. Does anyone know what this means? Will all objections be judged individually, on whether my specific situation justifies the objection, or are these cookies now prohibited?
If anybody knows the answer, tell me, please...