Skip to main content

What the games... tricks in cookie banners

 The e-privacy directive and the draft e-privacy regulation prescribe the rules internet sites have to follow in placing cookies. One of the main differences in opinion between the European Parliament and the Council, even within the Council was whether sites can place cookies based on legitimate interest. It is generally accepted that the e-privacy rules  should not be softer than the GDPR requirements. Many data protection experts believe that placing information on the terminal equipment of the user is so intrusive, that it should not be justified by legitimate interest. On the other hand, in case of processing of personal data based on legitimate interest, the user has the right to object - but only based on his/her particular situation.

Cookies sometimes are absolutely necessary to provide the on line service. Most of these, maybe all, do not have to be kept after the session is closed (for example those which indicate that the user has been authenticated, which serve that the user does not have to sign in again during a session, or cookies used to store the content of the purchase basket - in some cases the content of the basket could be retained after the user closed the session but this is risky in case several users use the same machine. The rule is that cookies which are deleted at the end of the session and cookies which are necessary to provide the services, can be placed on the computer of the user without consent. Any other cookie requires consent or the right to object should be provided.

A lot of sites (even sites dealing with the protection of personal data) do not completely comply. The rudest is when the cookie banner, appearing on the first screen when the user visits a website, only inform the user that cookies are used and by continuing to browse, the user accepts that cookies are placed on the computer. This is completely non-compliant as these are either strictly necessary or session cookies, when no consent is needed, or they are not, when the GDPR rules for consent apply: consent must be informed, specific and freely given and implicit consent or consent given by not acting (i.e. leaving a pre-clicked box clicked) is not valid. Other websites only offer the option to accept cookies - these are not any better, as although consent is given actively but not freely and not informed.

Of course the other extreme, giving information in detail about each cookie and then requiring the user to accept them one by one is also not user-friendly and also damaging for the owner of the site as people will not bother to click in dozens of boxes. Therefore even when giving detailed information about the individual cookies and the information they store, usually categories of cookies by purpose are being accepted or refused. Of course all information does not fit onto the banner, therefore usually there is a "more information" button on the banner. A rather user-friendly solution is when the boxes to click and accept the different categories of cookies are on the immediately appearing cookie banner while the details can be accessed by clicking on the "more information" button - which of course has to lead to a page from where it is easy to go back to the landing page with the cookie banner. I have even seen banners where there were three buttons: accept, more information (or settings) and reject all. These I liked.

The cookie categories can be: strictly necessary (no consent is necessary but the user is sometimes informed about them without the possibility to refuse them), functional (remembering the user's choices or the - last - visited sub-pages and thus making browsing more comfortable), analytics and advertising. Sometimes third party cookies are also set or other sites can also read the information in a cookie - mostly partners of the owner of the site. Listing all these partners and asking for consent for them to read the cookies one by one can result in a complicated cookie choice page.

Before showing the tricks some sites use, it has to be noted that withdrawing consent must be as easy as giving it - therefore somewhere on all pages a link should be visible which brings the user back to the choices. Also, the cookie choices have to be retained which is not trivial - before, I have seen cookie banners which offered the choice to reject all cookies except those which remember that cookies were rejected. For people familiar with recursion, this may sound ridiculous and one might also argue that the cookie storing the information that cookies are rejected are necessary cookies.  However, one penalty users refusing cookies can be subject to is that they have to respond to the cookie banner every time they visit a site. Of course the appearance of the cookie banner irrespective of whether consent was given or not and to which cookies, is one way to enable the user to refuse cookies any time.

Often the cookie choices are not on the cookie banner but have to be made on a separate page, in particular if the information and choices given are complex or multiple (like consent for each individual cookie or to cookies for reading of different partners). In this case a "reject all" and an "accept all" button can be useful. The trick some sites use is to have to scroll down the long list of cookies to find the "reject all" button or the "accept all" is in a vivid colour while the "reject all" is grey like the buttons which cannot be chosen (of course it can).

A mean practice is that the page where you can set the cookies is not accessible via a button showing "choices" or "options" but simply "more information" or "learn more". unfortunately in the least compliant cases these links indeed only lead to an information page without the possibility to choose but these are not tricks but simply non-compliant pages.

And then we come back to the different legal bases: those cookies where the basis is consent, are shown in a long list and you also see a "reject all" button, or even more user-friendly, all visible boxes are unclicked (or switches set to "off") and there is an "save choices" or similar button (sometimes grey or in a less prominent place, or smaller than the "accept all" button). You click on it and feel happy. Later you discover, that there is a small third button, called: "legitimate interest". If you click on it, you see a list of further cookies, sometimes accepted by default as their setting is not based on consent, unless the Parliament has its way and the new e-privacy regulation will prohibit this. Hopefully you have the opportunity also here to object to all. If you click on this, the text "objection submitted" appears besides each cookie. Does anyone know what this means? Will all objections be judged individually, whether my specific situation justifies the objection or are now these cookies prohibited?

If anybody knows the answer, tell me, please...



Labels:

Comments

Post a Comment

Popular posts from this blog

Transfer of Personal Data to Third Countries and International Organisations

Legal requirements The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have changed somewhat the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On one hand the conditions are clearer, on the other hand, new types of safeguards have been introduced. It has to be noted, that there are two possible situations: transfer from a European Institution as controller to another controller and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common between the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure) and the EDPS can also adopt contractual clauses but these also have to be approved by the Commission under the same procedure
Post a Comment
Read more

How to prepare for the new GDPR?

If you are completely complying with the "old" data protection rules, you do need have to do a lot about your existing operations processing personal data. Some of the rules were, however open to interpretation and thus some "cutting corners" has been made impossible, like implicit consent. The new "right to be forgotten" also applies immediately to all processing (if there is a request, of course) where the retention was defined too liberally. Different national rules which you followed may be too lenient or too stict so at least a review of what you do amd how you do it is indispensable. Documentation also has to be completed, the "privacy by design" and "privacy by default" concepts and the obligation for data protection impact assessment, however, applies only to newly starting or significantly changed processing. So what about consent? First of all, it has to be noted that - contrary to what you can read sometimes - it is n
1 comment
Read more

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR , even the recitals do not mention transmission of personal data to other European organisations. Of course, the use of processors is regulated in both acts, but not the transmission to another controller. It can be concluded that the transmission to entities under the same legislation is not covered while transmission from EU institutions to entities under a regulation which has a wider scope, is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the sam
Post a Comment
Read more