Aleksandra Maciejewicz
12 May 2021

Cookie Q&A

What is the law regarding cookies and why do we have to click those consents on and on?


Well, the law in this area is quite chaotic. Currently, the use of cookies is primarily regulated by the GDPR and the Act – Telecommunications Law, which in this regard implements the EU Directive on privacy and electronic communications. At the same time, the EU E-privacy regulation and the national Electronic Communications Law are still being developed. What is more, we have various authorities that interpret the above-mentioned regulations more or less bindingly; these include the EDPB (the European Data Protection Board), the Polish President of the Personal Data Protection Office (PUODO), the CJEU (Court of Justice of the European Union), and the Polish courts.


Why do we constantly have to click consents? I think that in this regard the CJEU’s ruling of October 2019 has caused the most confusion, namely by equating cookie consent with consent to the processing of personal data under the GDPR. Earlier, EU entities ‘simply’ had to ensure that storing information, or gaining access to information already stored, on a user’s end device is permitted only where the user has given his or her consent, after receiving clear and comprehensive information about, among other things, the purposes of the processing. How that consent was expressed, however, was interpreted differently, as the provision itself gives no guidance on the form of consent. Thus, interpretations varied, and in practice so-called implied consent was also allowed, expressed, for example, by simply starting to use a website that displayed a bottom bar with information on all its cookies.


On the other hand, the above-mentioned ruling of the CJEU, apart from stating that in such cases we are talking about consent within the meaning of the GDPR – which, consequently, must be a free, specific, and informed expression of the user’s will – also narrowed the interpretation of such consent even further. Among other things, it ruled out the possibility of giving consent through silence (continuing to browse the website), boxes checked by default, or inaction.


What are the types of cookies? Which consents apply to which cookies?


As a lawyer, I probably have limited knowledge of the types of cookies; I think a more technical person could provide a comprehensive list. For me, cookies are divided into those technically necessary for the functioning of a website and all others, because only these essential cookies can work before the user gives consent. All others require consent. Still, I would also add that I’ve heard of the interpretation that functional cookies do not require consent either.


Moreover, please note that here I did not divide cookies into anonymous cookies and those that may constitute our personal information. The reason is that it is currently considered that any information stored on the end device of a user of an electronic communications network belongs to that user’s private sphere, which is subject to protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. This protection applies to any information stored on such end devices – irrespective of whether it is personal data – and is intended, in particular, as stated in the same recital, to protect users against the risk of hidden identifiers or other similar tools being introduced into users’ end devices without their knowledge (and this is a quote from a ruling of the CJEU, not my individual interpretation).


Why aren’t consents saved and have to be ‘unclicked’ each time?


I don’t know; I would have to ask the owner or administrator of a website where such a practice is followed. I can only guess that it could result from a number of reasons: among other things, the purpose or scope of the cookies has been changed, so the previous consent no longer covers such a change, or the browser automatically ‘cleans’ cookies from time to time, so it is necessary to renew the consent.


What are the cookie-related duties of the website publisher?


As I mentioned at the beginning, these are primarily information obligations that include, among other things, indicating the purpose and period (or, if that is not possible, the criteria for determining that period) of cookies, as well as whether third parties can access them. In addition, the information must be presented in a clear and comprehensive manner.


Another issue is to ensure that the form of consent is appropriate, as well as to put in place appropriate technical solutions that will enable the user to use the website in accordance with his or her consent. Importantly, even if consent is only given to set technically necessary cookies, the user must still have access to the website.


Why is it that some sites are riddled with tabs we need to un-click, while others are much more user-friendly, e.g., we only need a few clicks to opt out of all tracking cookies?


It probably depends on their own interpretation of the above-mentioned regulations and the related guidelines. If the method used by a given administrator makes it possible to determine objectively whether a website user has actually consented to the processing and whether the consent was given in an informed manner, then it should be considered valid. The form in which this method is implemented is then a more or less creative approach of the website administrator or owner.


Thus, as regards the number of clicks, it should be pointed out that the expression of intent must in particular be ‘specific’ – that means it must refer precisely to specific data processing and cannot be implied from an expression of intent that has a different purpose. In other words, theoretically, every purpose needs separate consent.


And if you add to this that consent is likewise not valid if the storage of information, or access to information already stored, on a website user’s end device has been accepted by means of a checkbox checked by default by the service provider (which the user must uncheck in order to deny consent), this is exactly what gives us that number of clicks.
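As an added example that is not part of the original article, the rules discussed above (technically necessary cookies work without consent, no purpose is pre-ticked, each purpose is consented to separately, and a changed scope requires renewed consent) can be expressed as a small consent gate in JavaScript. The purpose names, the CONSENT_VERSION value and the cookie names in the sample are assumptions for illustration.

```javascript
// Added example, not code from the original article. Purpose names, CONSENT_VERSION
// and the cookie names used below are assumed for illustration.
const CONSENT_VERSION = "2021-05";   // bump when the purposes or scope of cookies change

const PURPOSES = {
  essential:  { required: true,  label: "Session, security and load-balancing cookies" },
  functional: { required: false, label: "Remember language and display settings" },
  analytics:  { required: false, label: "Aggregate usage statistics" },
  marketing:  { required: false, label: "Third-party advertising cookies" },
};

// State shown to the user before any action: only required purposes are on,
// nothing else is pre-ticked (a pre-ticked box cannot produce valid consent).
function defaultConsent() {
  const state = {};
  for (const [name, p] of Object.entries(PURPOSES)) state[name] = p.required;
  return state;
}

// Record what the user actively ticked. Required purposes stay on regardless;
// each purpose is granted on its own, so ticking one never implies another.
function recordConsent(ticked) {
  const state = defaultConsent();
  for (const name of ticked) {
    if (!(name in PURPOSES)) throw new Error(`unknown purpose: ${name}`);
    state[name] = true;
  }
  return { ...state, version: CONSENT_VERSION, decidedAt: new Date().toISOString() };
}

// Gate called before any cookie is written. `consent` is null until the user
// has decided; the page is still served, so there is no cookie wall.
// A decision recorded under an older version no longer covers the new purposes.
function mayStore(consent, purpose) {
  if (!(purpose in PURPOSES)) return false;
  if (PURPOSES[purpose].required) return true;
  if (consent === null || consent.version !== CONSENT_VERSION) return false;
  return consent[purpose] === true;
}

// Helper for site code: writes the cookie only if its purpose is allowed and
// returns whether it did, so callers can degrade gracefully instead of failing.
function setCookieIfAllowed(consent, purpose, name, value, jar) {
  if (!mayStore(consent, purpose)) return false;
  jar[name] = value;   // `jar` stands in for document.cookie so this runs outside a browser
  return true;
}
```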


What are the reasons for the discrepancies in interpreting the cookie regulations?


These are different regulations and different authorities interpreting them. For instance, the French data protection supervisory authority (Commission nationale de l’informatique et des libertés) stands out in this field, having fined Google (€100 million) and Amazon (€35 million) over cookies in December 2020. Earlier that year, it also imposed multi-million fines on Carrefour.


Certainly, this issue will be unified by the E-privacy regulation, yet until it is implemented, let’s hope for comprehensive EDPB guidelines devoted entirely to cookie practices, or at least guidelines in this regard by the President of the Polish Personal Data Protection Office.


Is there such a thing as good publisher practices?


Good practices are internal recommendations of various entities or groups of them; they are so-called private acts and are not commonly binding legal regulations. Another matter is approved codes of conduct or approved certification mechanisms, which are sanctioned by the GDPR. In its preamble, the GDPR directly states that associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, so as to facilitate the effective application of the GDPR, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.


What is a ‘legitimate interest’ in terms of cookies?


Before the CJEU ruling I mentioned above and the EDPB guidelines (namely Guidelines 05/2020 on consent under Regulation 2016/679 of 4 May 2020), it was thought that consent for cookies was not necessary if the basis for their use was a legitimate interest mentioned in the GDPR. Such a legitimate interest was deemed to include marketing one’s own services or improving them on the basis of user profiling. Currently, with regard to cookies, it is considered whether or not it will be technically possible to use a website without the cookie data. Some also believe that we can talk about legitimate interest in the case of functional cookies that facilitate the use of a given website by, among other things, remembering passwords or settings of a user. At the same time, there are equally frequent opinions that in such cases consent is necessary.


Can access to a website be made conditional on consent?


No, and the EDPB has clearly confirmed this, namely by stating that setting up a so-called cookie wall is not allowed. Consent must be voluntary, and there is no denying that cookie walls enforce it.
