By Charlotte Halford and Stuart Hunt

|

Published 07 February 2024

Overview

As we have written in our previous newsletters, across the continent, European regulators are taking an increasing hard line on companies who fail to ensure that their websites are compliant with cookies regulations. Efforts also continue to encourage businesses to get their own houses in order

The latest signal in this campaign comes from France, where the French data protection authority (CNIL) has fined Yahoo! €10 million for failings identified with the company's use of cookies, which included:

  • Cookies being applied without the user's consent. When accessing the Yahoo.com website, in the absence of any express consent, approximately twenty cookies for advertising purposes were deposited.
  • Offering an incentive not to withdraw consent. When users of the Yahoo! Mail messaging service sought to withdraw the consent given for the application of cookies, they were informed that access to both the messaging service and other services offered by the company. Linking the registration of cookies not strictly necessary to the use of a service is not illegal. However, consent must be freely given, and the company did not offer an alternative to those users withdrawing consent. With the only option presented being to give up the service, the withdrawal of consent could not be exercised freely.

This decision is consistent with other recent developments in Europe which highlight an increasingly robust approach being taking by European regulators regarding cookie compliance.

Furthermore, the Dutch data protection authority was provided with extra funds1 in late 2023 for supervision activities in relation to cookies and online tracking, and the Spanish data protection authority, AEPD, released updated guidance for organisations using cookies in January 20242.

As we set out in our update in December, the European Data Protection Board recently concluded a consultation on new draft guidelines on the ePrivacy Directive, which could also potentially extend the legislation's application to emerging technologies.

The EDPB has also engaged with the European Commission's Cookie Pledge (the Pledge), an initiative to create a voluntary business pledge to simply the choices faced by consumers when encountering cookies and personalised advertising choices. The initiative has emphasised issues with 'cookie fatigue', with consumers facing lengthy and technical requests, along with the rejection of cookies not recorded and needed to be repeated each time a website is visited.

Draft pledging principles were published in December 2023, proposing the following measures for those companies willing to commit to the pledge:

  1. The consent request will not contain information about essential cookies or reference data collected on the basis of legitimate interests.
  2. It will be explained upfront when content is financed at least partially by advertising when users access the website/app for the first time.
  3. The use of cookies is usually attached to a specific model of business, whether accepting advertising based on tracking, accepting other types of advertising or agreeing to pay a fee. Each business model will be presented in a succinct, clear and easy to choose manner. This will include clear explanations of the consequences of accepting or not-accepting trackers.
  4. If tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising.
  5. Consent to cookies for advertising purposes should not be necessary for every single tracker.
  6. No separate consent for cookies used to manage the advertising model selected by the consumer (e.g. cookies to measure performance of a specific ad or to perform contextual advertising) will be required as the consumers have already expressed their choice to one of the business model.
  7. The consumer should not be asked to accept cookies more than once in a one year period, to ensure refusal of consent is appropriately reflected.
  8. The consumer should be able to decide they wish to refuse certain types of advertising model, which may include empowering them to refuse cookies from websites through software settings.

Following a meeting in December 2023, the European Commission indicated that it is aiming to present a final version of the Pledge and documents on the practical aspects of the Pledge and its governance by April 2024.

 


[1]https://open.overheid.nl/documenten/4835821b-a892-4ec5-8cce-878f0644703e/file (Dutch language)

[2]https://www.aepd.es/guias/guia-cookies.pdf (Spanish language)

Authors