Would you like some cookies?
In a nutshell, cookies are small pieces of data that are stored on users' computers during their "visits" to various websites on the World Wide Web, in order to, among other things, enable the website to identify the user for subsequent visits to the same website.
The Office of the Commissioner for Personal Data Protection in Cyprus has received numerous complaints since the implementation of the GDPR against organisations whose websites use cookies without user consent. Accordingly, the Commissioner has issued a statement on 30th July 2019 aiming at settling and clarifying the proper approach when handling cookies.
The Commissioner proceeded with setting out Section 99(5) of the Regulation of Electronic. Communications and Postal Services (Law 112(I)/2004), as amended, which provides that:
"(5) The storage of information or the acquisition of access to already stored information in the terminal equipment of a subscriber or user shall only be allowed if the subscriber or user concerned has given his consent, based on clear and comprehensive information, provided in accordance with the provisions of the Processing of Personal Data (Protection of the Individual) Laws of 2001 and 2003 (as repealed by the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018)), inter alia for processing purposes.
Provided that this shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.".
Accordingly, based on the definition provided in the GDPR, consent should be specific and explicit, inter alia, to be obtained prior to processing. Furthermore, the Commissioner also stresses the importance of consent being freely given and being open to withdrawal.
The Commissioner explicitly clarifies that a mere notification from the website addressed to the user that it uses cookies and that by continuing to browse through the site the users accept the cookies, does not qualify as consent.
It becomes evident that no consent is required for the use of cookies which are strictly necessary for the operation of a website to provide a service for which the user has explicitly requested. This exception however does not include cookies that help the site to function better or to serve users better, but only applies to cookies that are absolutely and strictly necessary, meaning that without them the website would not be able to provide a service that the user has explicitly requested.
The Commissioner through published guidelines has provided that cookies can be classified as "session cookies" or "persistent cookies" depending on whether they are maintained when the user closes the browser. Typically, cookies that are exempted from consent are "session cookies" (deleted when the user closes the browser), with some exceptions for which the cookies are kept for a limited time depending on the expectations of the average user. For example, for "shopping cart" purposes, the user's options could remain stored for 1-2 hours if the user accidentally closes the browser and then visits the site again to purchase products in their basket.
Cookies can also be classified as "third party cookies" or not, depending on whether they are stored by the site administrator or by a third party. "Third party cookies" are usually not "strictly necessary" as they relate to a service that is separate from the service explicitly requested by the user.
Cookies that provide analytics for site traffic, although considered a very useful tool for webmasters, are not exempt from consent as they are not "strictly” or “absolutely” necessary since users may receive all the services provided from the site without them.
Through her public statement the Commissioner has made clear the proper procedure which webmasters must follow concerning the use of cookies when users browse through the World Wide Web and it is apparent that mere notifications of the fact that cookies are used are not enough and these types of notifications are not warranted as consent.
The Commissioner’s statement and guidelines concerning cookies are in line with Article 29 Working Party document 02/2013 providing guidance on obtaining consent for cookies, confirming the spirit of uniformity in the application of the principles promoted and enshrined in the GDPR.
Consequently, websites that use cookies should obtain the users' prior consent, after first informing them of how the cookies are used. The only cases where consent is not required are:
(a) for any technical storage or access, the sole purpose of which is to transmit a communication through an electronic communications network, or
(b) when absolutely/strictly necessary to enable an information society service provider explicitly requested by the subscriber or user to provide the service in question.'
Users must always be offered a real choice, not just an informative notification, in relation to the cookies used in the websites they visit during their browsing of the World Wide Web and they must be able to limit, reject or accept the use of cookies in the visited websites. The publishing of clarifying statements and guidelines by the national Supervisory Authorities of EU countries are integral in the proper application of the GDPR and reinforce the uniform application of the GDPR principles throughout the EU.
Article provided by: Constantinos Andronicou (tassos papadopoulos & associates, Cyprus)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org