Cookie consent pop-ups among the ICO’s intended topics of discussion at the recent G7 meeting

Cookie consent pop-ups need to be tackled in order to provide more meaningful consent and a better browsing experience, according to the ICO.

 

At a recent meeting for the data protection authorities of G7 countries, the ICO decided to tackle the topic of cookie consent pop-ups. The ICO has mentioned that there have been complaints among the general population about the need to constantly interact with cookie consent pop-ups when arriving on a website. More importantly, the ICO believes that these cookie consent pop-ups, especially when configured awkwardly, tend to have the effect of causing people to consent to giving more personal information than they would like. The ICO released a statement earlier this month discussing their intent to bring this topic up at a recent G7 meeting.

 

The ICO is of the opinion that currently, cookie consent pop-ups may cause individuals to consent to more use of their personal data than they would have liked.

 

Cookie consent pop-ups and requirements have been a topic of conversation for quite some time, not only among the general population on the interwebs, but also by relevant data protection authorities. Recently we published an article discussing the best practices for cookie consent pop-ups and banners, as outlined by the Malta DPA. In preparation for the virtual meeting on September 7-8, the ICO expressed interest in discussing this with fellow G7 data protection and privacy authorities. The Information Commissioner expressed a belief that, in their current form, some cookie consent pop ups and banners may cause individuals to consent to more access to and use of their personal data than they would have liked.

 

While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development.

 

The ICO has recently announced several intended changes to their data protection model, and cookie consent pop-ups were one of the key points the authority expressed interest in. While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development. The ICO holds a vision for the future where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, instead of having to do that through pop-ups each time they visit a website. This may allow individuals to be more intentional in their selections, rather than selecting whatever they feel that they need to, in order to get past a banner. This approach is definitely already technologically possible and compliant with data protection law as well, however the ICO believes that more can be done to effect change and promote more privacy oriented solutions.

 

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive, which together ensure the protection of natural persons with regard to cookie consent pop-ups and banners.

 

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive. There are several types of cookies, which in most cases users can choose from. For example, a user can choose to only allow the storage of necessary cookies, and reject any additional cookies for marketing or preferences. Recital 30 of the GDPR, does make mention of the importance of cookies, insofar as they can be used to identify individuals, especially with the amount of information on a user, which can be stored through the use of cookies. The ePrivacy Directive is sometimes known as the “cookie law” as it has been very instrumental in influencing the current use of cookie consent pop-ups, and ensuring that consent is ethically sourced for the use and storage of cookies. The rules regulating cookies are continuously being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will naturally be a continuous job.

 

 

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Guidance on cookie consent requirements from Malta DPA

The guidance on cookie consent requirements from the Malta DPA gives insight on the applicable legal framework for their use.

 

The Data Protection Authority of Malta has just published guidance cookie consent requirements to aid businesses and organizations in setting them up correctly on their web pages and apps. Cookies are alphanumeric files which are stored on a user’s device for later use. These later uses may include memorising preferences, storing session information or identifying a data subject through a unique identifier. Some cookies, known as tracking cookies, are used for the purpose of behavioral advertising. 

 

The guidance on cookie consent requirements from the Malta DPA heavily emphasizes the notion of consent. 

 

The application of cookieson a website or app is allowed under the applicable laws once they meet certain requirements. The guidance from the Malta DPA focuses on tracking cookies, understood as those used for commercial purposes to deliver behavioural advertising. According to the guidance, for tracking cookies to be lawfully installed on a user’s device, a valid consent mechanism which allows users to take affirmative action giving prior informed consent to the cookies must be implemented. Originally under the ePrivacy Directive, and now also under the GDPR, the notion of consent is very relevant to lawfully obtaining and storing information on data subjects. 

 

The notion of consent in the ePrivacy Directive is linked to that of the GDPR. As a result, in order for stakeholders to obtain valid consent within the scope of the ePrivacy Directive provisions, the elements of valid consent as upheld by Article 4(11) GDPRare applicable in a cumulative manner. This means that consent must  be freely given, specific, informed, and must result from an “unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action” and this is what  would signify agreement to the processing of personal data relating to them. This consent must also be withdrawable.

 

According to Regulation 5(1) of the “Processing of Personal Data (Electronic Communications Sector) Regulations” (Subsidiary Legislation 586.01), which transposes article 5(3) of the ePrivacy Directive, the “storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent”.

 

Transparency is necessary in all matters to ensure that the rights and freedoms of data subjects remain protected. 

 

The GDPR maintains that data subjects must be informed, and have at the very least, a basic understanding of the state of play, allowing them to decide whether or not to give consent and how to exercise the right to withdraw consent. Pursuant to article 7(3) of the GDPR, data subjects should be able to withdraw their consent at any time and it should be as easy to withdraw their consent as it is to give it. With regards to cookies, transparency refers to the provision of adequate information regarding the processing operation, including how data subjects can exercise their rights. Accordingly, the GDPR stipulates that individuals must also be informed on how to withdraw their consent before it is given. The failure to provide data subjects with a permanent withdrawal option, including the relevant information on withdrawal, infringes several articles of the GDPR.

 

According to the guidance on cookie consent, cookie walls, pre-ticked boxes and scrolling infringe on the regulations governing cookie consent. 

 

In order to fairly and transparently obtain informed consent from users, there are some features which must be avoided as they compromise the rights and freedoms of users. The Malta DPA, in their non-exhaustive list of practices deemed non-compliant, makes mention of cookie walls, pre-ticked boxes and necessary scrolling. 

 

Cookie Walls

 

Cookie walls are banners linked with a website or a mobile app which only allow users to access the site or app after the user grants consent to the use of all cookies and to the purposes for which they are processed. In these cases, access to the website or mobile app is not possible by other means. Indiscriminately collecting personal data through this approach, essentially denies users a  genuine choice, falls foul of the consent requirements as set out in the applicable laws and it is considered to be an unlawful practice. In these cases, consent is in fact not “freely given”. For consent to be freely given, access to services and functionalities should not be made conditional upon the user’s consent for storing information, or gaining access to information already stored, in the device. 

 

Pre-ticked Boxes

In some cases, users’ consent for installing exempt cookies on their devices is sought by using pre-ticked opt-in boxes. According to  recital 32 of the GDPR, “silence, pre-ticked boxes or inactivity should not […] constitute consent”.  As a result, pre-ticked boxes are not a valid tool to obtain consent under the GDPR, specifically with regard to cookies. The approach of using pre-ticked boxes is considered unlawful. 

 

Scrolling  

 

The practice of obtaining consent through a user’s action, such as scrolling or swiping through a web page or pages, does not count as “clear and affirmative”, in terms of the requirements of article 7 of the GDPR and as well as recital 32. As a result, this approach does not satisfy one of the core requirements of valid consent. In addition, this practice makes it extremely difficult to inform, as well as provide the user with his right to withdraw their consent, as easily as it was initially obtained.

 

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Vienna based company fined for unlawful data collection and processing under GDPR

A Vienna based company incurred a GDPR fine of €2 million for the unlawful collection and processing of user data. 

 

A GDPR fine of €2 million was recently imposed on the Vienna based loyalty program operator, Unser Ö-Bonus Club GmbH, for unlawfully processing user data. The company was accused of collecting user data without making the users sufficiently informed of the intended use of their data. Data subjects whose personal data is processed, must be specifically informed of the intended use of their data and be allowed to opt out of the arrangement if they choose to do so. However, businesses that allow users to accept their privacy policy without giving them adequate opportunity to fully read and understand the terms are liable to be fined, according to this latest decision by the Austrian Data Protection Authority. It should also be noted that data subjects should be asked whether they have read and understood the Privacy Policy rather than prompting them to ‘accept’ it, as the latter should be applicable only where the lawful basis for processing is consent.

 

While the company provided users with a privacy policy, it was considered improperly placed, and therefore unable to adequately inform users. 

 

Unser Ö-Bonus Club GmbH was found to have provided a form for registration for their service which collected user data, and created profiles for users using this data. The data was then passed on to advertising partners for marketing purposes. While the company provided new users with a privacy policy, it was found to have been improperly placed, at the point where a user is issuing consent when signing up for their service. Users who were signing up would have had to scroll past the option for clicking yes or no to give their consent, down to the privacy policy. Their format was therefore not seen as appropriately able to inform users of the terms of usage of their data. 

 

The Vienna based company was found to have violated several GDPR guidelines. 

 

Unser Ö-Bonus Club GmbH was found to have violated a number of guidelines, including unlawful user data collection, insufficient acquisition of  consent, unlawfully processing personal data for profiling consumers, and continuation of violation after admission. The violations concern Articles 6, 7, 12, and 13 of the GDPR. According to the GDPR, businesses processing personal data can do so only if the processing and its purposes are legal. Also, companies collecting personal data after consent should be able to demonstrate – whenever required – that they have obtained consent for the specific purposes for which the data was collected. GDPR further requires that notice of collection should be given at the data collection point and that nothing should be hidden from the users with regards to their data.

 

The company incurred a heavier fine because it continued to use unlawfully collected data after admittance to the violations. 

 

After the company admitted to the violations during the investigation, they continued to handle the data which was unlawfully collected. Although the company amended the form, it continued to unlawfully use the collected personal data, from the previous form, which was deemed inadequate. The company blamed the Austrian Data Protection Authority for not informing them that their continued use of that data was deemed unethical and unlawful. However, the Authority concluded that an additional fine would be applied for that violation as well, bringing the total fine to €2 million. 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.