Guidance on cookie consent requirements from Malta DPA

The guidance on cookie consent requirements from the Malta DPA gives insight on the applicable legal framework for their use.


The Data Protection Authority of Malta has just published guidance cookie consent requirements to aid businesses and organizations in setting them up correctly on their web pages and apps. Cookies are alphanumeric files which are stored on a user’s device for later use. These later uses may include memorising preferences, storing session information or identifying a data subject through a unique identifier. Some cookies, known as tracking cookies, are used for the purpose of behavioral advertising. 


The guidance on cookie consent requirements from the Malta DPA heavily emphasizes the notion of consent. 


The application of cookieson a website or app is allowed under the applicable laws once they meet certain requirements. The guidance from the Malta DPA focuses on tracking cookies, understood as those used for commercial purposes to deliver behavioural advertising. According to the guidance, for tracking cookies to be lawfully installed on a user’s device, a valid consent mechanism which allows users to take affirmative action giving prior informed consent to the cookies must be implemented. Originally under the ePrivacy Directive, and now also under the GDPR, the notion of consent is very relevant to lawfully obtaining and storing information on data subjects. 


The notion of consent in the ePrivacy Directive is linked to that of the GDPR. As a result, in order for stakeholders to obtain valid consent within the scope of the ePrivacy Directive provisions, the elements of valid consent as upheld by Article 4(11) GDPRare applicable in a cumulative manner. This means that consent must  be freely given, specific, informed, and must result from an “unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action” and this is what  would signify agreement to the processing of personal data relating to them. This consent must also be withdrawable.


According to Regulation 5(1) of the “Processing of Personal Data (Electronic Communications Sector) Regulations” (Subsidiary Legislation 586.01), which transposes article 5(3) of the ePrivacy Directive, the “storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent”.


Transparency is necessary in all matters to ensure that the rights and freedoms of data subjects remain protected. 


The GDPR maintains that data subjects must be informed, and have at the very least, a basic understanding of the state of play, allowing them to decide whether or not to give consent and how to exercise the right to withdraw consent. Pursuant to article 7(3) of the GDPR, data subjects should be able to withdraw their consent at any time and it should be as easy to withdraw their consent as it is to give it. With regards to cookies, transparency refers to the provision of adequate information regarding the processing operation, including how data subjects can exercise their rights. Accordingly, the GDPR stipulates that individuals must also be informed on how to withdraw their consent before it is given. The failure to provide data subjects with a permanent withdrawal option, including the relevant information on withdrawal, infringes several articles of the GDPR.


According to the guidance on cookie consent, cookie walls, pre-ticked boxes and scrolling infringe on the regulations governing cookie consent. 


In order to fairly and transparently obtain informed consent from users, there are some features which must be avoided as they compromise the rights and freedoms of users. The Malta DPA, in their non-exhaustive list of practices deemed non-compliant, makes mention of cookie walls, pre-ticked boxes and necessary scrolling. 


Cookie Walls


Cookie walls are banners linked with a website or a mobile app which only allow users to access the site or app after the user grants consent to the use of all cookies and to the purposes for which they are processed. In these cases, access to the website or mobile app is not possible by other means. Indiscriminately collecting personal data through this approach, essentially denies users a  genuine choice, falls foul of the consent requirements as set out in the applicable laws and it is considered to be an unlawful practice. In these cases, consent is in fact not “freely given”. For consent to be freely given, access to services and functionalities should not be made conditional upon the user’s consent for storing information, or gaining access to information already stored, in the device. 


Pre-ticked Boxes

In some cases, users’ consent for installing exempt cookies on their devices is sought by using pre-ticked opt-in boxes. According to  recital 32 of the GDPR, “silence, pre-ticked boxes or inactivity should not […] constitute consent”.  As a result, pre-ticked boxes are not a valid tool to obtain consent under the GDPR, specifically with regard to cookies. The approach of using pre-ticked boxes is considered unlawful. 




The practice of obtaining consent through a user’s action, such as scrolling or swiping through a web page or pages, does not count as “clear and affirmative”, in terms of the requirements of article 7 of the GDPR and as well as recital 32. As a result, this approach does not satisfy one of the core requirements of valid consent. In addition, this practice makes it extremely difficult to inform, as well as provide the user with his right to withdraw their consent, as easily as it was initially obtained.


Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Case between Schrems and Facebook

Case between Schrems and Facebook intensifies as further questions are raised

Case between Schrems and Facebook intensifies as questions are forwarded from Austrian Supreme Court to CJEU.


Austrian lawyer and activist, Maximilian Schrems is once again making headlines, as Austrian Supreme Court accepted his request to refer key questions regarding his Facebook case to the CJEU. The focal point of this privacy case is Schrems claim that Facebook violates user rights under EU GDPR with regards to consent, and the fact that the company uses consent as contract permission to push targeted ads. According to recent reports, in this long standing case between Facebook and Maximilian Schrems, questions are being raised about the legal basis of Facebook’s data use of its EU customers. 

Facebook has been processing user data under the EU GDPR on the basis of a contract, as opposed to user consent. 


Ever since the EU GDPR came into effect in 2018, Facebook has, instead of relying on consent or user data processing, claimed that users were now under contract to receive personalized advertising. The EU GDPR had raised the requirements for consent, and this move was seen as a way for Facebook to undermine the EU GDPR and avoid obtaining informed and freely given consent from its users. 

Mr Schrems was quoted as saying “Facebook tried to strip users of many GDPR rights by simply ‘reinterpreting’ consent to be a civil law contract.” 


Facebook was also accused of failing to adhere to the GDPR principle of data minimisation. 


Facebook was accused of collecting more data than deemed necessary, particularly through its ‘like’ feature, present on as well as several other websites and sources. Questions regarding this matter, as well as Facebook’s use of sensitive user data (for example a user’s political opinion or affiliation or their sexual orientation) for the purposes of personalized advertising, we’re forwarded to the CJEU. Schrems claims that these questions are crucial. According to Schrems “ Facebook may not be allowed to use all data for advertisements anymore, even when I got valid consent. Equally, it may have to filter sensitive data from political opinions or data on sexual orientation.“


Maximilian Schrems was awarded €500 in symbolic damages for obstructive tactics used against him by Facebook. 


Facebook was accused of creating an “Easter egg” hunt when asked by Max Schrems to provide him full access to his data. According to the court, Mr. Schrems got neither his raw data in it’s totality, nor did he receive very crucial information like the legal basis for the processing of his data. As a result he was awarded €500 in symbolic damages, due to Facebook’s obstructive tactics. Several questions have now been forwarded from the Austrian Supreme Court to the Court of Justice of the European Union regarding Facebook’s alleged non compliance with the EU GDPR. 


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Facebook and WhatsApp data sharing

Facebook and WhatsApp data sharing requires further investigation, says EDPB

Further investigations are  required by the Irish Supervisory Authority before making a final decision regarding Facebook processing WhatsApp user data. 


The EDPB had adopted an urgent binding decision pursuant to Article 66 of the GDPR, requiring the Irish Supervisory Authority to carry out an investigation, rather than taking final measures, following a recent change in WhatsApp’s Terms of Service and Privacy Policy. The Supervisory Authority has adopted provisional measures towards Facebook Ireland, ordering a ban on the company processing user data from WhatsApp for their own purposes. However, the EDPB believes that further investigations are required to gain clarity on the processing activities in question. 


The EDPB concluded that the situation does not require any final measures as the conditions to demonstrate the existence of an infringement or an urgency have not been met. 


 The conclusion from the EDPB based on the evidence presented was that no final measures needed to be taken by the Supervisory Authority at this time. For one, the EDPB believes that there is a high likelihood that WhatsApp user data is already being processed by Facebook Ireland on the basis of joint controllership. The data is likely being processed in this way for the purpose of safety, security and integrity of all Facebook Companies including WhatsApp. Nonetheless, the EDPB is unable to determine with certainty what processing operations are indeed being carried out and in what capacity they are being carried out. This is due to various uncertainties and ambiguities in information provided to WhatsApp users. That being established, further investigations are required into those conditions before making any final decisions, especially considering the absence of any indication of a clear infringement or a need for urgency in this matter. 


The EDPB says further investigations are required by the Supervisory Authority to determine whether Facebook Ireland acts as a processor or joint controller with WhatsApp Ireland. 


While it is likely that Facebook is operating as a joint controller with respect to the processing of WhatsApp user data, the EDPB considers this to be unclear at this time and would like the Irish Supervisory Authority to further investigate and clarify whether Facebook Ireland is indeed acting as a joint controller or a processor. Currently, there is a lack of sufficient information regarding how data is processed for marketing purposes among the various Facebook Companies. Further investigations are required to also determine whether there is proper legal basis for those processing activities under the GDPR. 


The official binding decision will be published on the EDPB’s website once it has been properly assessed to ensure that any confidential information is redacted. However all relevant Supervisory Authorities, as well as Facebook Ireland and WhatsApp Ireland have been informed of the EDPB’s decision. 


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Colorado Privacy Act written into law

Colorado Privacy Act has been written into law, making Colorado the third US state with comprehensive privacy laws. 


The Colorado Privacy Act has recently been signed into law, giving comprehensive privacy laws to the residents of Colorado for the first time. Colorado is now the third US State to enact such laws, with theirs being very similar to those which came before it, with a few key differences. Unlike the California Consumer Privacy Act (CCPA), the CPA has adopted a WPA-like controller / processor approach, instead of a business / service provider perspective. This new law is said to look very familiar to this year’s Consumer Data Protection Act (CDPA) in Virginia, with a slightly broader scope. 


The Colorado Privacy Act is intended to apply to businesses trading with Colorado residents acting only in an individual or household context. 


The CPA applies to any data controller that conducts business in Colorado, as well as delivers commercial products targeted at the residents of Colorado, that meets the following requirements:


  • The business controls or processes personal data of at least 100,000 consumers during a single calendar year.
  • The business derives revenue or receives a discount from the sale of personal data, and processes all controls the personal data for at least 25,000 consumers.


According to the CPA, “consumer” refers to a Colorado resident, acting only as an individual or in a household context. This omits individuals acting in a commercial or employment context or a beneficiary thereof, or as a job applicant. Like the CDPA controllers, operating under the CPA do not need to consider employee personal data as applicable under this law.

The CPA applies to the exchange of personal data for monetary or other valuable consideration by a controller to a third party. 


Under the CPA, both monetary consideration and any other valuable consideration exchanged for personal data is considered the sale of personal information. Unlike the CDPA, the sale is not only defined by the exchange of monetary considerations. The sale described here excludes several types of disclosures. These include disclosures to a processor that is processing personal data on behalf of a data controller, disclosures to a third party for the purpose of providing a product or service requested by a customer, disclosures to an affiliate of the controller’s, as well as disclosures to a third party as part of a proposed or actual merger, acquisition, bankruptcy or another transaction in which the third party controls some or all of the controller’s assets. 

Deidentified data and publicly available information are not covered by the scope of the CPA’s definition of personal data. 


The CPA does not cover any publicly available information or deidentified data. The CPA defines publicly available data as “any information that is lawfully made available from … government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” These are both explicitly excluded from the CPA as is the case with the CDPA. Other exempt data under this law falls under two categories, entity-level exemptions and data-level exemptions. The entity level exemptions are broader and exempt controllers from the need to comply with CPA obligations and rights on data collected, even when the data would otherwise be included. For example the primary entity level exemption under the CPA applies to entities which are already regulated by the Gramm-Leach-Blilet Act for financial institutions. 


The Colorado Privacy Act provides five main rights to the consumer. 

The CPA provides five main rights for the consumer. These include the right of access, right to correction, right to delete, right to data portability, and the right to opt out. The right of access gives consumers the right to confirm whether a controller is processing personal data concerning them and the right of access to that personal data. Under the CPA consumers are also given the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purpose of the processing. Consumers also have the right to delete their  personal data. According to the right to data portability, consumers must be able to obtain their personal data in a portable and readily usable format which allows them to transmit the data to another entity without hindrance, where technically feasible. The CPA also gives consumers the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling for decision-making that may produce legal or similarly significant effects concerning them.


There are several obligations to be fulfilled by controllers and processors under the CPA. 


The CPA imposes several obligations on controllers. These include the duties of transparency, purpose specification, data minimization, care, avoidance of secondary use, avoidance of unlawful discrimination, data protection assessments, data processing contracts, and specific duties regarding sensitive data. The CPA requires a controller to provide consumers with a reasonably accessible, clear and meaningful privacy notice. If their data is sold to a third-party or processed for targeted advertising, the controller will have to clearly and conspicuously disclose the sale of processing as well as give consumers the means to opt out. Controllers must specify the express purposes for which they are collecting and processing personal data at the time of the collection of this personal data. The CPA also institutes a policy of data minimization requiring controllers to only collect personal data that is adequate, relevant and limited to what is reasonably necessary for the specified purposes of the collection and processing. In addition, Data controllers are not allowed to process personal data for purposes that are not reasonably necessary to, or compatible with the specified purposes for which it was collected, neither are controllers allowed to process sensitive data without consent. Data protection assessments and contracts are a necessary part of a controller’s obligations under the CPA. The CPA requires that processing must be governed by a contract between the controller and the processor.


Does your company have all of the mandated safeguards in place to ensure compliance with the CCPA, CPA, GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides GDPR ,Data Protection Act 2018 and comparative law consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.