We briefly mentioned the cookie policy and how it will need to change in the previous articles. Let's take a closer look at how cookie consent should look under the GDPR. The changes follow from the fact that cookies are personal data in many circumstances, since they can be used to identify an individual. The GDPR addresses them in Recital 30, which states:

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

This affects cookies used for advertising and analytics, as well as cookies used by functional services such as chats and surveys.

So what are the key changes?

  • "By using this website, you accept cookies" will not be enough. The data subject needs to be given a real choice. That kind of phrase does not explain why the cookies are needed and offers no alternative. Website owners will not be able to force users to accept cookies as the price of reading information on their site.
  • Consent to cookies needs to be a clear affirmative action, such as ticking an opt-in box or choosing specific settings in a menu. As already explained, merely visiting a website does not imply consent.
  • Websites will need to provide an opt-out option: it must be as easy to withdraw consent as it was to give it. Users should be able to withdraw consent through the same type of action they used to give it. For example, if they ticked boxes on a form on the website, they need to be able to return to that same form to revoke consent.
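The three requirements above translate directly into front-end logic: write no non-essential cookie until an explicit per-category opt-in exists, treat the absence of a decision as refusal, and make withdrawal go through the same control and actually delete the cookies it covered. The following is an added example written for this article, not code from the original page or from any of the products it mentions. The category names, the cookie names listed under them, the six-month consent lifetime and the `cookie_consent` record name are all assumptions chosen for illustration; the storage layer is injected so the same logic runs against `document.cookie` in a browser or against an in-memory jar when tested.

```javascript
// Added example (not from the original article): a small consent-gating layer.
// Non-essential cookies are written only after an explicit opt-in for their
// category; withdrawal uses the same object and removes the covered cookies.
// Category names, cookie names and the lifetime below are hypothetical.

const CONSENT_COOKIE = 'cookie_consent';          // strictly necessary: stores the user's own decision
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;       // re-ask after six months (assumed policy)

// Hypothetical mapping from consent category to the cookies it covers.
const CATEGORIES = {
  analytics: ['_ga', '_gid'],
  marketing: ['_fbp', 'ad_id'],
};

// In-memory cookie jar so the example runs outside a browser.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Browser adapter over document.cookie with the same interface as MemoryJar.
class BrowserJar {
  get(name) {
    const hit = document.cookie.split('; ').find((c) => c.startsWith(name + '='));
    return hit ? decodeURIComponent(hit.slice(name.length + 1)) : null;
  }
  set(name, value, maxAge) {
    document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
  }
  remove(name) { document.cookie = `${name}=; Max-Age=0; Path=/`; }
}

class ConsentManager {
  constructor(jar) { this.jar = jar; }

  // The recorded decision, or null when the visitor has not made one.
  // No record never counts as consent: "by using this site" is not a choice.
  decision() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch { return null; }
  }

  isAllowed(category) {
    const d = this.decision();
    return d !== null && d.choices[category] === true;
  }

  // Call this only from an affirmative action (a click on an opt-in control),
  // never on page load. Categories not explicitly set to true are stored as refused.
  grant(choices) {
    const record = { version: 1, at: new Date().toISOString(), choices: {} };
    for (const cat of Object.keys(CATEGORIES)) record.choices[cat] = choices[cat] === true;
    this.jar.set(CONSENT_COOKIE, JSON.stringify(record), CONSENT_MAX_AGE);
    return record.choices;
  }

  // Withdrawal is as simple as granting: update the record and delete every
  // cookie that the withdrawn categories covered.
  withdraw(categories) {
    const d = this.decision();
    const choices = d ? { ...d.choices } : {};
    for (const cat of categories) {
      choices[cat] = false;
      for (const name of CATEGORIES[cat] || []) this.jar.remove(name);
    }
    return this.grant(choices);
  }

  // Gate for any code that wants to set a non-essential cookie.
  setCookie(category, name, value, maxAge = 86400) {
    if (!this.isAllowed(category)) return false;   // refused or undecided: write nothing
    this.jar.set(name, value, maxAge);
    return true;
  }
}

// Walks through the lifecycle on the in-memory jar and returns the observable states.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar);
  const beforeChoice = cm.setCookie('analytics', '_ga', 'GA1.2.123');    // no decision yet
  cm.grant({ analytics: true });                                          // marketing stays refused
  const afterOptIn = cm.setCookie('analytics', '_ga', 'GA1.2.123');
  const marketingBlocked = cm.setCookie('marketing', '_fbp', 'fb.1.x');
  cm.withdraw(['analytics']);                                             // also deletes _ga
  return { beforeChoice, afterOptIn, marketingBlocked, remaining: jar.names() };
}
```

Two caveats a practitioner would raise: the consent record cookie itself is exempt from consent because it is strictly necessary to honour the user's choice, but it must contain nothing beyond that decision; and gating on the client is only half the job, since tags injected server-side or by a tag manager must consult the same record before loading.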

Cookie law enforcement - example

On February 16th, the Court of First Instance of Brussels convicted Facebook of non-compliance with the Belgian privacy and cookie rules. The dispute had started long before, on 13 May 2015, when the Belgian Privacy Commission published a recommendation urging Facebook to implement several corrective measures. Since no agreement could be reached, the matter was taken to court.

Besides the financial penalties, Facebook must cease placing specific browser-identification and tracking cookies without properly informing the data subject. It must also cease collecting data through cookies set by social plugins placed on third-party websites, as their use can result in a violation of the fundamental right to privacy. Furthermore, the court ordered Facebook to delete all personal data of data subjects on Belgian territory that was obtained via the cookies found to violate the rules.

Facebook is expected to appeal the decision. However, to avoid accumulating penalties, it should also address the concerns raised by the Belgian authorities. While the case is not directly related to the GDPR, since it began before the new Regulation was in place, it sets a precedent for enforcing such laws. For a long time, few people thought about the risks that using cookies implied. The penalties imposed on Facebook will hopefully raise awareness and serve as a precedent once the GDPR applies.