
Do cookies burn?

Are you up to date on cookies? Laura Cerrato, DPO of the Brussels Regional Informatics Centre, gives you some advice.

The legal framework

The cookie industry is regulated! Cookies? Cookies (and other tracking technologies) analyse the behaviour of users of websites and mobile apps. They come in different flavours: third-party cookies, functional cookies, so-called analytics cookies, etc. Third-party cookies in particular are under the microscope.

The legal framework:

  • The European ePrivacy Directive (in the process of becoming a Regulation), transposed into the Belgian code in 2012, which requires the absolute consent of the data subjects before any trackers are downloaded;
  • The European General Data Protection Regulation (GDPR), which requires that any processing of personal data directly or indirectly identifying a data subject must have a legal basis (e.g. explicit and specific consent), without which no processing can take place.

A burning situation

Who hasn't heard of the "Planet49" case? In 2020, the Court of Justice of the European Union (CJEU) issued a final judgement in this case referenced C-673/17. The ruling essentially states that pre-checking boxes on a cookie banner is prohibited, holding that valid consent could only be based on a positive, affirmative action by the user. This decision had a domino effect on the entire advertising industry, which led the Interactive Advertising Bureau Europe (IAB Europe) to update its Transparency and Consent Framework (TCF) at the time.

On 2 February 2021, the Belgian Data Protection Authority (DPA) deemed the "Transparency & Consent Framework (TCF)" of the same IAB non-compliant with the GDPR and issued a fine of €250,000.

Since 2021, NOYB - None of Your Business - Max Schrems' NGO that succeeded in having Privacy Shield invalidated, has targeted European websites over the compliance of their cookie banners. NOYB launched its offensive under Article 80.1 of the GDPR. The NOYB organisation works by sending draft complaints to webmasters identified as non-compliant, urging them to comply with cookie legislation. If they do not respond, the association forwards these complaints to the relevant data protection authorities.

Then more recently, the Austrian Data Protection Authority ruled that Google Analytics violates Chapter V of the GDPR regarding international transfers. Explaining the factors of non-conformity in detail would take too long. Your DPO can assist you with this.

What to do about this fire?

  • Check that your cookie banner is technically compliant with the legal standards (contact your web developer):
    • no cookie can be downloaded without an action from the website visitor;
    • the visitor cannot be prevented from continuing to navigate the website, even if they refuse cookies or ignore the cookie banner. There is no implied consent!
  • Check that your privacy policy or dedicated cookie webpage is as transparent as possible and includes the information collected by the installed cookies, the associated legal basis ... and the international transfers made (if any) with the associated risks (Art. 49 GDPR). Your Data Protection Officer (DPO) will be able to assist you with this compliance.
  • If you receive an email from NOYB, you will have 1 month to comply or a complaint will be filed against your organisation.

With or without Google?

The Austrian judgement is limited to the Austrian territory. The decision therefore does not prevent the use of Google Analytics in other countries. However, the different DPAs have a uniform interpretation of the European Regulation. Therefore, they will take a similar position. It is important to remember that an Austrian visitor can complain to their own DPA about your website.

If you decide to continue with Google Analytics, in order to improve your compliance (which is not guaranteed) as a Data Controller:

  1. activate the Google Analytics "IP anonymisation" function;
  2. request specific consent for the use of Google Analytics and associated international data transfers (to the United States) in the cookie banner;
  3. conduct and document an appropriate transfer impact assessment (TIA, in accordance with EDPB Recommendations 01/2020) regarding the use of Google Analytics;
  4. disable Google Analytics for Austrian users and monitor developments in other EU member states.
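To make the banner rules above (no cookie before an affirmative action, no cookie wall, no pre-checked boxes) and steps 1 and 2 of the Google Analytics list concrete, here is an added example in browser JavaScript. It is not code from this article or from the Brussels Regional Informatics Centre: the cookie names, the `bric_consent` record cookie, the cookie-to-category map and the `GA_MEASUREMENT_ID` placeholder are all constructed assumptions. The `anonymize_ip` field is a real gtag.js configuration option (Universal Analytics; GA4 does not log full IP addresses by default).

```javascript
// Added example (not the article's or BRIC's code): a minimal consent gate.
// Assumptions: cookie names, the "bric_consent" record cookie, the category
// map and the GA measurement id placeholder are all constructed.

const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property
const CONSENT_COOKIE = 'bric_consent';

// Strictly necessary cookies may be set without consent (ePrivacy exemption).
const ESSENTIAL = new Set(['sessionid', 'csrftoken', CONSENT_COOKIE]);
// Known non-essential cookies mapped to the consent category they require.
const CATEGORY_OF = { _ga: 'analytics', _gid: 'analytics', _fbp: 'marketing' };

// Parse a document.cookie / Cookie header string into {name: value}.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return jar;
}

// Banner initial state: every optional category unchecked (Planet49).
function bannerInitialState() {
  return { analytics: false, marketing: false };
}

// A consent record may only come from an explicit button click. Scrolling,
// closing the banner or continuing to browse is never treated as consent.
function buildConsentRecord(choices, action) {
  if (action !== 'accept' && action !== 'reject') {
    throw new Error('consent requires an explicit accept/reject action');
  }
  const granted = action === 'accept' ? { ...choices } : bannerInitialState();
  return { ...granted, action, ts: new Date().toISOString() };
}

// Read the stored record; anything missing or malformed means "no consent".
function readConsent(jar) {
  try {
    const rec = JSON.parse(jar[CONSENT_COOKIE] || 'null');
    return rec && (rec.action === 'accept' || rec.action === 'reject') ? rec : null;
  } catch (e) {
    return null;
  }
}

// No cookie wall: the page always renders; only optional scripts need consent.
function decide(jar) {
  const consent = readConsent(jar);
  return {
    renderPage: true,
    showBanner: consent === null,
    loadAnalytics: consent !== null && consent.analytics === true,
  };
}

// Audit check: non-essential cookies present without a matching consent.
// Unclassified cookies are always reported so they get reviewed.
function cookiesSetWithoutConsent(cookieString) {
  const jar = parseCookies(cookieString);
  const consent = readConsent(jar) || bannerInitialState();
  return Object.keys(jar).filter((name) => {
    if (ESSENTIAL.has(name)) return false;
    const category = CATEGORY_OF[name]; // undefined => unclassified
    return !(category && consent[category] === true);
  });
}

// Steps 1 and 2: configure GA only after a specific analytics opt-in, with
// IP anonymisation enabled.
function gtagConfigFor(jar) {
  if (!decide(jar).loadAnalytics) return null;
  return ['config', GA_MEASUREMENT_ID, { anonymize_ip: true }];
}

// Browser wiring (skipped outside a browser so the logic above stays testable).
if (typeof document !== 'undefined') {
  const config = gtagConfigFor(parseCookies(document.cookie));
  if (config) {
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_MEASUREMENT_ID;
    document.head.appendChild(s);
    window.dataLayer = window.dataLayer || [];
    window.gtag = function () { window.dataLayer.push(arguments); };
    window.gtag('js', new Date());
    window.gtag(...config);
  }
}
```

The gate only loads the analytics tag when `decide()` finds a record whose `action` is an explicit click and whose `analytics` flag is true; `cookiesSetWithoutConsent()` is the check a developer or DPO can run against `document.cookie` on a fresh visit, where the expected result is an empty list.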

There are also alternatives to Google. One example among many is Matomo.

In conclusion

In addition to the legal obligations, cookies raise a fundamental debate: compliance with Articles 7 "Respect for private and family life" and 8 "Personal data protection". The public sector must guarantee these rights. The ethical nature of these fundamental rights must also be part of the decision-making process. As these are not absolute rights, the Data Controller must strike a balance.

How will you respond to a data subject who files a GDPR/ePrivacy request on this issue of cookies? If a compliant response is not received, the individual may file a complaint with the DPA. The fact that a tool is easy to use or free, the absence of a legal basis for processing or of a legitimate interest ... these will not be the right arguments to put forward.