Tracking cookies as part of a revenue model

Tracking cookies as part of a revenue model

Recently, on its website, the Dutch Data Protection Authority published a standard explanation entitled: “Websites have to remain accessible when users refuse tracking cookies”. But what if tracking cookies are an essential component of your site’s revenue model? There are two ways to go, as I will discuss in this blog.

Data Protection Authority
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) rules that, based on the GDPR, the use of tracking cookies cannot result in websites being inaccessible to the user. In its standard explanation, the AP states that this would create a ‘take it or leave it’ situation, which is incompatible with the principle of freedom of choice.

Authority for Consumers and Markets
What makes this AP ruling particularly interesting is that use of this type of cookies is not regulated by the GDPR, but by the Dutch Telecommunications Law, which is the province, not of the Data Protection Authority, but of the Authority for Consumers and Markets (ACM). And the ACM, in contrast to the position taken by the AP, has ruled that it is okay for websites – with the exception of government sites – to use tracking cookies on condition that they ask for the user’s permission. In doing so, the ACM is aligning itself with the argument made by the Dutch government when it amended the Telecommunications Law in 2014, stating, at the time, that if users are not prepared to pay for access to specific websites, the allowability of using tracking cookies is to be related to consent given or withheld by such users.

ePrivacy Regulation
It is to be expected that the position taken by the ACM in alignment with the Telecommunications Law, will also be adhered to in the upcoming ePrivacy Regulation which will establish rules for the use of cookies on a European level. In its current proposed form, this regulation does not include a ban on tracking cookies if consent has been given by the user. To all likelihood, the final ePR will not deviate from this position.

So, what to do?
The least that can be said about the different rulings outlined above, is that the AP’s publication raises a number of questions. What to do under the circumstances, for instance. One option would be to simply ignore the statement made by the AP. Following the letter of the GDPR, the AP is justified to rule that consent does not qualify as a legal basis. You could choose to solicit a court ruling on this, but there is no way of predicting the outcome.

The second option is more pragmatic in nature. What the AP is saying is that initial accessibility of a website must be governed by freedom of choice.
Accessibility, in this context, can be defined as the availability of a website’s main or home page regardless of whether the user agrees to the use of tracking cookies. This rules out the existence of a ‘take it or leave it’ proposition. Then, if a user clicks on a link to some other page of the site, that is when your site has to ask permission for the use of tracking cookies.

Your website, in other words, is initially, principally accessible to all users, who then have the freedom of choice to continue to its further content or stay on the main page.

Their choice. As it is your choice to decide which way you want to go.

Antoine Boulanger trainer at The Privacy Factory

Leave a Reply

Close Menu