Refusing tracking cookies : what were the rules again?

Share
Share on linkedin
Share on facebook
Share on google
Share on twitter

It remains fairly common for internet users to be denied acces to websites when they choose not to accept (tracking) cookies. But are websites actually allowed to do this? In this blog post, we will look at the legal provisions applying to the use of tracking cookies.

We’ve all seen them so many times we lost count, those pop-ups offering us the chance to refuse cookies when visiting a website. For many of us, they are primarily a source of returning annoyance. But they appear to be a fact of life and there really isn’t that much of a choice, is there? You can either accept the cookies a site is going to put on your computer, or you can go and find another website, that’s about as flexible as it gets. As a result, many website visitors simply ‘choose’ to accept whatever cookies a site is about to throw at them. Which is exactly what businesses want.

But did you know that websites only allowing visitors access to their content if they accept so-called ‘tracking cookies’ are in fact acting in violation of the GDPR? In this blog post, we will take a closer look at this specific type of cookies from a GDPR perspective and in the context of the Dutch Telecommunication Act.

What are cookies?

Cookies are small files which are downloaded by website providers to the device used by visitors – their computer or smartphone for instance – for the purpose of collecting and storing information about the visit or about (the device used by) the visitor. In this blog, we will be focusing on the use of ‘tracking cookies’, a special subset of cookies. If you are interested in the legal requirements applicable to other types of cookies, please refer to the website of the Dutch Authority for Consumers and Markets (ACM).

One way of protecting yourself against cookies is to use the incognito mode of your browser which will then refrain from saving history data and non-essential cookies. Do you want to know how to remove cookies? Check the Radar five-step plan.

Tracking cookies

Of all types of cookies commonly used, the most privacy-invasive variant is the category known as tracking or marketing cookies, since they have the ability to trace a visitor’s online behaviour. Tracking cookies are sent to and stored on personal devices in order to identify users of the internet on one or more websites. They not only keep track of sites visited, but they also record other data, like the IP-address and the type of device being used. Storing these data then allows for profiling – the creation of individual consumer profiles which are used for targeted advertising and other commercial activities.

Legal provisions for tracking cookies

In The Netherlands, the Dutch Telecommunication Act applies where websites are using cookies. If, based on the use of cookies, personal data are being processed, the GDPR applies as well.

Telecommunication Act aka ‘Cookie Act’

The Dutch Telecommunication Act includes rules concerning the use of cookies (Article 11.7a Tw) based on EU ePrivacy Guideline 2002/58/EC. In one of our recent blog posts, we discussed the e-privacy directive which in its definitive iteration, to be finalised towards the end of 2021 or early in 2022, is supposed to replace the current guideline. For more information on the e-privacy directive and the changes it is expected to introduce, refer to this previous blog here.

Among the rules listed in Article 11.7a TW of the Telecommunication Act is the requirement of user consent for actual cookie placement (Article 11.7a, 1, b). Also, website visitors have to be informed on the purposes for which cookies are being used (Article 11.7a, 1, a). To both requirements there are exceptions, specified in Article 11.7a, 3. If for instance, cookies are necessary for the website to perform properly or if they serve the exclusive purpose of enabling communication within an electronic communications network, the obligation to inform and the requirement of consent do not apply.

How about the GDPR?

Strictly speaking, the GDPR is primarily about the protection of personal data, which does not necessarily cover cookie placement. However, the GDPR does apply to the use of tracking cookies, since these cookies, whether triggered by a Facebook Pixel or Like button or whatever other mechanism, most definitely or at least usually imply the processing and transfer of personal data. So, what does the GDPR have to say about the use of tracking cookies?

Necessity or consent

Processing personal data is only allowed if a “legitimate basis” can be shown to exist. Article 6,1 of the GDPR lists six of these justifications, among them necessity in the context of business requirements such as the performance of a contract.

If, however, a company wants to follow the online activities of people by using tracking cookies, they always have to obtain prior permission from the data subjects, which must be requested in a legally valid way. Where cookies are not, or not significantly privacy-invasive, consent is not required.

In order for consent to be legally valid in terms of the GDPR, it must be “freely given, specific, informed and unambiguous’’ (Article 4, 11 of the GDPR). Thus, a simple box with a default setting of checked is not sufficient, as explained by the European Court of Justice.

As early as 2019, the Data Protection Authority (DPA) ran an inquiry on the use of tracking cookies which demonstrated that of all the websites using them, almost half did not meet the requirement of consent.

It is, for instance, fairly common for visitors to be denied access to a website when they refuse to accept tracking cookies. When, as a result of this ‘cookiewall’, sites or services are unavailable to consumers, they may yield to the pressure and agree after all. In this case, their consent does not qualify as being ‘’freely given’’ and as such, does not provide a legitimate basis for the placement of tracking cookies.

Obligation to inform

Much like the Dutch Telecommunication Act, the GDPR also specifies the obligation to inform, meaning that data subjects have to be given prior information on the nature of the personal data to be processed, the purposes for which and the manner in which they are to be processed. This information, as mentioned in Article 12, 1 of the GDPR, must be provided in a concise and intelligible form.

Conclusion

If a website uses tracking cookies, visitors should be informed in a timely manner. Websites also need legally valid consent from their visitors in order for the placement of tracking cookies to be allowed. This implies that visitors must have the – real – option to refuse these cookies. Otherwise, they cannot consciously and appropriately exercise their right to protection of personal data. Therefore, websites must remain accessible for people who refuse tracking cookies, or they will be in violation of the GDPR.

Ivy Woanya

Ivy Woanya

Ivy Woanya is a legal counsel at The Privacy Factory. She is currently following the Master Internet, IP and ICT at the Vrije Universiteit Amsterdam. She has a passion for privacy, Big Data and Artificial Intelligence.

Recent publications

Privacy Weekly

Subscribe to Privacy Weekly and stay up to date on recent privacy trends and developments.

In search of

Free GDPR|Check

Connect with us

Subscribe to Privacy Weekly

Subscribe to Privacy Weekly
A privacy alert, blog post or white paper in your inbox every Thursday!
cookie

We use only functional and analytical cookies to ensure that we give you the best experience on our website. This means that our cookies do not collect personal data. Learn more.