Guidance Note on Cookies Consent Requirements
A cookie is a short alphanumeric text file which is stored (and later retrieved) on a user’s terminal equipment by a network provider, and which can be used for a variety of purposes, such as memorising preferences, storing session information or identifying a data subject through a unique identifier [i]. Cookies are often used for commercial purposes to deliver behavioural advertising. In such cases, they are generally referred to as tracking cookies.
The Applicable Legal Framework
Under the applicable laws, the installation of tracking cookies on users’ devices is lawful insofar as the prior informed consent of the user is obtained. This requires that stakeholders implement a valid consent mechanism by means of which an affirmative action is provided by the data subjects indicating their willingness to receive tracking cookies.
This obligation derives from the provisions of the ePrivacy Directive [ii], which aims to ensure confidentiality of communications and accordingly, its provisions particularise and complement the general rules of the protection of personal data. At the time of the adoption of the ePrivacy Directive, the requirements of consent were governed by the provisions of Directive 95/46/EC [iii], which have now been replaced by the consent regime of the General Data Protection Regulation [iv] (“GDPR”). Having said that, article 95 of the GDPR establishes that the GDPR should not impose additional obligations on natural or legal persons in relation to the processing activities contemplated by such Directive, being the lex specialis in this area.
Regulation 5(1) of the “Processing of Personal Data (Electronic Communications Sector) Regulations” (Subsidiary Legislation 586.01), which transposes article 5(3) of the ePrivacy Directive, provides that “[t]he storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent, having been provided by the controller with clear and comprehensive information in terms of article 19 [v] of the Act”.
Regulation 5(2) introduces an exemption to the aforesaid general rule by stipulating that “[t]he requirements contained in this regulation shall not prevent the technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or as may be strictly necessary in order for the service provider to provide an information society service explicitly requested by the subscriber or user to provide the service”, thus exempting certain categories of cookies from the requirement of consent [vi] (“exempt cookies”).
In one of its rulings [vii] delivered under Directive 95/46/EC, the Court of Justice of the European Union stressed that “[…] Article 5(3) of Directive 2002/58 requires that the user concerned has given his or her consent, having been provided with clear and comprehensive information, ‘in accordance with Directive [95/46]’, inter alia, about the purposes of the processing”.
The notion of consent in the ePrivacy Directive is linked to the notion of consent in the GDPR [viii]. Consequently, for stakeholders to obtain valid consent within the scope of the ePrivacy Directive provisions, the elements of valid consent, as enshrined in Article 4(11) GDPR, shall apply in a cumulative manner. Thus, when seeking cookie consent, the stakeholders shall ensure that consent is freely given, specific, informed, resulting from an “unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” and withdrawable.
Evidently, transparency is key to ensure that the rights and freedoms of the data subjects are safeguarded. The transparency principle in terms of article 5(1)(a) of the GDPR aims to provide the data subjects with at least a basic understanding of the state of play and thus allowing them to determine, for instance, whether or not to give consent and how to exercise the right to withdraw consent pursuant to article 7(3) of the GDPR. In relation to cookies, the requirement of informed consent translates into the provision of adequate information regarding the processing operation, including how data subjects can exercise their rights.
It is remarked that in terms of article 7(3) of the GDPR, data subjects shall have the right to withdraw consent at any time, and that it shall be as easy to withdraw as to give consent. The GDPR further stipulates that prior to obtaining consent, individuals shall be informed on how consent can be withdrawn. Failing to provide users with such permanent withdrawal option, including the relevant information surrounding such withdrawal, infringes articles 5(1)(a), 7(3), 13(2)(c) and 14(2)(d) of the GDPR.
Stakeholders are invited to consult the guidelines developed by the EDPB on consent [ix] to obtain further information and guidance about the requirements thereof.
Practices which are not considered to be compliant with data protection rules
A non-exhaustive list of practices deemed non-compliant, encountered by this Office in the course of its regulatory function, has been compiled below and is brought to the attention of the stakeholders.
1. Cookie Walls
A “cookie wall” is a banner linked with a website or a mobile app which only allows users to access the latter after the user grants consent to the use of all cookies and to the purposes for which they are processed. In these cases, access to the website or mobile app is not possible through any other means.
Figure 1: example of cookie wall.
The indiscriminate collection of personal data through this approach, which essentially presents the user with no genuine choice, falls foul of the consent requirements as set out in the applicable laws and it is considered to be an unlawful practice.
In fact, access to the service is subordinate to the provision of consent, and this makes such consent not “freely given”. It is hereby remarked that for consent to be freely given, access to services and functionalities should not be made conditional upon the user’s consent for storing information, or gaining access to information already stored, in the terminal equipment.
2. Pre-ticked boxes
In certain instances, users’ consent for installing exempt cookies on their devices is sought by means of pre-ticked opt-in boxes. In terms of recital 32 of the GDPR, “silence, pre-ticked boxes or inactivity should not […] constitute consent” [emphasis has been added]. As a consequence, pre-ticked boxes are not a valid tool to obtain consent under the GDPR specifically regarding cookies. The approach of using pre-ticked boxes is considered to be an unlawful practice; such principle has also been upheld by the Court of Justice of the European Union in one of its rulings [x].
Figure 2: example of pre-ticked boxes
The practice used to obtain consent by means of a user’s action, such as scrolling or swiping through a webpage, does not constitute a “clear and affirmative” act in terms of the requirements of article 7 of the GDPR and as further elaborated in recital 32. Consequently, this approach does not satisfy one of the core requirements of valid consent.
Stakeholders must be able to demonstrate that consent was obtained by means of an explicit and unambiguous positive action. Given the impractical nature of separating the precise action, by means of which the user would have given his or her consent from the other user’s interactions, such mechanism does not enable the stakeholder to effectively demonstrate that explicit and unambiguous consent has been obtained.
Furthermore, this practice makes it extremely difficult to grant the user his right to withdraw the previously given consent as easily as consent was initially obtained.
Figure 3: example of cookie banner seeking consent by scrolling.
An example of a good-practice approach to ensure compliance
Figure 4: cookie banner providing users with the options to accept or refuse all cookies on the same layer.
On a closing note, this Office stresses that the banner by means of which consent is sought should be configured to ensure that cookies that classify as non-exempt shall not be in use as soon as the user lands on the webpage, but are installed only after the user interacts with the banner and duly consents to the use of such cookies.
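The gating logic a banner needs in order to follow the points above (non-exempt cookies only after a clear affirmative click, refusal offered on the same layer, withdrawal as easy as consent, scrolling never recorded as consent), as an added illustration that is not code from this Office or from any particular consent tool; the cookie names, categories and purposes in the catalogue are constructed for the example:

```javascript
// Added example: a minimal consent gate. Cookie names and categories below
// are constructed for illustration; a real site substitutes its own catalogue.
const COOKIE_CATALOGUE = {
  session_id: { exempt: true,  purpose: "keeps the user logged in (strictly necessary)" },
  lang_pref:  { exempt: true,  purpose: "remembers the chosen language (requested by user)" },
  ad_tracker: { exempt: false, purpose: "behavioural advertising" },
  analytics:  { exempt: false, purpose: "audience measurement" },
};

// Only these banner interactions count as a clear affirmative action.
// Both buttons sit on the same layer, so refusing is as easy as accepting.
const AFFIRMATIVE_ACTIONS = new Set(["click_accept", "click_refuse"]);

// State before the user has interacted with the banner: no decision yet.
function createConsentState() {
  return { decision: null, action: null, timestamp: null };
}

// Record the user's choice. Scrolling, swiping, inactivity or a pre-ticked
// box are rejected here so that they can never be logged as consent.
function recordChoice(action, now = Date.now()) {
  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    throw new Error(`"${action}" is not a clear affirmative action; consent not recorded`);
  }
  const decision = action === "click_accept" ? "accepted" : "refused";
  return { decision, action, timestamp: now }; // kept as the record of consent
}

// Withdrawal is a single action, as easy as giving consent (art. 7(3) GDPR).
function withdrawConsent(now = Date.now()) {
  return { decision: "withdrawn", action: "click_withdraw", timestamp: now };
}

// Decide whether a cookie may be stored under the current consent state.
// Exempt cookies are always allowed; non-exempt ones only after "accepted",
// so nothing non-exempt is set when the user merely lands on the page.
function mayStore(state, cookieName) {
  const entry = COOKIE_CATALOGUE[cookieName];
  if (!entry) return false; // unknown cookie: deny by default
  return entry.exempt || state.decision === "accepted";
}

// Cookies that must be deleted from the device once consent is absent,
// refused or withdrawn.
function cookiesToClear(state) {
  return Object.keys(COOKIE_CATALOGUE).filter((name) => !mayStore(state, name));
}
```

Call `mayStore` before every `document.cookie` write (or before loading a tag that sets cookies) and `cookiesToClear` after refusal or withdrawal; the state record is what the stakeholder keeps to demonstrate how and when consent was obtained.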
[i] Article 29 Working Party, Opinion 2/2010 on online behavioural advertising, 00909/10/EN WP 171, section 2.2.
[ii] Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009.
[iii] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[iv] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
[v] Article 19 of the former Data Protection Act (Chapter 440 of the Laws of Malta), which transposed article 10 of Directive 95/46/EC, has been repealed by Article 13 of the GDPR.
[vi] Article 29 Working Party, Opinion 04/2012 on Cookie Consent Exemption, 00879/12/EN WP 194.
[vii] ECJ Judgement of the Court, Grand Chamber of the 1st October 2019, Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v. Planet49 GmbH, Case C-673/17 (“C-673/17”), ECLI:EU:C:2019:801, paragraph 73.
[viii] European Data Protection Board (“EDPB”), Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, Adopted on 12 March 2019.
[ix] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, V. 1.1, section 3.3.
[x] C-673/17, paragraph 65: “consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent”.