Data protection does not like cookies

31.01.2020

Confectionery lovers in particular deal with the topic of cookies frequently. This article (rather regrettably) is not about delicious cookies; it discusses the small text files containing information that can be stored on users’ devices via the browser when they visit a website.

The European Court of Justice recently issued two rulings on data protection matters relating to the use of cookies and plug-ins.

The ECJ judgment of 29/7/2019¹ related to a case brought by the North-Rhine Westphalian Consumer Association, Verbraucherzentrale NRW, against German online retailer “Fashion ID”. The consumer association had complained that “Fashion ID” had embedded Facebook’s “Like” button on its own website without website users having to consent to the data transfer to Facebook or at least being informed about it. Against this backdrop, the ECJ had to decide whether the online retailer is (jointly) responsible for the data transfer and possibly for the processing of the personal data by Facebook.

The website operator uses the Facebook “Like” button to embed program code in his website, which starts an application on Facebook’s servers. Facebook is also able to collect data from visitors to the website who do not click on the “Like” button (IP address, data about the device used). The case still had to be decided in accordance with the provisions of the old EU Data Protection Directive from 1995 (Directive 95/46/EC); however, the decision can be applied to the legal situation under the GDPR.

The ECJ ruled that the website operator is not jointly responsible if he has no influence over the actual data processing by another controller, i.e., if he does not participate in the determination of the purposes and means of that processing. In the case at issue, this means that the online retailer is not jointly responsible for all data processing by Facebook. However, the ECJ holds that the retailer exerted a decisive influence over the data processing by embedding and configuring the plug-in on its website and has therefore jointly determined the means of processing with Facebook. With respect to the purposes of the processing, the ECJ expects that the embedding of the plug-in serves to improve the visibility of the retailer’s goods on Facebook and that the retailer and Facebook have therefore also jointly defined a purpose (advertising).

If the mere fact that another data controller is able to collect the data leads to joint responsibility, this would likely be the case with any embedding of third-party content such as videos, images, weather reports, stock market prices etc. Where the data processing is to be based on a legitimate interest, such legitimate interest must exist with each of the joint data controllers. If the processing is based on consent, the operator only needs to obtain it for the operations for which he is the controller, i.e., where he actually decides on the purposes and means.

The decision of the Court of Justice of the European Union of 1 October 2019² entails new information for the specific design of the consent to cookies. Accordingly, a website operator cannot obtain consent to the setting of cookies for advertising purposes by means of a pre-ticked checkbox. Rather, users must actively tick a checkbox to give their consent. The ECJ judgment applies irrespective of whether the data stored in the cookie constitute personal data or not. A further prerequisite for effective consent is that the user has been informed about the duration of the operation of cookies and whether or not third parties may have access to those cookies.

Regrettably, liability risks are increasing considerably due to the above-mentioned decisions relating to the use of cookies. We therefore recommend first obtaining an overview of the extent of the cookies used on your own website. If external content such as social media plug-ins, map services, videos, images, web fonts etc. is to remain embedded in your website, it should only be loaded after an active visitor action (e.g., by embedding preview images that load the active content only after a click). In any event, the Privacy Policy should be reviewed and supplemented with references to the storage period of cookies and with statements listing third parties who have access to the cookies.

Published in Newsletter Confectionery Industry Special – 2020 edition.

__________

1 ECJ, Judgement of 29/7/2019, Case C-40/17 – Fashion ID.

2 ECJ, Judgement of 01/10/2019, Case C-673/17 – Planet49.