GDPR Cookie Fines Explained

The General Data Protection Regulation (GDPR) is an EU law that protects data subjects' personal data by ensuring user privacy and honouring their rights. The ePrivacy Regulation (also known as the EU Cookie Law) sets out guidance on protecting the personal data of users online, especially around the use of cookies on websites where personal data is processed.

Both the General Data Protection Regulation (GDPR) and the ePrivacy Directive go hand in hand in protecting data subjects' rights and their data online in the EU through the use of cookie consent. GDPR is enforced by the data protection authorities in the 27 EU member countries.

If your site uses cookies, you need to comply with the GDPR and the ePrivacy Regulation (EU cookie law), which govern how you should be using cookies and the right of data subjects to decide how their personal data is processed online.

The guidance on the use of cookies is as follows:

  • obtain prior consent from the data subject before placing cookies on their device (consent must be unambiguous and clearly given)
  • show which cookies are active on the page, their purpose, what personal data they collect from the data subject, and how long each cookie is stored on the user's device (this is where a Cookie Notice is used)
  • allow consent to be withdrawn at any time, and make this easy for the user to do
  • be able to document and clearly demonstrate when consent was given
  • let the user still operate the site without giving any cookie preferences or consent; consent cannot be assumed

Non-compliance with these guidelines can result in warnings or, in serious cases, fines.

Cookies are normally categorised under four main headings. The first is Necessary (or Essential) cookies. These cookies are needed by the website to perform its given function; without them the website would not be able to operate and show you the content of the site. These cookies do not need consent from the user and will always be placed on the user's device.

Then there are Marketing cookies, Statistical cookies and Preference cookies. These all need prior consent before being placed on the user's device. The only other category that should be displayed is Unclassified cookies. Many cookies in use have no description of their purpose, so it is very hard to know which category to place them in.

Some cookie management systems place these into the Necessary category, so that consent is not needed. CookieScan does not do this: they are categorised separately, and consent is asked for before they are placed on the user's device.

One could argue that this is not true consent, as no information is given about the cookie or whether it is a Marketing or Statistical cookie. CookieScan leaves that decision to the site user to make.

Why are GDPR cookie fines issued?

When a company does not comply with the rules and regulations on the use of cookies under the ePrivacy Regulation, or PECR in the UK, the supervisory authorities can take enforcement action in various ways, some more severe than others, including:

  • a warning to the organisation
  • administrative fines: up to €20 million or 4% of annual global turnover (whichever is higher) for more serious offences, or €10 million or 2% of annual global turnover (whichever is higher) for less serious breaches
  • data protection inspections of an organisation
  • temporary or permanent restrictions on data collection and processing
  • or even a ban from working within or for the European Union

The most common enforcement actions are warnings for minor cases and fines for more serious breaches. Bear in mind that fines are the worst-case scenario, and the supervisory authorities will consider mitigating factors such as the severity of the breach and a company's efforts to comply with the ePrivacy Regulations.

The ePrivacy Regulation has now been aligned with the GDPR in the level of fine it can issue; it was previously capped at €500,000. PECR is still capped at £500K for fines relating to the misuse of cookies.

What is the current guidance on cookies?

Your organisation's website must comply with the cookie requirements of the jurisdiction you operate in and with the cookie laws of wherever the site is being viewed. This makes it a global problem that is very difficult for website owners to keep up with. If your data subjects are located in other jurisdictions, you need to ensure your website cookies comply with those laws. The best option is to ensure your website has a Cookie Notice and a Cookie Banner to handle cookie consent.

Let's look at the cookie requirements set out by the data protection authorities in some other jurisdictions.

UK guidance on cookies

The UK Information Commissioner's Office issued guidance on the use of cookies in 2020 and set out the requirements for organisations using websites to promote their products or services. The guidance states that:

  • No non-essential cookie can be set on a user's device without prior consent.
  • Information must be given to the user about the purpose of the cookie. Without this information consent will not be informed and could be deemed invalid.
  • A clear time frame or expiry date must be given for how long the cookie will remain active on the user's device.
  • It must be as easy for the user to withdraw consent as it was to give it.
  • A clear, up-to-date cookie notice must be available on the website for users to read.
  • Consent must be re-verified every six months, so the user will be asked again what their preferences are for the use of cookies.
  • There must be clearly labelled ‘reject all’ and ‘accept all’ buttons available.

Read the full guidance here: Guidance on the use of cookies and similar technologies | ICO

CookieScan will do all of this for you and the users of your website. It is as easy as putting a line of code into the header of your site, and CookieScan will do the rest.

Irish guidance on cookies

The Data Protection Commission in Ireland issued its Guidance to serve as a starting point for Irish controllers to assess their own compliance with the law on cookies and similar tracking technologies. In addition to the cookie consent requirements on which we have previously commented, we have set out a number of key points raised in the DPC's Guidance below:

  • Cookie lifespan: the DPC stressed that the expiry date of any cookie should always be proportionate to its purpose. For instance, a cookie required for remembering information in a user’s online shopping cart should not have an indefinite expiry date and should be set to expire once it has served its function (or very shortly afterwards).
  • Periodic renewal of consent: For controllers who keep a record of users' consent to the use of cookies, the DPC considers that the appropriate length of time after which this consent should be re-obtained should be no longer than six months after they have recorded the users' last consent status. Equally, where users initially declined to give consent, their consent to cookies could be sought again at this time. The six-month period is, in the DPC's view, the outer timeframe for storing a user's consent status, and storage of a record of valid consent for a longer period would need to be justified on a case-by-case basis. Since publication of the Guidance, the European Data Protection Board has issued updated guidelines on valid consent, which clarify that websites that block access to content until a user accepts cookies, so-called “cookie walls”, do not present the user with a genuine choice and are therefore not compliant.
  • Consent Management Platforms: The DPC acknowledged the use of consent management platforms (“CMPs”) i.e. systems provided by third parties designed to help organisations record and manage cookie consent and demonstrate compliance with the ePrivacy Regulations and GDPR.
  • Analytics cookies: The DPC re-iterated that analytics cookies (such as those that measure the number of visitors to a website and the pages they visit) require the consent of the user before being placed on their device. The DPC states that first-party analytics cookies are not likely to create a privacy risk when they are strictly limited to first-party aggregated statistical purposes and are unlikely to be considered a priority for enforcement action. However, third party analytics i.e. those carried out by parties other than the controller, sometimes for their own purposes, may be considered to represent a greater privacy risk to the user.
  • Third party buttons and widgets: Where controllers allow third parties to deploy ‘like’ buttons, plugins, widgets, pixel trackers or social media-sharing tools, they should be fully aware of what data is being transferred to those third parties. Further to the Court of Justice of the EU’s judgment in Fashion ID, website operators may be considered to be joint controllers in respect of personal data that is collected and disclosed to those third parties. Other third parties, such as payments processing services, may potentially act as processors on a controller’s behalf; thereby requiring a data processing agreement to be in place with the controller under Article 28 GDPR. Accordingly, website operators should take steps to ascertain the data processing relationships with all third parties involved in their website, and determine the responsibilities and liabilities arising from such relationships.
  • Systematic tracking or profiling: Finally, the DPC stated that where a website's processing operations involve (through cookies or otherwise): (i) the systematic monitoring, tracking or observing of individuals' location or behaviour, or the profiling of individuals on a large scale; or (ii) the combination, linking or cross-referencing of separate datasets that significantly contributes to or is used for profiling or behavioural analysis of individuals (particularly where different controllers are involved), then the controller must carry out a data protection impact assessment (“DPIA”) under Article 35 of the GDPR.

Read the full guidance here: Guidance note on cookies and other tracking technologies.pdf (dataprotection.ie)
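The consent rules above (all non-essential categories off by default, a documented timestamp, withdrawal as easy as consent, re-consent after the six-month outer limit the ICO and DPC both cite, and the domain-level blocking caveat mentioned later on this page) can be modelled in a small consent record. The following is an added example written for this page, not CookieScan's own code; the function names, the 183-day lifetime and the sample cookie inventory are assumptions.

```javascript
// Added example, not CookieScan's code: a minimal consent record applying the rules on
// this page. Function names, the 183-day lifetime and the sample inventory are assumed.
const CATEGORIES = ["necessary", "preference", "marketing", "statistics", "unclassified"];
const CONSENT_LIFETIME_MS = 183 * 24 * 60 * 60 * 1000; // about six months, the DPC/ICO outer limit

// Build a consent record. Necessary cookies are always on; every other category
// stays off unless the user explicitly switched it on. Unknown categories are rejected.
function recordConsent(choices, now = Date.now()) {
  const categories = { necessary: true };
  for (const c of CATEGORIES.slice(1)) categories[c] = false;
  for (const [c, on] of Object.entries(choices)) {
    if (!(c in categories) || c === "necessary") throw new Error("unknown category: " + c);
    categories[c] = on === true; // anything short of an explicit "true" is not consent
  }
  return { givenAt: now, withdrawnAt: null, categories };
}
// The two buttons the ICO expects: "accept all" and "reject all".
const acceptAll = (now) =>
  recordConsent(Object.fromEntries(CATEGORIES.slice(1).map((c) => [c, true])), now);
const rejectAll = (now) => recordConsent({}, now);
// Withdrawal is one call and keeps the original timestamp for the audit trail.
function withdrawConsent(record, now = Date.now()) {
  return { ...rejectAll(record.givenAt), withdrawnAt: now };
}

// A record that was withdrawn or is older than six months authorises nothing.
function isCurrent(record, now = Date.now()) {
  return !!record && record.withdrawnAt === null && now - record.givenAt < CONSENT_LIFETIME_MS;
}
// Categories that may be set right now. With no valid record, only "necessary".
function allowedCategories(record, now = Date.now()) {
  if (!isCurrent(record, now)) return ["necessary"];
  return CATEGORIES.filter((c) => record.categories[c]);
}

// Domain-level blocking as the page describes it: a domain's script is released only when
// every cookie it sets is in an allowed category, so one marketing cookie on a domain
// keeps that domain's statistics cookies blocked too.
function domainAllowed(inventory, domain, record, now = Date.now()) {
  const allowed = new Set(allowedCategories(record, now));
  const fromDomain = inventory.filter((ck) => ck.domain === domain);
  return fromDomain.length > 0 && fromDomain.every((ck) => allowed.has(ck.category));
}

// Constructed sample inventory, as a scan of a site might produce (not real data).
const SAMPLE_INVENTORY = [
  { name: "PHPSESSID", domain: "shop.example", category: "necessary" },
  { name: "_ga", domain: "analytics.example", category: "statistics" },
  { name: "ads_id", domain: "adtech.example", category: "marketing" },
  { name: "ad_stats", domain: "adtech.example", category: "statistics" },
];
```

With the sample inventory, consenting to statistics alone releases analytics.example but not adtech.example, because that domain also sets a marketing cookie.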

Recent cookie fines:

Let's have a look at some recent fines that have been issued in Europe and the reasons they were issued.

France:

At the end of 2020, the Commission Nationale de l'Informatique et des Libertés (CNIL) fined Amazon France Core 35 million euros and Google LLC and Google Ireland Limited 100 million euros. Investigations indicated that Google and Amazon had been placing cookies for advertising purposes on users' devices without informing the user or asking for prior consent.

In both cases these organisations failed to collect consent from the data subject before putting advertising cookies on their device. Consent for advertising/marketing cookies must be obtained from the user, as these cookies are not essential for the running of the website, and simply continuing to browse the site does not constitute valid consent. Not only did they not get consent, but the user was not informed on arriving at the site that cookies were operating on it or how they could refuse them, and there was no clear mechanism allowing users to reject the use of non-essential cookies.

Spain:

The Spanish Data Protection Authority (AEPD) fined Twitter 30,000 euros for non-compliance with Spanish data protection law. Twitter's cookie banner stated that by using the site the user was accepting the cookie policy. The banner gave the user no guidance on how to reject cookies and no information on how to manage their cookie preferences on the platform.

Italy:

The Italian Data Protection Authority imposed a fine of 12 million euros on Vodafone for unlawfully processing the personal data of millions of users for marketing purposes.

An investigation showed that Vodafone had violated the rules on consent and many other data protection principles.

How can I make sure my website is cookie compliant?

CookieScan is your complete cookie management system, taking control of all your legal requirements under the ePrivacy Regulation and PECR. First, CookieScan scans your site and identifies all the cookies used, both first party and third party. Once this is done, CookieScan creates a Cookie Notice.

The identified cookies are then placed into categories. These categories are:

  • Necessary
  • Preference
  • Marketing
  • Statistics
  • Unclassified

Necessary cookies, or essential cookies, do not require you to collect consent from site users. These cookies are always on and are loaded onto the user's device. Necessary cookies are the cookies needed to run the functionality of the site, and as the site owner you are responsible for justifying their use. CookieScan gives you the ability to move cookies into the category you believe is more appropriate. A note of caution: because CookieScan blocks at the domain level, moving one cookie will also move the other cookies from that same domain.

CookieScan gives you a choice of three banners to display on your site. There is also a geo-location feature, so the correct banner is displayed to comply with the cookie laws of the country where the site is being viewed.

The user is asked to consent to the required cookies and is given a simple description of each cookie's function, who provided the cookie and how long it will remain on the device (for example, a session cookie).

You can change the colour settings of the CookieScan banner to match the colour theme of your site. CookieScan is also the only cookie management system that allows the site user to exercise one of their data privacy rights, such as submitting a data subject access request. This shows your commitment to compliance and your accountability for data protection rights.

CookieScan will take your compliance worries away and help you to stay on the right side of the law.

What will CookieScan do for me as a website user?

As a website user, CookieScan looks after your rights and your privacy by telling you about all the cookies the website uses, what they do, who wants to put them on your device and how long they will stay there. CookieScan gives you a clear ‘Reject all’ or ‘Accept all’ choice for the cookies used, with all of them off by default.

CookieScan has recently added a data rights function. You can now exercise one of your data protection rights and contact the website owners directly, submitting a data subject access request, objecting to processing, asking for data to be corrected and so on. CookieScan is the first to offer this, combining both the data protection laws and the ePrivacy Regulations, or your own local laws.

Once a request is submitted, the website owner will use their own processes to let you exercise your rights; CookieScan just gives you an easy way to start the ball rolling.

Ensure your website is PECR and ePrivacy compliant

Create a FREE CookieScan account today and start managing your cookie consent.

Get Started