Cookies: the yes, the no, and the maybe
| Joost Krapels |
They are impossible to escape these days: cookies. Sometimes accompanied by a impenetrable cookie wall, a large banner, a small information bar, or nothing at all. Cookies allow certain website features, traffic analysis, and marketing. What is and is not allowed is not always clear, which many websites use to their advantage. In this article we explain what measures need to be in place for different types of cookies in The Netherlands.
Types of cookies
Not all cookies are created equally. Even though a cookie is a small text file containing (machine readable) information, they can be used for different purposes. Separated on those purposes, we can distinguish the following categories:
Functional cookies can be used to perform specific features on a website. Examples of such features are remembering information for a user, such as items in a shopping basket, semi-filled in forms, or login details. Blocking these cookies can cause a website to lack features, or even break.
Websites have changed significantly in the last two decades, and the static HTML websites of the mid 90’s and early 2000’s are a rare sight nowadays. Website owners greatly value their internet presence, and want to know how the website is used. With this information, broken pages can be detected, boring content improved or removed, and new content tailored to visitors. Many Dutch visitors could mean that you should explore the Dutch market, and no Spanish visitors on your “B&B Madrid” website is a clear hint to offer the website in Spanish as well.
This category of cookies is used to identify a user, and collect information on them throughout multiple pages and/or websites. Actions, such as clicking, page loading, or even mouse movement is stored in the cookie, combined with the identifier. Once the cookie is loaded by its provider, said provider can combine actions of a single user to identify behavior. Names and addresses are often not stored in the cookies, but the collected information is often enough to point back to an individual. Tracking cookies are often used in direct marketing, since offering user groups with specific interests or behavior a specific product works wonders for your sales department.
Rules and legislation
Several European and nationwide laws influence cookies. All cookies fall under the 2002 e-Privacy Directive (EPD), and tracking has to comply with the GDPR as well. Currently, the successor to the EPD is under review by the European Parliament. It was planned to become law in 2019, but did not survive the final vote of the year. This successor, the e-Privacy Regulation, levels the playing field for rules surrounding electronic communication and cookies. Earlier this year, we wrote a Dutch article on the E-Privacy Regulation.
The first category of cookies does not require active consent. Under the Telecommunicatiewet, no consent needs to be requested for cookies that are required to perform the service. The lawful basis (article 6 GDPR) for functional cookies is legitimate interest of the website owner, or performance of a contract if the service provided through the website is the core of a paid service. Asking consent for this processing of personal data would allow the user to retract the consent, which would break the website.
Statistical tracking data can often be pseudonymized, reducing the risk to the individuals involved. Google Analytics can, for example, mask the final digits of an IP-address, and marketeers can choose not to share the collected analytics with third parties. According to the Telecommunicatiewet, if analyzing the quality and effectiveness of the provided service does not have a large influence on the user’s privacy, consent is not required. The analysis then falls under the GDPR lawful basis Legitimate interest.
If the statistical data is aggregated to a high enough level, and individuals cannot be distinguished anymore, statistical cookies fall outside of the scope of personal data. This is not often the case with websites, but certainly technically possible.
Since tracking users and treating them differently from others based on this is classified as profiling under the GDPR, tracking cookie providers are bound by strict rules. If the processing is not based on the performance of a contract, the only lawful basis left is explicit consent. In 2018, the European advisory group WP29 (now EDPB) brought out a guideline on consent. This guideline offers several examples of legal explicit consent, such as (electronic) signature, clearly marked and separated checkboxes, and clicking a confirmation email after giving initial consent.
Even though guidelines by the EDPB are not legally binding, the group’s advice should be taken seriously since it consists of representatives of all national Supervisory Authorities.
Cookies for website owners and users
Many plugins on your website come with their own cookies, for which you as a website owner are responsible. With tools such as Cookiebot and Praivacy, you can automatically recognize cookies on your website, and offer visitors the option to opt-in to or out. If you plan to implement Google Analytics, you should follow the Autoriteit Persoonsgegevens’ (Dutch) guide on setting the privacy settings. When you follow this guide, consent is not required for the use of Google Analytics.
Website users could install the free browser plugins Privacy Badger and Ghostery, which learn to recognize tracking cookies and block them automatically. These tools are also useful to check your cookie statements.
For more articles about privacy, visit our page with all privacy articles.
Image credit: @adeolueletu via Unsplash
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. During his Master study he evaluated several compliance tools for GDPR compliance and interviewed business owners about the impact of the GDPR. Within ICT Institute, Joost provides IT advice to clients, advises clients on Privacy and Security, improves our GDPR tools and templates, and co-develops the Security Verified standard.