Cookies: the yes, the no, and the maybe
Joost Krapels | Privacy
They are impossible to escape these days: cookies. Sometimes they come with an impenetrable cookie wall, a large banner, a small information bar, or nothing at all. Cookies enable certain website features, traffic analysis, and marketing. What is and is not allowed is not always clear, and many websites use that ambiguity to their advantage. In this article we explain which measures need to be in place for the different types of cookies in the Netherlands.
Types of cookies
Not all cookies are created equal. Even though every cookie is a small text file containing (machine-readable) information, cookies serve different purposes. Grouped by purpose, we can distinguish the following categories:
Functional cookies
Functional cookies are used to provide specific features on a website. Examples of such features are remembering information for a user, such as items in a shopping basket, partially filled-in forms, or login details. Blocking these cookies can cause a website to lose features, or even break.
Statistical cookies
Websites have changed significantly in the last two decades, and the static HTML websites of the mid 90s and early 2000s are a rare sight nowadays. Website owners greatly value their internet presence and want to know how their website is used. With this information, broken pages can be detected, boring content improved or removed, and new content tailored to visitors. Many Dutch visitors could mean that you should explore the Dutch market, and no Spanish visitors on your “B&B Madrid” website is a clear hint to offer the website in Spanish as well.
Tracking cookies
This category of cookies is used to identify a user and collect information on them across multiple pages and/or websites. Actions such as clicking, page loads, or even mouse movements are stored in the cookie, combined with the identifier. Once the cookie is read by its provider, that provider can combine the actions of a single user into a behavioural profile. Names and addresses are usually not stored in the cookie, but the collected information is often enough to point back to an individual. Tracking cookies are frequently used in direct marketing, since offering user groups with specific interests or behaviour a specific product works wonders for your sales department.
Rules and legislation
Europe
Several European and national laws govern cookies. All cookies fall under the 2002 e-Privacy Directive (EPD), and tracking has to comply with the GDPR as well. Currently, the successor to the EPD is under review by the European Parliament. It was planned to become law in 2019, but did not survive the final vote of the year. This successor, the e-Privacy Regulation, levels the playing field for the rules surrounding electronic communication and cookies. Earlier this year, we wrote a Dutch article on the e-Privacy Regulation.
If personal data is processed through the use of cookies, the GDPR starts to play a significant role. Website providers that place the cookie are obliged to inform the website users (e.g. through a privacy statement), and to record the use of cookies and the third parties involved in their register of processing activities.
The Netherlands
The EPD has been implemented in the Netherlands as the Telecommunicatiewet. Later, the Dutch government amended a section of the Telecommunicatiewet to give guidance on the use of cookies. This is commonly known as “De Cookiewet”, which remains valid law until the E-Privacy Directive comes into force somewhere in the next few years. Since the Telecommunicatiewet predates the GDPR, references to the GDPR’s predecessor have been changed to references to the GDPR. This means that, for example, the bar for “good” consent for cookies has been raised. The Autoriteit Persoonsgegevens has also recently stated that cookie walls are not a valid way of obtaining consent: conditioning access to the service on consent goes against the requirement that consent be freely given. Even more recently, the supervisor published a report on a cookie check it performed on 175 Dutch web shops. Not all cookies require explicit consent, but the user must be notified of the use of any cookie that processes personal data.
Functional cookies
The first category of cookies does not require active consent. Under the Telecommunicatiewet, no consent needs to be requested for cookies that are required to perform the service. The lawful basis (article 6 GDPR) for functional cookies is the legitimate interest of the website owner, or performance of a contract if the service provided through the website is the core of a paid service. Asking consent for this processing of personal data would allow the user to withdraw that consent, which would break the website.
Statistical cookies
Statistical cookies can often, by default, be traced back to natural persons. This makes the use of these cookies a collection of personal data, bringing the GDPR into play. Cookie providers sometimes allow IP addresses to be partly masked, removing the most direct link to a natural person. Whether the remaining information can still be used to identify someone has to be decided case by case.
Statistical tracking data can often be pseudonymized, reducing the risk to the individuals involved. Google Analytics can, for example, mask the final digits of an IP address, and marketers can choose not to share the collected analytics with third parties. According to the Telecommunicatiewet, consent is not required if analysing the quality and effectiveness of the provided service has little impact on the user’s privacy. The analysis then falls under the GDPR lawful basis of legitimate interest.
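As an added illustration (not code from the article or from Google), the block below masks addresses the way Google Analytics' IP anonymization is documented to: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed. It then runs the mask over a constructed set of log lines to show that masking collapses some visitors together, while others (a lone visitor, or an unusual browser) remain distinguishable, which is exactly the case-by-case question raised above. The log format and all addresses are constructed for the example.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple


def anonymize_ip(ip: str) -> str:
    """Zero the host-identifying tail of an address.

    IPv4 keeps the first three octets (/24); IPv6 keeps the first 48 bits
    (/48), i.e. the last 80 bits are zeroed. Invalid input raises ValueError.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


# Constructed sample log: "<client ip> <user agent>", one request per line.
SAMPLE_LOG = [
    "203.0.113.45 Firefox/115",
    "203.0.113.46 Firefox/115",
    "203.0.113.47 Firefox/115",
    "198.51.100.7 Firefox/115",
    "2001:db8:85a3::8a2e:370:7334 Safari/17",
    "2001:db8:85a3::1 Safari/17",
    "203.0.113.48 RareBrowser/0.1",
]


def visitor_keys(log_lines: Iterable[str], mask: bool) -> Counter:
    """Count requests per (ip, user agent) pair, the crude visitor key an
    analytics tool falls back on when no cookie identifies the visitor.
    With mask=True the IP is anonymized before it is used as a key."""
    keys: Counter = Counter()
    for line in log_lines:
        ip, agent = line.split(" ", 1)
        keys[(anonymize_ip(ip) if mask else ip, agent)] += 1
    return keys


def distinct_visitors(log_lines: Iterable[str], mask: bool) -> int:
    return len(visitor_keys(log_lines, mask))


def still_singled_out(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Masked keys that map to exactly one request: masking the IP did not
    stop these visitors from being distinguishable, so the records are still
    personal data unless they are aggregated further."""
    return sorted(k for k, n in visitor_keys(log_lines, True).items() if n == 1)
```

On the sample log, masking reduces seven distinct visitor keys to four, but two of those four still correspond to a single request each.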
If the statistical data is aggregated to a high enough level, so that individuals can no longer be distinguished, statistical cookies fall outside the scope of personal data. This is rarely the case with websites, but it is certainly technically possible.
Tracking cookies
Since tracking users and treating them differently from others on that basis is classified as profiling under the GDPR, tracking cookie providers are bound by strict rules. If the processing is not based on the performance of a contract, the only lawful basis left is explicit consent. In 2018, the European advisory group WP29 (now the EDPB) published guidelines on consent. These guidelines offer several examples of valid explicit consent, such as an (electronic) signature, clearly marked and separate checkboxes, and clicking a confirmation email after giving initial consent.
Even though guidelines by the EDPB are not legally binding, the group’s advice should be taken seriously since it consists of representatives of all national Supervisory Authorities.
As you can see, analytical and tracking cookies are not legal or illegal by default. It is important to consider how the cookies will be used and what measures will be put in place. With a well thought-through (and documented!) decision on the use of cookies and transparent communication to the users, the chance of a fine is low.
Cookies for website owners and users
Many plugins on your website come with their own cookies, for which you as the website owner are responsible. With tools such as Cookiebot, you can automatically detect the cookies on your website and offer visitors the option to opt in or out.
Website users can install the free browser extensions Privacy Badger and Ghostery, which learn to recognize tracking cookies and block them automatically. These tools are also useful for checking your own cookie statement.
Image credit: @adeolueletu via Unsplash
Joost Krapels worked at ICT Institute from 2019 to October 2024. He is a security and privacy officer with extensive GDPR and ISO 27001 experience, and holds Security+ and CISSP certifications.