What are cookies are, what is their use and how does using them impact on businesses?
A cookie is a small text file that can be stored on your computer when you visit websites.
When you visit the website later again, the cookie returns to the concerned website. In this way, amongst other technical ways, the website recognizes your browser.
There are 3 types of cookies: cookies for functional purposes, cookies for analytical purposes and cookies for advertising purposes.
On 1st October 2019 The Court of Justice of the European Union (“CJEU”) delivered its judgment in Case C ‑ 673/17 finding that the consent is not validly given or permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent. Instead, the consent must be obtained by a consumer’s “active behaviour.”
In its judgement, the CJEU made it clear that the conditions regarding consent are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 on the protection of individuals with regard to the processing of personal data or Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46(GDPR).
The information that the service provider must give to a user includes the duration of the operation of cookies and whether third parties may have access to those cookies.
Regarding the form of the consent, the CJEU established that consent of a user required under Directive 2002/58 (the ePrivacy Directive) for storing or accessing cookies should have the same meaning as the data subject’s consent as defined and further specified in GDPR. In accordance with the GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance. Silence, pre-ticked boxes or inactivity does not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for each of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. Therefore, consent that does not comply with the requirements of the GDPR may not be relied upon for the purposes of the ePrivacy Directive.
For businesses knowing which cookies they use, what data is collected with them and with whom they are shared is a necessity, both under GDPR and under ePrivacy Directive. Bearing in mind that since the GDPR took effect on May 25, 2018, data protection authorities in the EU including Romania have wasted no time in launching enforcement actions and issuing fines.