It remains fairly common for internet users to be denied access to websites when they choose not to accept (tracking) cookies. But are websites actually allowed to do this? In this blog post, we will look at the legal provisions applying to the use of tracking cookies.
But did you know that websites only allowing visitors access to their content if they accept so-called ‘tracking cookies’ are in fact acting in violation of the GDPR? In this blog post, we will take a closer look at this specific type of cookie from a GDPR perspective and in the context of the Dutch Telecommunication Act.
What are cookies?
Cookies are small files which are downloaded by website providers to the device used by visitors – their computer or smartphone for instance – for the purpose of collecting and storing information about the visit or about (the device used by) the visitor. In this blog, we will be focusing on the use of ‘tracking cookies’, a special subset of cookies. If you are interested in the legal requirements applicable to other types of cookies, please refer to the website of the Dutch Authority for Consumers and Markets (ACM).
One way of protecting yourself against cookies is to use the incognito mode of your browser which will then refrain from saving history data and non-essential cookies. Do you want to know how to remove cookies? Check the Radar five-step plan.
Of all types of cookies commonly used, the most privacy-invasive variant is the category known as tracking or marketing cookies, since they have the ability to trace a visitor’s online behaviour. Tracking cookies are sent to and stored on personal devices in order to identify users of the internet on one or more websites. They not only keep track of sites visited, but they also record other data, like the IP address and the type of device being used. Storing these data then allows for profiling – the creation of individual consumer profiles which are used for targeted advertising and other commercial activities.
Legal provisions for tracking cookies
Telecommunication Act aka ‘Cookie Act’
Among the rules listed in Article 11.7a TW of the Telecommunication Act is the requirement of user consent for actual cookie placement (Article 11.7a, 1, b). Also, website visitors have to be informed of the purposes for which cookies are being used (Article 11.7a, 1, a). There are exceptions to both requirements, specified in Article 11.7a, 3. If, for instance, cookies are necessary for the website to perform properly or if they serve the exclusive purpose of enabling communication within an electronic communications network, the obligation to inform and the requirement of consent do not apply.
How about the GDPR?
Strictly speaking, the GDPR is primarily about the protection of personal data, which does not necessarily cover cookie placement. However, the GDPR does apply to the use of tracking cookies, since these cookies, whether triggered by a Facebook Pixel or Like button or whatever other mechanism, most definitely or at least usually imply the processing and transfer of personal data. So, what does the GDPR have to say about the use of tracking cookies?
Necessity or consent
Processing personal data is only allowed if a “legitimate basis” can be shown to exist. Article 6, 1 of the GDPR lists six of these justifications, among them necessity in the context of business requirements such as the performance of a contract.
If, however, a company wants to follow the online activities of people by using tracking cookies, they always have to obtain prior permission from the data subjects, which must be requested in a legally valid way. Where cookies are not, or not significantly, privacy-invasive, consent is not required.
In order for consent to be legally valid in terms of the GDPR, it must be “freely given, specific, informed and unambiguous” (Article 4, 11 of the GDPR). Thus, a simple box with a default setting of checked is not sufficient, as explained by the European Court of Justice.
As early as 2019, the Data Protection Authority (DPA) ran an inquiry into the use of tracking cookies which demonstrated that of all the websites using them, almost half did not meet the requirement of consent.
It is, for instance, fairly common for visitors to be denied access to a website when they refuse to accept tracking cookies. When, as a result of this ‘cookiewall’, sites or services are unavailable to consumers, they may yield to the pressure and agree after all. In this case, their consent does not qualify as being “freely given” and as such, does not provide a legitimate basis for the placement of tracking cookies.
Obligation to inform
Much like the Dutch Telecommunication Act, the GDPR also specifies the obligation to inform, meaning that data subjects have to be given prior information on the nature of the personal data to be processed, the purposes for which and the manner in which they are to be processed. This information, as mentioned in Article 12, 1 of the GDPR, must be provided in a concise and intelligible form.
If a website uses tracking cookies, visitors should be informed in a timely manner. Websites also need legally valid consent from their visitors in order for the placement of tracking cookies to be allowed. This implies that visitors must have the – real – option to refuse these cookies. Otherwise, they cannot consciously and appropriately exercise their right to protection of personal data. Therefore, websites must remain accessible for people who refuse tracking cookies, or they will be in violation of the GDPR.