Something Is Happening on The Cookie Front

A new proposal for the e-Privacy Regulation (ePVO) shakes up the consent requirement for cookies. While storing cookies could get easier, browser vendors do not want to support third-party cookies in the future. Ultimately, it is not about cookies or no cookies; it is about clear guidelines and informing those affected.

We remember (with horror): countless emails landed in mailboxes saying that the General Data Protection Regulation (GDPR) required the recipient’s consent for the newsletter they subscribed to, for example, even if there was already consent for it.

At the time, it was obviously overlooked by many that there is more than one possible legal basis for the processing of personal data. Article 6 of the GDPR (lawfulness of processing) lists these quite clearly.

In the case of cookies, however, the consent of the data subject, i.e. the visitor to a website, may be required. The German data protection supervisory authorities have never required consent for all cookies, but for certain cookies they do not consider an opt-out sufficient. Recital 32 of the GDPR, for example, explicitly states that “silence, boxes already checked, or inaction by the data subject” do not constitute consent.

Business interest groups have been hoping for a change through the planned e-Privacy Regulation (ePVO) for some time. Now a new draft for the ePVO is available, which should please certain stakeholders.

Legitimate interest as the basis for cookie retention

The Croatian Presidency of the Council of the EU published a new draft e-Privacy Regulation on 21.02.2020. The draft recognizes a legitimate interest in storing cookies without the users' consent (cookie consent), because advertising-financed online press publications and audiovisual media services have a financing interest.

The new draft does not simply open the door to cookies; it specifies various conditions and areas of application in which cookies may be set without requesting consent, i.e. without cookie banners that the user must first work through. Cookie banners are, in any case, not very popular and often not really effective.

In this regard, the new draft states: “End users are often asked to consent to the storage of, and access to, stored data in their terminal devices because of the ubiquitous use of tracking cookies and similar tracking technologies. As a result, end-users may be overwhelmed with requests for consent. This can lead to a failure to read consent request information and undermine the protections provided by consent.”

This idea is not impractical and shows that consent alone cannot ultimately provide sufficient protection. More is needed for data protection.

Third-party cookies are coming to an end, but…

Now, however, there is another development regarding the future of cookies. More and more browsers (after Safari, also Firefox and Chrome) are planning to no longer allow third-party cookies in the future; there is talk of deadlines such as “within the next two years”, according to the Bundesverband Digitale Wirtschaft (BVDW), for example.

However, this of course does not mean that the possible new cookie requirement from the planned ePVO can then no longer be applied. The data protection supervisory authorities had already clarified that data controllers must ensure that consent covers not only the setting of cookies requiring consent but all processing activities requiring consent, such as procedures for tracking users through tracking pixels or various fingerprinting methods, unless these are permitted on another legal basis.

If the planned ePVO creates a new legal basis, then the statement of the supervisory authorities will, by analogy, also apply to cookie alternatives and not only to cookies. There must then be a legal basis for all corresponding processing activities such as fingerprinting, for example “a legitimate interest because there is a financing interest of the advertising-funded online press publications and audiovisual media services.”

Transparency and information always remain decisive

Whether for the storage of cookies or the use of cookie alternatives such as fingerprinting, in each case the user must be informed exactly how their data will be used. This data protection requirement remains in any case. The new draft of the ePVO also states as a requirement that the end-user has been provided with clear, precise, and user-friendly information about the purposes of cookies or similar techniques. In addition, there must be a possibility to object.

Data protection does not mean clicking as many cookie banners as possible. It requires a secure legal basis for processing and transparent data use that the user is aware of and agrees to, for example in order to be able to use advertising-financed online content free of charge, but without having to endure too great an intrusion into their privacy.

Depending on the weighing of interests, cookies and cookie alternatives will also be subject to consent under the new draft of the ePVO. Thus, the draft states: only if the results of the balancing carried out by the service provider show that its legitimate interest is not overridden by the interests and fundamental rights and freedoms of the end user can the service provider rely on this legal basis; otherwise consent must be obtained or another legal basis must exist.