Is my cookie illegal?

Twelve questions from developers to privacy experts.

 

Who are you, and what do you do for work?

Jari Ala-Varvi and Niku Hinkka, CIPP/E certified Data Protection & Privacy Specialists working for OpSec Oy.

 

From the ePrivacy Directive point of view, a cookie banner has two essential functions:

  1. inform users about cookies that identify them
  2. ask consent for storing and collecting data from the end-user

 

So what’s GDPR? Another banner?

The GDPR is a vital EU regulation, and ePrivacy is a directive dependent on local country-specific legislation.

The GDPR clarifies the rights of data subjects concerning the processing of personal data and is directly applicable to the law.

Cookies are not personal data in themselves, but their GDPR-compliant use requires diligent care, for example, when you use them for processing personal data.

The definition of valid consent comes from GDPR because the ePrivacy directive references it in recital 17.

 

Not true. It’s a common misunderstanding to interpret that the ePrivacy directive would cover only cookies. ePrivacy and GDPR protect the rights of the end-users, regardless of the technology used to collect or store the data on the end user’s equipment.

The term “cookie” is just one example of these technologies in ePrivacy directive recital 25.

Because of the ambiguity of privacy legislation, cookies and other technologies collecting or storing information about the user provide a challenge. For example, a less known principle of the ePrivacy directive is the privacy sphere: collecting data about the end user’s device, or storing any data on the end user’s device, violates the end user’s private space.

If you use this private space, e.g., read or store information on the end user’s device, you need consent , i.e. you need a banner, in most European countries, whether you process personal data or not. If using this private space is strictly necessary for providing the service the user has explicitly asked for, you don’t need consent.

Why does everyone then talk about cookies?

Before JavaScript, twenty years ago, cookies were probably the only solution for online analytical purposes, so the term ended up as an example in the legislation. Legislators have always had difficulties understanding and keeping up with technological progress.

Nowadays, the term cookie has expanded, and we also have new technical implementations which can achieve the same results as cookies.

How about localStorage or sessionStorage?

We can interpret that there is no difference because GDPR and ePrivacy require consent, informing, and respecting the end-users privacy sphere. It does not matter what the storage is called, as long as it resides in the user’s equipment.

Is there any way to avoid the banner?

You can avoid using banners with a 100% server-side solution that does not invade the privacy sphere or process identifiable personal information. Or with a solution that relies solely on HTTP-header uploads to servers, thus not reading client data with JavaScript.

Is it okay to bypass ad blockers?

We haven’t heard of any legally binding decisions from the authorities in Europe. However, an ad blocker is a powerful expression of the user’s will against advertising, which traditionally has a lot of weight in legal consideration. It would be advisable and far-sighted to respect the user’s choice in this matter.

So everybody is doing it wrong?

If developers are actively trying to find technical loopholes to exploit privacy legislation, they are likely already breaking the law. GDPR article 25 states that the data protection should be by design and default, which means that developers should implement solutions supporting the end-users rights.

Really? Even companies like GitHub?

Github states that they don’t use cookies. They still track users. The legal question about the use of banners is not about cookies. It is about informing the end-users and having their consent using ANY technologies that read/store information on the user’s device.

It’s common to think something is legal if it’s not explicitly forbidden. Companies often operate based on cost-benefit analysis, and it might be possible that Github’s choice of narrow interpretation is a calculated risk towards legal uncertainty, a business decision because developers dislike banners even more than the everyday users.

Why harass people with the banner!?

No one likes banners. But, they at least try to prevent using privacy as a free currency by giving people a choice. Don’t blame the players. Blame the game.

This is also a design issue. Poorly implemented banners degrade website user experiences, while subtler and easy-to-use banner solutions might change people’s attitudes towards consent banners.

What’s the best way forward?

The idea that data is the new oil has brought us a gold rush phenomenon. All gold rushes end in time. User and privacy-friendly solutions are the future, and stakeholders recognize this too. Just be nice to people, stop trying to find loopholes, and ask permission when needed.

Like Jim Carrey says, playing a successful lawyer in the movie Liar Liar:“Stop breaking the law a##hole!“

Liability clause: This blog is not legal advice, and you shouldn’t interpret it as such.

Leave a Reply

Your email address will not be published. Required fields are marked *