Cookie Banners back in spotlight
The European Data Protection Board (“EDPB”) has recently published a report (the “Report”) about a number of ‘cookie law’ concerns, and has concluded that:
- The use of pre-ticked boxes to opt-in to the use of cookies does not give valid consent.
- Websites practices that
- give users the impression that they have to give their consent to access the website are prohibited
- push users to give consent are prohibited
- consist in using different button colours to highlight the “accept all” button over other available options are prohibited
- Rely on “legitimate interests” as the legal basis for the use of non-essential cookies are prohibited.
- All buttons should ideally use the same size, colour, font and contrast.
- A “reject all” button must be included on the first layer of the cookie banner so as to ensure that the use of cookies is as easy to accept as it is to refuse.
- Non-compliance with the rules on the use of cookies will result in non-compliance of any subsequent processing of personal data collected through cookies.
- Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time.
Comment: The contents of this report are likely to guide EU regulator’s decisions about cookies in the future. For the avoidance of doubt, this report has no direct implications for the UK, except that UK websites that are also intended for users/visitors in the EU may be considered as ’fair game’ by EU regulators.
The importance of checking on those you rely on to process data for you
In two recent decisions, the French data protection authority, the CNIL, has emphasised the importance of data controllers auditing their data processors.
Case 1: A company relied on a third-party to ensure for password security and only holding personal data of inactive users for an appropriate retention period. These obligations were reflected in specific contractual instructions and in its defence the company pointed to its data processor’s contractual responsibility. However, the CNIL pointed out that the company did not audit its contractor to ensure that the contractual instructions were being followed and concluded that this meant the company had failed to comply with its responsibilities under the GDPR.
The company was fined €250,000
Case2: A company relied on a third-party to collect the consent of data subjects for direct marketing, i.e., to send marketing messages by email. The third party was contractually obliged to comply with the GDPR and ePrivacy rules applicable when obtaining such consents (but failed to do so, with the result that individuals received marketing emails without having given their prior consent). The company acknowledged that it had no control over the consent collection forms used by the third party and that it did not carry out any audit. The CNIL considered that the measures implemented by the company to ensure that valid consent was collected were insufficient and constituted a breach of the company’s obligations under both the GDPR and the ePrivacy applicable rules.
The amount of the fine is unknown.
Comment:
Although these two cases are in France, the same rules apply in the UK and demonstrate that:
- although the GDPR provides for enforcement directly against data processors, data controllers remain liable for compliance failures by their data processors
- controllers using data processors should, as well as making sure those processors contractually commit to comply with the GDPR and ePrivacy rules, implement an audit process
The relevant ‘formula’ is: Contracts + audits = compliance
Further reading:
22nd February 2023 Threat Bulletin
Get norm.’s data protection bulletin direct to your inbox
norm. tracks and monitors the latest data protection developments and collates these into a monthly data protection bulletin.
You can receive this bulletin for free, every month, by entering your business email address below: