April 14, 2019 at 12:33European regulators oppose cookie banners
In Europe, it has been concluded that cookie banners do not comply with the GDPR. We discuss the background of the issue, share the views of experts and look at options for the development of the situation. / Flickr / Carsten Schertzer / CC BY / Photo changed
In the 30 article of the General on the protection of EU data rules it says that the site is obliged to notify users about the installation, the cookies have, if they can be used to determine a person's identity. Otherwise, the resource violates the requirements of the GDPR and may be charged a large fine in accordance with the law.
It is believed that you can not get user consent if cookies are needed to save session data, play video and audio content, balance load on the site and the work of third-party social network plugins. However, the wording is rather vague and it is not always clear when to warn the user about setting cookies.
To avoid problems with GDPR, some website owners have been reinsured and placed so-called cookie-walls (cookie walls). These are banners that block access to content until the user agrees to the processing of the PD. However, in early March, a regulator in the Netherlands issued a decree calling the walls of cookies illegal.
The decision was a response to the numerous complaints of Europeans. Over the past year, the AP received a lot of demands from users to verify the legitimacy of banners blocking access to content.
Representatives of the Netherlands Data Protection Agency (AP) said the cookie walls are not GDPR compliant. Cookie walls force users to agree to the terms of data collection, which is contrary to the requirements of the GDPR. By law, the permission of individuals to process personal information must be completely voluntary.
So far no company has been punished for such practices. However, the AP warned that in the coming months they will actively check all user complaints. Therefore, site owners will likely have to abandon blocking banners.
Note that the decision of the Dutch regulator is not the first in Europe. Back in 2015 (when the ePrivacy directive was in place of the GDPR ), the Belgian Data Protection Commission issued recommendations for website owners, which forbade restricting access to content without permission to set cookies.
The position of AP was supported by European lawyers who specialize in data protection. They note that the user must give his consent voluntarily, and the company or site does not have the right to exert any pressure on him.
Not all European regulators are on the same side. In November 2018, the Austrian Data Protection Agency (RIS) examined the cookie wall case .
One of the local newspapers showed the site visitors a banner with three options. Users could agree to set cookies and get full access to the page, refuse and open limited access or pay for a subscription and get full access without setting cookies. The RIS considered that the banner does not violate the requirements of the regulation, and private individuals provide consent to the processing of data voluntarily.
The AP solution was also not supported by the site owners themselves. In April, a complaint for using the cookie wall was filedagainst the advertising association IAB Europe - on its banner there is only one button with the consent to set cookies. Representatives of the organization noted that the regulation does not explicitly prohibit restricting access to the site, and criticized the regulators for the lack of clear rules for working with cookies.
The IAB also did not agree with the fact that their banner violates the right of users to access content. The organization’s ad blocker wrote a complaint about the organization, and therefore the IAB considers the campaign against its site a manifestation of competition.
/ Flickr / K-State / CC BY
Despite recent proceedings, in general, with the entry into force of the GDPR, site owners have reduced the number of cookies on the pages. Oxford University experts analyzed cookie data on websites from April to July 2018. On average, during this period, sites began to use 22% less cookies.
Until the end of 2019, a new law will be adopted in Europe - the ePrivacy Regulation , whose goal is to protect Internet users from spam and intrusive advertising. One of the main topics of the document will be cookies. Since EU policies are against blocking cookies, it is likely that the new law will ban them.
An alternative to sites may be regular pop-up notifications for page visitors. They do not restrict access to content and provide an opportunity to obtain user consent. EU citizens also support this option - about 53% of Europeans consider alerts to be more encouraging than annoying.
Background
In the 30 article of the General on the protection of EU data rules it says that the site is obliged to notify users about the installation, the cookies have, if they can be used to determine a person's identity. Otherwise, the resource violates the requirements of the GDPR and may be charged a large fine in accordance with the law.
It is believed that you can not get user consent if cookies are needed to save session data, play video and audio content, balance load on the site and the work of third-party social network plugins. However, the wording is rather vague and it is not always clear when to warn the user about setting cookies.
To avoid problems with GDPR, some website owners have been reinsured and placed so-called cookie-walls (cookie walls). These are banners that block access to content until the user agrees to the processing of the PD. However, in early March, a regulator in the Netherlands issued a decree calling the walls of cookies illegal.
What is the reason for this decision
The decision was a response to the numerous complaints of Europeans. Over the past year, the AP received a lot of demands from users to verify the legitimacy of banners blocking access to content.
Representatives of the Netherlands Data Protection Agency (AP) said the cookie walls are not GDPR compliant. Cookie walls force users to agree to the terms of data collection, which is contrary to the requirements of the GDPR. By law, the permission of individuals to process personal information must be completely voluntary.
So far no company has been punished for such practices. However, the AP warned that in the coming months they will actively check all user complaints. Therefore, site owners will likely have to abandon blocking banners.
Note that the decision of the Dutch regulator is not the first in Europe. Back in 2015 (when the ePrivacy directive was in place of the GDPR ), the Belgian Data Protection Commission issued recommendations for website owners, which forbade restricting access to content without permission to set cookies.
Opinions
The position of AP was supported by European lawyers who specialize in data protection. They note that the user must give his consent voluntarily, and the company or site does not have the right to exert any pressure on him.
“I note that Facebook was reproached for such activities at the start of the GDPR. The company added a dialog box to the application, the interface of which many criticized for unnecessarily pushing users to agree to process the data and continue to work with the service, ”commented Sergey Belkin, head of development department of IaaS provider 1cloud . - Then there was only criticism. Perhaps the Dutch precedent will form a different attitude to such cases. "
Not all European regulators are on the same side. In November 2018, the Austrian Data Protection Agency (RIS) examined the cookie wall case .
One of the local newspapers showed the site visitors a banner with three options. Users could agree to set cookies and get full access to the page, refuse and open limited access or pay for a subscription and get full access without setting cookies. The RIS considered that the banner does not violate the requirements of the regulation, and private individuals provide consent to the processing of data voluntarily.
The AP solution was also not supported by the site owners themselves. In April, a complaint for using the cookie wall was filedagainst the advertising association IAB Europe - on its banner there is only one button with the consent to set cookies. Representatives of the organization noted that the regulation does not explicitly prohibit restricting access to the site, and criticized the regulators for the lack of clear rules for working with cookies.
The IAB also did not agree with the fact that their banner violates the right of users to access content. The organization’s ad blocker wrote a complaint about the organization, and therefore the IAB considers the campaign against its site a manifestation of competition.
/ Flickr / K-State / CC BY
What's next
Despite recent proceedings, in general, with the entry into force of the GDPR, site owners have reduced the number of cookies on the pages. Oxford University experts analyzed cookie data on websites from April to July 2018. On average, during this period, sites began to use 22% less cookies.
Until the end of 2019, a new law will be adopted in Europe - the ePrivacy Regulation , whose goal is to protect Internet users from spam and intrusive advertising. One of the main topics of the document will be cookies. Since EU policies are against blocking cookies, it is likely that the new law will ban them.
An alternative to sites may be regular pop-up notifications for page visitors. They do not restrict access to content and provide an opportunity to obtain user consent. EU citizens also support this option - about 53% of Europeans consider alerts to be more encouraging than annoying.