Cookie Pledge: a new approach to cookie consent management

On December 13, 2023, the European Data Protection Board (EDPB) published a letter of response to the Cookie Pledge, a voluntary initiative of the European Commission that proposed a system allowing enterprises to intervene and manage cookies directly, so as to lighten the mechanism for requesting users' consent to data processing.

The current consent mechanisms are weighed down by long and sometimes excessively technical descriptions, which risk frustrating the user's choice, a phenomenon also known as “cookie fatigue”.

The goal of the Cookie Pledge and its assessment

The main goal pursued by the Commission is to guarantee that users can protect their rights and fundamental freedoms while making effective choices about cookie consent.

In its assessment of the initiative, the EDPB specified that it had not verified whether all the requirements for obtaining valid consent under art. 4(11)(7) GDPR were met, and limited itself to highlighting the most relevant ones.

In particular, it highlighted that:

  1. Data subjects' consent must consist of a positive action. Simply navigating a website, or using general browser settings that allow cookies, is not sufficient.
  2. When consent is requested, accessing or storing information on terminal devices is not permitted before valid consent has been obtained.
  3. Users must be informed that they can withdraw their consent easily and at any time.

The principles of the Cookie Pledge

In the proposal, the Commission set out some fundamental principles aimed at establishing common rules for the use of cookies and at preventing the cookie fatigue mentioned above.

  • Principle A: consent is not necessary for so-called essential cookies, that is, cookies strictly necessary for the website to function, nor for data processed on the basis of legitimate interest.
  • Principle B: users must be informed when the owner of the website or app they access receives compensation for advertisements, exposing users to the tracking of their habits.
  • Principle C: users must be informed about the business models they can choose from and about the consequences of accepting or refusing trackers.
  • Principle D: it must always be possible to choose a less privacy-invasive form of advertising.
  • Principle E: consent to cookies for advertising purposes should not be requested for each individual tracker. Moreover, users must always be able to obtain further information about the types of cookies used for advertising purposes and to make a targeted selection of the cookies they wish to accept.
  • Principle F: if the purpose of the cookies is the same, only a single consent must be requested.
  • Principle G: the option to accept cookies may be presented again to a user who refused them only one year after their refusal. This period is considered appropriate in the abstract to protect the choice not to be subjected to cookies. Moreover, the EDPB specified that the data collected to record the lack of consent must not uniquely identify the individual, but must contain generic information common to all those who refused consent.
  • Principle H: users may use applications that record an individual's cookie preferences in advance. Even if the user has set a default consent, this does not in itself constitute valid consent.

Conclusions

These are only the most important principles. As the EDPB explained many times in its letter of response to the European Commission, compliance with the above-mentioned principles is necessary but not sufficient for an activity to be considered compliant with the GDPR or the ePrivacy Directive. A constant case-by-case analysis of the activity carried out is needed.

 

Elena Bandinelli