How cookies should be presented on the web
Especially when visiting Estonian websites, it is often noticeable that the handling of cookies is not quite correct. For example, it is common for a banner to appear on the homepage of a website with the message that you have agreed to all the cookies used on the website.
After the adoption of the General Data Protection Regulation, a perception arose in practice that refusing cookies must be taken care of by web users themselves, by choosing the appropriate settings in the web browser on their device. Even today, many websites are built on such a premise. However, such an approach is not in line with data protection law, and the following explains why.
A cookie is a text file generated by a website you visit, which the website stores in the browser of the device you are using, and which is thus able to monitor a person's web behaviour.
Whether or not the use of a cookie requires a person's consent depends on the type of cookie. Cookies are generally divided into three groups according to their main characteristics:
1) By duration:
a. session cookies, i.e. temporary cookies that expire immediately when the web session ends (the user closes the website or web browser);
b. persistent cookies, a category that includes all cookies generated for different purposes that remain on your hard drive until deleted by the user or browser, depending on the cookie's expiration date.
2) By origin:
a. first-party cookies, which are cookies sourced from a website you visit;
b. third-party cookies that originate from website service providers or other websites that the user has visited.
3) By purpose:
a. functional cookies, which are essential for the proper functioning of the website, allowing the website to be browsed and secure parts of the page to be accessed. For example, thanks to such cookies, products added to the shopping cart of an online store are not deleted while the user continues browsing the store;
b. preference cookies, which allow the website to "remember" a user's previous choices, such as user IDs, language preferences, or address information entered in a previous session;
c. statistical cookies, which collect analytical data about website visits, such as the number of users in a given time period, which pages users have browsed, and which links they have clicked on. Statistical cookies help the website to evaluate the user experience;
d. advertising or marketing cookies that monitor a user's online behaviour in order to survey a person's consumption habits and interests in order to provide them with personalized ads according to their preferences.
So on the one hand, cookies can be good assistants to allow us to have a smoother and more convenient online experience. On the other hand, information collected through advertising cookies about individuals' preferences and habits allows for intrusive monitoring of online behaviour and undermines privacy. However, according to the requirements of the ePrivacy Directive, cookies that require consent include all cookies that are not directly necessary for the operation of the website, including analytical and statistical cookies, the main purpose of which is to provide input to the website administrator about website traffic.
Inter alia, the judgment clarifies that consent must be specific and that the user must understand the function of the cookie to which he or she consents. Consequently, a separate consent must be sought for each cookie with a different purpose. In practice, this means that the user cannot be forced to accept both analytical and advertising cookies by a single consent. The user must have the option to accept some cookies and disable others.
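The following sketch, an added example that is not part of the original article, classifies a Set-Cookie header along the three axes listed above and stores a cookie only if the user has opted in to that cookie's specific purpose. The cookie names, the hosts, the purpose catalogue and the host comparison used for "origin" are assumptions made for illustration.

```javascript
// Added example: cookie names, hosts and the purpose catalogue are constructed.
const CATALOGUE = new Map([   // purpose of each cookie, maintained by the site
  ["cart_id", "functional"],
  ["lang", "preference"],
  ["_stats", "statistical"],
  ["ad_profile", "marketing"],
]);

// Split a Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const parsed = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    parsed.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return parsed;
}

// Classify along the three axes: duration, origin and purpose.
// Assumption: origin is decided by comparing the host that sets the cookie
// with the host of the visited site (subdomains count as first-party).
function classify(header, visitedHost, settingHost) {
  const { name, attrs } = parseSetCookie(header);
  const persistent = "max-age" in attrs || "expires" in attrs;
  const firstParty = settingHost === visitedHost ||
    settingHost.endsWith("." + visitedHost);
  return {
    name,
    duration: persistent ? "persistent" : "session",
    origin: firstParty ? "first-party" : "third-party",
    purpose: CATALOGUE.get(name) ?? "unknown",
  };
}

// Only functional cookies are stored without consent. Every other purpose
// needs its own explicit opt-in, and uncatalogued cookies are never stored.
function mayStore(info, consent) {
  if (info.purpose === "functional") return true;
  if (info.purpose === "unknown") return false;
  return consent[info.purpose] === true;
}

// A user who accepted statistics but not marketing (constructed choice).
const userConsent = { statistical: true, marketing: false };
const ad = classify("ad_profile=u77; Max-Age=31536000", "shop.example", "ads.example");
console.log(ad, mayStore(ad, userConsent)); // the marketing cookie is refused
```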
The user's consent can only be valid if it has been given consciously. Before asking for consent, the webmaster is obliged to allow the user to read the information that explains how the cookies work, their effect on the user and the validity of the cookies. In particular, the judgment emphasizes that the user must be informed whether third parties have access to the information collected through cookies.
Following the ruling in the Planet49 case, the European Data Protection Board has also clarified its guidelines on appropriate consent. Pursuant to the guidelines, consent to cookies cannot be considered voluntarily given if access to services and functions is made conditional on the user agreeing to the storage of information or allowing access to information already stored on his or her device (so-called cookie walls). This means that the website must not make the visit conditional on the user clicking the button to accept all cookies. In such a case the user does not have a free choice whether to accept cookies or not.