How cookies should be presented on the web


Especially when visiting Estonian websites, it is often noticeable that the handling of cookies is not quite right. For example, it is common for a banner to appear on the home page stating that, by continuing, you have agreed to all the cookies the website uses.

After the General Data Protection Regulation entered into force, the prevailing view in practice was that declining cookies is the web user's own responsibility, to be handled through the settings of the browser on their device. Many websites are still built on that premise. Such an approach is not, however, in line with data protection law, and the following explains why.

A cookie is a small piece of text that a website you visit asks the browser on your device to store and to send back with every subsequent request to that website. Because the same cookie is returned on each visit, the website can recognise the browser and thus monitor a person's web behaviour.

Cookie technology makes it possible to store information that can be used to collect data about people's preferences and also to identify them. Because of this, cookies fall within the scope of data protection rules, whose main principle is that there must be a legal basis for processing personal data. The processing of personal data may be justified by a legal or contractual obligation, a legitimate interest, or the consent of the data subject.

The use of cookies is regulated by the ePrivacy Directive. Under this directive, the consent of the website user must always be sought if the page stores information on the user's device or accesses information previously stored there. Consent is not required, and information published on the website about its use of cookies is sufficient, only if the storing of or access to the information is strictly necessary for providing the service the user has requested.

The provision on the use of cookies has not been unambiguously transposed into Estonian law, which is why the legal-basis logic of the General Data Protection Regulation has been followed so far. Under that logic, the user's consent was not considered necessary if the use of cookies did not lead to the identification of people, i.e. did not amount to the processing of personal data; it was considered sufficient for the website to carry information about its use of cookies.

Whether the use of a cookie requires the person's consent depends on the type of cookie. Cookies are generally divided into groups according to three characteristics:

1) By duration:

a. session cookies, i.e. temporary cookies that expire as soon as the web session ends (the user closes the website or the web browser);

b. persistent cookies, a category covering all cookies, created for various purposes, that remain on the device until they are deleted by the user or by the browser once the cookie's expiry date is reached.

2) By origin:

a. first-party cookies, which are set by the website you are visiting;

b. third-party cookies, which are set by a domain other than the website you are visiting, typically by service providers embedded in the page or by other websites the user has visited.

3) By purpose:

a. functional cookies, which are essential for the proper functioning of the website, allowing it to be browsed and secure parts of the page to be accessed. For example, thanks to such cookies the products added to a shopping cart in an online store are not lost while the user continues browsing the store;

b. preference cookies, which allow the website to "remember" a user's previous choices, such as user IDs, language preferences or address information entered in a previous session;

c. statistical cookies, which collect analytical data about website visits, such as the number of users in a given period, which pages users browsed and which links they clicked. Statistical cookies help the website operator evaluate the user experience;

d. advertising or marketing cookies, which monitor a user's online behaviour in order to profile the person's consumption habits and interests and to serve personalised ads according to their preferences.

So on the one hand, cookies can be good assistants, giving us a smoother and more convenient online experience. On the other hand, the information collected through advertising cookies about individuals' preferences and habits allows intrusive monitoring of online behaviour and undermines privacy. Under the ePrivacy Directive, however, the cookies that require consent are all cookies that are not strictly necessary for the operation of the website, including analytical and statistical cookies, whose main purpose is to give the website administrator information about website traffic.

The attentive internet user has certainly noticed that many websites have made progress in informing users about cookies and asking for their consent. A banner appears on the home page that lets the user choose, separately for each type of cookie (statistical, preference or marketing), which cookies may be stored on their device. This more transparent use of cookies is a direct result of the October 2019 judgment of the Court of Justice of the European Union in the Planet49 case. The judgment was significant because it gave the first authoritative interpretation that consent under the ePrivacy Directive must also meet the conditions for consent set out in the General Data Protection Regulation. According to the judgment, checkboxes pre-ticked by the webmaster for cookies that require the user's prior consent are not lawful, because the user's consent to the use of cookies is valid only if it is given freely and by an affirmative action. Consent can therefore not be presumed: it must be given through the person's own action on the same website that uses the cookies.

The judgment also clarifies that consent must be specific and that the user must understand the function of the cookie they are consenting to. Consequently, separate consent must be sought for each purpose. In practice this means that a single consent cannot be used to force the user to accept both analytical and advertising cookies: the user must be able to accept some cookies and decline others.

The user's consent is valid only if it is given on an informed basis. Before asking for consent, the webmaster must allow the user to read information explaining how the cookies work, their effect on the user and how long they remain valid. In particular, the judgment stresses that the user must be told whether third parties have access to the information collected through the cookies.

Following the Planet49 ruling, the European Data Protection Board has also clarified its guidelines on valid consent. According to the guidelines, consent to cookies cannot be regarded as freely given if access to services and functions is made conditional on the user agreeing to the storing of information on, or access to information already stored on, their device (so-called cookie walls). This means that the website must not make the visit conditional on the user clicking a button to accept all cookies; in such a case the user has no genuine choice whether to accept cookies or not.
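As an added illustration (not part of the original text and not code from any particular website or consent tool), the following Node.js snippet models the rules above on the server side, and also the duration classification from the list earlier: the consent state starts with every optional category unchecked, only an explicit choice counts as consent, strictly necessary cookies are always served so the visit never depends on an "accept all" click, and each permitted cookie is emitted as a Set-Cookie header whose Max-Age attribute distinguishes persistent cookies from session cookies. The cookie names, values, categories and lifetimes in the registry are hypothetical.

```javascript
// Added example: server-side consent gate for cookies (hypothetical names and lifetimes).
// Cookie registry: which cookies the site sets, their purpose category and lifetime.
// maxAgeSeconds null = session cookie (no Max-Age, dropped when the browser closes);
// a number = persistent cookie that stays until that many seconds have elapsed.
const COOKIE_REGISTRY = [
  { name: "cart",   category: "necessary",   value: "c9f2a1", maxAgeSeconds: null },
  { name: "lang",   category: "preference",  value: "et",     maxAgeSeconds: 365 * 86400 },
  { name: "_stats", category: "statistical", value: "v1",     maxAgeSeconds: 30 * 86400 },
  { name: "_ads",   category: "marketing",   value: "seg42",  maxAgeSeconds: 90 * 86400 },
];

// Only these categories can be switched on by the user; "necessary" needs no consent.
const CONSENT_CATEGORIES = ["preference", "statistical", "marketing"];

// Initial banner state: every optional category off (no pre-ticked boxes).
function defaultConsent() {
  return Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, false]));
}

// Turn the user's banner choices into a consent record.
// Only an explicit boolean true counts; a missing key, null, the string "true" or a
// closed banner stays false, so consent is never inferred from silence or defaults.
// Unknown keys are ignored, so a client cannot grant a category the banner never offered.
function recordConsent(choices, now = Date.now()) {
  const granted = defaultConsent();
  for (const category of CONSENT_CATEGORIES) {
    if (choices !== null && typeof choices === "object" && choices[category] === true) {
      granted[category] = true;
    }
  }
  return { granted, recordedAt: now };
}

// Render one registry entry as a Set-Cookie header value with defensive attributes.
function buildSetCookie(cookie) {
  const attrs = [`${cookie.name}=${cookie.value}`, "Path=/", "Secure", "HttpOnly", "SameSite=Lax"];
  if (cookie.maxAgeSeconds !== null) attrs.push(`Max-Age=${cookie.maxAgeSeconds}`);
  return attrs.join("; ");
}

// Registry entries that may be set for this visitor. With no consent record at all
// (first visit, banner ignored or closed) only strictly necessary cookies are served,
// so the page keeps working without an "accept all" click (no cookie wall).
function permittedCookies(consentRecord) {
  const granted = consentRecord ? consentRecord.granted : defaultConsent();
  return COOKIE_REGISTRY.filter(
    (c) => c.category === "necessary" || granted[c.category] === true,
  );
}

// Set-Cookie header values to attach to the response.
function setCookieHeaders(consentRecord) {
  return permittedCookies(consentRecord).map(buildSetCookie);
}

// Convenience view for logging or tests: just the names that will be set.
function permittedCookieNames(consentRecord) {
  return permittedCookies(consentRecord).map((c) => c.name);
}

// Stand-alone demo when run directly with `node consent-gate.js`.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("no consent yet:", setCookieHeaders(null));
  console.log("statistics only:", setCookieHeaders(recordConsent({ statistical: true })));
}
```

With no consent record the response carries only the `cart` session cookie; after the user ticks "statistical" the `_stats` cookie is added with a 30-day Max-Age, while `lang` and `_ads` stay unset until their own categories are explicitly enabled.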

Although this landmark judgment was delivered several years ago, websites where consent to the use of cookies is not properly sought are unfortunately still encountered. To avoid breaching data protection law, it must be borne in mind that the user's consent can be dispensed with only for the strictly necessary functional cookies. All other cookies must be approved separately by the website user!