Are your cookies ok?

Nikola Megne


This time we are not talking about the delicious pastry, but rather the tiny files that keep your webpage running smoothly. On February 16 the Latvian Data State Inspectorate (DSI) published a report on its findings regarding compliance in the use of cookies on the websites of the largest e-commerce businesses in Latvia. The DSI had reviewed 29 web pages belonging to 26 of the largest e-commerce businesses and had found issues in all of them.

The report once again reminds us that cookies are personal data and that in a digital world it is important to implement them in a manner that complies with the privacy requirements. The main issue the DSI states in this report is non-compliance with the requirements for obtaining consent, which is mandatory. Here is the rundown of the findings:

• consent is obtained passively, i.e., “If you continue to use this website, you consent to cookies” – this goes against the principles of the General Data Protection Regulation (GDPR), as consent is defined as an active expression of one’s wishes;
• there is no option to decline cookies, i.e., there is no choice between “accept cookies” and “reject cookies”, only “accept cookies” – meaning the data subject is stripped of their right to choose;
• cookies are implemented before the data subject has given consent, resulting in processing data without the data subject’s consent, which goes against the GDPR;
• the wording encourages the data subject to accept the cookies – consent should be given freely, without being influenced;
• there is no option to choose which cookies to allow – the data subject should be able to allow one kind of cookies but refuse another, if the purposes of these cookies differ (for example, tracking and analytical cookies are vastly different, and a data subject should not have to allow both, but may choose to);
• the withdrawal of consent is tied to the settings of the browser and is not easily done – the GDPR states expressis verbis that withdrawing consent should be as easy as giving consent;
• pre-ticked boxes for analytical or marketing cookies are also a violation, as the data subject themself has not given active consent by checking these boxes;
• there is no cookie banner altogether – this is a cluster of issues because it removes the possibility to consent to cookies and ignores the data subject’s right to be informed about the data processing.

Additionally, the DSI notes that there are some issues with providing information about the cookies to the data subject. Namely, the cookie banners do not contain the necessary initial information and the cookie policies are lacking in some respects as well; for example, no expiration times for the cookies are listed or the functions of the cookies are not explained well.

However, most of these issues can be resolved rather easily and do not require fundamental changes to either the cookie settings or the cookie policies, provided that at least some regard has been given to the rights of the data subject.

So, we ask again – are your cookies ok? If you have any doubts, it’s always a good idea to have a professional third party review your existing cookie settings and respective policies. Ideally, this should be done on a regular basis, as the world of data protection is fluid and requirements are ever-changing.

Feel free to contact us, and we would be happy to assist you in the evaluation of your cookies – both the electronic and the pastry kind.

[1] You can find the DSI’s report in Latvian here: DSI report.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.