European regulators oppose cookie banners
In Europe, they concluded that the cookie banners do not meet the requirements of the GDPR. We discuss the background of the issue, share expert opinions and look at options for the development of the situation.
/ Flickr / Carsten Schertzer / CC BY / Photo changed
Article 30 of the EU General Data Protection Regulations states that the site is obliged to notify users about the installation of cookies, if they can be used to determine a person’s identity. Otherwise, the resource violates the requirements of the GDPR and it can write a large fine in accordance with the law.
')
It is believed that you can not get the consent of the user, if cookies are needed to save session data, play video and audio content, load balance on the site and the work of third-party plug-ins of social networks. However, the wording is rather blurred and it is not always clear when the user should be warned about the installation of cookies.
To avoid problems with GDPR, some site owners reinsured themselves and placed so-called cookie walls (cookie walls). These are banners that block access to content, until the user agrees to the processing of PD. However, in early March, a regulator in the Netherlands issued an order in which he called cookies walls illegal.
The decision was a response to numerous complaints from Europeans. Over the past year, APs have received a lot of demands from users to check the legitimacy of banners blocking access to content.
Representatives of the data protection agency in the Netherlands (AP) said that the cookie wall does not correspond to the GDPR. Cookie walls force users to accept data collection terms, which contradicts the requirements of the GDPR. By law, the permission of individuals to process personal information must be completely voluntary.
So far, no company has been punished for such practices. However, the AP warned that in the coming months they will actively check all user complaints. Therefore, site owners are likely to have to give up blocking banners.
Note that the decision of the Dutch regulator is not the first in Europe. Back in 2015 (when, instead of the GDPR , the ePrivacy directive was in force ), the Belgian data protection commission issued recommendations for site owners that prohibited the restriction of access to content without permission to set cookies.
The position of AP was supported by European lawyers who specialize in data protection. They note that the user must give consent voluntarily, and the company or the website is not entitled to exert any pressure on him.
Not all European regulators were on the same side. In November 2018, the cookie wall case was considered by the Austrian Data Protection Agency (RIS).
One of the local newspapers showed a banner with three options to visitors to the site. Users could agree to the installation of cookies and get full access to the page, refuse and open limited access or pay a subscription and get full access without installing cookies. In the RIS they considered that the banner does not violate the requirements of the regulations, and individuals provide consent to the processing of data voluntarily.
The AP decision was also not supported by the site owners themselves. In April, a complaint about the use of cookie wall was filed against the IAB Europe advertising association - there is only one button on its banner with the consent to set a cookie. Representatives of the organization noted that the regulation does not explicitly prohibit restricting access to the site, and criticized regulators for the lack of clear rules for working with cookies.
The IAB did not agree with the fact that their banner violated the right of users to access content. The developer of the ad blocker wrote a complaint against the organization, and therefore IAB considers the campaign against its website to be a manifestation of competition.
/ Flickr / k-state / cc by
Despite recent trials, in general, with the entry of GDPR into force, site owners have reduced the number of cookies on the pages. Experts from the University of Oxford analyzed data on cookies on sites from April to July 2018. On average, during this period, websites began to use 22% less cookies.
Until the end of 2019 in Europe will adopt a new law - ePrivacy Regulation , which aims to protect Internet users from spam and intrusive advertising. Cookies will be one of the main topics of the document. Since EU policies are against blocking cookies, it is likely that the new law will ban them.
Alternatives to sites can be the usual pop-up notifications for visitors to the pages. They do not restrict access to the content and provide an opportunity to obtain the consent of users. This option is supported by the citizens of the EU - about 53% of Europeans consider alerts rather encouraging than annoying.
/ Flickr / Carsten Schertzer / CC BY / Photo changed
Background question
Article 30 of the EU General Data Protection Regulations states that the site is obliged to notify users about the installation of cookies, if they can be used to determine a person’s identity. Otherwise, the resource violates the requirements of the GDPR and it can write a large fine in accordance with the law.
')
It is believed that you can not get the consent of the user, if cookies are needed to save session data, play video and audio content, load balance on the site and the work of third-party plug-ins of social networks. However, the wording is rather blurred and it is not always clear when the user should be warned about the installation of cookies.
To avoid problems with GDPR, some site owners reinsured themselves and placed so-called cookie walls (cookie walls). These are banners that block access to content, until the user agrees to the processing of PD. However, in early March, a regulator in the Netherlands issued an order in which he called cookies walls illegal.
What is the reason for this decision
The decision was a response to numerous complaints from Europeans. Over the past year, APs have received a lot of demands from users to check the legitimacy of banners blocking access to content.
Representatives of the data protection agency in the Netherlands (AP) said that the cookie wall does not correspond to the GDPR. Cookie walls force users to accept data collection terms, which contradicts the requirements of the GDPR. By law, the permission of individuals to process personal information must be completely voluntary.
So far, no company has been punished for such practices. However, the AP warned that in the coming months they will actively check all user complaints. Therefore, site owners are likely to have to give up blocking banners.
Note that the decision of the Dutch regulator is not the first in Europe. Back in 2015 (when, instead of the GDPR , the ePrivacy directive was in force ), the Belgian data protection commission issued recommendations for site owners that prohibited the restriction of access to content without permission to set cookies.
Opinions
The position of AP was supported by European lawyers who specialize in data protection. They note that the user must give consent voluntarily, and the company or the website is not entitled to exert any pressure on him.
“I note that for such activities at the start of the GDPR they blamed Facebook. The company added a dialog box to the application, the interface of which was criticized by many for pushing users to give their consent to processing PDs and continuing to work with the service, - commented Sergey Belkin, head of the IaaS development provider 1cloud . - Then the cost was only criticism. Perhaps the Dutch precedent will form a different attitude to such cases. "
Not all European regulators were on the same side. In November 2018, the cookie wall case was considered by the Austrian Data Protection Agency (RIS).
One of the local newspapers showed a banner with three options to visitors to the site. Users could agree to the installation of cookies and get full access to the page, refuse and open limited access or pay a subscription and get full access without installing cookies. In the RIS they considered that the banner does not violate the requirements of the regulations, and individuals provide consent to the processing of data voluntarily.
The AP decision was also not supported by the site owners themselves. In April, a complaint about the use of cookie wall was filed against the IAB Europe advertising association - there is only one button on its banner with the consent to set a cookie. Representatives of the organization noted that the regulation does not explicitly prohibit restricting access to the site, and criticized regulators for the lack of clear rules for working with cookies.
The IAB did not agree with the fact that their banner violated the right of users to access content. The developer of the ad blocker wrote a complaint against the organization, and therefore IAB considers the campaign against its website to be a manifestation of competition.
/ Flickr / k-state / cc by
What's next
Despite recent trials, in general, with the entry of GDPR into force, site owners have reduced the number of cookies on the pages. Experts from the University of Oxford analyzed data on cookies on sites from April to July 2018. On average, during this period, websites began to use 22% less cookies.
Until the end of 2019 in Europe will adopt a new law - ePrivacy Regulation , which aims to protect Internet users from spam and intrusive advertising. Cookies will be one of the main topics of the document. Since EU policies are against blocking cookies, it is likely that the new law will ban them.
Alternatives to sites can be the usual pop-up notifications for visitors to the pages. They do not restrict access to the content and provide an opportunity to obtain the consent of users. This option is supported by the citizens of the EU - about 53% of Europeans consider alerts rather encouraging than annoying.
Additional reading from our corporate blog:
Source: https://habr.com/ru/post/448024/
All Articles