Summary of the guidance of Autoriteit Persoonsgegevens

Summary of the guidance of Autoriteit Persoonsgegevens

The Dutch DPA has recently published their long-awaited guidance on tracking cookies and the related data processing. The topic is quite confusing because there are two laws involved – GDPR and ePrivacy directive – so it is good to finally have this clarification from the Autoriteit Persoonsgegevens.

What are the key takeaways?

1. Data protection authority will work closely with the Consumer protection authority on cookie supervision

In the Netherlands, the Autoriteit Persoonsgegevens supervises only personal data processing that results from the use of (tracking) cookies; Autoriteit Consument & Markt is another authority that will be involved.

This is because there are two laws that apply to cookies. One of them, the ePrivacy Directive (and the local versions of this law in every EU country), protects the right to privacy and confidentiality in the context of electronic communications. Another law is the GDPR and it applies when personal data processing takes place. These two laws are closely connected: the GDPR is a general set of data protection rules, whereas the ePrivacy applies to some specific things like the use of cookies or email marketing. The ePrivacy prevails over the GDPR in those aspects, everything not mentioned in the ePrivacy is regulated by the GDPR.

According to the ePrivacy directive, one can get access to a device (example: drop a cookie) or retrieve the information from a device (example: read the information stored in a cookie) only if that user gives her or his freely given, informed, specific and unambiguous consent.

The only consent exception is made for technically necessary cookies, which are crucial for the work of the website or for the provision of services the user is after. Shopping basket could be an example of such exception; everything else requires consent.

However, local implementations of the ePrivacy directive may allow for additional exceptions and the Netherlands is one of the countries that has that second consent exception: according to the Dutch Telecommunicatiewet, technologies that are (a) used to collect information on the quality and effectiveness of a requested service; and (b) have little or no effect on the privacy of the user of the service, do not require consent.

So in the Netherlands, the local Consumer protection authority (Autoriteit Consument & Markt) supervises the use of cookies in general. However, the Data protection authority (Autoriteit Persoonsgegevens) will step in when personal data are processed as a result of the use of cookies.

It is also important to keep in mind that the rules of Autoriteit Consument & Markt apply to foreign sites that focus on Dutch visitors.

2. Legal grounds for processing data via cookies

All of the above results in the following summary of the legal ground of data processing:

  1. Functional cookies (necessary for the work of the website or for the provision of the service the user requested) require no consent. The use of functional cookies falls under the ePrivacy directive (Telecommunicatiewet in the Netherlands), so it is not covered by the GDPR.
  2. Analytical cookies (can be used to analyse the performance of a site and cannot foreseeably be used to treat people differently on the Internet) can be processed based on legitimate interest under GDPR, do not require consent in the Netherlands. But do check your local legislation, this can be different for other countries.
  3. Tracking cookies (used to distinguish one device/person from another and treat people differently on the basis of their Internet behaviour) require consent under both GDPR and ePrivacy, no other legal basis for this data processing operation is applicable.

AP makes it very clear that tracking cookies cannot be considered functional because they are not necessary for providing the service.

3. Autoriteit Persoonsgegevens gave some insight on tracking cookies

Key questions are:

  • Can the information collected via cookies be used to monitor the behavior of a specific person or device across different sites over time?
  • Can the information collected via cookies be used to treat people differently on the basis of their Internet behavior? (Showing different ads seems to be sufficient enough for the AP in this regard).

If the answer to these questions is yes, the website is tracking or participates in tracking their visitors.

4. Freely given, informed, specific, unambiguous consent given via an affirmative action is the only legal basis for tracking site visitors

This means that visitors should always be given an opportunity to reject tracking cookies.

Visitors also should be presented with sufficient information before they accept tracking cookies:

  • The types of personal data collected and processed with the help of those cookies (example: visited web pages, IP addresses, cookie content, referrer URL, etc);
  • Exact purpose(s) of such data processing;
  • The names and categories of companies that collect data via tracking cookies (it is recommended to include cookie names and information about the purpose of each cookie);
  • The storage period (lifetimes of tracking cookies should be checked and there should be an assessment of whether the retention period is necessary for the purpose of that data processing);
  • Any other information necessary to give visitors a good overview of what they are consenting to and support the principle of fairness of data processing.

Needless to say that all other principles of data processing under GDPR apply. For example, all data collected via tracking cookies needs to be kept secure.

Websites also have to keep a record of visitor’s consent and the conditions under which consent was given.

5. The following examples are used to demonstrate bad data processing practices associated with the use of tracking cookies

  • Dropping tracking cookies on devices before the visitor makes choice;
  • Not offering an opportunity to say “no” to tracking cookies;
  • Assuming consent if the visitor simply continues to use the website without pressing the “OK” button;
  • Pre-selecting all cookies in the consent dialog (enabling all tracking cookies by default);
  • Restricting access to the website unless the visitor accepts tracking cookies;
  • Dropping cookies with a lifetime of longer than 6 months;
  • Giving visitors non-specific purposes such as “Improving our service”;
  • Assuming that GDPR is not applicable to data processing because no emails, names or addresses are being collected;
  • Pointing visitors to “Terms and Conditions” or “Privacy notice” instead of giving specific information about cookies;
  • Audience measurement that combines analytical services with profiling of website visitors without their consent.

6. AP gives some compliance tips

  • Make your Google Analytics privacy-friendly  (they also explain how to do that);
  • However, Autoriteit Persoonsgegevens stresses that combining Google Analytics with the advertising cookies of Google DoubleClick, AdWords or AdSense services is considered tracking. This is because in this case Google matches the data coming from those analytical cookies with the advertising data. So legitimate interest cannot be claimed for such data processing, websites have to ask for consent.

7. Sensitive data processing

Autoriteit Persoonsgegevens also mentions that the use of tracking cookies can result in the processing of sensitive information about people’s browsing behaviour, which increases the risks associated with such data processing. According to the GDPR, processing of special categories of data (health or sex life, for example) is forbidden unless a very small number of exceptions apply, one of which is explicit consent. The conditions for explicit consent are even stricter than those of the “usual” consent; so this needs to be taken into consideration when assessing the risks of data processing via tracking cookies.

8. AP encourages the general audience to ask both website owners and their advertising partners for the information about tracking cookies.

Complaints can be lodged at both Autoriteit Consument & Markt and Autoriteit Persoonsgegevens depending on the subject of such compliant: the use of personal data is supervised by the Autoriteit Persoonsgegevens, everything else should be addressed by the Autoriteit Consument & Markt.