
Direct marketing, cookies, apps: what are the rules in Europe?



In recent months, several fines have been issued against organisations for unlawful cookie practices and for breaches of the GDPR and of the electronic communications rules.
For instance, the French data protection authority ('CNIL') fined Carrefour Banque €800,000 for two failures under the GDPR: not providing adequate and complete information on its website in accordance with Article 13 of the GDPR (right to be informed), and placing cookies on users' devices as soon as they accessed the website, without first obtaining the users' consent.
The Spanish data protection authority ('AEPD') fined Miguel Ibanez Bezanilla SL €3,000 for unlawful cookie practices and a lack of security measures. In particular, following an individual complaint, the AEPD found that the website does not present a first layer or banner providing information on cookies, and that the 'privacy notice' of the website only presents generic information on cookies, with no indication of the retention period, of third-party cookies, or of the possibility of rejecting all cookies.
The AEPD also fined Iberia, Líneas Aéreas de España, S.A. €30,000 for failing to provide users with the option to reject cookies: users were instead required to accept cookies if they wanted to continue browsing.


What are the 'rules' about cookies in Europe?

When placing cookies through their websites, organisations must comply with the following legislation:

  • Regulation (EU) 2016/679 (GDPR), e.g. Recital 47 and Articles 5 (principles), 15 (right of access), 13 and 14 (information notice), 22 (automated decision-making), 25 (data protection by design and by default), 6, 7 and 8 (lawful basis) and 9 (special categories of data)
  • Directive 2002/58/EC as amended by Directive 2009/136/EC
  • The law applicable in the country where the data controller is established or, for non-EU controllers, the national law of the country where the cookies and apps are installed.

Case law: C-673/17 - The Court of Justice of the European Union ('CJEU') issued, on 1 October 2019, its decision in Planet49 GmbH v. Bundesverband der Verbraucherzentralen. In particular, the decision concluded that consent is not validly given when the storage of information, or access to information already stored, in the terminal equipment of a website user is authorised by means of a pre-ticked checkbox that the user must deselect in order to refuse. Therefore, in order to install cookies, the user's 'active' consent is necessary.


What are the best practices in Europe?

  • The CNIL Recommendations published on 21 January 2020: very clear, user friendly and 'business oriented'.

- layered information notices combined with meaningful icons;
- granular consent requests;
- separate consent for access to geolocation data;
- no behavioural advertising or profiling with children's data;
- the user's right to uninstall the apps;
- no distribution of apps in stores without a privacy policy.

The laws currently regulating cookies are the e-Privacy Directive and the GDPR.
The e-Privacy Directive states that the storing of information in the terminal equipment of a subscriber or user "is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information". It requires the user's consent, which must meet the GDPR requirements for consent.
GDPR: Recital 30 refers to cookies and similar technologies that may be used to create profiles of natural persons and identify them. Recital 24 refers to cookies in relation to monitoring activities.

Therefore, consent can be collected through banners that provide a clear information notice (link). The banner must clearly state that cookies may be installed while using the website, or that personal data may be collected for marketing purposes.
Important: the cookie rules do not require data controllers to keep a specific log of cookie consent; however, data controllers must be able to prove that consent was correctly provided. Therefore, data controllers must implement mechanisms that stop the automatic installation of cookies until the users have given their consent.
N.B. In the case of technical cookies, consent is not necessary.
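One way to implement the gating mechanism described above in a site's own front-end code (an added example, not code from the original post or from any authority's guidance): only strictly necessary cookies are written before the user decides, no category is pre-ticked, "reject all" is as easy as "accept all", and each decision is recorded with a timestamp so the controller can demonstrate what was consented to and when. The category names, the record shape and the policy-version string are illustrative assumptions.

```javascript
// Added example, not code from the original post: a minimal consent gate for a
// site's own scripts. Only strictly necessary ("technical") cookies are written
// before the user decides, no category is pre-ticked, "reject all" is as easy as
// "accept all", and every decision is logged with a timestamp. Category names,
// the log shape and the policy-version string are illustrative assumptions.

const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate(now = () => new Date().toISOString()) {
  // Nothing pre-ticked: every non-necessary category starts as "not granted".
  let granted = { necessary: true, analytics: false, marketing: false };
  let decided = false;
  const log = [];        // consent evidence: { at, policyVersion, choices }
  const jar = new Map(); // stands in for document.cookie: name -> { value, category }
  let queued = [];       // non-necessary setters held back until the user decides

  function canSet(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return category === "necessary" || (decided && granted[category] === true);
  }

  // Returns true if the cookie was written now; false if refused (and queued
  // for replay when no decision has been made yet).
  function setCookie(name, value, category) {
    if (canSet(category)) { jar.set(name, { value, category }); return true; }
    if (!decided) queued.push({ name, value, category });
    return false;
  }

  // Record an explicit choice, delete cookies whose category was withdrawn,
  // replay queued setters that are now permitted and drop the rest.
  // Returns the number of queued cookies that were written.
  function decide(choices, policyVersion) {
    Object.keys(choices).forEach((c) => canSet(c)); // rejects unknown categories
    granted = { ...granted, ...choices, necessary: true };
    decided = true;
    log.push({ at: now(), policyVersion, choices: { ...granted } });
    for (const [name, c] of jar) if (!granted[c.category]) jar.delete(name);
    const written = queued.filter((q) => setCookie(q.name, q.value, q.category)).length;
    queued = [];
    return written;
  }
  const acceptAll = (v) => decide({ analytics: true, marketing: true }, v);
  const rejectAll = (v) => decide({ analytics: false, marketing: false }, v);
  const cookies = () => Object.fromEntries([...jar].map(([n, c]) => [n, c.value]));

  return { canSet, setCookie, decide, acceptAll, rejectAll, cookies, record: () => log.slice() };
}
```

In a real page the jar would be `document.cookie` and third-party tags would be loaded only after `canSet()` returns true for their category; the record array is the evidence the controller keeps to prove consent.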
