If your company has a website, there is a significant chance it has cookies. Even purely informative websites (ones without a webshop, for example) often have cookies: to keep track of the visitor's language preferences, collect statistics about the way visitors use the site or to personalise advertisements. No matter what your website developer says, in the vast majority of cases these cookies will collect personal data. In practice, the data protection world - unlike the technical world - is much less likely to conclude that cookies are « anonymous ».
Right now, 90% percent of companies operating in Belgium with a website risk a privacy penalty for violating the rules surrounding cookies. This is evident from research by law firm De Groote - De Man ((Source: https://lnkd.in/dSEYKfb). They checked how more than 200 corporate websites handle cookies.
The research revealed that a large majority of the websites do not comply with the privacy regulations. One of the most common breaches is that websites either don't ask for permission to place cookies or they do so in the wrong way. As a result, they risk a high fine when inspected by the Belgian Data Protection Authority.
By extension, the same risk holds true in other EU countries. Indeed, the use of cookies falls within the scope of the General Data Protection Regulation. Furthermore, Directive 2002/58/EC (the « ePrivacy Directive »), as implemented in the national legislation of the Member States, applies as lex specialis (thus taking priority over the General Data Protection Regulation). The ePrivacy Directive is currently being revised by the European legislator, but for the time being they have not succeeded in adopting the new ePrivacy Regulation. In the meantime, the national supervisory authorities (including the Belgian Data `Protection Authority) have not been idle. In recent months, several authorities have issued guidelines on the use of cookies, and fines have also been imposed for infringements relating to them.
So what should you do?
To play it safe, you should assume that all cookies collect personal data. The threshold to be able to speak of « anonymous » cookies is very high, so you should not run the risk that the supervisory authority would take a different view (than the website developer).
You must inform the website visitor about the use of cookies and ask for his/her consent for cookies that are not essential or functional (e.g. statistical, advertising or social media cookies).
You do this by means of a so-called cookie banner:
- The cookie banner contains a brief description of the types of cookies used by the website and a link to the cookie statement for more information. If the website already has a privacy statement (in accordance with articles 12 and 13 GDPR), that cookie statement only needs to contain the following information: for each cookie, its name, purpose, retention period and possibly the name of the third party that placed the cookie and/or uses the cookie. The cookie statement also has to contain information about changing the browser settings and the possibility of revoking the consent. The cookie statement must be drawn up in the language of the target group and must be easily accessible (i.e. available via a link on every page of the website).
- You must obtain the visitor's consent for placing the non-essential/non-functional cookies. This too is best done through the cookie banner that appears immediately on the first visit to the website. Obtaining consent should be done granularly, i.e. at least per type of cookie (statistical, advertising and social media). If you provide the possibility of accepting all cookies with a single click, it is also a good idea to provide a button for rejecting all (non-essential/non-functional) cookies. You are not allowed to work with pre-ticked boxes (for non-essential/non-functional cookies), nor is it sufficient to have a message that continued surfing is deemed to be consent.
Navigating the unchartered waters of cookie policies in Europe is a tricky business. Be sure to seek expert legal advice, as fines for violations may amount to 4% of your annual turnover.
And bottom line: think before you have another cookie.
