leidenlawblog

News from “cookie land”


The use of web cookies has become increasingly diverse, enabling tracking beyond traditional cookie techniques. Social networks and website owners both get a piece of the pie, but how should legal responsibilities be split?

The web cookie discussion in the EU is witnessing a revival. Data protection authorities across Europe are sharpening their stance on cookie regulation and the updated e-Privacy regulation is rumoured to be finally moving forward in the EU Parliament. In addition, the CJEU recently delivered a judgment on joint controllers’ responsibility that is closely related to the question of the use of cookie techniques. This blog summarises some of these recent developments and considers what their impact on the legal “cookie land” will be.

Once again: What are cookies and why are they problematic?

Depending on your point of view, cookies are both the most loved and the most hated marketing strategy. Loved for obvious reasons: they are a helpful tool for online retailers to monitor visitors of a website, place relevant ads and eventually sell more. Hated: because the Internet was born as a world for those who loved anonymity, but turned out to become a surveillance machine that collects, stores and reuses every virtual trace we leave behind. The more website owners become dependent on generating broad knowledge of their visitors through a better understanding of their online behaviour, the more privacy on the Internet shrinks and disappears.

Regulators, in particular European regulators, sensed a deterioration in web users’ privacy as soon as the use of cookies became a widespread marketing strategy, and proceeded to take steps to enhance privacy. For a decade, e-Privacy cookie rules have been in place, requiring that data subjects are provided with all relevant information and asked for consent prior to being tracked by a third-party cookie.

However, the use of cookies has become increasingly diverse, and tracking is possible beyond traditional cookie techniques. Facebook not only tracks its own users, but by utilising pixels and tags on third-party sites it can follow pretty much every random person who happens to browse the Internet. With opportunities to extract more information, there also comes responsibility. Social networks and website owners both get a piece of the pie in the targeting process – now the question is how should the legal responsibilities be split?

Regulating cookies

CNIL, the French Data Protection Authority, first published guidelines on cookies in 2013. The latest version, intended to be in line with the relevant provisions contained in the General Data Protection Regulation (GDPR), was published in July. A comparison shows nothing revolutionary, but some details are telling.

First, CNIL makes it clear that cookie banners no longer constitute valid consent. This means that the pop-up consent banners the EU has grown accustomed to, which are variations of a box with a simple text informing of the use of cookies, do not meet GDPR standards, and website owners will have to implement new, more specific solutions.

Second, CNIL elaborated on the concept of consent. In order for a consent to be valid, it not only needs to be informed, free, non-ambiguous and meaningful (as the GDPR’s definition requires), but it also has to satisfy two additional standards: being auditable, meaning that controllers can demonstrate its validity, and revocable, meaning that users can withdraw consent at any time.

Just a few days before CNIL, its UK counterpart, ICO, issued a second guide on cookies. ICO touched upon similar issues, one example being the joint controllership in a situation where the use of cookies and trackers involved several operators. This typically happens when a website owner collaborates with a social website to gather information about the visitors to increase their audience. In such situations, ICO noted, responsibilities should be shared and spelled out in a joint controllership agreement in accordance with Article 26 GDPR, including which party provides notice and obtains consent from the users.

Another legal consideration related to online tracking as a distinct type of personal data processing is its legal basis. Obtaining consent is everyone’s first thought, but ICO indicated that “…, it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies”. However, this option appears to be fairly limited, and only available to downstream vendors that have absolutely no control over determining the purposes of personal data use.

Joint controllership through the prism of online tracking

Data controller and data processor are two fundamental concepts in data protection law. The GDPR definition is simple, but the reality is much more nuanced. The roles of controllers and processors are becoming more fluid, with controllers losing some of their traditional dominance over data and processors being more likely to influence decisions over it. This might be the reason why the concept of joint controllers is gaining in importance as it may be useful in situations when the traditional distinction between controllers and processors fails to address the right issues.

The recent judgment of the CJEU elaborates on the concept of joint controllers in the context discussed above, one that is a particularly prickly point for EU regulators: targeted advertising. In the judgment, the CJEU considered whether websites that host a Facebook-like button should assume the role of a (joint) data controller. Specifically, the Court looked into the use of the Facebook-like button by Fashion ID, a German online shopping website.

The CJEU drew on Advocate General Bobek’s preliminary analysis which showed that the mere existence of the button on the Fashion ID website triggered the transfer of visitors’ personal data to Facebook, even if the user did not click the 'Like' button or have a Facebook account. This very likely constituted a much more intrusive use of data than most of the Fashion ID users expected, though they were never adequately informed about it. Generally speaking, providing information about data use is the task of a data controller. The duty to inform eventually became the main question discussed in the Fashion ID case: whose responsibility was it to inform the users about that marketing strategy, or in other words, who was the data controller?

The Court found that the website owner, and not Facebook, bears the information duty as well as the duty to obtain users’ consent under the e-Privacy Directive if the tracking happens by utilising cookie techniques. Although Fashion ID’s argument that they had no influence on the transfer of data to Facebook, and therefore could not be considered controllers, held some water, the Court’s view was that joint controllership could exist for specific phases of the data processing (in the case at issue, the initial collection of the data and its transmission to Facebook). As a result, Fashion ID could be seen as a data controller at least for that limited period of time.

Taken together …

All these initiatives, however, do not seem to have brought any revolutionary changes. Guidelines from DPAs primarily confirm their up-to-date position and although their guidance is very influential, it is worth stressing that they haven’t been tested in court yet. The CJEU judgment elaborates on the role of a joint controller in a specific situation of the Facebook-like button, but mainly sticks to its position in other recent data protection judgments. Major social media players and digital platforms do not seem to be under attack – they can easily avoid legal difficulties by updating their terms with a new data controller processing agreement. For smaller websites, the situation will probably be different; they will have to figure out the right way to satisfy legal requirements and overcome technical burdens. The winners would appear to be data subjects, since the broad concept of controllership means that they will be better protected by being granted additional avenues to ascertain legal rights.

2 Comments

martyn ripley

A website can easily know about your interest through cookies, they will just track and target your interest to enhance the experience on their site. Generate cookie policy tailored specifically for your website and business in minutes with our easy to use wizard to comply with GDPR and EU cookie law.
https://seersco.com/cookie-consent-popup-generator.html
