Cookies, which are typically unique, anonymized bits of information used in the operation of a website, are used to process visitors’ personal data in the vast majority of cases. As such, cookies must comply with the European General Data Protection Regulation (GDPR) and the practices and expectations of the National Authority for Data Protection and Freedom of Information (NAIH) in relation to cookies and their use.
The starting point for compliance is to provide information about the use of cookies and related data management to visitors of websites that use cookies. This information is typically provided by website operators in a banner on the home page of the website, which allows for cookie settings, and in the cookie notice available through that banner.
Many data controllers follow the practice of providing information on the use of cookies in a separate section of their privacy policy available on their website. In line with the data protection authority practice, it is rather recommended, however, that the rules and information on cookies are presented in a separate cookie policy, which appears more transparent for visitors.
However, ensuring transparency and information on the use of cookies is insufficient in itself to guarantee compliance, it is also essential therefore to review the exact way in which cookies are used. Cookies that are essential for the operation of a website (typically including session cookies) may be used on the basis of the legitimate interest of the controller as the legal basis (i.e. even in the absence of the visitor’s consent), while marketing and analytical cookies require the consent of the data subject, which in practice can be given, for example, by setting the appropriate cookie settings on the cookie banner of the website.
On many websites, the erroneous practice of not providing cookie information can be seen in cases where it is not necessary to obtain the consent of the users (e.g. all cookies are essential for the operation of the website or are otherwise applied by the website operator relying on its legitimate interest as a legal basis). It is important to underline that informing data subjects about the use of cookies and the related processing of their personal data is also necessary in cases where the use of cookies is not based on the consent of the data subjects.
It is also often the case that individual cookies are incorrectly categorized (for example: cookies that require consent are indicated as essential cookies) or that the website operator requires the visitor to accept all cookies at once without consideration to the nature of the cookies.
In accordance with its regulatory practice on cookies, NAIH is also pays increasing attention to the control of the use of cookies, therefore the lack of appropriate cookie settings and banner or the lack of adequate cookie policy on the webpage may pose a significant risk. The authority, for example, recently imposed a data protection fine of HUF 10,000,000 on a major media content provider for, among other things, the lack of an appropriate cookie policy on its website.
However, within the EU, the practice of data protection authorities of different member states on cookie-related data processing is still evolving and different opinions on data protection implications of cookie use may be adopted by authorities in different countries. Bearing this in mind, the decisions of the various European data protection authorities related to cookies do not always correspond, or in many cases reflect the position of the given authority on specific sub-issues. In this context, it is particularly important for website operators using cookies to consult with data protection experts before using cookies and to review the cookie practices applied with respect to the website from time to time.
If you have any further questions about the use of cookies and the processing of personal data, please feel free to contact the SimpLEGAL team for quick and easy to use solutions!
Labels: Cookie policy Cookie management Privacy statement Privacy guidelines Cookie regulation Cookie policy statement Cookie settings Accept cookies Block cookies Disable cookies Consent to cookies Cookie tracking Request cookie consent
