The Electronic Communication Law requires the informed consent of users of electronic communication networks and services before information is stored or accessed in the user’s terminal device. Consent constitutes one of the key lawful justifications to process personal data, as listed in Article 6 of the General Data Protection Regulation (2016/679) (hereinafter referred to as the “GDPR”). The GDPR conditions in relation to obtaining valid consent are applicable in situations falling within the scope of the Directive on privacy and electronic communications, which has been transposed into Cyprus law under the Electronic Communication Law.
Cookies are a legitimate and useful tool, which serve crucial functions for websites and are used for various purposes including, inter alia, the following:
Thus, cookies are the primary tool that advertisers use to track users’ online activity so that they can target users with highly specific advertisements.
In light of the fact that storing information, or gaining access to information stored, on a user’s device by way of cookies can entail the processing of personal data, general data protection rules shall apply. Indeed, the crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
With regard to obtaining consent, the GDPR stipulates that consent of the data subject must be:
It should be noted that, in addition to the above elements of consent, the timing of consent is vital. Indeed, as a general rule consent must always be obtained before the controller starts processing personal data for which consent is needed. Thus, consent must be sought before cookies are set.
Consent mechanisms must present the user with a real choice and control. Accordingly, the user must be free to choose between the option to accept some or all cookies or to decline all or some cookies. In addition, users must be offered a real choice regarding tracking cookies, which are utilised to follow individual behaviour across websites.
It should be noted that consent will not be considered to be free if the data subject (in the case of cookies, the user) is unable to refuse or withdraw his or her consent without detriment. Thus, when consent is obtained via electronic means such as one mouse-click, the user must be able to withdraw that consent equally as easily. In light of the above, as a general rule withdrawal of consent is a necessary requirement for obtaining valid consent.
It should be highlighted that any sort of influence upon the user that prevents them from exercising their free will, which may be manifested in a variety of ways such as utilising different colours or fonts, shall render the consent invalid. Additionally, granularity in relation to the options available to the user is important, since a service may involve multiple processing operations for more than one purpose. In such cases, the user must be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes.
In addition to the element of free consent and granularity, the website must also obtain specific consent, which is closely linked with the informed consent requirement. Thus, the element of specific consent comprises the following:
In relation to purpose specification, it must be noted that the processed data must be adequate and not excessive in relation to the purpose for which they are collected. Thus, data subjects must always give consent for a specific processing purpose, which can only be obtained when data subjects are specifically informed about the intended purposes of data use concerning them. Therefore, websites should provide specific information with each separate consent request about the data that are processed for each purpose, in order to make users aware of the impact of the different choices they have, and should structure their procedure for obtaining consent appropriately.
In addition, providing information to users prior to obtaining their consent is essential in order to enable them to make an informed decision, meaning to understand what they are agreeing to. For consent to be informed, there are certain elements which are crucial to make a choice, including, inter alia, (i) the purpose for which consent is sought, (ii) what type of data shall be collected and used and (iii) the existence of the right to withdraw consent.
Consent requires a clear affirmative act by the user, meaning that the data subject must have taken a deliberate action to consent to the particular processing. In this manner, the concept of valid consent requires the use of mechanisms that leave no doubt of the user’s intention to consent. Thus, users must signify their consent through a positive action or other active behaviour, provided that they have been fully informed in relation to the purpose and type of cookies. In practical terms, unambiguous consent may be obtained either by clicking on a button or link or by ticking a box in or close to the space where the information is presented. Thus, it should be noted that websites must design consent mechanisms in a manner that is clear to users in order to avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions.
In accordance with the Electronic Communication Law, there are certain types of cookies, which are exempted from the requirement of consent, if they satisfy one of the following criteria:
Cookies may be classified based on various factors, one of them being their duration. Thus, (i) session cookies are temporary and expire once the session ends, while (ii) persistent cookies remain stored in the user’s terminal device until they reach a defined expiration date. It should be noted that session cookies may be exempted from the informed consent requirement, since their lifespan is in direct relation to the purpose they are used for and they expire once they are not needed.
In addition to the above, cookies may be classified according to the purpose they serve. Accordingly, based on their purpose, cookies can be classified in one of the following categories:
Authors: Iacovos Kouppas, Georgia Tymviou