Monitoring of the use of cookies – Reviews to be undertaken by the Office of the Commissioner for Personal Data Protection

17 Jun 2021 | Antonis Karaolis


Executive Summary


The Office of the Commissioner for Personal Data Protection has announced that, as from 22nd June 2021, wide web monitoring shall commence in relation to the use of cookies for compliance with the requirement for valid consent of the users when interacting with so-called “cookie walls”. In accordance with Article 5(3) of the Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (2002/58/EU) (hereinafter referred to as the “Directive on privacy and electronic communications”), which has been transposed in the Law on Electronic Communication and Postal Services (112(I)/2004) (hereinafter referred to as the “Electronic Communication Law”), the storage of information or the acquisition of access to already stored information in the terminal equipment of a subscriber or user shall only be allowed if the subscriber or user concerned has given his consent, based on clear and comprehensive information, inter alia, for processing purposes.


Brief Discussion


  1. Introduction


The Electronic Communication Law requires the informed consent of users of electronic communication networks and services before information is stored or accessed in the user’s terminal device. Consent constitutes one of the key lawful justifications to process personal data, as listed in Article 6 of the General Data Protection Regulation (2016/679) (hereinafter referred to as the “GDPR”). The GDPR conditions in relation to obtaining valid consent are applicable in situations falling within the scope of the Directive on privacy and electronic communications, which has been transposed into Cyprus law under the Electronic Communication Law.



  2. Guidance on obtaining consent for cookies


Before analysing the legal requirements in relation to obtaining consent for the use of cookies, it is essential to have a basic understanding of what cookies are and the purposes they serve.


Cookies are a legitimate and useful tool, which serve crucial functions for websites and are used for various purposes including, inter alia, the following:


  • Verification of the identity of the users engaged in online transactions;
  • Targeted advertising by the website operators;
  • Enhanced functionalities.


Thus, cookies are the primary tool that advertisers use to track the users’ online activity so that they can target users with highly specific advertisements.


In light of the fact that storing information, or gaining access to information stored, on a user’s device by way of cookies can entail the processing of personal data, general data protection rules shall apply. Indeed, the crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.


With regards to obtaining consent, the GDPR stipulates that consent of the data subject must be:


  • freely given,


  • specific,


  • informed and


  • an unambiguous indication of the data subject's (in the case of cookies, the user’s) wishes by a clear affirmative action, which signifies agreement to the processing of personal data relating to him or her.


It should be noted that, in addition to the above elements of consent, the timing of consent is vital. Indeed, as a general rule consent must always be obtained before the controller starts processing personal data for which consent is needed. Thus, consent must be sought before cookies are set.


  • Free / freely given consent and real choice


Consent mechanisms must present the user with a real choice and control. Accordingly, the user must be free to choose between the option to accept some or all cookies or to decline all or some cookies. In addition, users must be offered a real choice regarding tracking cookies, which are utilised to follow individual behaviour across websites.


It should be noted that consent will not be considered to be free if the data subject (in the case of cookies, the user) is unable to refuse or withdraw his or her consent without detriment. Thus, when consent is obtained via electronic means such as one mouse-click, the user must be able to withdraw that consent just as easily. In light of the above, as a general rule the ability to withdraw consent is a necessary requirement for obtaining valid consent.


It should be highlighted that any sort of influence upon the user that prevents them from exercising their free will, which may be manifested in a variety of ways such as utilising different colours or fonts, shall render the consent invalid. Additionally, granularity in relation to the options available to the user is important since a service may involve multiple processing operations for more than one purpose. In such cases, the user must be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes.


  • Specific and informed consent


In addition to the element of free consent and granularity, the website must also obtain specific consent, which is closely linked with the informed consent requirement. Thus, the element of specific consent comprises the following:


  • Purpose specification;


  • Granularity in consent requests, and


  • Clear and comprehensive information to the users on how they may signify their consent.


In relation to purpose specification, it must be noted that the processed data must be adequate and not excessive in relation to the purpose for which they are collected. Thus, data subjects must always give consent for a specific processing purpose, which can only be obtained when data subjects are specifically informed about the intended purposes of data use concerning them. Therefore, websites should provide specific information with each separate consent request about the data that are processed for each purpose, in order to make users aware of the impact of the different choices they have, and should structure their procedure for obtaining consent appropriately.


In addition, informed consent can only be achieved by providing information to users prior to obtaining their consent. This is essential in order to enable them to make an informed decision, meaning to understand what they are agreeing to. For consent to be informed, there are certain elements which are crucial to make a choice, including, inter alia, (i) the purpose for which consent is sought, (ii) what type of data shall be collected and used and (iii) the existence of the right to withdraw consent.


  • Unambiguous indication of wish


Consent requires a clear affirmative act by the user meaning that the data subject must have taken a deliberate action to consent to the particular processing. In this manner the concept of valid consent requires the use of mechanisms that leave no doubt of the user’s intention to consent. Thus, users must signify their consent through a positive action or other active behaviour, provided that they have been fully informed in relation to the purpose and type of cookies. In practical terms, unambiguous consent may be obtained either by clicking on a button or link or by ticking a box in or close to the space where the information is presented. Thus, it should be noted that websites must design consent mechanisms in a manner that is clear to users in order to avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions.


  3. Types of cookies and exemptions from consent


In accordance with the Electronic Communication Law, there are certain types of cookies, which are exempted from the requirement of consent, if they satisfy one of the following criteria:


  • the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” or


  • the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”


Cookies may be classified based on various factors, one of them being their duration. Thus, (i) session cookies are temporary and expire once the session ends while (ii) persistent cookies remain stored in the user’s terminal device until they reach a defined expiration date. It should be noted that session cookies may be exempted from the informed consent requirement since their lifespan is in direct relation to the purpose they are used for and they expire once they are not needed.


In addition to the above, cookies may be classified according to the purpose they serve. Accordingly, based on their purpose, cookies can be classified in one of the following categories:


  • Strictly necessary cookies: These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Consent is exempted for this type of cookies.


  • Preferences cookies or functionality cookies: These cookies allow a website to remember choices you have made in the past, like what language you prefer.


  • Statistics cookies or performance cookies: These cookies collect information about how you use a website, like which pages you visited and which links you clicked on.


  • Marketing cookies: These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an advertisement.


How can we help you?


With our comprehensive support at every stage, we will assist you with:


  • Performance of pre-diagnostic checks and assessment of your current cookies’ strategy and available options;


  • Provision of advice in relation to consent mechanisms from an EU and Cyprus legal perspective;


  • Full support with the implementation of consent mechanisms to ensure sufficient and valid consent.

Authors: Iacovos Kouppas, Georgia Tymviou

About this Article
Antonis Karaolis

Advocate / Director
