Cookie policy not in line with AVG

There is a good chance that when you open a site, a pop-up will appear to ask if you allow cookies. This asks permission to track your internet behaviour. However, last Thursday, the Court of Justice of the European Union (CJEU) ruled that IAB’s (Interactive Advertising Bureau) cookie system violates European privacy law; General Data Protection Regulation (AVG). This could have major implications for users when deploying the cookie policy, as almost every website uses them. Accepting cookies stores several pieces of data. The question is for how long this data is stored and how long your internet behaviour is tracked.

Facts

The case took place between IAB and the Data Protection Authority in Belgium. IAB uses a cookie system that is widely found on the internet. Two (preliminary) questions were referred to the Court. (1) Is a standard-setting industry organisation (IAB) a data controller if it offers a consent management standard without direct access to personal data? And (2) does the sector organisation’s responsibility automatically extend to subsequent processing by third parties for internet users’ online advertising preferences? The management of cookie systems contains detailed requirements for the storage and dissemination of consent data, which contains personal data. Important considerations were whether gaining access to personal data and connecting an identifier such as an IP address affected this assessment. In addition, the dispute also revolved around the interpretation of Articles 4 and 24 of the AVG in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Judgment

The Court held that IAB’s cookie system violated the AVG. It held that the interpretation of the aforementioned provisions of the AVG must be in line with the fundamental rights of individuals (Articles 7 and 8 Charter). The fact that the sector organisation does not have direct access to the personal data processed within the standard by its members does not prevent this. In doing so, the Court emphasises that joint responsibility does not automatically apply to subsequent processing of personal data by third parties. Think of providers of internet sites or applications regarding users’ preferences for targeted online advertising. According to the Court, it is important that appropriate technical and organisational measures are taken in accordance with the AVG.

IAB Cookie System

IAB’s cookie policy is linked to the Real Time Building (RTB) system, which is used by as many as 80% of European websites. Based on internet users’ personal data, ads are placed on visitors. The system works as follows; when a user visits a website or app with available ad space, it is auctioned in real time on an ad exchange where advertisers bid based on criteria. The system selects the winning ad based on the highest bid and displays it directly to the user on the website or app. This system used the Transparency & Consent Framework (TCF) to regulate digital advertising in line with the AVG. Both RTB and TCF were under investigation by the Data Protection Authority.

Consequences in practice

With so many European websites using the RTB system, they will most likely have to change their cookie policies. This ruling will require more transparency on how personal data is processed. But consent on cookie policies will also have to be more specific, informed and valid. In it, users should be able to actively and freely consent to the collection and use of their data for targeted advertising. In addition, the amount of information processed should be reduced a lot. With the ruling, organisations will also now have to more clearly identify who is responsible for processing that data in line with the AVG. For internet users, however, privacy and data protection rights are strengthened. They can have more confidence in the cookie system and can be better informed about how their data is processed and protected.

Conclusion

The Court’s ruling in this case provides important implications for personal data protection in Europe. However, the question is to what extent it can work through in practice. European users of the RTB system should at least make several changes within the website to stay in line with the AVG and the Charter.

Questions?

Do you have questions about cookies or their policies? Our lawyers will be happy to advise you! Then contact one of our lawyers by mail, telephone or fill in the contact form for a free initial consultation. We will be happy to think along with you.