> Personal Data Protection


New guidelines on the use of cookies published by a number of supervisory authorities across the EU

One of the most important and topical issues recently is the use of cookies and other tracking technologies on websites. A number of supervisory authorities in EU Member States, including the Information Commissioner of the Republic of Slovenia (IPRS), have recently issued new guidelines on the use of cookies.

The topic is not always necessarily related to the protection of personal data (some cookies work without collecting personal data), but it is an area that is importantly touched upon and intertwined with, and, in the case of the collection of personal data through the use of cookies, overlaps with, the protection of personal data. In the light of the numerous reports of website operators by NOYB to the supervisory authorities over the last few years, additional guidance from supervisory authorities is more than welcome. On the one hand, they help to understand how a supervisory authority will assess the compliance of the use of cookies, but on the other hand, they also serve as a useful reminder of certain aspects that may be easily forgotten or misinterpreted.

These are therefore not new rules or laws, but rather new, more detailed and updated guidance and direction from the supervisory authority in this area.

Below we summarize some of the highlights of the IPRS Guidelines on the use of cookies and similar tracking technologies, which are available in full here (Guidelines), supplemented by our observations and opinions:

  1. The use of cookies in Slovenia is governed in particular by the Electronic Communications Act (ZEKom-2) and the General Data Protection Regulation (GDPR).
  2. Most problems and infringements occur in practice in the area of information to individuals and, in particular, the collection of consent from individuals for the use of cookies. Article 225 of the ECome-2 Act allows cookies without consent solely for the purpose of transmitting a message over an electronic communications network, or where this is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user. The Guidelines also explain in detail the meaning of all these terms.
  3. It is important to note that the question of ‘strict necessity’ is assessed from the point of view of the website user and not from the point of view of the website operator. It is this criterion that often leads to confusion or misinterpretation of meaning in practice. For website operators, analytical and in some cases marketing cookies may also be “necessary”, but they cannot be understood as necessary within the meaning of the ZEKom-2 and therefore their use requires consent.
  4. In order for the consent of the data subject to be informed, the website operator must provide all the information referred to in Article 13 GDPR, providing the basic information on a pop-up banner (i.e. prior to obtaining consent), and the other information may be provided via a link, which must also be available on the pop-up banner.
  5. The content of the cookie acceptance pop-up banner is also of paramount importance, and is in practice also subject to many errors. Most websites only allow the acceptance of all cookies and then allow the user to reject certain types of cookies on a difficult to access sub-page and in a complicated way. This approach is not in line with the legislation. It is also inappropriate to “force” an individual to opt-in to all cookies in a certain way, for example by making the option to accept all cookies more prominent or by pre-selecting (ticking) individual non-essential cookies.
  6. Approaches that require the individual to refuse cookies that have been arbitrarily set (so-called opt-out) are also inappropriate, as both the ZEKom-2 and the GDPR require prior active consent.
  7. It is also crucial that individuals are given the option to withdraw their consent in an easy way at all times (via an easily accessible link or an icon visible at all times).
  8. The Guidelines also clarify a number of important terms (including but not limited to ‘essential cookies’, ‘message transmission’, ‘information society service’, ‘consent’, etc.), exceptions and good practices.

We certainly advise a high level of care when using cookies, as the responsibility (and burden of proof) for compliance lies with the website operator and any breaches are not necessarily only a breach of the ZEKom-2 but also of the GDPR, which imposes extremely high fines.