On 4 February 2015, the Dutch Senate adopted the amendment to Section 11.7a of the Dutch Telecommunications Act (the ‘Cookie Act’ in popular parlance). It is as yet unclear when the new Act will enter into force. This blog briefly describes the differences between the current legislation and the new Cookie Act. It also discusses the manual for the use of Google Analytics recently published by the Dutch Data Protection Authority (College Bescherming Persoonsgegevens).
What does the current legislation say?
The general rule of the current Section 11.7a of the Telecommunications Act is that cookies may be stored only if i) the user’s prior consent has been obtained and ii) the user has been informed in advance.
There are two exceptions to this general rule. In brief, obtaining consent and providing information are not required if the relevant cookies are i) necessary to display the website or ii) strictly necessary to provide a requested service (read this blog for more information).
If cookies collect personal data, their use is also governed by the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens), implying that there must be a legal ground for processing the data. In respect of cookies, this ground in general is either the user’s consent or the company’s legitimate commercial interests. If the user’s consent is required, this involves permission for the storage of cookies as well as separate permission for the use of personal data.
Why the amendment?
The Cookie Act has caused considerable irritation among Internet users and companies storing cookies alike. They argue that the current legislation overshoots the mark by requiring permission for virtually all types of cookies. As a result, consumers are needlessly confronted with pop-ups and banners while their privacy is hardly at stake and companies have to incur additional expenses. The purpose of the new legislation is to remove these objections.
What does the amendment entail?
Relative to the legislation currently in force, the new Cookie Act is more limited in terms of scope. Two new grounds for exception will be added to the existing exceptions.
Under the new legislation, the requirement to obtain consent and provide information does not apply if:
i) the cookies are used to collect information about the quality and effectiveness of information society services, and
ii) this collection has minor or no impact on the relevant subscriber’s or user’s privacy.
It is up to the parties involved to determine whether a cookie has only minor impact on privacy. According to the Explanatory Memorandum to the legislative proposal, this will in any event apply to analytic cookies, A/B testing cookies and affiliate cookies to the extent that they are used solely for these purposes. The general rule will continue to apply in full to cookies that are used in any other way to build user profiles and/or to track users across the web.
The Personal Data Protection Act will continue to apply to personal data collected by means of cookies. It will remain a requirement to establish whether the processing is based on either consent or legitimate interests. It is obvious that consent will not be required to process data collected by means of cookies that have minor or no impact on privacy. As for other types of cookies, this will have to be established on a case-by-case basis.
Lastly, the amendment adds a new subsection which explicitly prohibits government agencies from using so-termed ‘cookie walls’, requiring users to accept cookies before being given access to a website. No such absolute ban applies to other parties. They may use ‘cookie walls’ unless the relevant service is of critical importance to users and no alternative is available, in which case it is impossible for them to give consent of their own free will. This will have to be established on a case-by-case basis.
Does this remove all uncertainty?
Although the amendment narrows the scope of the Act, it does not necessarily simplify its implementation. Unlike under the current legislation, companies will be required to establish themselves whether cookies have minor or no impact on privacy. The question is whether they are capable of doing so properly at all times.
At any rate, even before the Act’s entry into force there is uncertainty about the use of Google Analytics. The Data Protection Authority has published a manual setting out the conditions on which cookies may be used for the benefit of Google Analytics. Several commentaries argue that the manual is inconsistent with the essence of the new Act.
The primary purpose of analytic cookies is to obtain information about a website’s effectiveness and quality. This does not mean, however, that they are always permitted. The way in which analytic cookies are used is a key factor in establishing the degree of impact on privacy.
The Explanatory Memorandum is fairly clear on this point:
To prevent the use of analytic cookies from having more than a minor impact on Internet users’ privacy, these cookies and the data generated with them may not be used, for example, to create profiles of Internet users or to cause such profiles to be created by a third party with which the website holder shares the usage data of an analytic cookie set by the website holder. This is also the case if an analytic cookie set by the website holder (i.e. a first-party analytic cookie) can be read out by a third party.
This is self-explanatory reasoning. If data collected by means of analytic cookies are subsequently used for tracking purposes, the impact on privacy will be more than minor. Incidentally, there is no ban on sharing such data with third parties. The Explanatory Memorandum states the following on this point:
For the exception to apply, website holders sharing their usage data from analytic cookies with third parties must provide safeguards to minimise the privacy impact. They must explicitly stipulate in a processor’s agreement with the third party in question that the latter may not use the information in a way that has more than a minor impact on the privacy of the Internet user whose data are involved. The parties must agree in this processor’s agreement that the third party may not use the data for its own purposes or may use the data solely for purposes strictly defined in the agreement that have minor or no impact on the privacy of the subscribers and users concerned.
Given that analytic cookies also collect personal data, the Data Protection Authority has prepared a manual setting out the four conditions that must be met in order for the use of Google Analytics to be privacy friendly. Website holders must:
1. conclude a processor’s agreement with Google;
2. prevent Google from processing entire IP addresses (IP anonymization);
3. disable data sharing with Google;
4. provide information about the use of Google Analytics.
The requirement of a processor’s agreement comes as no surprise. Website holders are responsible for the processing of personal data they provide to Google. Google qualifies as a processor if it processes data solely on a website holder’s instructions. The Personal Data Protection Act stipulates that controllers and processors must conclude a processor’s agreement, and Google offers to do so.
If Google’s activities extend beyond merely processing data on a website holder’s instructions, it no longer qualifies as a processor but becomes the data controller. Since a minor impact on privacy is less likely in that case, it is understandable that the Data Protection Authority requires website holders to disable data sharing with Google if they intend to invoke the exception. However, it is uncertain whether this also applies to purely technical support. To what degree is a user’s privacy infringed if Google assists a website owner in the use of Google Analytics?
The Data Protection Authority subsequently requires anonymization of the last eight bits (i.e. the final octet) of IP addresses. It is obvious that anonymization makes a minor impact on privacy more likely. Parliamentary history explicitly refers to this (see the Memorandum in response to the Report). However, I find this less relevant in the case of Google Analytics. Even in the absence of further anonymization, I believe Google’s processing of IP addresses as a processor solely to measure a website’s effectiveness and quality implies a minor impact on privacy. In my view, it would have been better if the Data Protection Authority had referred to IP anonymization as a best practice.
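As an added illustration of what the second condition amounts to in practice, the code below is not from the blog, the Data Protection Authority’s manual or Google: it applies the masking that Google documents for its IP-anonymization option (in analytics.js enabled with ga('set', 'anonymizeIp', true)), zeroing the final octet of an IPv4 address and the last 80 bits of an IPv6 address, so a website holder can see exactly what an anonymized address still reveals. The sample addresses are constructed from documentation ranges.

```javascript
// Added example: mirrors the masking Google documents for its IP-anonymization
// option (last octet of IPv4 zeroed, last 80 bits of IPv6 zeroed). It is not
// the blog's, the Data Protection Authority's or Google's code; the sample
// addresses used at the bottom are constructed from documentation ranges.

function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const octet = /^\d{1,3}$/;
  if (parts.length !== 4 || parts.some(p => !octet.test(p) || Number(p) > 255)) {
    throw new Error('not a valid IPv4 address: ' + ip);
  }
  parts[3] = '0';               // zero the last eight bits (the final octet)
  return parts.join('.');
}

function anonymizeIPv6(ip) {
  // Expand a "::" shorthand so that there are always eight 16-bit groups.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not a valid IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  const group = /^[0-9a-fA-F]{1,4}$/;
  if (missing < 0 || (halves.length === 1 && missing !== 0) ||
      [...head, ...tail].some(g => !group.test(g))) {
    throw new Error('not a valid IPv6 address: ' + ip);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  // Keep the first 48 bits (three groups); the remaining 80 bits become zero.
  return groups.slice(0, 3).map(g => g.toLowerCase()).join(':') + '::';
}

// Dispatch on address family; the returned value is what would be retained.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Usage with constructed sample addresses from the documentation ranges.
console.log(anonymizeIp('203.0.113.77'));                          // 203.0.113.0
console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348')); // 2001:db8:85a3::
```

Note that the masked address still identifies the /24 (IPv4) or /48 (IPv6) network, which is why the manual treats anonymization as one of four conditions rather than as sufficient on its own.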
It remains to be seen whether the provision of this information can be made mandatory. In my view, websites can meet their obligation to provide information even without including these statements, which is why I believe they should also have been referred to as best practices.
The manual (in Dutch) is available here.