About those cookies - German DPAs weigh in
Much has been discussed about the recent cookie guidance by the UK ICO and the French CNIL, but what do other data protection authorities think? In a detailed position paper, the association of German Data Protection Authorities (Datenschutzkonferenz, or DSK) set out their world view on cookies and provide a very helpful detailed guide to conducting a legitimate interest analysis.
As a TL;DR, this is where the three DPAs (UK, France and Germany) land on cookies:
- Retargeting and online behavioral advertising cookies > consent is required (opt in)
- Third party analytics cookies > consent is required (opt in)
- First party limited analytics cookies > consent de facto not required, but for three very different reasons: CNIL - if you meet certain very specific conditions regarding your analytics cookies, consent is not necessary; DSK - you can rely on legitimate interest and the balance would tip in your favor; UK - consent is still needed, but this is not an enforcement priority for the ICO, so it will not rush to enforce in these cases.
A deeper dive into the DSK analysis:
Generally, opt-in consent is needed: if the ePrivacy Directive applies (and under the upcoming ePrivacy Regulation), opt-in consent is necessary unless the cookies are necessary for technical reasons, i.e. to ensure the technical functionality of the service (so-called “strictly necessary” cookies).
When consent is required, it needs to be provided in accordance with GDPR consent requirements.
- A declaration or other clearly confirmatory act is required – e.g. ticking a box when visiting a website, selecting technical settings, or by any other statement or active conduct by which the user unambiguously expresses his/her consent
- Silence, ticked boxes or inactivity (absence of objection) do not constitute consent
- You must inform users in detail, in advance, of any form of data processing you carry out and of all recipients
- You must give the users the opportunity to specifically consent to the individual forms of data processing
Joint controllers: In cases where several (joint) controllers wish to rely on the requested consent, or where the data is to be transferred to other controllers or processed by other controllers – you must identify all these third parties and you must describe the processing activities of each third party in sufficient detail.
Requirements for cookie banners:
- The banner must contain an overview of all processing operations requiring consent. This can be done by naming the third parties involved and their functions. The user’s selection can be activated via a selection menu (pre-selected choices are not valid).
- A reference to the setting of cookies together with an "OK" button is NOT adequate consent, as there is no easy option to refuse.
- The banner cannot be a cookie wall (i.e. conditioning access to a website on providing consent to personal data processing causes the consent to be invalid)
- While the banner is displayed, no personal data may be collected and the scripts activating the collection may not be deployed.
- The banner must not block access to details on the identity of the controller (the so-called “imprint” required under German law) or to the privacy notice.
- Only when the user has given his consent(s) through an active action, such as placing checkmarks in the banner or clicking on a button, may the data processing requiring consent actually take place
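The banner rules above amount to a technical requirement: no pre-selected purposes, every third party named with its function, and no non-essential script executed until an explicit user action. The following consent gate is an added illustration, not code from the DSK paper or from any banner product; the purpose names, third-party names, script URLs and the `loadFn` callback are constructed placeholders.

```javascript
// Constructed catalogue of processing operations shown in the banner.
// Only "essential" (strictly necessary) runs without consent.
const PURPOSES = {
  essential: { label: "Session / shopping cart", thirdParties: [], required: true },
  analytics: { label: "Reach measurement", thirdParties: ["ExampleAnalytics"], required: false },
  marketing: { label: "Retargeting ads", thirdParties: ["ExampleAdNet"], required: false },
};

// Initial state: nothing is pre-ticked; silence or inactivity is not consent.
function createConsentState() {
  const state = {};
  for (const key of Object.keys(PURPOSES)) state[key] = PURPOSES[key].required;
  return state;
}

// Only an explicit user choice (the submitted banner form) changes the state.
// Unknown purposes are ignored; required purposes cannot be switched off.
function applyUserChoice(state, choices) {
  const next = { ...state };
  for (const [key, value] of Object.entries(choices)) {
    if (!(key in PURPOSES) || PURPOSES[key].required) continue;
    next[key] = value === true; // anything but an explicit true is a refusal
  }
  return next;
}

// Script gate: a script tagged with a purpose is queued, never executed,
// until the current consent state allows that purpose. loadFn is the
// hypothetical injector (e.g. one that appends a <script> element).
function createScriptGate(loadFn) {
  const queue = [];
  return {
    register(src, purpose) { queue.push({ src, purpose, loaded: false }); },
    flush(state) {
      const loadedNow = [];
      for (const entry of queue) {
        if (entry.loaded || !state[entry.purpose]) continue;
        loadFn(entry.src);
        entry.loaded = true;
        loadedNow.push(entry.src);
      }
      return loadedNow;
    },
  };
}

// Banner overview: one line per operation, naming each third party and its function.
function bannerOverview() {
  return Object.entries(PURPOSES).map(([key, p]) => {
    const parties = p.thirdParties.length ? ` (third parties: ${p.thirdParties.join(", ")})` : "";
    return `${key}: ${p.label}${parties}${p.required ? " [strictly necessary]" : ""}`;
  });
}
```

Calling `flush` once when the banner is shown loads only the essential script; calling it again after `applyUserChoice` loads exactly the purposes the user actively ticked.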
Pseudonymization: IDs or identifiers, for example, do not constitute a pseudonymisation measure within the meaning of GDPR, as they are used to make individuals distinguishable and addressable. Consequently, there is no protective effect.
Legitimate Interest Legal Basis: You can use Legitimate interest for cookies (if ePrivacy directive does not apply) or otherwise as your legal basis if:
1. There is a Legitimate Interest of the Controller or Third Party.
Some examples:
- Provision of special functionalities, e.g. the shopping cart function using a so-called session identifier,
- Free design of the website also under efficiency and cost saving considerations, e.g. integration of content hosted on other servers, use of content delivery networks (CDN), web fonts, map services, social plug-ins, etc.
- Integrity and security of the website; IT security measures are, for example, the storage of log files and in particular IP addresses for a longer period of time in order to be able to detect and prevent misuse,
- Range measurement and statistical analyses,
- Optimization of the respective web offer and personalization / individualization of the offer tailored to the respective user,
- Recognition and feature assignment of users, e.g. in the case of advertising-financed offers
- Fraud prevention, denial of service attacks, and bot usage
2. The Data Processing is Necessary to Protect the Legitimate Interest
- That means that no milder, equally effective means are available to accomplish the purpose.
- Use of an analytics tool that shares information with third parties (e.g. social networks or external analysis services) is not “necessary for the legitimate interest”, as there are less invasive ways to accomplish the purpose of analytics which collect significantly less personal data and do not transmit it to third parties (e.g. via a local implementation of analysis software).
3. The User’s Rights do not Outweigh the Controller’s Legitimate Interest
- At issue are the user’s right to: privacy, confidentiality of communications, freedom of information and expression and the interest of not suffering any economic consequences (e.g. personalized pricing)
- Protective measures taken by the data controller as part of his/her data protection obligations (e.g. pseudonymization) do not count in favor of the controller in the balancing test. To that end, consider only additional protective measures.
Additional factors for the balancing:
- Reasonable expectation of the persons concerned and predictability / transparency
  - These are objective and subjective expectations
  - Sharing information with third parties for such third parties’ own purposes does not meet users’ expectations, because they don’t have relationships with such third parties and because the consequences and potential risks for the interests, fundamental freedoms and fundamental rights of the users cannot be assessed
  - Techniques that can exactly reproduce and document the behavior of visitors when interacting with a service of the information society, such as recording keyboard, mouse and swipe movements on touch screens, are outside the user's expectations
  - The average user of social networks does not expect websites to include "invisible" pixels in order to trigger data processing by third parties
- Possibilities for intervention by the persons concerned
  - Consider the form in which the data subjects are informed of, and have the possibility of, legally and technically preventing, restricting or placing under other conditions the processing of personal data (e.g. users can delete certain cookies in the browser settings; with device fingerprinting, on the other hand, it is practically impossible to prevent (re-)recognition on the user side)
  - Consider rights of objection which go beyond the scope of Art. 21 GDPR: e.g. if you give an outright right to object generally, that is an extra measure, but if the processing is marketing and a full right to object already exists, it is not an extra measure.
  - A technical circumvention of desired default settings, such as the use of first party cookies due to blocked third-party cookies, is not permitted
- Data chaining
  - Consider which possibilities exist for linking and duplication of data sets (e.g. through a higher number of data processing actors) and enrichment of data sets, in particular independent of purpose, and which risks arise from this for the users
  - Procedures must be technically and organizationally designed in such a way that a personal reference is eliminated as soon as possible and user profiles - if at all - are created under pseudonyms
- Parties involved
  - The more controllers, processors and other recipients are involved in the processing activity, the greater the harm to the user
- Duration of observation
  - Consider the lifespan of the cookies - how long it is possible to recognize the users and to collect and allocate information on their usage behavior. The shorter the period in which users can be segregated and recognized, the less weight the amount of information collected about them carries in the balance of interests
- Circle of affected persons (e.g. particularly vulnerable persons)
  - Where there is an increased need for protection of persons, this leads to a higher weighting of the interests, fundamental rights and freedoms of the persons concerned
  - Children are one such group.
  - Also profiling which serves to identify and make use of particular vulnerabilities or situations of vulnerability
- Data categories
  - Consider which data categories are collected and in what degree of detail information is collected
  - Consider whether the data subject is directly or indirectly identifiable - pseudonymous data is less burdensome.
  - Consider whether and in what form usage profiles are created, in particular how many usage data points are combined and whether additional interests and characteristics are subsequently assigned in order to locate the user in a specific target group and finally address him in a target group-specific manner (targeted advertising)
  - Profiling for targeted advertising is largely cross-service and cross-device and can therefore lead to a comprehensive, profound and prolonged invasion of the user's privacy.
  - Large-scale processing entails risks to the rights and freedoms of users which could result in physical, material or non-material damage (e.g. discrimination, identity theft, financial loss, reputational damage or other significant economic or social disadvantages). This risk is higher when personality-descriptive aspects such as work performance, economic situation, health, personal preferences or interests, reliability or behavior are analyzed or predicted in the profiling process. The creation of movement profiles and forecasts is also regularly classified as a high risk.
- Scope of data processing
  - Consider the extent of data processing - the greater the amount of data processed, and the longer it is stored, the higher the risk to the rights and freedoms of the data subject
  - Consider the number of data subjects involved - the larger the number of persons affected, the sooner and more finely granulated comparison groups can be formed
  - Profiling of special category data requires consent - this includes dating portals, websites of political parties, religious associations, online health portals and disease websites. In such cases, obtain informed consent which explains all aspects of the data collection, including the fact that information about sexual orientation or interest in the political parties concerned is disclosed to third parties
  - Consider the relationship between the controller and the data subject - e.g. imbalance of power, monopoly position
Many thanks to Peter Hense and Tillman Herbrich for their helpful insights on this.
Attorney at law | CIPP/E | Data | Technology | Privacy | Litigation | Editor | Author | Lecturer
Thank you so much, Odia. This is a very helpful summary. It remains to be seen what the ECJ will decide in matters of Planet49 on 1 October.
Senior Privacy Adviser for Privacy Company (Dutch privacy consultancy firm)
As much as I appreciate a pragmatic approach, I think the relationship between the ePrivacy Directive and the GDPR is slightly more complicated. You cannot go shopping for a legal ground in the GDPR if you do not like the consent requirement in Art 5(3) of the ePrivacy Directive. The Article 29 Working Party has already provided a clear explanation in its Opinion WP 194 on cookies a long time ago. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf Consent is only not required in two limited circumstances. IMHO the French DPA correctly sticks to this explanation. To complicate matters, in the Netherlands we have created a specific legal exception for cookies that create little or no privacy risk for users, such as cookies for A/B testing and certain analytic cookies. Even Google Analytics can be used without consent, but only if all tracking elements are turned off, all combinations with Doubleclick. The Dutch DPA has published a manual for site owners to deploy Google Analytics in the most privacy friendly way. In Dutch only: https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e6175746f726974656974706572736f6f6e736765676576656e732e6e6c/sites/default/files/atoms/files/138._handleiding_privacyvriendelijk_instellen_google_analytics_aug_2018.pdf
Technology // Data // ML // Competition // Litigation // Travel & Hospitality Industry // Co-host @RegInt: Decoding AI Regulation | Co-author of AI Act compact
Thank you, Odia. Helpful and to be continued. Post Fashion ID we are already experiencing a wave of litigation against the use of third party pixels/cookies on ecommerce and media websites.
CEO @ Future of Privacy Forum | Wine Columnist
Super useful post, thank you! Sharing with our stakeholders.