Why it is high time for the CJEU to deal with Google Analytics cookies and cookie walls

Damyan Todorov
Nov 19, 2019

This article aims to provoke discussions and consideration of crucial aspects regarding analytics cookies and the notion of cookie walls.

Some recent news regarding cookies and the corresponding EU legal framework got me thinking about their practical implications and the technical application of the relevant legal requirements set by both the ePrivacy Directive (“ePD”) and the GDPR. The events in question are the decision of the Court of Justice of the European Union (“CJEU”) in the Planet 49 case and the fine imposed on Vueling Airlines by the Spanish DPA. Although both cases cover substantial problems in terms of cookie implementation and compliance, in practice there is ample room for serious discussion and consideration of additional crucial aspects.

Into the Spotlight: Google Analytics cookies

Why are Google Analytics cookies in particular in the spotlight? Well, Google cookies are among the clearest examples of third-party cookies running on almost every website nowadays. Speaking of Google Analytics cookies, we need to clarify the term “analytics cookies” a little. By Google Analytics cookies we mean specifically _gid, _gat and _ga, cookies all associated with Google Universal Analytics. Differing in expiration period and purpose, they are all served by Google to “collect information and report site usage statistics without personally identifying individual visitors to Google.” As some privacy professionals point out, such a statement is quite controversial with regard to profiling and cookies. Profiling is based on the use of cookies, so inevitably personal data is collected and processed. For this reason, under no circumstances should we underestimate the impact of analytics cookies.

In reality, most of the time the average end-user is not able to prevent the instant placement of Google Analytics cookies in the browser and cannot refuse them effectively. Recently, major browsers have attempted to clear up this cookie mess by blocking various types of cookies by default. Even though working software solutions are available on the market, their adoption across websites is far from considerable.

In this context, a question arises: to what extent are Google Analytics cookies and their equivalent counterparts compliant with the requirements of the GDPR and the ePD?

In my opinion, to answer such a complex question we should first look at the relevant ePD provisions. Article 5(3) of the ePD states that storing any information is only allowed if prior consent is collected and the user is offered the right to refuse such processing, unless it is strictly necessary for the proper operation of the website. This gives the impression that any website must either give users the option to reject the placement of cookies in their browser, or the website operator must be able to justify why certain cookies qualify as “strictly necessary”. According to the ICO, necessary cookies are ones “essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.” In the light of this concept of strict necessity, I am not confident that Google cookies served to collect information and analyze users’ behavior are strictly necessary for a correct user experience or for the requested information to be provided in a proper manner. Such cookies do not directly benefit a website’s interface, architecture or technical maintenance. What is more, there is no apparent and strong causal link between the use of such cookies and the proper operation of a website. From a literal interpretation of the wording “strictly necessary”, it could be concluded that bare necessity is not sufficient to justify an exception from the rule set by Article 5(3). In that respect, the word “strictly” establishes a firmer threshold to prevent any speculative exploitation of cookies. Accordingly, a high-level interpretation of “strictly necessary” would be extremely practical and constructive.

From a legal standpoint, end-users must be able to decide whether or not to give consent before the Google Analytics cookies are placed on their device. That being said, in general, every website should give end-users a fair choice to accept or reject cookies effectively. The complication is whether it is attainable in practice to adequately reject such third-party cookies when they are served before, or at the same time as, the cookie notice. As the proliferation of Google Analytics cookies is massive, the topic becomes more pressing and calls for a predominantly technical rather than legal discussion.

Cookie walls — Resurrection?

One probable solution may be the implementation of a new concept of “cookie walls” that prevent the direct placement of such analytics cookies on the terminal equipment of end-users. The purpose of these particular cookie walls should be to hold back the placement of all cookies until the user decides what to do at the time the website loads. At the same time, the user should be given a real and free choice, information about how long the cookies operate and whether or not third parties may have access to those cookies, along with a settings panel to select from. As a result, such cookie barrier technology could be praised as a one-stop tool for achieving a higher degree of GDPR & ePD compliance in terms of cookies. However, this means reinventing the common notion of cookie walls. Currently, the term “cookie walls” is a synonym for the “take it or leave it” approach to collecting cookie consent. In that regard, the EDPB has also confirmed that cookie walls are not GDPR compliant. The majority of existing cookie walls violate cookie requirements and allegedly were deemed invalid by some DPAs.
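The blocking behaviour proposed above, as an added example that is not code from the article or from Google: a gate that queues any code setting non-essential cookies until the user has chosen per category, plus a check for the three Universal Analytics cookie names the article lists. The category names, the `Map` standing in for the browser cookie jar and all cookie values are constructed assumptions.

```javascript
// Added illustration. Cookie names come from the article; categories,
// values and the Map-based cookie jar are constructed for the demo.
const UA_COOKIE_NAMES = new Set(["_ga", "_gid", "_gat"]);

// Return the Universal Analytics cookie names found in a document.cookie-style string.
function analyticsCookiesIn(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => UA_COOKIE_NAMES.has(name));
}

class ConsentGate {
  constructor(categories) {
    this.granted = new Set();
    this.queued = new Map(categories.map((c) => [c, []]));
  }

  // Code that sets non-essential cookies is registered here, not executed.
  register(category, loader) {
    if (!this.queued.has(category)) throw new Error("unknown category: " + category);
    if (this.granted.has(category)) loader();
    else this.queued.get(category).push(loader);
  }

  // Called from the settings panel with the categories the user ticked.
  // An empty list is a full rejection: nothing queued ever runs.
  decide(accepted) {
    for (const category of accepted) {
      if (!this.queued.has(category)) throw new Error("unknown category: " + category);
      this.granted.add(category);
      for (const loader of this.queued.get(category).splice(0)) loader();
    }
  }
}

// Constructed demo: which analytics cookies exist before and after the choice.
function demo(accepted) {
  const jar = new Map();
  const asString = () => [...jar].map(([k, v]) => k + "=" + v).join("; ");
  const gate = new ConsentGate(["preferences", "analytics"]);
  gate.register("analytics", () => {
    jar.set("_ga", "GA1.2.constructed");
    jar.set("_gid", "GA1.2.constructed");
  });
  jar.set("session", "constructed"); // strictly necessary, set without the gate
  const beforeChoice = analyticsCookiesIn(asString());
  gate.decide(accepted);
  return { beforeChoice, afterChoice: analyticsCookiesIn(asString()) };
}
```

Running `analyticsCookiesIn(document.cookie)` on a first page load, before touching the cookie notice, is a quick way to see whether a site places these cookies ahead of the user's decision.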

CJEU enters the stage

Even though we have corresponding rulings from various DPAs and the opinion of the EDPB, the CJEU remains the highest instance called upon to deliver precise guidance and a valid legal interpretation of the considerations explored above.

By all means, a national court should request a preliminary ruling from the CJEU so that it can issue a decision on the above-mentioned matters. Hopefully, this will happen in the near future.

What I believe the CJEU should examine and further elaborate on, with respect to websites and their compliance with the cookie requirements laid down by the GDPR and the ePD, is as follows:

  • To what extent do analytics cookies qualify as strictly necessary for the operation of websites? How should the degree of necessity of cookies be determined in terms of the strict necessity concept?
  • Should cookie walls be generally deemed invalid? Under what conditions could cookie walls be declared GDPR & ePD compliant?

Conclusion

To summarize, in the light of the CJEU Planet 49 and Vueling Airlines cases, some of the highlighted legal implications are currently not technically applicable on a large scale in practice. As a result, there is a huge gap between the use of analytics cookies, especially Google Analytics ones, and the real ability of the average user to adequately refuse them at the right time.

Generally, analytics cookies that violate the rules for cookies under GDPR and ePD expose millions of websites and companies to fines.

On the other hand, is it justified to prevent website operators from employing such analytics cookies and to jeopardize their revenue model based on an analysis of the audience? Striking a fair balance between the corresponding rights and freedoms based on the current EU legal framework may be the right answer.

Thanks to all beta readers for their valuable feedback: Krisztian Kenderesi, Enislav Enikov, Hristina Stoyanova, Lewa Owolabi, Constantinos Tsiourtos, Maria Raphael, Dr. Julia Wernicke, Dick Barbier, Nicky Watson

About the Author

Damyan Todorov, CIPP/E, is currently working as an external DPO and privacy consultant on GDPR implementation and compliance. He completed an LLM in Law & Technology at Tilburg University in 2017. Find Damyan on LinkedIn or his personal website.