In February 2020, the Hellenic Data Protection Authority issued guidelines on the use of internet cookies and trackers. The guidelines follow a sweeping audit by the HDPA of the use of cookies on popular Greek websites, which found widespread noncompliance with the EU General Data Protection Regulation. The guidelines, written in a concise and transparent manner, feature “dos” and “don’ts” and set a two-month grace period for data controllers to comply.

Obligation to obtain consent and exceptions

According to the guidelines, the use of any trackers not deemed technically necessary for establishing the connection with a website or for providing an internet service requested by the user requires the prior consent of website users. This includes the use of third-party web analytics trackers, such as Google Analytics. In any case, lawful notice should be given to the data subject on the use of trackers, regardless of whether they are necessary.

Form and content of the notice

The guidelines recommend that the relevant information and the request for consent be provided using appropriate mechanisms (e.g. pop-up windows or banners). It is lawful to give notice through multiple levels, as long as it is guaranteed that the user’s consent is given after they have been specifically informed about the tracker categories. The banner (either in the form of a pop-up window or otherwise) should provide specific information on the purpose for which each tracker is used. In line with recent Court of Justice of the European Union jurisprudence, the guidelines state that general information on the use of trackers is not sufficient. For each tracker or tracker category, notice should be given to the user about the duration of processing, the identity of the controller and the recipients or categories of recipients.

How to obtain consent

According to the guidelines, for consent to be valid, the use of cookies requires clear positive action. Therefore, pre-ticked boxes, the continuance of browsing or plain scrolling will be deemed unlawful practices before the HDPA, resulting in the invalidity of the relevant consent. In the same manner, a user will not be deemed to have given consent solely because their browser is configured to receive cookies.

In respect of the mode of obtaining consent, the guidelines set the following standards for the protection of the fundamental rights of data subjects:

  • The user must be able to accept or decline the use of trackers (those for which consent is required) with the same number of actions (“clicks”) and from the same level, either all or each category separately.
  • The user must be able to withdraw their consent in the same manner and with the same ease with which they have given it.
  • Failure to consent to the use of trackers should not result in the restriction of access to the website’s content ("cookie wall" prohibition).
  • To ensure that the user is not affected by website designs favoring the option to consent vis-à-vis the option to decline, buttons of the same size, tone and color should be used.
  • Finally, the time period for the storage of the user's choice must be the same in case of either consent or decline.

The guidelines refer to the following practices as unlawful:

  • If the user makes no selection, they cannot continue browsing without cookie pop-up windows.
  • The option to decline the use of trackers is only given at a second level, i.e. following the selection of a hyperlink to "more information" or "settings."
  • The size and color of the "accept" or "consent" button strongly urge the user to choose it, e.g. it is large or bold and/or pre-ticked.
  • After the user consents or declines, they are not given the opportunity to change preferences, or preferences may only be changed through their web browser settings.
  • If trackers are rejected, the user receives numerous requests via pop-up windows to change their decision, whereas, if the trackers are accepted, the user’s choice is maintained for a longer period of time than a rejection.

Overall, the new guidelines go a step further on several open issues compared to corresponding guidelines of supervisory authorities in other member states of the EU, thus signifying a growing trend towards stricter rules concerning online trackers. Given that regulatory discrepancies in this matter seem to be increasing between member states, the European Data Protection Board may be the most appropriate institution to address the issue at EU level, even before the adoption of the ePrivacy Regulation.
