13

Suppose that a data controller chooses the consent legal basis for GDPR article 6 purposes.

Then, the data controller says something along these lines in a cookie consent banner on their website:

We need to use cookies to provide you with our service.

Accept/ Decline

What if the user clicks "Decline"? Should the website session be terminated? Should the website developer prevent the user from further accessing any part of the website?

That seems like the logical conclusion if the user denies the processing of necessary cookies.

  • 17
    Just not set any cookies? – csstudent1418 Oct 16 '22 at 14:19
  • Some websites simply have an "Ok" button with no option, and most others only allow you to reject optional cookies (like this very website). That should be an indication that websites most likely don't need to ask for consent for necessary cookies (as opposed to simply informing users of those cookies). – NotThatGuy Oct 16 '22 at 14:48
  • 9
    As an aside, most websites seem to mislead the user about the true necessity of the cookies they offer as, for example, no cookie should be necessary to display a single static page with text. Analytics widgets, ads, any other fluff - probably not, but text the page would render anyway should not need it. – htmlcoderexe Oct 16 '22 at 23:01
  • 2
    Why do websites have to do this instead of the browser? – minseong Oct 17 '22 at 13:33
  • @theonlygusti 1) In the EU the onus is on the website. 2) the browser cannot know the purpose of the cookies, since cookie law requires the user to be able to read & understand & accept the different cookies one-by-one it's impossible for the browser to do this. Moreover you may want to allow Site A to use some cookie for purpose P but not allow a similar Site B to use some cookie for the same purpose P, so a solution like "Accept all cookies for purpose P" won't work. Consent must be specific and explicit. – GACy20 Oct 17 '22 at 15:27
  • 2
    In my experience, most web sites only have these two options: [Accept all cookies] [Waste 20 minutes of my life carefully specifying exactly which cookies I do and don't want] In dozens or hundreds of cookie banners a day, I can count on one hand the number that allow a genuine GDPR-compliant one-click opt-out. – Kyralessa Oct 17 '22 at 16:24
  • 1
    @theonlygusti websites don't have to do this, browsers support DNT. This is a classic example of malicious compliance perpetrated by an entire industry. They want you to be annoyed about the prompts in the hope the situation will change in their favour, not yours. – Flexo Oct 17 '22 at 17:09
  • You seem to be ignoring your own idea of "necessary". If the cookies are necessary, why would the site not stop the potential User right there? If the cookies are not necessary, what are you really Asking? – Robbie Goodwin Oct 18 '22 at 20:04

6 Answers

38

These kinds of cookie banners are typically noncompliant and useless since they are not clear and provide too little information to users.

Careful: blocking a user who declines consent is usually a GDPR violation! Instead, only those aspects of the site that rely on this consent should be disabled.

When cookie consent is needed

Per the EU ePrivacy directive (PECR in the UK), information society services (websites, apps, …) are only allowed to store or access information on the end user's device if one of the following holds:

  • the access or storage is strictly necessary for performing a service that was explicitly requested by the user; or
  • the user has given consent

Note: there is no “legitimate interest” exception for cookies.

When is access/storage strictly necessary? For example, it is strictly necessary for a photography app to store photos on a device. It is strictly necessary for a website to store session cookies so that you can log in to the site. It is strictly necessary for an ecommerce site to store the contents of your shopping cart. It is strictly necessary to remember cookie consent status. And so on.

It is not strictly necessary from the perspective of the user to have analytics cookies, ad personalization cookies, or cookies for features that the user doesn't actually use.

Many websites that just provide the service the user expects will therefore not have to ask for cookie consent, even if they use cookies.

It is worth noting that the ePrivacy definition is entirely technology-neutral. It doesn't relate specifically to cookies, but to any kinds of storage, including LocalStorage. Regulatory guidance considers any access or storage of information on the device to be in scope, even JavaScript APIs in a browser (for example to read the screen dimensions), and considers techniques like fingerprinting to be functionally equivalent and therefore subject to the same rules.

It is also worth noting that these rules apply regardless of whether the information being accessed/stored qualifies as “personal data”.

What consent is

Consent is defined in Art 4(11) and Art 7 GDPR, and further explained in EDPB guidelines 05/2020.

A defining feature of consent is that it must be freely given. The user must not suffer “detriment” for revoking or declining consent. And per Art 7(4):

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

This disallows making access to a service conditional on unrelated consent. For example, it would not be permissible for a website to exclude users who decline consent for advertising cookies. But:

  • The EDPB guidelines discuss that there can be “permissible incentive” for consent. For example, courts and some DPAs seem to be of the opinion that a subscription website can offer free access to users that consented to personalized ads: consent-or-pay-walls can be compliant, whereas consent-walls alone would not.
  • Sometimes consent is really needed for a processing activity, in which case it is OK to block that service until consent is given. For example, websites should not load third party content like YouTube videos or embedded maps until consent is given to share personal data with the third party. The rest of the website should still work, though.

If consent was not freely given, if the user didn't have an actual choice, then the consent is invalid.

What should the data controller in your scenario do?

The data controller should reassess the role of the cookies for which they are trying to ask for consent.

  • If these cookies are strictly necessary from the user's perspective, then it is proper to inform the user about them – but this should not be confused with consent. It is my personal opinion that purely informational cookie banners are confusing/misleading and should be avoided, but this could also be argued differently.
  • If these cookies are not strictly necessary, then the phrasing “We need to use cookies to provide you with our service” is quite misleading. It should be made clearer to the user that they can opt-in to additional services/improvements if they want to. The user should be able to configure this on a per-purpose basis.

Thus, more compliant cookie consent flows will typically give the user three options:

  • continue with only strictly necessary cookies/purposes (must be default behaviour if none is selected)
  • consent to all purposes
  • configure purposes

For example, I'm fairly happy with the current Reddit cookie notice:

(screenshot of the Reddit cookie notice)

Why this is a good notice:

  • it explains the data controllers (Reddit and partners)
  • it summarizes the purposes for which consent is sought
  • it links to more detailed information
  • the presented options “accept all” and “reject non-essential” are less ambiguous than “accept/decline”

Comparing this with the list of minimum required information for informed consent in section 3.3.1 of the EDPB guidelines linked above, the following information is missing though:

  • the identity of the “partners”
  • what (type of) data will be collected and used
  • the existence of the right to withdraw consent

amon
  • "It is strictly necessary to remember cookie consent status." - is it really strictly necessary, couldn't you just ask every time a new session starts? – Affaltar Oct 14 '22 at 11:20
  • 12
    @Affaltar I am not aware of official guidance on this matter. But my reasoning is that consent must be a free choice. Without remembering cookie consent status, the site would nag me on every page to give consent since I look like a new user, and my only option to permanently get rid of that banner would be to give consent. That sounds more like a dark pattern than like a free choice. Thus, I think it would be typically appropriate to set a cookie when consent was declined. It is reasonable for a site to reset cookie consent status regularly, e.g. every six months. – amon Oct 14 '22 at 12:56
  • You claim that it "is strictly necessary for" sites of certain kinds to store certain things. But why is it necessary for them to store this on the user's device? Why shouldn't the server store this itself? Why may it delegate some of its information-storing responsibility to its users? – Rosie F Oct 14 '22 at 18:58
  • 12
    @RosieF modern web applications are multi-user by default. When you log in to a site, we need to be able to identify you from the thousands of other current users. Commonly, a secret is placed on your machine in the form of a Bearer token. This can be a cookie, or in local storage. When you perform the next action on the site, this token not only identifies that you have logged in, but is also used to work out who you are. So when you go to the profile page, you are shown your profile instead of that of a random user. This is the bit that is necessary to store on the user's device. – Skrrp Oct 14 '22 at 20:04
  • 1
    "if the user didn't have an actual choice, then the consent is invalid" Closing a tab and never visiting this site again is always a choice. – Revolver_Ocelot Oct 14 '22 at 21:26
  • 17
    @Revolver_Ocelot Yes, in a philosophical/existential sense you always have a choice. But in a GDPR compliance sense, not all choices are relevant. Please refer to Art 7(4) GDPR (quoted in the answer): access to a service must not be denied if consent is declined. Also compare paras 38–41 in the EDPB guidelines linked above. – amon Oct 14 '22 at 22:01
  • Re consent-or-pay-walls: Now I'm wondering how far a site could push the envelope. I'm sure there exist specialty publications (such as academic journals) with very high subscription prices. Who is to say that the local paper of Nowhere, OK can't charge a similarly high price, to people who decline tracking cookies? – Kevin Oct 15 '22 at 07:38
  • 3
    @Kevin (1) While consent-or-pay can be compliant, it is still up to the data controller to demonstrate that there is valid consent via a free choice. Can't ask for “consent or a million Euro”. (2) Businesses want to maximize their profits. A user with a subscription tends to bring more money and stability than a user with ads – but only if the payment is reasonably low for the target demographic (→ demand curve). (3) While consent-or-pay is widely accepted now, it will be interesting to see what higher courts like the CJEU have to say about it. – amon Oct 15 '22 at 09:19
  • @amon: OTOH, there are legitimate jurisdictional questions here... I can't imagine the USTR would be happy to discover that a European court is telling American businesses what prices are "reasonable" for them to charge on global markets. It could end up in a highly complex WTO/ITC dispute or something of that nature. – Kevin Oct 15 '22 at 23:19
  • 5
    @Kevin That is a very old argument, that is long settled. Any business that is/wants to do business in the EU is subject to EU laws. – MikeB Oct 17 '22 at 09:42
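The three-option flow and per-purpose gating that the answer describes (reject non-essential by default, accept all, or configure; remember a declined choice too; disable only the features that depend on a purpose), as an added JavaScript example that is not code from the answer or from any site named on this page. Purpose names, the cookie name and the six-month reset period are assumptions.

```javascript
// Added example (not code from the answer): per-purpose consent state for a
// banner with "reject non-essential", "accept all" and "configure" options.
// Purpose names, cookie name and TTL are assumptions for illustration.
const PURPOSES = ["analytics", "ads", "embeds"]; // non-essential purposes shown to the user
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_TTL_MS = 182 * 24 * 60 * 60 * 1000; // re-ask after roughly six months

// State a visitor gets when nothing is stored: strictly necessary storage is
// always allowed (no consent is asked for it), every other purpose is off.
function defaultConsent() {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { decidedAt: null, purposes };
}

// Turn a banner choice into a stored decision. "configure" takes an object of
// purpose -> boolean; anything the user did not explicitly tick stays false.
function decideConsent(choice, selection = {}, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) {
    if (choice === "acceptAll") purposes[p] = true;
    else if (choice === "rejectNonEssential") purposes[p] = false;
    else if (choice === "configure") purposes[p] = selection[p] === true;
    else throw new Error(`unknown choice: ${choice}`);
  }
  return { decidedAt: now, purposes };
}

// Strictly necessary storage never goes through the consent check; the
// remembered decision itself is in that category, even when it is "declined".
function isAllowed(state, purpose) {
  if (purpose === "necessary") return true;
  return state.purposes[purpose] === true;
}

// Serialise as a Set-Cookie value. Max-Age equals the TTL, so a declined
// choice is remembered for the same period as an accepted one.
function consentCookieValue(state) {
  const value = encodeURIComponent(JSON.stringify(state));
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Read the decision back from a Cookie header. Missing, malformed or expired
// values return null, meaning "show the banner and run with defaults".
function readConsent(cookieHeader, now = Date.now()) {
  const match = (cookieHeader || "").match(new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`));
  if (!match) return null;
  try {
    const state = JSON.parse(decodeURIComponent(match[1]));
    if (typeof state.decidedAt !== "number" || now - state.decidedAt > CONSENT_TTL_MS) return null;
    const purposes = Object.fromEntries(PURPOSES.map((p) => [p, state.purposes?.[p] === true]));
    return { decidedAt: state.decidedAt, purposes };
  } catch {
    return null;
  }
}

// Decide which optional features (e.g. a YouTube embed or a pageview tracker)
// may load; everything else on the page keeps working regardless.
function featuresToLoad(state, features) {
  // features: { featureName: purpose }
  return Object.entries(features).filter(([, p]) => isAllowed(state, p)).map(([name]) => name);
}
```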
14

It's very easy for a web site to claim they "need" cookies, with the same sincerity that a child "needs" a pony. So here is a litmus test.

You say the user who comes to a URL with no cookies should get no page. OK, what if that user's browser has a User-Agent of "Googlebot"? It is the Google crawler. Whoa, whoa, whoa, that's a different deal! you say. We WANT to serve content to the Google search engine as bait for visitors! We Do Not Want to serve content to users who resist tracking!

That sentiment, right there, is what violates GDPR.

You must cheerfully serve the same content to cookie-refusing users as you do to Google. Noting Google's own content policy, which forbids serving different content to Google than to users (the SEO word for that is cloaking). Obviously you can omit things like the logged-in bar, but the meat of the content should be the same, cookied or not or Google.

A counter-example is example.com/user/inbox. Obviously this page exists only for logged in and cookied users and shows them their in-site messages. Someone who is not logged in, including Google, has nothing of value here. Blanking that page for cookieless users is perfectly fine.

Harper - Reinstate Monica
  • 1
    "You must cheerfully serve the same content to cookie-refusing users as you do to Google" That sounds doubtful. While it's clear that the cookies are not necessary to serve the content, that doesn't mean you need to serve the content freely to everyone, anymore than a restaurant needs to give free food to everyone if they give free food to a food-critic. – towr Oct 16 '22 at 16:55
  • @towr StackExchange is a Q&A site. Thus all answers are in the context of a question; nothing on this platform should be inferred to be a blanket statement for all cases everywhere. Another way of looking at that is "you" spoken here refers to OP, not all beings. Of course one could disclaim "This is not a blanket statement" for every single statement, but then we're into a political discussion of whether disclaimerism is a virtue or a horror. – Harper - Reinstate Monica Oct 16 '22 at 20:45
  • 4
    @towr - restaurants that get a reputation for serving free food to critics tend to end up with more critics than customers. GDPR is both simple and straight forward once you get your head around it. It says that data about a person belongs to them, not you. You can use it only if they have given you permission to. If you need that data to give them a service, fine, no data no service, but you can not deny a service because you haven't got data you want for something else. – Paul Smith Oct 16 '22 at 23:39
  • 2
    Look, thanks for the condescension, but the point is google and regular users are not equivalent. Websites let google through their paywalls because google provides them a service. As a business a website may need cookies for regular users so they can implement their paywall and have a viable business. It's simply not true that if google gets free access to content that every user without cookies should get the same access to the same content. This answer is misleading by suggesting that content can only be shielded if it should also be shielded from google (as with a user's inbox). – towr Oct 17 '22 at 06:23
  • 2
    @towr: Of course they're not identical. The point here is about technical necessity, though. Either cookies are technically necessary or they're not, and this needs to be decided on a function-by-function basis, not on a visitor-by-visitor basis. Using Googlebot as the visitor, and the Inbox as a function in this example helps to clarify how you do the analysis – MSalters Oct 17 '22 at 08:37
  • @MSalters The fact that many websites do not grasp that the user-agent is not a reliable way to authorize access doesn't mean they don't have a legitimate need for authorization. -- Maybe it would be easier if people just quoted where the GDPR substantiates these claims. I can't really quote all the places where it doesn't. I'm all in favor for all of you being right, I just find it hard to believe. NB I would say getting free advertising from being indexed by google, and earning income from paying visitors are two different functions. – towr Oct 17 '22 at 16:33
  • @towr Sorry, didn't mean to condescend. Your thought about "content behind paywalls" is understandable, except search engine rules prohibit that, it's called "cloaking" or "doorway pages". It's a bad User Experience for the search user. It is Extremely Typical for the *user's* interest to be totally ignored in such discussions, since SEOs do not even slightly care - but search engines *do*. As such, your use case is faulty, regardless of GDPR. – Harper - Reinstate Monica Oct 17 '22 at 23:25
  • I know you've seen cases where a Google search result led you to a paywall, I see those too - but since I was involved in creating search engine rules, you bet I check - actually the page is showing you (and Google) an abstract, and Google indexed the abstract. That is fine. Also, paywalled content is available in specialty search engines, e.g. Google Scholar may send you to PACER-walled content, or Google Books may send you to a book you must buy. But you knew that was the deal when you used Scholar or Books, and they don't let random websites inject content there. – Harper - Reinstate Monica Oct 17 '22 at 23:40
  • "search engine rules prohibit that" That's different from what the google documentation suggests here and here. "This structured data helps Google differentiate paywalled content from the practice of cloaking, which violates spam policies". So it's allowed as long as you're honest about it. And since 2017 they no longer even require the first click to be free. – towr Oct 18 '22 at 05:44
  • @towr Sure, they did that due to pressure from paywall organizations who don't want to be branded cloakers, and it makes sneaky cloaking a more serious violation, so it's a win/win. That doesn't mean they rank same as free content. No doubt Google submarines those results under free content when it is available; it'll surface in a tail query with little other good results. But you can do the same thing with an XML feed as some did with Paid Inclusion. But while these details are interesting, it doesn't invalidate the moral litmus test I give in my answer. – Harper - Reinstate Monica Oct 18 '22 at 20:08
  • I wonder how much trouble I'd have saved us both if I'd just said at the start it would improve this answer if there was some reference that validated this litmus test. It's not my burden of proof, in any case. -- It's also not quite clear to me whether the litmus test is actually about treating googlebot differently from normal users or that it's about the reason behind it (wanting to track users). I've been assuming the former, in case that wasn't clear. – towr Oct 19 '22 at 06:18
7

We can't answer what should be done. We can answer what legally can be done: There's a line in the sand between mainly two categories of cookies after doing the lawful basis tests:

  • Strictly necessary cookies for the mere functionality of the site.
  • Any other cookie.

Acceptance is only necessary for the “any other cookie” category. This is for example analytics or which types of ad you deem cool.

For many of the strictly necessary ones you also might have legitimate interests under (f), but it is enough that the site won't work at all or not properly if those data are not saved on the user's disk. As a random example, to allow a customer's shopping cart to function, a list of items the user put into the shopping cart could be stored in the cookie. Or when logging in, a keyphrase that enables access to the user's data.

It is your duty to differentiate between absolutely necessary cookie content and anything else.

Trish
  • 2
    And if your management insists that cookies to send me spam emails are absolutely necessary, then they are wrong in the sense of GDPR. – gnasher729 Oct 14 '22 at 11:27
  • 1
    Key point though, is that what matters is not whether *your* website has been built in a way that requires a specific cookie, but rather whether it is necessary for ANY such site. – MikeB Oct 17 '22 at 09:46
1

We're missing the obvious thing here.

"Strictly necessary cookies" don't exist. Period. Every time – every single time – one of these banners pops up I use uBlock to zap it away without accepting or denying anything at all. You can TRY to make me accept them. You will fail, every time, and I will continue to use the site regardless, because I can and you can't stop me.

Every site I have ever done this on as a user- probably hundreds at this point: I do it every time I get the cookie banner, everywhere I see it (including this very site, which itself is in violation of the GDPR via its lie about cookies that are "strictly necessary" ) - continues to function exactly as desired for the duration, regardless.

There. Are. No. Strictly. Necessary. Cookies. They simply do not exist and never have.

Hot take: if you insist there are cookies that exist that are strictly necessary, you are lying. Knowingly. And your company should be held liable under the GDPR.

Again, that includes this very site.

I have a degree in web design and development. I am posting this as a guest, without accepting any cookies or logging in.

And I can still post, without accepting any cookies at all (the cookie liebanner is up even as I type this on mobile).

I am considering reporting this site to EU regulators as an ironically shining example of just how many websites blatantly lie about "strictly necessary cookies" in order to try to skate around their legal requirements.

Kyle
0

Stopping the user who declines from using your website is a GDPR violation. What the site needs to do is to run the site without the cookies. If this makes it harder to send spam to me... That's Ok.

gnasher729
  • 11
    I don't believe this is accurate. If the cookies are strictly necessary for the service (e.g. session cookies) they are essential and don't need separate consent – Richard Tingle Oct 14 '22 at 16:58
-1

@Richard Tingle I posted my reply above and this one without creating an account, much less logging in. I've accepted no cookies prior to doing so.

Strictly necessary cookies don't exist. Not when you can refuse to accept or deny them and still have this particular functionality.

If I intended to create an account (I don't) or log in (I haven't, ever) it would be different. As it is, this site's claims of cookies being "strictly necessary" are just plain lies. I have neither created an account nor logged in, and despite refusing to accept OR deny the cookie liebanner I can still post and even edit my post (as I have just now done).

What I've just proven conclusively is that cookies AREN'T NECESSARY. Period. My actions right here, right now are proof positive that the claims of them being necessary for the site to function properly are bold-faced lies that should cause this very site to be sanctioned per the GDPR.

No I am not being polite. Frankly, given the discussion and the site I find myself on I am very, very, very pissed off. I do NOT like being lied to and I like people who lie to regulators even less.

This site should face fines for this given this discussion. Its open and flagrant violation of the GDPR requires a response. I think I WILL report this site to regulators. Its admins damned well ought to know better than to try to pull this trick.

Kyle