Cookies - how to properly ask for consent?

In most cases, the first thing an ordinary Internet user notices when he or she accesses a website is not its content, but information about the cookies used, asking for consent to use them. But what does it look like from the perspective of a website manager? Find out what information you should know in order to properly implement "cookies" on your website.

Historical outline

Directive 2009/136/EC, introduced by the EU in 2011, aims to protect users' privacy online. As such, the European Parliament has forced all EU member states to obtain informed consent from their audiences for the collection and storage of their data. If you do business in your chosen EU country, you must comply with the following requirements:

  1. Notify users that your website uses cookies.

  2. Provide information on how the data is used.

  3. Provide users with the option to accept or refuse the use of Cookies on your site.

  4. Ensure that cookies are not placed on users' computer without their express consent.

A breakthrough in the legal assessment of cookies and related obligations came with the October 1, 2019 decision of the General Court of Justice of the European Union regarding one German company. In that decision, the General Court referred to the relationship of privacy and electronic communications laws to data protection laws, which have been superseded by the General Data Protection Regulation (GDPR).

The court said that a company's use of cookies is tantamount to the processing of personal data (because it can be traced to a specific person). As such, there is some overlap between the privacy and electronic communications regulations and the data protection regulations, so both regulations should apply. The court answered the preliminary questions posed by the German court and, in particular, reached the following conclusions:

  • Consent is required for the use of marketing cookies, which must be evaluated in accordance with the provisions of the GDPR. Consent is not valid if it is given via a default checkbox, which the user must uncheck to deny consent;

  • The information that the service provider should provide to the website user also includes the duration of the cookies and whether third parties can access them.

Cookies on the website

The cookie policy does not specify how cookies should be implemented on a website. We outline the most common solutions.

Adding a pop-up message asking for consent to cookies

This is a possible and popular solution that gives permission for cookies. It is worth remembering that the notification or window that is used should include a place where users have the opportunity to agree or refuse cookies. Also, it is important to provide simple assurances about the security of the data and inform about the purpose of using this information.

The most common are two forms of using such messages. They can appear as small rectangular boxes at the bottom of the page, or as large windows that obscure the content of the site until the user takes action and accepts the use of cookies. Both forms are shown below.

Extend the terms of use to include information about cookies.

This is a good solution for avoiding unsightly pop-ups. However, not all site administrators choose to do this. Some choose to add information about cookies to the terms of use as an alternative option. This is an interesting and effective method, but it will not always be appropriate. First of all, it is important to remember that users must consent to the use of cookies. Even if you include such information in the terms of use, it will also be necessary to find a way to get users to accept the terms first. One solution is to require users to register with the site in order to use it. Unfortunately, this solution is only applicable in a small number of cases (usually when subscribing to a service), and putting such a condition in front of the recipient significantly reduces their convenience in using the site.

Keep in mind that adding information about cookies to the already existing terms of use of the site is not sufficient - you require separate consents for the use of cookies. If there are users on your site who have already agreed to the terms and conditions, but now you are just adding information about cookies, you will have to ask them to read and accept the new terms and conditions.

Is it enough to inform users about the use of cookies?

The so-called implicit consent, usually sent through a short message on the website, informs the user about the use of cookies on that site. This message does not have to be displayed all the time, sometimes a few seconds are enough, after which it is removed from the view of the recipient. If the user remains on the site, it is presumed that he or she agrees to the use of these cookies.

In some countries, consent to the use of cookies cannot be presumed. This is used in the UK, for example, but in Poland it is illegal. In Poland, the responsibility for regulating cookies lies with the telecommunications law. According to Article 174, the user's consent cannot be implied, but can be expressed by electronic means. In this case, the condition is that it is recorded and confirmed by the user, and that the consent can be withdrawn at any time in a simple and free way. In addition, if these rules are not followed, the President of the Office of Electronic Communications may impose a financial penalty on the owner of the site equal to 3% of the revenue earned by the entity in the previous calendar year.

Subscribe to our newsletter

Stay up-to-date on e-commerce, technology, innovation and legal developments.

notify