
EUROPEAN PRIVACY REGULATION FOR COOKIES: A CRITICAL REVIEW


Academic year: 2021

Master Thesis

EUROPEAN PRIVACY REGULATION FOR COOKIES: A CRITICAL REVIEW

Luna Miranda de Oliveira Guimarães Student Number 13015672

Supervisor: Candida Leone, LLM

Master Programme: European Private Law

Faculty of Law University of Amsterdam

ABSTRACT

The topic of cookie tracking has been a major focus of discussion in the privacy landscape. Despite the existence of current regulation on the matter, more specifically the ePrivacy Directive and the GDPR, studies have shown that consumers are still confused about how cookies work and which type of information is tracked, and do not trust the general privacy framework regarding cookies. In order to address these issues, the European Commission proposed a new ePrivacy Regulation. This thesis will focus, firstly, on identifying and describing the current framework for the regulation of cookies and the main issues identified by academic articles related to the use of cookies by websites. Additionally, after analyzing the core innovations brought by the proposed ePrivacy Regulation, this thesis will assess whether the current proposal for a new ePrivacy Regulation is suitable to address the identified issues.

The thesis comprises three chapters. Chapter one presents a summary of the regulation currently in force regarding cookie banners and privacy notices. The same chapter will also provide a summary of the current rules applicable to the cookies consent notices. Chapter two will focus on the most pressing issues regarding how cookies are collected by websites, how cookie banners are displayed and how the consent of users for the collection of their data is requested. Chapter three will provide an overview of the rules established in the New ePrivacy Regulation. Next, this same chapter will present an overview of how the new regulation relates to the issues identified in chapter three. Finally, the thesis will present a conclusion regarding the effectiveness of the New ePrivacy Regulation to address the issues and the need for additional regulation.

The results showed that it is unlikely that the barriers to the improvement of the digital environment and of privacy in the European Union, including all the issues regarding the misuse of cookies, will be solved by simply replacing the existing ePrivacy Directive with the proposed ePrivacy Regulation. The new ePrivacy Regulation undoubtedly brings improvements and clarifications that are welcome in the sector. Nonetheless, a step further is still needed, with more uniform and clear guidance on how websites or web browsers should implement such privacy regulation. This additional regulation should provide clear guidance to web browsers, as an additional burden regarding the protection of users’ privacy rights is placed on these tools.

TABLE OF CONTENTS

INTRODUCTION

Cookies and the behavioural marketing

Summary of chapters

CHAPTER 1: REGULATORY HISTORY AND BACKGROUND

1.1. Historical development of the cookies’ regulation

1.2. Main in force rules and principles applicable to the cookies consent notices

1.2.1. Consent

1.2.2. Legitimate Interest

1.2.3. Strictly necessary cookies

CHAPTER 2: REALITY OF THE PRIVACY NOTICES AND USERS UNDERSTANDING OF THE PRIVACY FRAMEWORK

CHAPTER 3: THE NEW E-PRIVACY REGULATION

3.1. Relevant provisions

3.1.1. Web browsers and other software enabling access to internet as gatekeepers

3.1.2 Lawful processing of cookies data and rules for consent

3.2. How the New ePrivacy Regulation addresses the identified issues

CONCLUSION

INTRODUCTION

In 2013, Luzak published the article Privacy Notice for Dummies¹ to discuss the need for a harmonized European guideline on transparent and readable disclosure on the cookies. According to this author, back then, internet users were not aware of cookies or hardly understood when and how they work. Six years have passed since then and, even though users seem to be more aware of the existence of cookies, many problems related to the tracking of users’ online activity through cookies still remain.

Since the enactment of the General Data Protection Regulation (“GDPR”)², which went into effect on May 25, 2018, the number of websites displaying a cookie banner increased. After the enforcement of this regulation, a survey demonstrated that around 62% of the most popular websites in the EU were then displaying a cookie consent banner, 12% more than in January of the same year³. This effect was even more pronounced in some specific countries, where the use of cookie banners increased up to 45% since January 2018⁴. The impact of GDPR on the use of cookie banners and privacy notices by websites is undeniable. One of the reasons for such pronounced adoption of the GDPR rules by companies is the provision of strong enforcement mechanisms, aimed at forcing companies to take privacy law seriously, at the same level as they consider antitrust and corruption regulations. Before the enactment of the GDPR, even large data companies faced only lower fines when violating users’ privacy rights⁵.

Nonetheless, more recent studies⁶ show that even though the use of some type of cookie banner or privacy notice is now more widespread across websites, the knowledge of the general user regarding the meaning of such notices and their implications for privacy is still very poor. Many users seem to be unaware of their rights regarding privacy and many websites still use cookies in an irregular or at least unethical way. As highlighted by Degeling et al.⁷, the simple presence of a privacy notice or a cookie banner does not mean that a service is in compliance with the privacy regulations.

1 Luzak, J., 2013.

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) [2016] OJ L 119.

3 Degeling, M. et al, 2019, p.1.

4 Degeling, M. et al, 2019, p.1.

5 Hoofnagle, C., Slot, B. and Borgesius, 2019. p.67.

6 Detailed in chapter 4 of this thesis.

Cookies and the behavioural marketing

Cookies are “a piece of text stored by a user’s web browser and transmitted as a part of an HTTP request”⁸. In plainer language, cookies are defined as small text files that a server can send to a browser, which in turn saves that file and sends it back in case the same server contacts the browser again. They can be useful for a website to remember the language preferences set by the user, the contents of a virtual shopping cart or that the user has already logged in⁹.

Cookies can be categorized as first-party cookies, the ones set by the website itself, or third-party cookies, set by others, such as ad networks. Third-party cookies allow ad networks to follow users around the web¹⁰.

Cookies soon became quite popular in the marketing industry, since with third-party cookies it became possible for ad networks to track users’ behaviour across websites and show them more relevant advertisements. For this reason, cookies became a very relevant tool for behavioural marketing and advertisement¹¹.
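
The mechanism described above, as an added example that is not part of the thesis: a simplified model of a browser cookie jar, showing why a third-party cookie lets an ad network link visits across sites while a first-party cookie only serves the site that set it, and what blocking third-party cookies changes. All hostnames and class names are hypothetical.

```javascript
// Simplified model of a browser cookie jar. Constructed example: all hosts are
// hypothetical, and "third party" is decided by exact host comparison, whereas
// real browsers compare registrable domains.
class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // host -> { cookieName: value }
  }

  // One HTTP request. topLevelHost is the site shown in the address bar.
  request(server, topLevelHost) {
    const isThirdParty = server.host !== topLevelHost;
    const cookiesAllowed = !(isThirdParty && this.blockThirdParty);
    // The browser sends back only the cookies previously set by this same host.
    const cookies = cookiesAllowed ? { ...(this.jar.get(server.host) || {}) } : {};
    const response = server.handle({ cookies, referer: topLevelHost });
    if (cookiesAllowed && response.setCookie) {
      this.jar.set(server.host, { ...cookies, ...response.setCookie });
    }
    return response;
  }

  // Load a page, then every resource the page embeds from other hosts.
  visit(site) {
    const page = this.request(site, site.host);
    for (const embedded of page.embeds) this.request(embedded, site.host);
    return page;
  }
}

// Ad network: hands out an identifier once, then logs where it sees it again.
class AdNetwork {
  constructor(host) {
    this.host = host;
    this.profiles = new Map(); // uid -> list of sites on which the uid was seen
  }
  handle({ cookies, referer }) {
    let uid = cookies.uid;
    const setCookie = {};
    if (!uid) {
      // No cookie came back: to the ad network this looks like a new visitor.
      uid = "u" + (this.profiles.size + 1);
      setCookie.uid = uid;
    }
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(referer);
    return { setCookie, embeds: [] };
  }
}

// Publisher: keeps a language preference in a first-party cookie and embeds the ad network.
class Publisher {
  constructor(host, adNetwork) {
    this.host = host;
    this.adNetwork = adNetwork;
  }
  handle({ cookies }) {
    const returning = cookies.lang !== undefined;
    return {
      returning,
      setCookie: returning ? {} : { lang: "nl" },
      embeds: [this.adNetwork],
    };
  }
}

// Visit news, shop, then news again, and report what the ad network could link.
function simulate(blockThirdParty) {
  const ads = new AdNetwork("ads.example");
  const news = new Publisher("news.example", ads);
  const shop = new Publisher("shop.example", ads);
  const browser = new Browser(blockThirdParty);
  browser.visit(news);
  browser.visit(shop);
  const secondNewsVisit = browser.visit(news);
  return {
    profiles: [...ads.profiles.values()],
    languageRemembered: secondNewsVisit.returning,
  };
}

console.log("third-party cookies allowed:", JSON.stringify(simulate(false)));
console.log("third-party cookies blocked:", JSON.stringify(simulate(true)));
```

With third-party cookies allowed, the ad network holds one profile covering all three page views; with them blocked, it sees three unrelated single-visit profiles, while the publisher's first-party language cookie keeps working in both cases.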

The reality is that, nowadays, cookies have become an essential part of the user’s experience when browsing the internet. From a public policy perspective, though, cookies can constitute an invasion of privacy, since consumers passively and, most of the time, unknowingly give their private information rather than actively sharing it.¹² One example of the risks that this type of technology presents is the fact that website owners can use cookies to discriminate between users on price based on their browsing history¹³, a phenomenon that received a lot of attention from the press¹⁴.

8 Krzyszrofek, M, 2019, p.98.

9 Borgesius, F., 2014. p.39.

10 Borgesius, F. 2014, p.31.

11 Behavioral targeting is defined by Borgesius as the activity of “monitoring people’s online behaviour, and using the collected information to show people individually targeted advertisements”. (Borgesius, 2014, p.28.)

12 Bornschein, R., Schimidt, L. and Maier, E, 2020, p.139.

13 Schimidt, L., Bornschein, R. and Maier, Erik, 2020. p.1.

14 For example: Borland, H. Plane Talking: Do Airlines Use Cookies to Increase Prices for Flights? Available at: https://www.thesun.co.uk/money/5482811/do-airlines-hike-prices-if-you-keep-lookingat-the-same-flights-on-the-same-day/.

For this reason, regulators in many jurisdictions, aiming to protect users’ online information privacy, created a series of norms regarding the collection, use and transfer of cookie data by website owners. In the European framework, Directive 2002/58/EC on Privacy and Electronic Communications, known as the “ePrivacy Directive” or “Cookies Law”¹⁵, and the GDPR were the regulators’ attempt to achieve this objective. Nonetheless, issues regarding how these regulations must be implemented exist and will be discussed in the following chapters of this thesis.

Back then, in 2013, Luzak concluded her article indicating the need for a harmonized European guideline on transparent and readable disclosure on the cookies¹⁶. The objective of this work is to assess which problems still persist regarding the use of the privacy notices for cookies in European websites and whether a proposed new Regulation on Privacy and Electronic Communications¹⁷ (“New E-privacy Regulation”) addresses these issues in a satisfactory manner.

The New ePrivacy Regulation covers a variety of situations that are not restricted to cookies, such as Over-the-Top communication services, electronic communications services and machine-to-machine communications, among others. I will restrict my analysis to the main objective of this work, which is the impact of the proposed new regulation on the cookies tracking framework.

Summary of chapters

This thesis will be developed as follows:

First, in Chapter 1, I will summarize the regulation currently in force regarding cookie banners and privacy notices, to provide some background on the previous regulations and discussions that led to the publishing of the New ePrivacy Regulation proposal. In the same chapter, I will also provide a summary of the rules currently applicable to the cookies consent notices, in order to build the path for the understanding of the main issues connected to the manner in which cookies consent notices are currently presented.

15 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201.

16 Luzak, J., 2013, p. 556.

17 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) [2017] COM(2017)10 final.

Next, with the proper background in place, in Chapter 2 I will raise the most pressing issues regarding how cookies are collected by websites, how cookie banners are displayed and how the consent of users for the collection of their data is requested.

In Chapter 3 I will provide an overview of the rules established in the New ePrivacy Regulation. The main objective of this section is to further analyse how the new proposed rules relate to the identified issues. Next, I will present an overview of how the new regulation relates to the issues identified in Chapter 2.

Finally, I will draw a conclusion regarding the effectiveness of the New ePrivacy Regulation to address the issues and the need for additional regulation.

CHAPTER 1

REGULATORY HISTORY AND BACKGROUND

1.1. Historical development of the cookies’ regulation

The first directive attempting to regulate and provide some guidance on how to use cookies was the ePrivacy Directive¹⁸. This directive had the merit of being the first regulation at European Union level to attempt to harmonize the rules regarding the privacy of internet users and guarantee a minimal level of rights for the consumers of internet websites in the European territory. This directive introduced, for example, the need for the service provider to inform users, prior to obtaining their consent, about the type of data that will be processed, for which purposes and duration, and whether the data will be transmitted to a third party. Users should also be given the possibility to withdraw their consent for the processing of cookies data at any time. In November 2009, the ePrivacy Directive was the object of a reform¹⁹, to include some rules aiming to improve the protection of personal data and privacy of users. Among them were the mandatory notification in case of data breach, enhanced protection against interception of communications and the strengthening of the powers of local data protection authorities²⁰.

Nonetheless, this directive had poor enforcement and compliance²¹.

Thirteen years after the publishing of the original draft of the ePrivacy Directive, in 2015, the European Commission issued a document called the Digital Single Market Strategy (“DSM Strategy”)²², whose purpose was, amongst others, to increase the trust and security in digital services and support the development of a digital single market across the Union. In this context, the adoption of the GDPR was key for the achievement of these objectives.

18 Directive on privacy and electronic communications.

19 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Reform of the Directive on privacy and electronic communications) [2009] OJ 337 p.11.

20 Press release of the European Data Protection Supervisor. ePrivacy Directive close to enactment: improvements on security breach, cookies and enforcement.

21 Hoofnagle, C., Slot, B. and Borgesius, F, 2019, p.66.

22 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Single Market Strategy for Europe. [2015] COM (2015) 192 final.

Therefore, one year later, the final version of GDPR was published and this regulation went into effect on May 25, 2018.

Unlike the ePrivacy Directive, the GDPR expressly mentions cookies only once, in Recital 30. Nonetheless, it is important to notice that all the general regulations regarding privacy established in this law apply directly to the use of cookies, to the necessary consent, the archiving of cookies data, etc.

In any case, the text of GDPR is still quite vague, speaking almost at the level of an aspirational principle²³. As a consequence, despite the regulation, quite often websites are still using and tracking cookies in a manner that is not in agreement with the regulations, or misusing the freedom given by such generic language to nudge or even force users to accept the tracking of their internet usage.

Aware of this problem and imbued with the ideas for modernization of the digital services market in the European Union, the European Commission carried out an ex post Regulatory Fitness and Performance Programme (“REFIT”) on the ePrivacy Directive²⁴. The assessment made of the results of the ePrivacy Directive showed that this Directive has not kept pace with technological developments²⁵ and has not fully met its objectives. This is how the European Commission described the results of the REFIT in the New ePrivacy Regulation project²⁶:

“In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has not fully met its objectives. The unclear drafting of certain provisions and ambiguity in legal concepts have jeopardized harmonization, thereby creating challenges for businesses to operate cross-border. The evaluation further showed that some provisions have created an unnecessary burden on businesses and consumers. For example, the consent rule to protect the confidentiality of terminal equipment failed to reach its objectives as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent.”

It was clear then that a new regulation regarding the protection of personal data in the electronic environment was needed. It is in this context that the proposal for the New ePrivacy Regulation was discussed and further published.

23 Hoofnagle, C., Slot, B. and Borgesius, F., 2019, p.67.

24 Ex-post REFIT evaluation of the ePrivacy Directive 2002/58/EC (REFIT) [2017] SWD (2017) 5.

25 Item 1.1. of the Proposal for a Regulation on Privacy and Electronic Communications.

1.2. Main in force rules and principles applicable to the cookies consent notices

As explained above, both the rules laid down in the ePrivacy Directive and in the GDPR apply to the tracking and processing of personal data using cookies.

According to article 6 of GDPR²⁷, the processing of personal data is prohibited unless it is based on one of these six legal grounds: (a) the user has given consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the user is party; (c) there is a legal obligation by the website to process the user information; (d) processing is necessary in order to protect the vital interests of the user; (e) processing is required by the public interest; (f) processing is based on legitimate interests of the website that prevail over the user’s interest.

In order to ground the discussions that are the object of this thesis, I will focus on legal bases (a) and (f) described above. Further detail on the other processing grounds can be found in general GDPR doctrine²⁸.

1.2.1. Consent

Consent is for sure the most popular legal ground for lawful processing of personal data²⁹. In summary, it means that the user’s data can be processed provided that the user gave their consent for that³⁰.

GDPR imposes a series of requirements for this consent to be considered valid. Under this regulation, consent needs to be “freely given, specific, informed and unambiguous”³¹.

First of all, the requirement of “freely given” means that “consent should be an autonomous act of the data subject, free from external manipulations”³². The consent has to be, in that sense, a product of the user’s free decision, regardless of the grounds on which their decision is taken. This concept, therefore, is irreconcilable with the so-called “take-it-or-leave-it” situations³³, where a website only grants access to its content if the user accepts all cookies or being tracked for targeted marketing³⁴. If the user is only granting their consent because otherwise they can’t have access to the website’s content, this consent is not really granted freely, exempt from any external manipulation. Another questionable practice is that of websites using tracking walls, which are barriers that can only be passed by users in case they agree to third-party tracking³⁵. In these cases, the consent is not considered sufficiently “free”, as this practice makes the consent involuntary³⁶.

27 Art. 6 GDPR.

28 E.g. Krzyszrofek, M. 2019.

29 Art. 6 GDPR.

30 For a comprehensive guide on all the aspects involving consent for data processing purposes, please see Kosta, E., 2011.

31 Working Party, Guidelines on consent under Regulation 2016/679, 2017

32 Kosta, E., 2011 p.149.

For the requirements of “specific” and “informed” to be fulfilled, vague and superficial consent requests are not considered sufficient. Asking the user, for example, to grant permission to use their data for “commercial purposes” would not be considered a valid consent, as it is too vague³⁷.

GDPR also prohibits hiding the consent request in the small print of general terms and conditions, as it requires the consent to be “clearly distinguishable from the other matters, in an intelligible and easily accessible form”.³⁸ As highlighted by Borgesius³⁹, a company can never guarantee that a person reads the text of a consent request, but they can make sure to provide all the necessary information in accordance with the data protection regulations.

Finally, for the cookies tracking to be considered lawful according to the GDPR, the consent must be unambiguous, which means that an active and positive act of consent must be given. The mere inactivity of the user cannot be interpreted as a valid expression of the user’s wish⁴⁰. No consent can be inferred from the silence of the data subject.⁴¹ Therefore, the use of opt-out options, where the consent is implicit unless the user expresses otherwise, is not considered a valid means of obtaining consent⁴². The European Court of Justice (“ECJ”) issued a press release, in the context of the Planet49 decision, reinforcing the invalidity of pre-checked boxes as a means of consent⁴³. The decision in the Planet49 case was recently reinforced in the Orange Romania case⁴⁴.

33 Hoofnagle, C., Slot, B. and Borgesius, F., 2019, p.79.

34 Borgesius, F. et al., 2018, p.2.

35 Borgesius, F. et al., 2018, p.5.

36 Borgesius, F., 2014, p.232.

37 Hoofnagle, C., Slot, B. and Borgesius, F., 2019, p.80.

38 Art. 7(2) GDPR.

39 Borgesius, F., 2014, p.224.

40 Borgesius, F., 2014, p.219.

41 Kosta, E., 2011, p.164.

1.2.2. Legitimate Interest

Another relevant ground for cookies processing is the legitimate interest of the website owner. This possibility covers situations where the interest of the website can supersede that of the user, but does not apply when these interests are overridden by the interests or fundamental rights and freedoms of the user. This provision, also known as the “balancing provision”, is supposed to be a catchall to include all the many reasons why the website must collect the cookies information that do not fall under the other lawful processing options.⁴⁵

As highlighted by Borgesius, many data processing practices can happen in a harmful small scale, bringing very limited risks to the user⁴⁶. One example is a bakery store that keeps a list of names and addresses of regular customers, to ease delivery or send greeting cards. But can a website use this legal ground to justify collecting cookies data for the purpose of targeted marketing, for example? One could argue that the processing of this data would be done in the legitimate interest of the website, since this website can be interested in either presenting targeted marketing to the user in order to be marketing-efficient or selling it to third parties in order to increase its profit. Nonetheless, for a company to be able to rely on the legitimate interest justification, based on the balancing provision, their own interest alone is not enough. The processing must also be necessary⁴⁷.

43 In October 2019 the German company Planet49 received an unfavorable decision from the ECJ for using a pre-ticked checkbox to request users’ consent to participate in a promotional campaign (Case C-673/17, BV VVB v Planet49 [2019]). After the decision, the ECJ issued a press release informing that “consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies”. As a consequence, the “consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent”. (Court of Justice of the European Union. Press Release of the Court of Justice of the European Union, Press Release No 125/19, 2019.).

44 In this case, a contract which contained a clause stating that the data subject has consented to the collection and storage of a copy of their identity document was not sufficient proof that the person had given a valid consent. This is because the box referring to that clause had been pre-ticked by the data company and the terms of the contract were considered misleading regarding the possibility for the client to conclude the contract without consenting to provide the data. (Case C-61/19, Orange România v ANSPDCP [2020])

45 Hoofnagle, C., Slot, B. and Borgesius, F., 2019, p.81.

46 Borgesius, F., 2014, p.209.

For necessity to be established, the processing needs to be assessed under the subsidiarity and proportionality tests. For the first, the question is whether there is any less intrusive manner to promote the products or services, for example, by using contextual advertising⁴⁸. For the second criterion, one has to ask if the tracking and processing is proportionate. For Borgesius⁴⁹, “the processing is disproportionate if it exceeds the limits of what is appropriate to pursue the ad networks business interests”.

Finally, for the balancing provision to be applicable, the interests of the data subject must also be taken into consideration, since the GDPR established that, for the legitimate interest legal ground to be justified, the interests of the website cannot be “overridden by the fundamental rights and freedoms of the data subject”⁵⁰. In that sense, the user can have an interest in using the website without being tracked and a reasonable expectation regarding their privacy when using the internet. Many users consider tracking and behavioural targeting to be intrusive⁵¹.

In that sense, Borgesius⁵² summarizes his overall conclusion on the use of legitimate interest to justify the use of cookies for targeted marketing as follows:

“In conclusion, under current law, personal data processing for behavioural targeting, in particular if it involves tracking an internet user over multiple websites, generally can’t be based on the balancing provision. If, in rare circumstances, a firm could rely on the balancing provision for behavioural targeting, the data subject would have the right to stop the data processing: to opt out.”

Krzyszrofek⁵³ agrees with this position:

“(…) certain authors have argued that, under the applicable laws, the use of cookies for the data controller’s legitimate interest covered not only cookies allowing the statistical analysis of website visits, but also cookies used for targeted advertisement. I disagree with this view. Indeed, legitimate interests may only be invoked if ‘a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place’ (…). Where no links exist between the data subject and the data controller, in particular, where the data subject is not the controller’s customer but only visited its website incidentally, it would be unjustified to claim that the data subject should expect that files might be saved on his/her device for the purpose of tracking his/her activity merely for the controller’s business purposes.”

48 Contextual advertising is advertising targeted at a general audience, for example, advertising about cars on a car website (Borgesius, 2014, p.212.)

49 Borgesius, 2014, p.212.

50 Art. 6(1)“f” GDPR.

51 Borgesius, F., 2014, p.213.

52 Borgesius, F., 2014, p.217.

53 Krzyszrofek, M., 2019, p.99.

1.2.3. Strictly necessary cookies

In addition to the GDPR lawful processing options, Article 5(3) of the ePrivacy Directive also allows the tracking and processing of strictly necessary cookies⁵⁴. Strictly necessary cookies are the ones without which the site or the service requested by the user would not work⁵⁵. One famous example is that of the shopping cart remembering the purchase made by the users or the fact that the user has logged in⁵⁶.

This category of cookies is commonly treated together with the “legitimate interest” cookies, as for a cookie to be legally tracked by the website, this tracking needs to be lawful, as discussed above. Strictly necessary cookies are a lawful reason for the website to use cookies, as provided expressly by law. Additionally, the situations where the website would have a legitimate interest in tracking the user’s behavior (and all the requisites of the balancing provision are fulfilled) and the ones where the use of cookies is strictly necessary can overlap.

The Working Party issued a Working Document⁵⁷ trying to provide some guidance on which types of cookies should require users’ consent and which should not, in other words, which cookies can be considered strictly necessary. Nonetheless, this guidance is not binding and there is currently no enforceable regulation in place to provide a precise definition of the limits within which websites may consider certain cookies strictly necessary, which gives them a wide margin of interpretation.

Regardless of all the current rules described above, especially the ones regarding consent and legal grounds for lawful data processing, there is still a lot of space for toxic creativity by website owners. This is because, as already discussed, the GDPR rules are presented almost as a principle, with very little detail on their practical applicability⁵⁸. This lack of clear guidance and uniformity on how to implement the rules regarding users’ privacy led to a series of issues that will be discussed in detail in the next chapter.

54 Richie, K. Cookies, the GDPR, and the ePrivacy Directive. GDPR.eu.

55 Krzyszrofek, M., 2019, p.98.

56 Degeling, M. et al., 19, p.3.

57 Working Party. Opinion 04/2012 on Cookie Consent Exemption.

58 Bornschein, R., Schimidt, L. and Maier, E., 2020, p.136.

CHAPTER 2

REALITY OF THE PRIVACY NOTICES AND USERS UNDERSTANDING OF THE PRIVACY FRAMEWORK

For the selection of the academic material on which to base this chapter, I have used the catalogue of the University of Amsterdam as the main source.

There I selected articles having the word “cookies” in the title and “data privacy” in the content, in order to filter out unrelated research. I have also excluded the term “medical” from the search for the same reason.

Since some studies were published before the GDPR’s entry into force and, therefore, do not cover all the effects observed after this regulation took effect, I have decided to exclude the results of these works from my analysis. This chapter is, therefore, based on studies published after June 2018.

Finally, from the results obtained, I have filtered academic articles that present analysis based on empirical studies, made on real websites, in order to obtain a concrete and realistic overview of the issues related to the use of cookie banners and consent notices. After making this initial screening, I’ve also included some related articles referenced in the relevant literature found on the UvA database.

After this screening, this chapter is mainly based on the following main studies⁵⁹.

An article⁶⁰ by A. Dabrowski et al., published in March 2019, that collected cookies from Alexa’s Top 100,000 websites and compared their cookie behaviour at different data set points, one in 2016 and one in 2018, and in different locations (a Member State of the EU and a US-based Amazon data center) to measure the impact of GDPR on such behaviour.

The work published in June 2019 by the University of Michigan and written by M. Degeling⁶¹ et al., that monitored the impact of the GDPR on the 500 most popular websites in 28 Member States of the European Union, including on the cookie banners.

59 Besides the complementary bibliography, as referenced in each item.

60 Dabrowski, A. et al., 2019.

The study published in October of 2019 by C. Utz et al.62, with 82,890 real users of a German website, that analysed how the position, type of choice and content framing on consent notices might influence users’ behaviour and opinions.

The article published by Soe, T. et al.63, that manually analyzed 300 consent notifications from Scandinavian and English language news outlets, in order to identify the use of dark patterns.

Below I present a compilation of the main issues related to cookie banners and communication with users, gathered from the collection of academic work analysed. This selection is not based solely on any of the works, nor is it organized by a criterion of relevance, time or any other metric, besides my personal assessment of their relation to the work I intend to present.

a) Unregulated design choices can confuse users and influence users’ behaviour

Some of the cookies’ regulation requirements are fairly implemented across European countries. For example, the obligation to provide some type of notice when placing cookies on a user’s device is complied with by most of the websites by now64.

Nonetheless, the design and the complexity of the cookies consent notice can vary a great deal65. Some of them, for example, only inform that cookies are being used, without providing users with any further information. Others allow visitors to choose individually whether to allow each third party that the website uses to process the data, split per category66. While some websites use small bars hidden at the edges of the user’s screen, others present highly visible pop-ups overlaying the main content67.

The absence of a regulation on design leads to a wide range of different layouts, which can confuse users and make it more difficult for the population in general to get familiar with the cookies consent banner and its content.

The lack of clear and well-defined design regulation is harmful not only because it might cause confusion and lack of familiarity, but also because cookie banners and privacy consent notices very often display a design aimed to steer the visitors to accept privacy unfriendly options or the full use of cookies. Some of the techniques include highlighting the accept button with a flashy colour, having pre-selected boxes accepting the use of the information and hiding the possibility to deny or set up the user’s preferences in a hard-to-find setting68.

62 Utz., C., et al., 2019.

63 Soe, T., et al., 2020.

64 Bornschein, R., Schimidt, L. and Maier, E., 2020, p.139.

65 Utz., C., et al., 2019.

66 Santos, C., et al., 2020, p.2.

The use of malicious tricks to persuade the user to act in a certain way, in this case, to accept the cookies tracking by a website, is known as dark patterns69.

Gray et al.70 presented a classification of the dark patterns most commonly used by websites as follows71:

Nagging. The redirection of a functionality that persists beyond one or more interactions, where the user's desired task is interrupted one or more times by other tasks not directly related to the one the user is focusing on. One example is when the user rejects the use of cookies and the website tries again to push the user to change their mind, by showing an “are you sure?” banner72.

Obstruction. When a website makes a process more difficult than it has to be, aiming to dissuade the user from a certain action. The most common obstruction pattern in cookies is hiding the option to deny the consent in a separate page from the consent notice or behind some button with a vague text, such as “find out more”73.

Sneaking. Very similar to the concept of obstruction, sneaking would be an attempt from the website to hide or delay the sharing of information that is relevant for the user, for example when the cookie consent banner does not give the user the impression that they can deny their consent. One commonly used method is the use of cookie banners that simply inform “by continuing to use our site, we assume you accept our cookies policies”74.

Interface interference. Defined as the manipulation of the user’s interface to benefit certain actions to the detriment of others. This includes a wide range of initiatives, such as hiding the option to deny consent, using pre-ticked boxes and aesthetic manipulation, such as including an “I accept” button with an attractive and flashy colour and the button for deny in the same colour as the rest of the text.75

68 Utz., C., et al., 2019, p.4.

69 Gray et al. defines dark patterns as “instances where designers use their knowledge of human behavior (e.g., psychology) and the desires of end users to implement deceptive functionality that is not in the user’s best interest.”. (Gray et al., 2018, p.1.)

70 Gray et al., 2018, p.5.

71 This section presents the definitions provided by Gray et al., 2018 and the examples used by Soe, T., et al, 2020.

72 Soe, T., et al., 2020, p.6.

73 Soe, T., et al., 2020, p.6.

74 Soe, T., et al., 2020, p.6.

Forced Action. When the website requires the user to perform a certain action in order to be able to access a certain functionality. In the cookies’ reality, the most commonly observed behaviour is blocking the user’s access to the website until they click on the banner.76

The study by Soe, T., et al. showed that, in all the websites researched in 2019, at least one dark pattern was observed, with obstruction and interface interference being the most common ones. A second round of data collection and analysis was made in April 2020, on all the 300 webpages. In that round, 3 websites had changed their consent design and presented no dark patterns and 16 had removed their consent notice77. In this second round of observations, the use of obstruction was still present in 43% of the websites and interface interference occurred in 45,3% of them78.

It has been proved that the use of these dark patterns to get the consumer to accept the use of cookies has a direct relevant impact on user behaviour. For example, in the study carried out by C. Utz et al.79, 50.8% of the mobile phone users and 26.9% of the desktop users clicked on the “accept” button with a nudging design, while these numbers were 39.2% and 21.1%, respectively, for users who saw the same banner with a non-nudging design. The same effect was observed with regard to the pre-selected buttons. In consent notices with pre-selected versions, 30% of the mobile users and 10% of the mobile phone users accepted the processing of their data by all listed third parties, while only 0.1% of the users allowed all third parties when given a clear, simple and not pre-selected opt-in choice.

It is questionable if the criterion of freely given consent is met in these cases, as the user is providing their consent based on disguise, influence and false perceptions, such as believing that no alternative is given except accepting the cookies tracking in order to be able to access the website. For this reason, these websites, if subject to an authority’s scrutiny, would hardly be considered as in compliance with the privacy regulations.

The use of pre-ticked boxes in consent banners, classified as interface interference, was already discussed in chapter 1 and it is considered irregular, as it does not satisfy the criteria of unambiguous consent and, according to Utz., C., et al80, is unlikely to produce intentional or meaningful consent. Nonetheless, the results of a study81 show that this practice is still used by a number of websites.

75 Soe, T., et al., 2020, p.7.

76 Soe, T., et al., 2020, p.7.

77 Soe, T., et al., 2020, p.5.

78 Soe, T., et al., 2020, p.8.

79 Utz., C., et al., 2019, p.9.

One of the reasons for the undesirable variety identified in websites is the fact that the European Union currently does not have any regulation providing clear and detailed instructions on the design of websites and how to properly present the banner requesting the user’s consent to track cookies, which leads to too much flexibility on the website’s side and a lack of uniformity and clarity for users.

For all these reasons, Soe et al.82 categorically state that “any regulation of a computational system that aims to protect user rights should be accompanied by a regulation of user interface design”.

b) Too many privacy options give users the feeling that their choices are not meaningful

As presented in chapter 1 above, the current privacy regulatory framework allows for cookies tracking, provided that the user gives a clear, unambiguous and well-informed consent. There are, nonetheless, other legal grounds for cookies tracking, such as legitimate interest or the strictly necessary cookies category.

However, the definition in the privacy regulation regarding other lawful reasons for data processing is quite vague and abstract. This situation apparently led some websites to decide to simply ask for the user’s consent, since it is theoretically easier and risk-free, even in situations where other lawful processing grounds could be used, such as legitimate interest83.

This led to the so-called consent fatigue, derived from the increase in cookie banners, irritating the navigation process, with users encountering consent requests that are sometimes not clear or not even read by them84.

80 Utz., C., et al., 2019, p.2.

81 On Nouwens, M., et al. study, 56,2% of the researched websites presented pre-ticked options. (Nouwens, M., et al., 2020)

82 Soe, T., et al., 2020, p.1.

83 Impression collected from my personal professional experience on the field. Requires further academic studies to be confirmed.

The current practices regarding consent notices, providing too many options or information, tire users and leave them with the feeling that their choices are not meaningful. This impression leads to the habit of clicking any button that makes the banner go away, instead of actively engaging with it and making an informed choice85.

On the other hand, despite the fatigue caused to website users by the overload of consent banners, since the enactment of the ePrivacy Directive and later with the GDPR, there was a movement from regulators and auto privacy protection bodies encouraging websites to provide more information each day to users about all their tracking activities and information collected, as this is seen as a good transparency standard86.

Therefore, on one side we have the studies showing that users might be fatigued from an overload of information and consent requests, to the point of not paying attention anymore or clicking any button to make the request go away. On the other hand, we have a regulation that requests more disclosure every day from website owners, but eventually fails to achieve its objective, as users are failing to exercise their right to consciously choose if they want to share their information, as they are overloaded with information. Finally, there is also the position of website owners, who have to spend money on making their websites privacy compliant, but lose part of their marketing investments, as the excess of information and consent requests might hurt the conversion or user engagement, which are the websites’ success metrics.

One concrete example of this issue is the one regarding the recommendation for websites to split the cookies into categories, to make it easier for users to understand and approve or reject such type of tracking87. C. Utz et al.’s study showed that interaction rates by users were higher with notices that provided at most two options, compared to those that let users select data collection for different purposes or third parties individually88. These results show that, contrary to what seems to be the position of the regulators, cookie banners that do not provide sufficient information and do not allow visitors to individually choose their privacy options seem to be preferred by users.

85 Utz., C., et al., 2019, p.2.

86 E.g. Working Party. Guidelines on transparency under Regulation 2016/679. See further: ICO. Principle (a): Lawfulness, fairness and transparency.

87 E.g. European Data Protection Supervisor. Guidelines on the protection of personal data processed through web services provided by EU institutions. 2016. p.15.

The same study by Utz et al. also showed that the more choices offered in a notice, the higher the chances for users to decline the use of cookies89.

These results highlight the importance of finding the right balance between providing enough detail to make users aware of their rights and the website’s data collection practices, while not overwhelming them with too many options and information.

c) Lack of knowledge or complex information leads consumers to choose cookie blocker extensions and to data being processed without any consent

As seen above, the lack of design uniformity, combined with the fact that consent notices often cover parts of the website’s main content, led many website users to become fatigued with consent mechanisms, pop-ups and privacy notices90. As a result, many tools to block pop-ups have emerged and become popular, for example the “I don’t care about cookies” browser extension91. This means that often the data collection takes place without the user’s consent, since most of the websites have as a default setting to collect the data, unless the user expressly opts out92, a practice that is questionable from the privacy regulations point of view, since it lacks legal grounds for the data processing according to the current data privacy regulatory framework.

d) Cookies and privacy information lack transparency and accessibility

Another issue regarding privacy notices and cookie banners is that they usually lack transparency. Article 5(1) of the GDPR93 includes transparency as one of the requisites for the processing of personal data to be considered lawful. Recital 39 of this same rule brings some more detail on how a processing of personal data can be considered transparent94:

89 Utz., C., et al., 2019, p.2

90 Utz., C., et al., 2019, p.1.

91 The “I don’t care about cookies” browser extension attempts to reduce the level of interaction of users, by blocking or hiding cookie related pop-ups or, when the use of cookies is necessary to access the site, by automatically accepting the cookie policy for the user. For more information: https://www.i-dont-care-about-cookies.eu/.

92 Utz., C., et al., 2019, p.1.

93 Art. 5(1) GDPR.

94 Recital 39 GDPR.

The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.

Despite these provisions, users’ control over the information collected is still very scarce, either regarding the type of information collected or where it gets transferred to. Without knowledge of who is processing their data, it gets difficult for users to exercise any control over it. As Borgesius highlighted95:

Firms rarely explain clearly what they do with people’s data. Privacy policies often use ambiguous language, and don’t help to make the complicated data flows behind behavioural targeting transparent. It’s rare for people to have consented in a meaningful way to behavioural targeting. (…) People don’t know enough about the complex data flows behind behavioural targeting to understand what they are being asked to consent to.

A proof of this is, for example, the study of Christine Utz et al96, where almost a quarter of participants of the survey thought they had to accept cookies, otherwise their access to the website would be blocked. This result demonstrates the lack of knowledge of the users, as a result of the lack of transparency from the websites.

A transparent and privacy-compliant cookies banner or privacy notice should inform that the access to the website won’t be blocked in case users exercise their privacy rights, or which specific website functionality may not work in case some category of cookies is declined. The results of a survey presented in the same study from C. Utz et al. showed that users clearly expressed a desire for a transparent mechanism for data collection97.

Another example of lack of transparency is the cases where the website simply informs that “this website uses cookies”, without any further detail or information on what this means for the consumer, as discussed in item “a” above.

95 Borgesius, F., 2014, p.116.

96 Utz., C., et al., 2019, p.18.

97 Utz., C., et al., 2019, p.2.

e) Lack of regulation on cookies categorization allows websites to be flexible and consider different types of cookies as “essential”

As shown above, many websites don’t give the user the possibility to reject the use of cookies (for example, with banners that simply inform “this website uses cookies”) or do so in an aggregated manner, giving the user the impression that if they click on “reject cookies” they won’t be able to access the website. Nonetheless, even for the ones that try to be more advanced in the privacy settings and ask for the user’s consent for processing of their data by separating cookies into categories that can be deactivated or not, the fact that there is no regulation on how to categorize these cookies allows these websites to be creative and include cookies in any categories they see fit.

As seen in item 1.2.3, Article 5(3) of the ePrivacy Directive provides that the websites do not need to ask for users’ consent to track strictly necessary cookies. Nonetheless, due to the lack of a regulatory definition of what type of cookies can be considered as strictly necessary, websites can be overly flexible about which type of cookies will be collected under this legal category.

Due to this unwanted freedom, some weird cases were registered by studies. For example, a website of a major U.S. TV network categorized cookies for Google Analytics and Google Ad Serving, which are clearly marketing tools, as “necessary”98. Another example is an online marketing website that simply declared that all cookies are necessary, displaying all the other categories besides strictly necessary as a “no option” for selection99.

f) Impacts of non-compliance with some GDPR requirements are not clear or lack enforcement

Despite the provisions of the GDPR regarding fines, enforcement of rules and the creation of local supervisory authorities to inspect compliance with the privacy regulation, some of the rules remain unsupervised.

98 Degeling, M. et al., 2019, p.12.

99 Degeling, M. et al., 2019, p.12.

In a historical analysis of the penalties imposed by supervisory authorities in the whole European Union gathered by a website called “GDPR Enforcement Tracker”100, it is possible to see a pattern of which types of violations are more commonly subject to supervision. The leading base for fines is the “insufficient legal basis for data processing”, that encompasses situations where companies process personal data without proper consent or legal justification, such as consumers being charged for payments without ever having signed any agreement with the charging company101. Violations of this nature amount to 182 fines, that sum a total of € 146,810,398. Fines related to the “insufficient fulfilment of data subject rights” number 46 until now and relate mostly to the failure of companies to attend to requests for data erasure, access to data and insistent contacts (emails, calls, etc.) after the subject expressed objection to the data processing. All these are easily traceable and proven violations.

When looking at the fines regarding the “insufficient fulfilment of information obligations” (23 until now, in a total amount of € 582,505), it’s possible to notice that in general they relate to issues such as the absence of a privacy policy or cookie banner on the website, installation of surveillance cameras without proper notification to the data subjects or, in the most abstract cases, companies collecting personal data without providing accurate information about data collection in its data protection declaration.

Nonetheless, fines relating specifically to the misuse of cookies, in disregard of the cookies’ regulation, are only four, all of them applied by the Spanish Data Protection Authority. The first fine of this nature registered, amounting to a total of 10,000, was applied because the company Ikea Ibérica installed cookies on an end user’s terminal device without prior consent of the data subject102.

The second fine, applied in October 2019, was imposed on Vueling Airlines for not giving users the ability to refuse the use of cookies and for preventing the use of their website without accepting their cookies. The cost was 30,000 euros103.

Of the two fines applied in 2020, one in the amount of 3,000 euros imposed on Salad Market S.L. referred to the lack of sufficient data processing information in relation to video surveillance on business premises, but also included a penalty for insufficient information regarding when cookies were used on their website104. The last and most recent one, also in the amount of 3,000 euros, on Grow Beats SL, was imposed because the company published a cookie policy on its website containing no information about the purpose of the use of cookies, as well as no information about the properties of the installed cookies and the time period for which they remain active in the user's terminal equipment105.

100 GDPR Enforcement Tracker. Available at: www.enforcementtracker.com

101 GDPR Enforcement Tracker. Ibid.

102 GDPR Enforcement Tracker. Details page for ET-ID 121. Available at: https://www.enforcementtracker.com/ETID-121

103 GDPR Enforcement Tracker. Details page for ET-ID 86. Available at:

As the numbers show, all the applied fines related mostly to documentation or content of minimum information required. They usually concern the breach of “black and white” rules, meaning requirements for companies to have or not have certain elements in their websites. Nonetheless, the research found no fine regarding misleading designs, pre-checked boxes, nudging or any of the techniques discussed above that can impact the user’s consent or understanding of the processing activity by the website.

I could also notice from the data that, even though this is a trend that is slowly changing, the fines are still mostly imposed on big companies that have a wide reach in users across Member States. Even though it makes sense that the supervisory authority concentrates most of its efforts on companies with higher impact, this gives small companies a feeling of exemption, as if the eyes of the authorities are not turned on them and they can simply be more lenient or flexible with regard to best practices on privacy.

104 GDPR Enforcement Tracker. Details page for ET-ID 298. Available at: https://www.enforcementtracker.com/ETID-298

105 GDPR Enforcement Tracker. Details page for ET-ID 364. Available at:

CHAPTER 3

THE NEW E-PRIVACY REGULATION

As described in section 2, the new ePrivacy Regulation was drafted in the context of the DSM Strategy of the European Union. It became clear, by the REFIT results, that there are flaws in the current cookies system regulation. The proposal for an ePrivacy Regulation was published aiming to solve these issues.

One important aspect of the project for an ePrivacy Regulation is that this is a different regulatory instrument than the current ePrivacy Directive. Directives, according to Article 288 of the TFEU106, need to be implemented by each Member State at the national level to be enforceable over its citizens. This means that local discrepancies can be found across Member States when implementing directives, in order for the directive rules to make sense at a local level. Regulations, in turn107, can be directly applicable in their entirety, without the need for any local implementation for the rule to be enforceable108. This also means that there is no discretion for Member States to change or adapt the regulation when implementing it, which helps the uniformization of the cookies’ framework across the European Union.

Before discussing if the issues raised in chapter 2 were solved, I will draw an overview of the relevant rules brought by the New ePrivacy Regulation, in order to allow the analysis of their impact on the mentioned issues.

3.1. Relevant provisions

The structure of the proposed regulation is as follows: i) Chapter I contains general provisions regarding the subject matter, the material and territorial scope and definitions; ii) Chapter II brings rules about the protection of communications of natural and legal persons as well as the information stored in their terminal equipment; iii) Chapter III discusses users’ rights to control electronic communications; iv) Chapters IV and V address supervision of the compliance with the rules, enforcement, penalties and remedies; v) finally, Chapters VI and VII deal with delegated and implementing acts, as well as final general provisions.

106 288 of TFEU.

107 288 of TFEU.

108 European Union. Regulations, Directives and other acts. Available at:

It is important to state that the recitals of the New ePrivacy Regulation are way more comprehensive, clear and detailed than the regulation itself. For that reason, most of the discussions regarding the reforms brought by the proposed New ePrivacy Regulation revolve around the wording of the recitals.

Despite all the attention paid to the recitals and the relevant detail provided in the project, it is important to highlight that in the case law of the ECJ109, the Court ruled that a recital to a Directive has no binding legal force and cannot be relied on either as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner clearly contrary to their wording. If interpreted a contrario sensu, it could be understood that, when the wording of the recitals is not clearly contrary to the provisions of the regulation itself, it can have a binding force or, at least, should be considered as part of the regulation.

3.1.1. Web browsers and other software enabling access to internet as gatekeepers

One of the main and most impactful changes brought by the New ePrivacy Regulation is the one of article 10, that attempts to place on web browsers and other software enabling access to internet the responsibility to obtain and enforce user’s general consent regarding the use of cookies on websites. According to the wording of the regulation, software permitting electronic communications and the retrieval and presentation of information on the internet, including web browsers and similar, “shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.”110. Such privacy settings must be informed and required from the user upon installation of the software. Software already installed before the enacting of the new regulation must provide such privacy setting and require users’ consent on the first update.

More details regarding such rule are presented in recital no 22, that highlights the importance of web browsers as gatekeepers of the privacy preferences, since they can play an active role to help users control the flow of information, from one point to another. They, in the position of mediators between users and websites, could help the users to protect their information.

In the New ePrivacy Regulation, web browsers and software enabling access to internet gain a paramount importance, since they are placed as a one-stop shop for the user to set all their general privacy preferences, that should automatically apply and be enforceable over all the websites visited using such tools. For that, the regulation provides, in recital 24, that web browsers must inform the users, at the moment of installation, about the possibility to choose privacy settings and how to change that at a later moment, as well as include information about the risks associated with allowing third party cookies to be stored in the computer.

109 Case C-136/04, Deutsches Milch-Kontor GmbH v Hauptzollamt Hamburg-Jonas [2005], paragraph 32; Case C-162/97 Gunnar Nilsson, Per Olov Hagelgren, Solweig Arrborn [1998], paragraph 54; and Case C-308/97 Giuseppe Manfredi v Regione Puglia [1998], paragraph 30.

In recital no 23, the European Union brings some relevant detail about the privacy options that must be provided to the end-users of software or web browsers:

“Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.”

Even though not expressly mentioned, these changes seem to indicate that, in the European Commission’s view, the famous cookie banners, asking for consent of the user to collect and process their data, would no longer be necessary111. That for sure would be a very user-friendly framework and that could solve most of the design and nudging issues highlighted in section 4 above. But would it work?

The idea of having browsers as a possible means for users to set their privacy preferences has been under discussion since the directive that amended the ePrivacy Directive in 2009112, that brought, in its recital 66, the following wording:

“(…) Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”

111 The new EU ePrivacy Regulation: what you need to know. Available at: https://www.i-scoop.eu/gdpr/eu-eprivacy-regulation/#:~:text=The%20ePrivacy%20Regulation%20AIMS%20to,cookie%20consent%20pop%2Dups%20anymore. Access on: 25/11/2020.

After this inclusion in the directive, a strong debate regarding the suitability of web browsers to play such a role in the protection of privacy rights of users started. The Working Party113, for example, on many occasions questioned if this set up is sufficient to constitute a valid consent, by means of the GDPR provisions:

“Where the website operator can be confident that the user has been fully informed and actively configured their browser or other application then, in the right circumstances, such a configuration, would signify an active behaviour and therefore be respected by the website operator. (…) The process by which users could signify their consent for cookies would be through a positive action or other active behaviour, provided they have been fully informed of what that action represents.(…) If the user enters the website where he/she has been shown information on the use of cookies, and does not initiate an active behaviour, such as described above, but rather just stays on the entry page without any further active behaviour, it is difficult to argue that consent has been given unambiguously.”

F. Borgesius¹¹⁴ seems to agree with the Working Party’s position. For this author, a default browser setting cannot constitute a specific and informed indication of the user’s wishes. In addition, it would be unlikely that users who do not set their preferences in the browser settings actually want to accept all kinds of cookies. In this case, there is no expression of will to be discussed. Also, if browsers accept many cookies, including future ones, the users’ consent could not be regarded as informed and specific.

This author summarized his opinion on recital 66 as follows¹¹⁵: “If browsers were developed with a function to express consent in line with the Data Protection Directive, such browsers could be used to consent to the use of cookies. However, for the moment most browsers aren’t suitable to give informed consent for cookies”.

Despite all the discussions related to recital 66 of the amendment of the ePrivacy Directive in 2009¹¹⁶, the rule putting web browsers in the position of privacy gatekeepers came back, this time not only as a recital but, as seen above, as one of the articles of the new ePrivacy Regulation.

Similar to what happened with recital 66, this proposed change prompted many discussions and questions from actors in the privacy and technology spheres.

113 Working Party. Working Document 02/2013 providing guidance on obtaining consent for cookies, p.4.

114 Borgesius, F., 2014, p.230.

115 Borgesius, F., 2014, p.231.
