In Europe, they decided that consent to the setting of cookies should be explicit and forbade pre-setting the appropriate checkboxes on banners. There is an opinion that the decision will complicate web surfing and will have far-reaching consequences in the legal field. We understand the situation.
A photo - — unsplash
What the court decided
In early October, the Court of Justice of the European Union that sites cannot use pre-filled checkboxes that allow cookies to be set in users' browsers. Otherwise, companies violate the requirements and the GDPR, which oblige to obtain explicit consent for the processing of PD.
Additionally, the owners of Internet resources were obliged to list the names of third-party companies that have access to personal data of visitors, and indicate the "lifetime" of cookies. The court also noted that the actions performed by the user on the site (for example, downloading a file) cannot be regarded as consent to the processing of PD.
The case on which the decision was made was opened in Germany back in 2013. Then the Federation of German Consumer Organizations sued the lottery company Planet49. The site of the latter had checkboxes allowing the setting of advertising cookies. The German court ruled on the case for four years, but in 2017 decided to refer it to the Court of Justice of the European Union for detailed consideration.
It is worth noting here that the regulation does not affect cookies, the installation of which sites by law user permissions. We are talking about cookies for saving session data, the operation of social network plug-ins and downloading video content.
What will the ruling affect?
The decision will draw additional attention to the problem of personal data security on the Internet. For example, after the entry into force of the GDPR, European regulators recorded an increase in the number of complaints about violations of companies - disruption of the terms of storage of PD, their illegal processing or leaks. There is an opinion that the new ruling of the European Court of Justice will lead to a similar reaction. However, there is another side of the coin. Some users still try to hide the cookie banner as soon as possible so that it does not take up useful space on the page. The need to manually tick the necessary checkboxes will make it difficult for them to work on sites - at least it will take time.
In any case, site owners will have to change their approaches to processing cookies and, possibly, PD. Interestingly, the new ruling will also affect the website of the European Court itself. How one of the residents of Twitter, the organization's web resource does not meet the new privacy standards.
According to Lukasz Olejnik, an expert in information security at the University of Oxford, the need to specify the expiration date of cookies will impose additional obligations on sites. Webmasters will have to ensure that the max-age and expires attributes, which are responsible for the "lifetime" of tracking files, match the information on the banner.
A photo - — unsplash
The court's decision also sets an important precedent. On him European regulators in dealing with similar disputes.
In this case, as Luca Tosoni, a researcher at the Norwegian Research Center for Computers and Law, said the new regulation will influence discussions on the ePrivacy Regulation. He GDPR and will tighten the rules for working with cookies and personal data. Adopt a law in 2020 year.
Issues not addressed by the court
The Court of Justice of the European Union has not yet addressed issues related to the legality of cookie walls. These are banners that block access to content until the user allows the processing of personal data. Although at the beginning of the year the Dutch regulator , in which he called cookie walls illegal. They force users to agree to the terms of data collection, and this is contrary to the requirements of the GDPR.
But the decision of the regulator in the Netherlands can still be changed by the Court of Justice of the European Union. By the way, this question is in the near future - during the hearings on the case of the Romanian Internet provider Orange Romania.
Our cloud hardware in three data processing centers (DPC): Xelent/SDN (St. Petersburg), Dataspace (Moscow) and Ahost (Alma-Ata).
In particular, the Dataspace data center is Tier lll certified by the Uptime Institute.
Our latest habraposts:
Source: habr.com