Cookies and personal data - what are the obligations of entities that use cookies?

On 11 July 2022, the Voivodeship Administrative Court in Warsaw (the "WSA") overturned the decision of the President of the Personal Data Protection Office (the "President of the PDPO"), concluding that any user information recorded through cookies should not automatically be treated as the user's personal data.

WSA ruling: information stored in cookies does not always constitute personal data

The decision of the President of the PDPO referred to the company's practice of inferring users’ consent to the processing of personal data from the fact that users had visited the website. This consent was to be given through a user's own browser settings. The company argued that it had informed the user about the use of cookies and provided information about the possibility of manually changing the settings. The company further believed that the sharing of cookie ID information with third parties did not fall within the scope of "personal data" as defined by the General Data Protection Regulation (the "GDPR").

In contrast, the President of the PDPO argued that personal data should be understood as any information that makes it possible to identify a specific person. Through the act of using specific websites, individuals might be assigned online identifiers (IP addresses, cookie identifiers, or other identifiers) that are generated by their devices, applications, tools, and protocols. These activities can leave traces that, when combined with unique identifiers and other information that servers obtain, could be used to profile and identify these individuals if it is proven that the information in question can be attributed to a specific person. The President of the PDPO also pointed out that identification might occur indirectly: the information itself need not identify the data subject, because identification might also occur through additional information, such as information about objects or devices that could be linked to the person.

The President of the PDPO found that an entity that uses cookies without the user’s prior consent, and that processes and provides access to a user’s personal data, violates the provisions on personal data protection. Moreover, since the information recorded by cookies could constitute personal data, the entity that processes it should also fulfil all of the other obligations related to the processing of personal data, including those towards data subjects, such as responding to their requests for access to said data or providing a copy of said data.

The WSA explained in its judgment that not every piece of information (IP address, cookie identifier) makes it possible to identify a specific person (e.g. identification might not be possible if the user uses a dynamic IP address which is randomised within specified time periods or each time a user logs on to the network, or if more than one user uses the same device). The WSA also pointed out that before assessing the legality of the data obtained, the President of the PDPO should comprehensively indicate how he determined that the information constitutes personal data in any given case, including explaining the concept of identifiability and specifying why a particular piece of information is attributable to a natural person in a particular case.

The ruling is not final and might very well be appealed to the Supreme Administrative Court. Our Intellectual Property, Media and Technology team will be monitoring further developments in this case for you.

Consent standards for cookies

According to the Telecommunications Law, storing information or accessing information already stored on a device is allowed, provided that:

  • the user will be informed directly and in a clear, simple, and comprehensible manner in advance concerning:

    • the purpose for storing and accessing this information,

    • the ability for him or her to specify the conditions for storing or accessing this information by means of the settings of the software installed on the device he or she is using, or the configuration of the service;

  • the user consents to this, including through the software settings installed on the device used, or the service configuration;

  • the information stored or accessed does not result in configuration changes to the device or the software installed on that device.

In addition, under the Telecommunications Law, data protection legislation applies to obtaining user consent. Consequently, there are doubts as to whether consent expressed via browser settings is sufficient in view of the need to meet the requirements for consent under the GDPR. The WSA judgment discussed above has unfortunately not clarified these doubts.

One should also take note of the CJEU’s judgment in Case C-673/17, as cited in the decision of the President of the PDPO. This judgment sets out the standards for obtaining consent for the use of cookies under data protection legislation. It follows from the judgment that the user’s consent is valid if it meets the following requirements:

  • it was unambiguously expressed by the data subject;

  • the person who gave their consent has engaged in active behaviour (an active action or statement) in order to give their consent (e.g. by ticking a box when browsing a website).

Therefore, the following acts will not be considered as consent granted in accordance with data protection legislation:

  • the user’s silence;

  • consent boxes ticked by default;

  • the user's failure to take any action (the mere use of a website where the user can change his/her browser settings cannot constitute a presumption of his/her consent to the use of cookies).

Summary: What are the entities' obligations concerning cookies

Those using cookies should bear in mind the obligation to provide the user with prior, comprehensive information concerning cookies, as well as about their processing of personal data where the information they process might directly or at least indirectly identify the user. Furthermore, those entities should enable users to give their informed consent by, for example, ticking a box.

 

 

Authored by Andrzej Dębiec, Ewa Kacperek, and Weronika Olszewska.

 
