Although changes to the Telecommunications Law regarding user consent to the use of cookies on their device were introduced in 2019, many website administrators still display unlawful cookie notices. Furthermore, social organizations (e.g., NOYB) and website users are increasingly filing complaints with supervisory authorities. Below, we present selected key aspects of cookies.
What are cookies?
Cookies are computer data, specifically text files, stored on the end device of a website user. Cookies are most often used to optimize the use of websites (technical cookies). They are also used, among other things, to collect statistical data that allows us to identify how users use websites, enabling subsequent improvement of the website's structure and content* (analytical cookies), or to display advertisements tailored to the visitor's profile (marketing cookies).
Telecommunications law – obligations
Obligations related to cookies are regulated primarily by the Telecommunications Law. Pursuant to Article 173, paragraph 1 of the Telecommunications Law, in order to use them, the following obligations must be met:
1. the end user must be informed directly in advance in a clear, easy and understandable manner about:
   a. the purpose of storing and accessing cookies,
   b. the possibility of defining the conditions for storing or accessing the file using the settings of the software installed on the telecommunications terminal device used by him or her or the configuration of the service;
2. the end user, after receiving the information referred to in point 1, consents to this;
3. the stored information or accessing it does not cause any configuration changes in the user's telecommunications terminal device and the software installed on that device.
These conditions do not need to be met if a website uses only technical cookies. They are also called essential cookies because they are used to properly deliver the service provided electronically to the user. In practice, they are used, among other things, to ensure the proper operation and display of the website, security (e.g., detecting unsuccessful login attempts), establishing communication with the user's device, and network management, i.e., balancing server load.
Cookie consent
Pursuant to Article 174 of the Personal Data Protection Act, personal data protection regulations, primarily the GDPR, apply to the conditions for obtaining consent. This means that consent must be given voluntarily, knowingly, unambiguously, and specifically. Several essential elements for the validity of consent are distinguished, including:
- The need to separate each purpose for which consent is provided. In the case of cookies, this means allowing the user to choose which types of cookies they accept (advertising, analytical, etc.).
- Default unchecking of any checkboxes that must be checked by the user in order to provide consent.
- Expressing consent must not be made difficult by requiring the user to go through several steps (pressing several buttons), and the option must not be hidden on the website.
- Withdrawing consent must be as easy as giving it. A recommended solution is to display a small floating button/icon that allows the user to return to the privacy settings.
To dispel any doubts, the European Data Protection Board indicated in its Guidelines 05/2020 that silence or inaction on the part of the user, as well as simply continuing to use the service, cannot be considered an active indication of choice.
Although Article 173(2) of the GDPR indicates that the user may express consent through browser settings, in light of the provisions of Directive 2002/58/EC (which was implemented by telecommunications law), rulings of the Court of Justice of the EU (including judgment C-673/17 – Planet49), and decisions of European supervisory authorities (including the CNIL decision of 31 December 2021, reference number SAN-2021-024), the aforementioned provision should be interpreted as meaning that this cannot be the only way to express consent. The user should also have the choice and opportunity to express consent or not directly on the website.
The moment of installation of cookies
The aforementioned Article 173, paragraph 1, points 1-2 indicate that the information obligations related to cookies and the ability to express consent must be fulfilled before they are installed. This means that it is not appropriate to automatically install cookies on a user's end device after they visit a given website.
Summary
It is important to ensure that the design of the notification upon first access to the website meets the specified requirements to avoid potential liability in the event of an audit by supervisory authorities. Furthermore, the technical solution used, such as the CMP (Consent Management Platform) or CMT (Cookie Management Tool), should enable proof of user consent, if necessary.
* https://pomoc.home.pl/baza-wiedzy/czym-wlasciwie-sa-pliki-cookies-ciasteczka-w-przegladarce
This article is for informational purposes only and does not constitute legal advice.
Legal status as of August 10, 2022
