Minimising Data Privacy Legal Risks on Cookies

When the COVID-19 pandemic hit the global economy, many companies were already going through digital transformation, while those that had delayed or not considered the trend were left with no choice but to embark on a digital journey because of the ‘new normal’. The market has changed considerably, along with how we live as a society: social distancing, home offices, teleconferencing on Zoom, MS Teams and Skype, online classes and so on have become the ‘new normal’. An ACI Worldwide study of hundreds of millions of transactions from global online retailers revealed a 74% increase in online sales in the retail sector and a staggering 97% increase in revenue in online gaming. According to researchers in data privacy, consumer tracking raises a merchant’s profits only if the tracking is also used to provide consumers with enhanced personalized services. Google is the largest web tracker, monitoring thousands of websites. Efficiency in online advertising is achieved by implementing online technologies, which are a combination of cookies (including web beacons).

What are Cookies?

Cookies and web beacons (web bugs) are small programs placed on computers when websites are visited. They report back to the servers of the beacon owners the domains and websites visited, the ads clicked and other online behaviour.

Types of cookies and their level of invasiveness on privacy

Minimising privacy legal risks related to cookies

  1. Know what the law says:

“The storing of information, or the gaining of access to information already stored, in the terminal equipment of the user is only allowed on condition that the user concerned has given his or her consent” “This shall not prevent any technical storage or access as strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service.” – ePrivacy Directive, Article 5.3 (updated by Directive 2009/136/EC).

Valid consent is given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data. Consent must be given before the data is processed; it should be documented and withdrawable, and it must have a limited validity period (usually 13 months; personal data collected through the use of cookies should not be retained for more than 25 months). Recital 25 of the ePrivacy Directive excludes some cookies from the consent obligation where they are used, for example, to analyse the effectiveness of website design and advertising, to verify the identity of users engaged in online transactions, or to facilitate the provision of information society services.

Some conditions which may apply:

  • The website publisher must be controller of the processing involving the cookies
  • Prior information must be provided before cookies are placed
  • The data subject keeps the right to object to such cookies (opt-out)
  • The statistics produced must be anonymous (the IP address can be used for geo-localisation, but not retained)
  • Geo-localisation must be limited to an indication of the city the data subject is in
  • The use of such cookies cannot target specific individuals, be consolidated with data from other processing activities or track data subjects across several websites/applications.

  2. Institutional routines to watch out for:

Classification of cookies – Classify cookies according to their intended purposes. Do not use a single consent request for all cookies.

Pre-checked consent options – Only essential cookies may be pre-checked; the rest must not be.

Digital solution – Use one to help manage compliance and monitor cookies, including those from third parties.
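
One way a consent tool can enforce these routines, as an added example that is not part of the original article: cookies are classified by purpose, only the essential category starts checked, and consent is recorded with a timestamp, can be withdrawn and lapses after the 13 months mentioned above. The cookie names, purpose labels and function names are hypothetical.

```javascript
// Added example; cookie names, purposes and function names are hypothetical.
const CONSENT_VALIDITY_MONTHS = 13; // validity period given in the article

// Constructed classification: every cookie is assigned exactly one purpose.
const COOKIE_PURPOSES = {
  session_id: "essential",
  ui_lang: "preferences",
  _stats: "analytics",
  ad_id: "advertising",
};

// Initial banner state: only the essential category may be pre-checked.
function defaultChoices() {
  const choices = {};
  for (const purpose of Object.values(COOKIE_PURPOSES)) {
    choices[purpose] = purpose === "essential";
  }
  return choices;
}

// Document the user's per-purpose choices with a timestamp and an expiry.
function recordConsent(choices, now = new Date()) {
  const expires = new Date(now);
  expires.setUTCMonth(expires.getUTCMonth() + CONSENT_VALIDITY_MONTHS);
  return {
    choices: { ...choices, essential: true },
    givenAt: now.toISOString(),
    expiresAt: expires.toISOString(),
    withdrawnAt: null,
  };
}

// Withdrawal is recorded rather than deleted, so the history stays documented.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Gate called before any cookie is written.
function maySetCookie(name, record, now = new Date()) {
  const purpose = COOKIE_PURPOSES[name];
  if (!purpose) return false;                // unclassified: never set
  if (purpose === "essential") return true;  // strictly necessary, no consent needed
  if (!record || record.withdrawnAt) return false;
  if (now >= new Date(record.expiresAt)) return false; // consent has lapsed
  return record.choices[purpose] === true;
}
```

Routing every cookie write through `maySetCookie` means a cookie that nobody has classified is blocked by default instead of slipping past the banner.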


Acquisti, A. and Varian, H. 2005. Conditioning Prices on Purchase History. Journal of Marketing Science. 24, 3 (2005)

Laudon, K.C. and Laudon, J.P. 2017. Management information systems: managing the digital firm. Pearson Education Limited

Bourdain, L.A. and Barthier, W. 2020. COOKIES, CONSENT & MANAGEMENT.
