...

Signed: < 1000
Donated: < 1,000 EUR

Support the petition "Stop Cookie Walls":
   


100% of the donations will be spend on supporting this petition (legal, agitation, administration, etc.). Every 1 EUR in donations allows us to reach 500 individuals with the petition message and get more signatures.


Summary:

Cookie walls exist on myriad of sites throughout the web, making online browsing experience as frustrating as ever. Even for the simplest daily online tasks (like checking the weather or reading the news), a user must undergo the process of devil’s choice: “Accept All” or open the Pandora’s box of analyzing tons of cookie policies and terms. In reality, it is only the illusion of choice and free consent: you usually accept all of them or the functionality of the website becomes really narrow and aggravated.

Initiated:

2021 October 27

Addressee:

Chair of the Petitions Committee
European Parliament
B-1047 BRUSSELS

Author:

VSI Peticijos

STOP COOKIE WALLS

Cookie walls exist on myriad of sites throughout the web, making online browsing experience as frustrating as ever. Even for the simplest daily online tasks (like checking the weather or reading the news), a user must undergo the process of devil’s choice: “Accept All” or open the Pandora’s box of analyzing tons of cookie policies and terms. In reality, it is only the illusion of choice and free consent: you usually accept all of them or the functionality of the website becomes really narrow and aggravated.

It not only creates headache for the users: at the same time, website operators have no choice but to install such walls since they are forced to have user consents for all the cookies that they use according to current legislation.

In a nutshell, existing practice of cookie walls creates at least the following biggest problems:


  • Disproportionality: the effort users must put in analyzing what is behind their consent is usually disproportionate to what they get at the website.


  • Uncontrollability: instead of putting the efforts into reading the terms, users simply accept the uncontrollable amount of their data being transferred to website administrators or third parties.


  • Illusion of orientation to users’ rights and free choice: the current situation gives the opportunity to the website operators to push in all the cookies they wish because they understand the users will not read the terms anyway.

Current extent of web use requires for simpler rules on cookies. Therefore, we the undersigned appeal to the European Parliament to simplify the cookie rules and make them clear, transparent and user friendly by not requiring to consent to every non-privacy intrusive cookie and deal with cookie walls every time the internet is used.


PETITION TO THE EUROPEAN PARLIAMENT REGARDING THE REGULATION OF COOKIES IN THE EUROPEAN UNION


Background of relevant regulation


  • We the signatories, address this petition to the European Parliament to draw its attention to the complications that arise out of the regulations covering the use of cookies on websites.

  • The current regulation on the use of cookies is primarily established in the Directive on privacy and electronic communications[1] (the Directive). Recital 25 of the Directive establishes that cookies ‘should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using.’ It further adds that ‘[u]sers should have the opportunity to refuse to have a cookie <…> stored on their terminal equipment.’ Finally, the recital emphasises that ‘[t]he methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.’

  • Article 5(3) of the Directive provides that ‘Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information <…>’.

  • It can be observed from the above that the Directive pursues to ensure that the use of cookies is not abused by establishing an obligation upon the service providers to present individuals with clear and precise information on how the cookies are used. More importantly, such provision of information should maintain a user-friendly status and not be burdensome for individuals using the website.

  • Additional guidelines on consent when collecting personal data can be found in the General Data Protection Regulation[2](the GDPR). It follows from Recital 11 that ‘‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.‘ Article 7(1) of the GDPR additionally establishes an obligation for the data controller that the data subject has indeed consented to the processing taking place. Note should be made to emphasise that in assessing whether a data subject has consented reference should be made to the definition of consent provided in Recital 11 of the GDPR cited above.

  • The European Data Protection Board (the EDPB) has issued its Guidelines 05/2020 on consent under Regulation 2016/679[3] (the Guidelines) which add further guidance on consenting to the use of cookies. According to the Guidelines, ‘[i]n order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).’ As such, if there is no possibility to access the website’s content without pressing the ‘Accept cookies’ button, such acceptance cannot equal a freely given consent, thus rendering it invalid.

  • The legal conditions of the usage of cookies has become even more complicated after the Court of Justice of the European Union (the CJEU or the Court) delivered its judgment dated 1 October 2019 in Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH case (the Planet49 case), where the standard of transparency and consent for the use of cookies and similar tracking technologies was analysed. This decision fundamentally changed the concept of consent and other conditions for usage of cookies and other similar technologies on the websites. In essence, the Court stated that:

    • Pre-ticked checkboxes cannot be used. This statement was supported by referring to the above-mentioned regulation of the Directive which directly requires consent for the storage of, or access to, information stored in the user's terminal equipment. Even though the Directive does not provide description or form of the consent which must be given in particular case, the Court took a literal interpretation of the term 'given his or her consent,' and found that the user must give a clear and affirmative action 'indication' of his/her wishes. The Court concluded that such action must be active and not passive. Thus, pre-selected checkbox cannot be seen as user’s valid consent for using cookies or similar technologies on the web, based on the Court’s position.

    • Consent cannot be bundled. The CJEU argued that for consent to be valid under the GDPR, the consent must be specific. This means that consent must relate specifically to the processing of the data and cannot be inferred from an indication of the data subject’s wishes for other purposes. In practice this Court’s ruling means that organizations should check if their consent requests are separated on a per purpose basis. If a web requests a user to tick a box in order to access, for example, self-service web, one cannot also request the user to agree to additional activities or purposes at the same time, such as the processing of personal data or for direct marketing communications, etc. Based on the Court’s decision, any such additional purposes will require a separate checkbox, which will need to be ticked by the user to constitute a valid consent.

    • Cookie data does not have to be personal. The CJEU also confirmed that the consent requirement for cookies in the Directive apply regardless of whether personal data is processed. Hence, according to the CJEU, consent as understood under the GDPR is required for the usage of cookies or other similar tracking technologies, regardless of whether the information stored or accessed is personal or not.

    • Obligation to inform. The Court highlighted that website operators must inform users about the duration of the cookie lifespan (if that is not possible – the criteria used to determine such period) and whether third parties will have access to these technologies, i. e., whether cookie in question is third party cookie.

  • All the above led to the practice of online web operators of installing the so-called cookie walls whereby all required information is provided, tons off ticks are required and the user is basically left lost without knowing what he or she actually consents to. The issue of cookie walls has also been brought up on a national level. The French Data Protection Authority (the CNIL) issued guidelines[4] on cookies in October 2020. While, unlike the EDPB Guidelines, CNIL does not profusely render cookie walls illegal, it nevertheless emphasises that they are deeply concerning in terms of whether a free choice can be given in such a way. According to CNIL, the use of cookie walls should be evaluated on a case by case basis.

  • However, the practice of the cookie walls is more than prevalent in the digital age. Data controllers are abusing the practice of providing cookie banners with no option to browse the website without consent. Such practice poses adverse effects on data subjects which are further discussed below.

  • Data controllers are also among the ones who suffer from cookie walls. Due to ambiguous and strict regulations on cookies (or even lack thereof), data controllers are pressured to collect consents for the use of cookies on their websites, provide an informative description for the choices data subjects are to make, with a risk of minimising the functionality of their websites, which in turn might negatively affect their services.

  • Below are provided examples of how current legislation diminishes the rights of both data subjects and data controllers.

Implication of existing regulation


  • As discussed, cookie walls bring various negative aspects. Below we provide our arguments related to four of them, namely (i) disproportionality, (ii) uncontrollability, (iii) illusion of free choice, and (iv) stagnated innovations.

  • Firstly, the effort data subjects put in analysing what is behind their consent is usually disproportionate to what they receive in turn at the website. Following the Court’s rulings and the applicable laws, data controllers are obliged to provide a vast of information, ranging from what type of cookies are used to the duration for which the data collected from cookies is kept.

  • Since the functionality of the website can be affected if only necessary cookies are used (which do not need a consent), data subjects have to make disproportionate effort when familiarising themselves with cookie notices to simply gain full user experience on the website and enjoy the services that data controllers are offering. Thus, the current legislation burdens users when they are seeking services and needs to be amended.

  • Secondly, instead of putting the efforts into reading the cookies policy, data subjects usually accept the uncontrollable amount of their data being transferred to website administrators or third parties without further investigation. Data controllers do not hesitate to make the policies and description of each of the cookie rather complicated, also, usually the rejection of all the cookies worsen the user experience.

  • Therefore, in most of the cases, data subjects accept all the cookies to save their time. In practice, data subjects are hesitant to read the notice in full and evaluate what to accept. More importantly, data controllers are obliged to do so by the law and Court precedence, thus having no choice to ease the user experience. Together with the cookies that are useful and reasonable from technical perspectives, data subjects are also accepting other cookies which manner of operation is not fully known or could not be plainly understood by the data subject.

  • Thirdly, when accepting the cookies, an illusion that data subjects’ rights and free choice are upheld is created. Data controllers, as per current regulation, must provide information on how the cookies are used in their websites to collect their data. However, since data controllers understand that not many users read the cookie notices, they are in a way abusing the system. By providing a complicated cookie policy, data controllers create an illusion that users have a free choice. As a result, data subjects fall under the trap and accept the cookies without considering the effects of such acceptance and subsequent use of their data.

  • Fourthly, such obscure legislation on the regulation of cookies diminishesinnovation. Data controllers collect data from cookies for many reasons, whether analytics or marketing. Such data proves to be highly beneficial in analysing the market, targeting the right customers, and upgrading the quality of the products or services. Using cookies also allows the data controllers to provide a full user experience.

  • In addition, collecting cookies is essential to the success of a business which in turn supports the freedom to provide services, established in the Treaty on the Functioning of the European Union. Thus, without an easy way to collect cookies, data controllers can innovate neither their products nor the way they present them. As such, data controllers are also experiencing damaging effects from the current laws. It goes back by damaging the interests of the data subjects and users themselves – they may not enjoy the benefits these innovations bring (or could bring if the right amount of data could be collected legitimately by the data controllers).

Requests to the European Parliament


  • Having considered the above, it is evident that the current legislation covering the use of cookies implies a number of negative aspects on both data subjects and data controllers. As such, the Applicant asks the European Parliament to:

    • Reconsider the current regulation of cookies in the European Union and create an easy-to-follow approach;

    • Equally reflect on the rights of data subjects as well as of the businesses in order to promote innovation and find the right balance.

Sincerely,

We the signed < 1000 people


[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

[3] https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

[4] https://www.cnil.fr/fr/cookies-et-autres-traceurs-la-cnil-publie-des-lignes-directrices-modificatives-et-sa-recommandation


Support the petition "Stop Cookie Walls":
   


100% of the donations will be spend on supporting this petition (legal, agitation, administration, etc.). Every 1 EUR in donations allows us to reach 500 individuals with the petition message and get more signatures.

tab 2
tab 3

Petition Timeline

  • 2021 Oct 27
    Petition initiated
  • 2021 Oct 27
    2022 Mar 1
    Signatures collected

    < 1000 signed to date

  • 2022 Mar 1
    Submitting to addressee

    Chair of the Petitions Committee, European Parliament, B-1047 BRUSSELS

  • 2022 Mar 31
    Expecting the response