Access to websites or apps having to click on a cookies banner or any other type of “yes button” has become extremely common. We have all already faced the situation, at least once, where you have no other option but to agree to cookies in to access online content. 

Rules on cookies are often misunderstood: the Luxembourg Data Protection Authority (the “CNPD”) has just issued new guidelines!

Is your website compliant? 

Check the below guidelines and don’t hesitate to contact us, should you need any further assistance, we will be very pleased to assist you. 

Do you use:

• “Essential cookies” like the ones used for saving display or language settings or saving a shopping cart, and/or
• “Non-essential cookies”: such as cookies used for tracking purposes (e.g. to follow users as they browse, from one device to another) or for targeted advertising (displaying personalised ads based on the user’s profile)?

The guidelines issued by the CNPD targets:

• Cookies, defined as “a small text file in alphanumeric format that is deposited on the Internet user’s terminal (Internet browser, computer, mobile device, etc.) by the server of the online service used (the website visited) or by a third-party server”, and 

• Similar technologies to cookies that rely on depositing or reading information on users’ terminals are also concerned by the CNPD guidelines (such as fingerprinting, web beacons, shared objects, etc.)

1.Legal framework

The use of cookies on a website is regulated by Directive 2002/58/CE (“2002 Directive”), implemented into Luxembourg law with the amended law of 30 May 2005 on the protection of privacy in the electronic communications sector (the “2005 Law”).

The 2005 Law contains a general prohibition to listen to, intercept or store communications and related traffic data.

However, the 2005 Law also specifies important exceptions to this prohibition, in particular for the storage and access to cookies and similar technologies on a user’s terminal where:

• The technical storage or access to said technologies is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for a service provider to supply an information society service explicitly requested by the user (so-called “essential cookies”.); or

• The user agrees to such storage or access, after having received clear and complete information inter alia on the purposes of the processing (so-called “non-essential cookies”)

With regard to the second exception, the CNPD recalls the principles set out by the European Court of Justice in its Planet49 judgment and in particular that the consent and information in relation to cookies should be interpreted in light of the provisions of Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”). For example, consent relating to cookies must be given by a clear affirmative act, which is not the case for pre-ticked boxes on a website.

2. Interpretation of the CNPD on non-essential cookies

a. Required information regarding the use of cookies and similar technologies

Non-essential cookies may only be used if the user has been clearly and completely informed on their storage and access, according to the applicable legislation.

The CNPD guidelines set out precise details on how such information must be provided.

As the use of such cookies involves personal data processing, such information should also be compliant with the requirements of articles 12 and 13 of the GDPR.

Therefore, the CNPD recommends proceeding on two levels:

A first simplified level of information given via a cookie banner. At this stage, the website may simply inform the user about:

• The fact that cookies are used;
• Their purpose;
• The person responsible for the cookies (the website publisher or a third-party);
• The option to accept or reject them;
• The option to withdraw consent at any time; and
• The consequences of rejecting cookies (if applicable).

A second exhaustive level of information accessible by link in the cookie banner. It should include, in particular:

• A precise and exhaustive list of those responsible for processing cookies (reading and writing operations);
• The categories of data collected via cookies;
• The recipients having access to the cookies or to the data collected via the cookies;
• The duration of operation of the cookies used and the duration of retention of the data collected via them;
• Any transfers to third countries of data collected via cookies;
• The existence of any automated decision-making, including profiling, on the basis of information collected through the use of cookies; and
• Reference to the applicable data protection policy of the website on issues such as the data subjects’ rights, common to every data processing activity and as required by articles 12 and 13 of the GDPR.

b. Conditions on consent

Non-essential cookies may only be used with the consent of the user. 

With the Planet49 decision of the CJUE, consent should be interpreted in accordance with the requirements of the GDPR, namely:

• Consent must be informed, as per the complete and clear information to be provided to users described above;
• Consent must be given prior to the deposit of / access to the cookies;
• Consent must be freely given, meaning that access to the website should not be conditional on consent to non-essential cookies (“cookies wall”). The controller should also refrain from using any misleading design (so called “dark patterns”);
• Consent must be unambiguous. A clear affirmative act by the user must be sought.  Consent cannot therefore be given by means of pre-ticked boxes or as a result of the user continuing to browse the website without clear acceptance of cookies;
• Consent must be specific. The user should be able to choose which cookies it wants to accept, without prejudice to having a “accept all” or “reject all” button;
• The user should be able to withdraw consent at any time. Consent should be as easily given as withdrawn. In this respect, the CNPD recommends including a cookie management interface that may be accessed via a clear link at the bottom of each page of the website, a floating icon, or any other quick and comprehensive means to allow the user to change its cookie settings and withdraw its consent.

According to the CNPD, consent shall be valid for a duration of 12 months, after which new consent must be sought. 

3. Interpretation of the CNPD on essential cookies 

The use of essential cookies is in principle not subject to any special conditions under current legislation. 

However, the CNPD recommends, at the very least, informing users about what a cookie is and the purpose of its use. Such information may be provided by a cookie banner. 

Where the cookie is only essential for a specific functionality of an app or a website, the CNPD recommends only storing or accessing the relevant cookie where the user specifically requests to benefit from the functionality. 

It is to be noted that the use of essential cookies may also be subject to the provisions of the GDPR if such use involves processing of personal data. In this case, all the conditions of the GDPR shall apply, such as the obligation to provide information on personal data processing resulting from the use of the cookies, according to articles 12 and 13 of the GDPR.

4. Cookies Management

The CNPD specifies that the controller should always be able to demonstrate that it obtained a valid consent from the user. The controller should therefore keep information about the session in which consent was given. Regarding the validity of the consent, proof thereof may be obtained through means such as:

• Keeping proof of the rendering of the consent interface displayed on the user’s terminal when consent is requested, with a time stamp, for each version of the site or application;
• Conservation of the different versions of the computer code used for the collection of consent; and
• Carrying out audits of the mechanisms for collecting consent by third parties mandated for this purpose.

The use of consent management platforms offered by third parties is permitted, but it should be noted that such third parties, where they process personal data on behalf of the controller, would be considered as processor and should have a valid data processing agreement according to article 28 of the GDPR.