Broadly speaking, there are three categories of cookies. First, there are functional cookies, which support the core functionality of a website and are intended to optimize the user experience by making the website work more efficiently. Then there are analytical cookies, which are used to analyze the use of a specific website. The placement of these two types of cookies does not require visitor consent if the cookies are used to obtain more information about the website itself and do not process personal data. Finally, there are tracking cookies. Tracking cookies are mechanisms for collecting user data through web browsers. When these cookies are placed, a user's Internet behavior is tracked across different websites and over time. This way, tracking cookies can create profiles of people (profiling) and suggest advertisements tailored to individual users. These can be third-party cookies placed by a party other than the website provider itself or first-party cookies placed by the provider itself. Often tracking cookies process personal data.
If personal data is processed by cookies, appropriate laws and regulations must be met. The main requirements are having a legal basis for data processing, informing visitors in a timely and accurate manner, and securing the data properly. In the case of tracking cookies, unambiguous consent is required as a legal basis for the processing of personal data. Unambiguous consent, in this case, means that website visitors must be asked for permission before tracking cookies are placed. In doing so, the visitor must have a clear choice to give or withhold consent.
On Jan. 4, 2024, Criteo, an online advertising company, was fined by the Amsterdam Court of Appeal for placing tracking cookies without consent. Previously, an individual (the plaintiff) claimed that Criteo had placed tracking cookies without consent and processed his personal data. Criteo argued that they enter into agreements with partner websites, which state that the partner websites must ensure that consent is given before Criteo's cookies are placed and that Criteo itself is therefore not responsible. Criteo then argued that they had taken all possible measures against partner websites that had not obtained consent, but that they could not stop them from placing tracking cookies. The court ruled that it is not impossible for Criteo to only place tracking cookies that have the required consent. In addition, the Amsterdam Court of Appeal recalled that the case involves two entities, Criteo B.V. and Criteo S.A. (together Criteo), the latter of which was previously the subject of a decision by the French Data Protection Authority (CNIL) and fined 40 million euros for violating the GDPR, specifically for failing to verify whether the individuals whose data it processed had given consent.
What it means for organizations
The ruling underscores that organizations themselves bear responsibility for the lawful placement of tracking cookies and that non-compliance with laws and regulations is subject to fines. In addition, it becomes clear that organizations not only risk fines from the regulator, but also claims from individuals (and resulting reputational damage). Finally, there is a chance that enforcement on cookies by the AP will increase due to the additional budget allocated to it. It is therefore especially important for organizations to be cookie compliant.