Obligation to Obtain Consent and Exceptions
According to the Guidelines, the use of any trackers not deemed technically necessary for the establishment of the connection with a website or for the provision of an internet service requested by the user, require the prior consent of website users. This explicitly includes the use of third-party web analytics trackers, such as the Google Analytics service. In any case, lawful notice should be given to the data subject on the use of trackers, regardless if necessary or not.
Form and Content of the Notice
The Guidelines recommend that the supply of relevant information and the request for consent be provided using appropriate mechanisms (e.g. pop-up windows or banners). It is lawful to give notice through multiple levels, as long as it is guaranteed that the user’s consent is requested after the user has been specifically informed, at least about the tracker categories used. The banner (either in the form of a pop-up window or otherwise) should provide specific information for the purpose that each tracker is used. In line with recent CJEU jurisprudence, the Guidelines explicitly state that general information on the use of trackers will not suffice. For each tracker or tracker category of the same purpose, notice should be given about the duration of processing, the identity of the controller, the recipients or categories of recipients.
How to Obtain Consent
In respect of the mode of obtaining consent, the Greek DPA Guidelines set the following high standards for the protection of the fundamental rights of data subjects:
- The user must be able to accept or decline the use of trackers (those for which consent is required) with the same number of actions (‘clicks’) and from the same level, either all or each category separately.
- The user must be able to withdraw his / her consent in the same manner and with the same feasibility with which s/he has given it.
- Failure to consent to the use of trackers should not result in the restriction of access to the website’s content (“cookie wall” prohibition).
- To ensure that the user is not affected by website designs favouring the option to consent vis-à-vis the option to decline, buttons of the same size, tone and color ought to be used, so as to provide the same level of reception to the attention of the user.
- Finally, the time period for the storage of the user’s choice must be the same in case of either consent or decline.
In this light, the Guidelines explicitly refer to the following practices as unlawful:
- The user cannot continue browsing without cookie pop-up windows in case of lack of any selection on his / her behalf.
- The option to decline the use of trackers is only given at a second level, i.e. following the selection of a hyperlink to “more information” or “settings”.
- The size and colour of the “accept” or “consent” button strongly urges the user to choose it, e.g. is very large and / or in bold and / or is pre-ticked.
- Following his / her consent or decline, the user is not given any opportunity to change his / her preferences or user preferences may only be changed through his / her web browser settings.
- In case trackers are rejected, the user is constantly requested to register a new choice through the perseverance of pop-up windows, whereas, in case trackers are accepted, this choice is maintained for a longer period of time than the choice of rejection.
Overall, the new Greek DPA Guidelines move a step further in several open issues compared to corresponding guidelines of supervisory authorities in other member states of the European Union, thus signifying a growing trend towards stricter rules concerning online trackers. Given that regulatory discrepancies in this matter seem to increase between member-states, the European Data Protection Board may be the most appropriate institution to address the issue at EU level, even before the adoption of the E-Privacy Regulation.