
Legal Sources on Whether Mentioning Third-Party Cookie Names Is Required and on Opt-Out Requirements

In short:

  • Mentioning third-party cookie names one by one is not mandatory.
  • Pointing users to opt-out mechanisms such as browser settings or the opt-out mechanism provided by each third-party is a valid – and even suggested – approach.

The document includes excerpts from the privacy authorities in the UK, Belgium, Italy and Spain, which support the points stated above, in the spirit of avoiding unreasonable, unnecessary burdens being placed on individual businesses.

Postulates:

  • It’s not necessary to mention the names of third-party cookies one by one in the Cookie Policy; the requirement is on the third party to provide the names and information
  • The requirement for opt out is also on the third party to provide

Legislations looked at:

  • Italy
  • UK
  • Belgium
  • Spain

Summary

As supported by the authorities, the right approach to follow for any cookie-related processes and consent gathering solution implemented on a website is the following:

  • Cookies are bundled, categorised and outlined by purpose in a cookie policy
  • Information about opt-out is provided by pointing to the browser options, third party tools (such as Your Online Choices) and the links to the third party providers, who are ultimately responsible for the opt-out for their own tracking tools

This is the process iubenda chooses to adopt on purpose. We think that any other process would be and will be prohibitive for any website owner, as third-party cookie names could change at any time and without notice, putting on the website owner the burden of constantly watching over every single third party, looking for cookie changes that are outside of the owner’s control.

When it comes to the four singled out countries, there is no evidence that cookies must be named one by one or that there is an explicit requirement that the obligation of the opt-out is exclusively on the website provider. On the contrary, the exact implementation seems to be largely left to the website provider and the authorities point to some best practices and examples which are outlined within the body of this document for detailed reference.

The approach iubenda takes is to provide solutions that follow the authority guidelines without adding any unnecessary complexity and without exposing the owner to procedures (like listing third-party cookie names) that are not only not required, but also prone to failure. This is why our privacy and cookie policies focus on highlighting the purposes of the processing (required), identifying the third parties involved (required), where they process data (required), their privacy and cookie policies (required), and their opt-out links (when provided).

Legal references

Italy

References

Takeaway

Is it necessary to mention the name of any third-party cookies or is the duty on the third party?

The Italian Data Protection Authority (the Garante Privacy) expressly stated the following in the relevant resolution – please see “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” adopted on the 8th of May 2014 (“DPA Provision”):

“(…) account should be taken of the entity installing cookies on the user’s terminal, which may be the manager of the website visited by the user – which can be referred to as the “publisher” for the sake of convenience – or the manager of another website that installs the cookies by way of the former – which is a so-called “third party”…. There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”

In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.

Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes. Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.

For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites.”

From all the above, we can conclude that third-party cookies do not need to be named one by one by the website owner (the “publisher” in the DPA Provision): since the publisher is in no position to single them out, it cannot name them one by one in its privacy notice.

Should opt out for third-party tools be provided by such third parties?

The DPA provision does not expressly answer this question but the answer can be implicitly inferred from the following lines which refer to the extended cookie notice:

“The notice must also contain an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website. If the publisher is not directly in touch with third parties, he will have to include the links to the websites of the intermediaries or brokers between him and those third parties. … In order to keep publishers’ responsibilities separate from those vested in third parties as regards the information provided and the consent obtained via the publishers’ websites for the said third parties’ cookies, it is considered necessary for the publishers to acquire the aforementioned links from the third parties (including licensees, if any) at the time of entering into the respective agreements.”

If, as stated above, the publisher has no control whatsoever over the cookies installed by the third parties, it stands to reason that it cannot possibly offer its users the means to opt out. Therefore, a link should be provided to the third-party privacy notices, and opt-out from such cookies should be provided by the same third parties involved.

Finally, the Italian DPA emphasises that the user must be informed that they have the possibility to communicate their choices by way of browser settings. If the technology underlying the website is compatible with the user’s browser version, the publisher may make available a direct link to the settings configuration section in the browser.

Belgium

References

 

Takeaway

The Belgian data protection authority (the Commission de la protection de la vie privée) has published a recommendation about cookies (Projet de recommandation concernant l’utilisation des cookies, attached). From the document we can take away the following:

Is it necessary to mention the name of any third-party cookies or is the duty on the third party?

The information to be provided to Users with regard to cookies covers the purposes of each type or category of cookies, the personal data collected, retention time, opt-out tools, and any transfer of personal data to third parties (see p. 37).

“Information about cookies will preferably be provided by type of cookie or by purpose of those cookies (m.n. 156). (…) It covers at least the following points:

–   the purposes of the access and/or storage operations for each type of cookie or category of purposes of those cookies;

–   the categories of information stored;

–   the retention periods of the information;

–   the procedures for erasing the information;

–   any disclosures to third parties and the information communicated to them. (m.n. 157)”

There is no mention to be found that cookies must be named one by one.

Should opt out for third-party tools be provided by such third parties?

The document merely states that website owners must inform Users about the way to withdraw their consent to accepting cookies (see p. 40).

“176. The user must be able, at any time and easily, to withdraw the consent previously given. This option will be offered as part of the information on the cookie usage policy”

Finally, the document gives some examples of cookie policy best practices, which expressly include the referral to browser settings or to third-party tools (in their example they mention, for instance, Google Analytics) in order to opt-out from receiving cookies (see p. 54).

“Statistical cookies (…) For certain analyses, we use Google Analytics, which can be disabled in different ways depending on the browser used (third-party modules and extensions, blocking of the site www.google-analytics.com/*, …)

Third-party cookies (…)

These cookies can be blocked or deleted through your browser’s options.”

Spain

References

Takeaway

The national authority for data protection (the Agencia Española de Protección de Datos) has issued a number of documents regarding cookies, notably a “Cookie Guide” and a legal opinion (Informe jurídico 196/2014, “Informe”) on the question of whether cookies must be mentioned one by one.

Is it necessary to mention the name of any third-party cookies or is the duty on the third party?

The answer to the question boils down to the following:

Cookies do not need to be mentioned one by one; it’s sufficient to inform about the types of cookies implemented, their purposes and the procedure to opt-out (see p. 4 of the Informe).

“We shall begin by noting that, in this Agency’s opinion, the legislation examined is intended to ensure that the user is sufficiently informed about the use of data storage and retrieval devices on their terminal equipment, it being essential that this information address the purposes of those devices. That said, the legislation does not require the information to detail the name of the devices, since what is essential is to inform about the points indicated above, and in particular about the use of cookies, who uses them and for what purpose. Therefore, it is not necessary to display the second layer of information in a table or in any other form in which the names of each and every cookie are specified.”

Should opt out for third-party tools be provided by such third parties?

In order to inform the User about how to opt-out from receiving cookies, the Controller may provide its own tools, instructions about how to set preferences on the User’s browser or “common opt-out tools” (see p. 18 of the Cookie Guide).

“Information on how to disable or delete the listed cookies through the functionalities provided by the publisher, the tools provided by the browser or the terminal, or through any common platforms that may exist for this purpose, as well as how to revoke consent already given”

There is no explicit mention of the fact that tools provided by third parties themselves are sufficient, but we deduce this from the fact that the three different solutions mentioned (own tools, browser settings, common tools) are considered all equivalent and equally valid.

Moreover, the document further states that Controllers must merely “provide information about how to withdraw consent to accepting cookies” (p. 23) and that the Spanish data protection law does not determine who is responsible for providing information about third-party cookies (Controller or third party), so that both entities must cooperate to these ends (p. 24) and be deemed responsible (p. 25).

There is no mention that the opt-out tools must be provided by the Controller.

By the way: the “Informe jurídico 0011/2014” only deals with the fact that cookies must be opted into, and not out of. The only thing it says about opt-out tools is that Controllers must provide a simple and free way to opt-out from receiving cookies (which essentially repeats the point made above: these tools don’t necessarily need to be provided by the Controller).

UK

References

Takeaway

Is it necessary to mention the name of any third-party cookies or is the duty on the third party?

From the ICO website (PECR stands for Privacy in Electronic Communications Regulations):

“PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes.”

The ICO also published a Cookie Guide (Guidance on the rules on use of cookies and similar technologies). This document states that:

“It could be an option to provide long lists of all cookies implemented, but for most users a broader explanation of the way cookies operate and of the categories of cookies used will be helpful (see p. 18). Long tables or detailed lists of all the cookies operating on the site may be the type of information that some users will want to consider. For most users it may be helpful to provide a broader explanation of the way cookies operate and the categories of cookies that you use on your website. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.”

In any case, there is no requirement to mention cookies one by one. In fact, the document also provides a best-practice example in which cookies are only described per categories (same spot as above).

“Example: The cookies we use are ‘analytical’ cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily. Read more about the individual analytical cookies we use and how to recognise them [link]”

Should opt out for third-party tools be provided by such third parties?

Regarding withdrawal, the document (or website) does not elaborate much or in detail.

The document only states that website owners must provide information to Users about how to withdraw consent. It does not state anything about which tools are deemed acceptable to these ends, but it repeatedly mentions browser settings as an acceptable means to withdraw consent.

