Polish law does not define “cookies”. Polish Telecommunications Law indicates only their function: to store information or to gain access to information already stored in the telecommunications terminal equipment of the subscriber or end user.
In practice, cookies are small text files stored in the memory of the browser. They are sent by visited websites to improve their speed and effectiveness and allow the owner of the website to obtain information about the user.
Session cookies: temporary information stored in the memory of your browser until you end your browser session or log out of the website;
Persistent cookies: these are not deleted when you close your browser, and the length of time information is stored in them is determined individually in each cookie.
Necessary cookies: the use of these cookies is necessary for the proper functioning of the website.
Analytical cookies: cookies that allow the website administrator to measure, for example, the number of visits and gather information about the sources of traffic and otherwise study how the website is used.
Functional cookies: these cookies are designed to remember user settings (e.g., language in which content is displayed, user location, font settings, or personalized website design).
First-party cookies: cookies of the website administrator;
Third-party cookies: cookies from third parties, i.e. parties other than the operator of the site the user is visiting.
In this context, it is also worth mentioning zero-party data, i.e. data voluntarily submitted by the user (e.g. in an online form).
The use of cookies is regulated by the Telecommunications Act. It is to be replaced by a new regulation (the so-called Electronic Communications Law), implementing an EU directive, but the wording of the latest draft of the Electronic Communications Law does not change the current rules on the use of cookies.
In addition, provisions on personal data protection apply to the use of files enabling the tracking of network users' activities. On the one hand, obtaining data on users will, in many cases, result in the processing of their personal data; on the other hand, the provisions of the Telecommunications Law directly refer to the GDPR standard in terms of consent requirements for the use of cookies.
Cookies and similar technologies may be used where it is necessary for (i) the transmission of a communication or (ii) the provision of a communication or electronic service requested by the user.
In other cases, the use of cookies or similar technical solutions requires the fulfilment of certain requirements:
the subscriber or user must be informed in advance and directly, in an unambiguous, easy-to-understand manner, of the purpose for which the information is stored and accessed, as well as of the possibility of changing the privacy settings themselves through software settings or service configuration;
the user has granted consent to the storage of information or access to information already stored on the telecommunications terminal equipment;
storing or accessing the information as a result of the technology used will not result in changes of the terminal device configuration and in the software installed on that device.
The user's consent must meet the requirements indicated in data protection law, i.e. the consent must be freely given, specific, informed and unambiguous.
It is not clear whether it is necessary for consent for the use of cookies to be an express and not an implied act of the user. This boils down to the question whether it may be assumed that a user who accesses a website and is informed of the use of cookies has implicitly consented to their use if he/she continues to use the website. Similarly, does the fact that a user has adjusted the cookie settings to his/her preferences through the settings of the web browser relieve the website administrator of the obligation to ask for his/her consent to the use of cookies in a separate banner / pop-up window? Case law and positions of data protection authorities point to an obligation to actively seek consent.
The President of the Personal Data Protection Office (UODO) found that informing users about the use of cookies, assuming that users will adjust their preferences in the browser settings, is insufficient and does not meet the requirements of a valid consent to the use of cookies (an entrepreneur only used a message informing about the use of cookies without giving the user a direct possibility to make any decision in this respect).
At the EU level, the Court of Justice has been examining the legality of a cookie notice where consent to the use of cookies is automatically ticked (the user can untick it). The Court stated that such a solution is not acceptable: a user action is necessary to grant consent. The user should be able to freely, specifically and knowingly express his/her will, for example by ticking a tick-box.
A similar position has been taken by the French data protection authority, CNIL. In its guidelines, the French authority indicated that consent must be given through the user’s active and informed action. The mere fact of browsing a website or using a mobile application is not considered an unequivocally active action that can be considered valid consent. Similarly, according to the CNIL, the use of banners where all consents are already ticked does not meet the conditions for a valid consent to the use of cookies.
The use of cookies may involve the processing of personal data. The website administrator processing such data should ensure a legal basis for the processing. With regard to cookies, the following is most usually considered such a basis:
user consent (e.g. to use personal data to create a user profile);
The legal basis for data processing cannot be equated with consent under telecommunications law - thus, even if the basis for processing is the pursuit of the legitimate interests of the controller, the use of cookies that are not essential requires consent.
Creating a user profile involves a process referred to as profiling. Under the GDPR, profiling consists of the automated processing of personal data (e.g. collected through cookies) for the purpose of assessing personal factors of an individual, such as analysing or forecasting aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
In the light of one of the recent decisions of the UODO, it is important for entrepreneurs creating marketing profiles on the basis of cookie data to be fully aware of the profiling processes and be able to transparently present information about them to users. In particular, entrepreneurs creating behavioural profiles should be able to determine on what basis the profiles are created (what data has been used for this purpose, what information has been combined with it) and what marketing categories have been assigned to a given profile. An entrepreneur using profiling should inform users about it and be prepared to handle the exercise of users' rights, in particular the right of access to data.
Considering the practical importance of cookies in the field of marketing, one may wonder whether a cookie revolution awaits us. Indeed, the largest digital players have announced that they will abandon the use of third party cookies or give users much more control over their information flow.
These measures are intended to enhance user privacy. At the same time, it is argued that they may have the effect of limiting the ability of smaller entities to profile and obtain consumer information, which may have negative effects on competition.
However, even if the use of third party cookies is excluded, this does not seem to mean an end to behavioural profiling or other processing of personal data derived from cookies for marketing purposes. The use of other tracking technologies can be expected to increase, alongside efforts to enhance the protection of users' privacy.