Cookies, Consent, Contradictions and the Implementation Framework by Tojola Yusuf

Cookies are information that a visited website saves on the user’s device.^[1] The information could be your personal data like name, home address, phone number, email address, age, sites visited, user ID and more, depending on the personal data you may have entered on the website or which the website has obtained from you, or actions you have taken on the website.^[2] So, when a user leaves a website and revisits it, the website reads the information to remember the user’s device.

Why cookies?

Cookies have many uses, as will be seen below:^[3]

1. It helps the website to determine the actual number of visits it gets;
2. It enables the website to recognise users, thereby remembering users’ preferences. For instance, if a user chooses a web page to be displayed in Arabic when the user visits again, the web page will be translated to Arabic without the user’s prompt;
3. It helps to remember users IDs when they revisit. For instance, it enables the “keep me logged in” feature on websites;
4. It is used to customise users’ browsing experience; and
5. The information collected can be used to tailor advertising to users’ interests.

Besides using cookies for the reasons listed above, it is common practice that some websites deploy cookies that track other websites or pages that you visit.^[4] They follow users around the web and stack up multiple information about them. For example, these tracking cookies keep information about users’ purchases, visits, location, browsing habits and similar information across the web. The magnitude of information that these cookies can hold from monitoring behaviours online is of such magnitude that calls for adequate protection under the law. In addition, some websites buy and sell the data they obtain from cookies.^[5]  Usually, data brokers help data suppliers (who gather data through cookies) to sell data and, in turn, pay the suppliers commission or based on a fixed number of unique cookies created.^[6] A downside to this is that the supplier may not even know the eventual buyer of the cookies data. Therefore, there is the need for a data subject to be adequately protected by the relevant laws concerning cookies.

Cookies under the Nigerian law

The Nigeria Data Protection Regulation (NDPR) Implementation Framework prescribes consent as the lawful basis to install cookies on a user’s device. It describes what constitutes consent to cookies and sets out guidelines for deploying cookies on users’ devices as follows,

“The use of cookies on a website or other digital platforms requires consent. The consent must be freely given, informed and specific. Consent for cookies does not necessarily need the ticking of a box or similar methods; the continued surfing of a website upon a clear notice indicates consent. (emphasis mine)

In deploying cookies, website owners are required to:

1. make cookies information clear and easy to understand;
2. Notify users of the presence and purpose of the cookies;

iii. identify the entity responsible for the use of the cookies; and

1. provide information on how to withdraw consent from the use of the cookies.”^[7]

Therefore, websites are mandated to provide information about their use of cookies either through a specific cookies notice or embed it within the privacy notice. The information will include the type of cookies and their purpose. In addition, there is an obligation to specify the party responsible for the cookie – cookies can be the first party when it is owned by the website or a third party if it is owned by another entity. Finally, there is an obligation to provide information about how to withdraw consent. The website may also consider providing additional information to users about how to delete cookies from their device and the duration of the cookie.

Cookies, Consent and Contradictions

Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, through a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to them.^[8] Thus, consent must be unambiguous and given with clear affirmative action. However, where continuous browsing is deemed valid consent, it seemingly makes consent ambiguous for the users, as there are many unanswered questions. For instance, it leaves the users with questions such as:

• What constitutes continuous browsing? How long must the users surf the website to have been deemed to have continued to surf the website?
• Assuming the question above is answered, are the users informed of the time that the cookies will be saved on their devices?
• At what point of surfing are cookies saved on the users’ devices?
• What information does the controller needs to provide in the clear notice to help the users make informed decisions?

A valid consent should not leave these questions unanswered. Instead, users should have clarity on the specifics of the act that constitutes consent. Taking an affirmative action instead of continuous browsing takes away this ambiguity.

Likewise, in explaining consent to cookies, the European Data Protection Board Guideline on Consent also explains that,

“actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action”.^[9]

The reason adduced is that such action may not be easily distinguishable from the user’s other actions or interactions on the website. Thus, making the consent ambiguous.

Furthermore, the Implementation Framework provides that

“consent for cookies does not necessarily need the ticking of a box or similar methods; the continued surfing of a website upon a clear notice indicates consent.“

This provision contradicts the requirement of voluntariness, specificity, and information as the continued surfing of a website is silent, without more, on the part of the website user.^[10] The lack of adequate information in the consent procedure for cookies is a departure from the principle of transparency and the consumers right to be informed. If the data subjects are not adequately informed, the data subject cannot be said to have exercised real choice.

Similarly, in stating the principles governing consent, the Implementation Framework provides that implied consent (silence, pre-ticked boxes or inactivity) do not constitute consent.^[11]  Thus, the continuous surfing of a website is implied consent and contradicts the requirement of clear affirmative action as required by the Implementation Framework.

Moreover, the Implementation Framework in Article 2 states that the Framework clarifies the provisions of the NDPR, and the two laws should be read conjunctively. The provision that deems continuous surfing as consent does not clarify the NDPR but contradicts it- this is a deviation from the Implementation Framework’s position as a guide to compliance with the NDPR.

Besides, the NDPR provides that when the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of their personal data^[12]. To demonstrate the data subject’s consent, the controller must be able to show proof that consent was freely given, informed, specific, and unambiguous.

The absence of clarity, real choice and adequate information in the consent procedure will make the demonstration of consent in this situation difficult or impracticable.

The continuous browsing of a website is too passive to aid the demonstration of consent when the need arises. Instead, more affirmative action where the data subjects tick a box or allow or reject cookies through their browser settings will ensure easy demonstration of consent.

Recommendation

Personal data collected through cookies could be exposed to several risks. The existence of ambiguity and contradictions in the consent procedure does not help the data subjects. Hence, it is pertinent to remedy the provision in issue.

Therefore, it is recommended that the Implementation Framework be amended to remove the provision that recognises the continuous surfing of websites upon a clear notice as consent. Removing this provision will rid the Implementation Framework of contradictions while also allowing for clarity and accountability in the consent procedure for cookies.

In the alternative, further information and guidance should be included in the provision to set out what constitutes continuous browsing and how the same may be demonstrated by the controller or processor.^[13]

^[1] ‘Internet Cookies’ (Federal Trade Commission, 29 July 2013) <https://www.ftc.gov/site-information/privacy-policy/internet-cookies> accessed 28 August 2021.

^[2] ‘What Information Is Stored in a Cookie?’ (CookiePro) <https://www.cookiepro.com/knowledge/what-information-is-stored-in-a-cookie/> accessed 8 November 2021.

^[3]  ‘Internet Cookies’ (Federal Trade Commission, 29 July 2013) <https://www.ftc.gov/site-information/privacy-policy/internet-cookies> accessed 28 August 2021.

^[4] ‘A Guide to Tracking Cookies’ (CookieYes, 2 September 2021) <https://www.cookieyes.com/tracking-cookies/> accessed 4 November 2021.

^[5] Marshall B, ‘How Internet Cookies Work’ (HowStuffWorks, 26 April 2000) <https://computer.howstuffworks.com/cookie.htm> accessed 28 August 2021.

^[6] ‘The Truth About Online Privacy: How Your Data Is Collected, Shared, and Sold – Clearcode Blog’ (Clearcode | Custom AdTech and MarTech Development, 7 September 2015) <https://clearcode.cc/blog/online-privacy-user-data/> accessed 5 November 2021.

^[7] Article 5.6 NDPR Implementation Framework

^[8] Article 1.3(iii) NDPR

^[9] Guideline on Consent issued by the European Data Protection Board (EDPB)  in May 2020 Guidelines 05/2020 on Consent under Regulation 2016/679, paragraphs 84 to 86, page 19

^[10] Guideline on Consent issued by the European Data Protection Board (EDPB)  in May 2020 Guidelines 05/2020 on Consent under Regulation 2016/679, paragraph 79, page 18

^[11] Article 5.2(b) NDPR Implementation Framework

^[12] Article 2.3(2)(a) NDPR

^[13] Article 5.6(i-iv) NDPR Implementation Framework

This piece was contributed by Tojola Yusuf (CIPP/E)