Is a cookie policy mandatory?

Cookie policy - an obligation for website owners

The RODO (the General Data Protection Regulation, GDPR) requires companies to provide information about the purpose and method of processing personal data, and the data subject must give consent. In principle, consent to the use of cookies is also subject to the RODO regulations. In the case of some cookies, especially those necessary for the operation of the website, simply informing the user may be sufficient. However, in the case of cookies for advertising, analytics or personalization purposes, RODO requires explicit consent from the user. This means that simply informing the user of the use of cookies is not enough; the user must actively consent to their use.

What are cookies and why do we need cookies?


Cookies are small text files, consisting of strings of letters and numbers, that are stored on your device when you browse websites. They are used to store information that the website may use on subsequent visits. There are two main types of cookies: session cookies, which are temporary and remain on your device until you end your browsing session, and permanent cookies, which remain on your device for the period specified in the cookie settings or until you manually delete them.

Cookies have a variety of uses, including:

  • Remembering login credentials and passwords for easy access to various services.
  • Auto-completing forms with data entered earlier.
  • Analyzing user activity on the site, such as how much time a user spends on each subpage.
  • Remembering individual user settings and preferences.
  • Creating statistics on the most visited pages.

Most web browsers accept cookies by default, but users can change their settings at any time to restrict or block cookies. However, blocking cookies may affect the functionality of some sites, causing, for example, the need to manually enter logins, passwords or other preferences each time you visit a site.

Cookie policy vs. personal data and RODO


The RODO (General Data Protection Regulation) requires companies to inform users about the purpose and method of processing their personal data, requiring their consent. Cookies, which are small text files stored on a user's device, often contain key information such as the name of the website, the storage period and a unique number. There are two main types of cookies: session cookies, which are saved only for the duration of the browser session, and permanent cookies, which remain on the device until they expire or are deleted by the user.

Cookies can serve a variety of purposes, including remembering passwords and settings, making it easier to fill out forms, analyzing user activity on the site, or collecting statistics. Although browsers usually accept cookies by default, users have the option to block them or change their settings. However, blocking cookies may affect the functionality of the site, such as the need to re-enter data.

In the context of the RODO, cookies may be treated as personal data in cases where they allow identification of a specific person, such as through an IP address. If the IP address or other information contained in cookies can be linked to other data that identifies a person, then they are treated as personal data, requiring protection under the RODO. IP addresses may be considered personal data, especially in the case of permanent addresses that identify the user. The RODO imposes an obligation to inform users of the processing of such data and to obtain their consent, unless there are exceptions that allow processing without consent. In the case of cookies that do not identify a specific person, consent may not be required, but it is still important to inform users about their use.

Consent to cookies before RODO came into force

Consent for cookies is mainly regulated by the Telecommunications Law and the EU Communications Directive (e-privacy). These laws have been in force in Poland for several years. According to these laws, website administrators must obtain consent for the use and storage of cookies on users' devices.

Consent is understood as an express and informed expression of will. In practice, this means that consent is the result of a conscious action. It is not necessary to collect statements or check boxes (small square boxes). It is enough if the user makes a conscious affirmative gesture, for example, by typing his or her e-mail address in the appropriate box or continuing to browse the site after reading the information on cookies.

In short, consent to cookies can be given through browser settings or by changing the browser configuration. The assumption is that if a user continues to use the site after reading the information about cookies, he has made an informed gesture and given his consent to cookies (known as consent through an informed gesture). Otherwise, he would have left the site or changed his browser settings (disabling or blocking cookies).

When is cookie consent not required?

According to the Communications Directive and the Polish Telecommunications Law, there are exceptions where consent for cookies is not mandatory. According to the regulations, consent is not necessary if the cookie is:

  1. Used only to transmit a message over an electronic communications network.
  2. Strictly necessary for the provision of an information society service expressly requested by a subscriber or user.

Accordingly, consent for cookies is not required if the cookies serve one of the above purposes. Examples of such uses include processing e-commerce orders or remembering a user's preferred language.

In a nutshell, the Article 29 Data Protection Working Party says that communication and consent to cookies is not necessary if at least one of the following conditions is met:

  1. Cookies are not used for additional purposes, but only to provide the service.
  2. Cookies include "user-input cookies" (for tracking user input), "session-id cookies," "multimedia player session cookies," and "user interface customization cookies" (e.g., "language preference cookies" to remember the selected language).
  3. The cookie is necessary to offer a specific function, and the user explicitly requests this function as part of an information society service.

In addition, some experts believe that if cookies are used only for analysis and advertising, the processing of personal data may be justified by the legitimate interest of the controller, which does not require consent.

Consent to cookies after the introduction of the RODO law

Experts disagree about consent to cookies after the introduction of RODO. Some maintain that such consent is essential and should take the form of a clear and informed expression of intent, for example by checking a box or clicking a confirmation button, i.e. performing a specific action.

Other experts stress that RODO does not introduce new requirements for cookie consent. They support this with Article 95 of the regulation, which states that RODO does not impose additional obligations in areas already regulated by the Communications Directive, and thus also on the issue of cookies. It follows that if the Communications Directive does not require the collection of statements with consent to cookies, then RODO does not require it either. Merely providing transparent information about the cookies used is sufficient.

Another argument is Article 11 of the RODO, which notes that if the purposes of the controller's processing of personal data do not require the identification of a specific person, it is not necessary to obtain consent for such processing.

In addition, experts point out that there is no direct correlation between the topic of RODO and the use of cookies. RODO focuses on the protection of personal data, i.e. information that identifies a specific person, while cookies are mainly used to analyze statistical data without identifying individual persons. Hence the conclusion that RODO does not cover cookies.

How to inform site users about cookies?

IAB Poland, an organization of employers in the Internet industry, has developed guidelines for informing users about the use of cookies on websites. It is recommended that the message be placed on all pages of the site, not just the main one. The message should be presented in the form of a fixed window or bar that informs about the use of cookies briefly, in a few sentences.

An example of the text of such a message is: "We use cookies on our site to provide the highest quality of customized services. Using the site without changing your cookie settings means that cookies are stored on your terminal device. You can change your cookie settings at any time. For more information, see our 'Cookies Policy'/'Privacy Policy'."

In addition, it is advisable to include a link to the "Privacy Policy" or a special "Cookies Policy", where the user will be provided with more detailed information and the opportunity to make choices regarding consent to different categories of cookies. The "Cookies Policy" should include information about:

  • entities that use cookies,
  • purposes of storing cookies,
  • user's ability to configure browser settings to manage cookies.

Cookies in Poland versus regulatory rules in the European Union

European trends show the growing importance of obtaining users' consent to the use of cookies, which should not be loaded automatically.

In many European countries, violations of cookie management laws are met with sanctions. In contrast, most Polish websites automatically load cookies.

In Poland, such a situation arises from the current regulation contained in the Telecommunications Law. According to this regulation, consent for cookies can be obtained through the user's browser settings. In practice, this means that when a user visits a website and his or her browser does not block cookies, it is assumed that he or she has consented to them, which is accepted by Polish law.

It is worth noting, however, that the President of the Office of Personal Data Protection has not issued an official position on cookies, and no penalties related to their use have been imposed. Nevertheless, European regulations in this regard differ, and given the general direction of changes, it can be assumed that adaptation to these regulations in Poland is only a matter of time.