For many years, the enforcement of cookie rules in Poland lagged developments in the rest of the EU. This has changed following enforcement action by the President of the Personal Data Protection Office (“Authority”), demonstrating a significant change in approach. We consider how this tracks wider enforcement across the EU.

The landscape for cookies

The laws on the use of cookies were, for many years, not an issue that attracted much regulatory attention in the EU. This may be partly because of the complexity of the underlying technology and limited evidence of wider societal concerns. As a result, a number of practices grew up (such as treating users who ignored cookie banners as consenting to their use) that were not obviously compliant with the law.

The position has changed significantly in the past few years. Not only has the use of cookies become the focus for many privacy activists, as evidenced by the complaints lodged by NOYB (here), but also through regulatory enforcement. For example, the EUR 135 million fines issued by the CNIL against Google and Amazon for failure to obtain user consent before setting advertising cookies (here) and the Belgian regulator’s enforcement action against IAB Europe (the standards setting body for much of the adtech industry) as alleged joint controller in respect of cookies set using the TCF framework.

Against this backdrop, the Authority has, until recently, done little in relation to cookies.

Enforcement at last

The Authority has now taken enforcement action following a complaint from a data subject. In an as yet unpublished decision, the Authority issued a reprimand to the controller for:

• providing third parties with the complainant’s personal data regarding his IP address and cookies ID without a valid legal basis (breach of Article 6(1) GDPR);
• non-fulfilment of the information obligation with regard to recipients of personal data (breach of Article 15(1)(c) GDPR); and
• failure to provide a copy of personal data (breach of Article 15(3) GDPR) in the case at hand.

No administrative fine was issued, and the decision is not final. It is also likely to be appealed by the controller before the administrative court in Poland.

IP address and cookies ID – Personal data?

The starting point is the Authority’s analysis of whether the IP address and cookies ID constitute personal data.

It concluded that if the IP address is assigned to a specific device for a longer period or on a permanent basis, and the device is assigned to a specific user, such information makes a specific natural person identifiable and, therefore, constitutes personal data. This is the first decision of the Authority since the GDPR came into effect, in which it confirmed that both the cookies ID as well as the IP address qualify as personal data within the meaning of the GDPR.

Consent not valid following Planet49

The Authority also assessed the method of obtaining consent for the use of cookies from website users.

The controller stated that it relied on the user’s consent expressed by default browser settings. In the opinion of the Authority, consent granted in this way should be regarded as being granted in a passive and tacit manner, and thus invalid in the light of the applicable provisions of the GDPR (providing for the requirement for voluntary consent, awareness, unambiguity and specificity).

According to the Authority, such consent does not meet the requirements set out in the CJEU’s judgment issued in Planet49 (C-673/17), in which the CJEU stated that an “indication” of the data subject’s wishes clearly points to active, rather than passive, behaviour. In particular, according to the CJEU, “Article 7(a) of Directive 95/46 provides that the data subject’s consent may make such processing lawful provided that the data subject has given his or her consent ‘unambiguously’. Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement”.

The Authority applied the CJEU’s interpretation that the consent of the website user for the installation of cookies on his or her device should be given in an active and unambiguous way, and the lack of user’s active action results in its invalidity.

Lack of transparency

As regards the information obligations, the Authority referred to the CJEU’s conclusion that only “clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.”

The Authority stated that, as a consequence, the person whose data will be processed must be provided with the right information before the installation of cookies occurs.

How does this fit into the Polish laws on cookies?

These conclusions are interesting given the specific Polish regulations on the use of cookies in the Polish Telecommunications Law Act (Arts. 173 and 174) (“TLA”). According to Article 173(2) TLA, the consent for the use of cookies can be expressed by adjusting the settings of the software installed in the equipment used by the subscriber or end user, or by adjusting the configuration of the service (e.g. browser settings). On the other hand, since 2019, Article 174 TLA sets forth that the consent must meet the GDPR consent requirements. Consent is not required for strictly necessary cookies, but is for other cookie types (e.g. advertising, analytical or functional cookies).

Given this ambiguity, there has been some doubt as to whether relying on browser settings, which seems to be a common practice in Poland, is sufficient or whether a clear and separate consent should be obtained for the use of cookies. It is sometimes argued that a user who does not change the browser settings and uses the website gives his or her implied consent for cookies.

However, the recent decision by the Authority and wider market practice in Poland is now firmly pointing in the direction of collection of active consents, in particular in the case of multinational businesses which aim at achieving a unitary, EU-wide approach in terms of cookies.

Implications of the Authority’s decision

The decision is a game-changer for many Polish businesses. International corporations that are present in a number of EU countries are more likely to have already implemented cookie management tools on their websites, following regulatory and enforcement actions in other EU jurisdictions. However, we note that many actors, including those operating in data-driven sectors, do still rely on browser settings when collecting cookies in Poland. Due to the lack of clear regulatory guidance in Poland, this was not regarded as a major risk from a business perspective, but this may change now. Cookie enforcement in Europe is on the rise and Poland is not getting left behind.