The use of advertising cookies on the occasion of the recent case of Meta Ireland

27 April 2023
Legal Associate:

The Irish Data Protection Authority (DPC) recently announced that it has imposed a total fine of 390 million euros to Meta Ireland for projecting targeted ads to Facebook and Instagram users [1] due to a lack of information regarding the specific processing of their personal data, adopting the position that the recording of their behavior for the purpose of displaying "relevant" advertisements cannot be a matter of mutual agreement.

While online advertising has become a key source of income for companies operating on the internet with digital ad spend (Digital advertising spending) in the EU estimated for 2022 at around 96.9 billion euros [2], the majority of users are unaware of how cookie-related technologies work [3].

Behavioral advertising (online behavioral advertising) is based on tracking the web pages that a user visits on the internet and the actions taken online (e.g. purchase of products and services) in order to monitor its preferences and interests and display only relevant advertisements.

More specifically, the tracking of a user's behavior e.g. on social media, on an informative website or in an e-shop, requires intervention in its terminal equipment, through the use of e.g. trackers, known as cookies.

What are cookies?

According to the Personal Data Protection Authority, cookies are small files with information that each website stores on a user's computer, so that every time they connect to that website, the latter retrieves the specific information and offers them services according to said information.

The cookies that are installed for the purpose of online advertising are only allowed if the user's consent has been given, following appropriate notification. Similarly, according to the Data Protection Authority, the use of third-party trackers, such as the Google Analytics service for the purpose of statistical analysis (web analytics), should also be allowed only after the given consent of the website user.

For example, a general reference in the general terms & conditions or in the general terms of use of the service, which is usually lengthy and includes various other topics, is not considered as sufficient.

Furthermore, consent can be given through the website (e.g. via pop-up windows), while prior acceptance of receiving cookies through default browser settings cannot be considered as consent.

For example, practices such as pre-filled boxes, simple navigation continuation or screen scrolling or -for example- phrases such as "OK, I have been informed" or "OK, I agree", in order to obtain the user's consent, have already been detected by the Authority and in the event of an audit will not be considered as acceptable.

Therefore, an online store or an advertising network that promotes its products through the website of an online store can install a cookie only if it has secured the consent of the subscriber or user, following providing them with prior adequate information.

As cookies are still considered a "headache" for website compliance, it is recommended that businesses that proceed with the purpose of promoting their services/products on website creation or even on the operation of e-shops, as well as advertising professionals who undertake the above services on behalf of their clients and provide monitoring services for the purpose of commercial promotion or advertising, to not ignore the relevant legislative framework, thereby exposing themselves to potential fines from the Data Protection Authority.



[3] Apart from cookies, there are other technologies used for similar purposes, such as –indicatively- pixels, which are used extensively on the Internet, as in Facebook Pixel or tracking pixels when sending newsletters. Thus, any reference to cookies is accompanied by the term "similar technologies", to which, in principle, the same rules as to cookies, apply.

As published on