Hungarian DPA imposes first fine for website cookie management
Until recently, news reports about cookies discussed only the gigantic fines imposed by foreign data protection authorities (DPAs) on tech giants (Google, Amazon, Meta). For economic reasons, operators of ordinary websites have continued their unlawful practices without risk, waiting until the last possible moment.
This moment has arrived for Hungarian data controllers, as the National Authority for Data Protection and Freedom of Information (NAIH) has recently published its first, and so far only, official decision on cookie management. Although NAIH imposed a relatively small fine of only HUF 10,000,000 (approximately €25,000), the reasons given for the decision state that the low fine is justified by the fact that this is the first time the Hungarian authority has opened an investigation into cookie management.
It is no use putting forward the defence that “everyone does it”. NAIH has stressed that the widespread nature of the infringement does not make it legal. In this context, NAIH also pointed out that operating under the IAB Europe framework does not necessarily guarantee compliance.
The authority has ruled that the information stored in cookies is personal data, since they assign unique identifiers to a person in order to identify a specific user.
It is unlawful to make it more difficult to “reject all” than to “accept all”. The “accept all” option was available at the first level (one click), whereas the “reject all” option was only available at the second level (two clicks). The “object” option, i.e. to refuse permission to place cookies for reasons of legitimate interest, was only available at the third level (after at least three clicks). We note that a similar decision was taken by the CNIL, the French Data Protection Authority in December 2022, when it fined Microsoft €60 million for its cookie management practices on the bing.com website for reasons that included that acceptance was possible with one click, but rejection required two clicks.
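The click-depth asymmetry described above can be checked mechanically. The following JavaScript is an added illustration, not part of the article or of any NAIH or CNIL material: it models a cookie banner as a set of screens, computes the minimum number of clicks needed to reach each decision, flags any option that is harder to reach than “accept all”, and shows a consent gate that releases only essential cookies until the user has actually decided. The two banner layouts, the cookie list and all function names are constructed for the example.

```javascript
// Added example: audit a cookie banner's click depth and gate cookies on consent.
// A banner is a graph of screens; each action either records a decision or
// navigates to another screen. Both layouts below are constructed examples.

// Layout matching the pattern the article describes: accept on level 1,
// reject on level 2, object (legitimate interest) on level 3.
const asymmetricBanner = {
  start: "level1",
  screens: {
    level1: [
      { label: "Accept all", decision: "accept" },
      { label: "Settings", goto: "level2" },
    ],
    level2: [
      { label: "Reject all", decision: "reject" },
      { label: "Legitimate interest", goto: "level3" },
    ],
    level3: [{ label: "Object", decision: "object" }],
  },
};

// Layout with every decision reachable in one click from the first screen.
const symmetricBanner = {
  start: "level1",
  screens: {
    level1: [
      { label: "Accept all", decision: "accept" },
      { label: "Reject all", decision: "reject" },
      { label: "Object to legitimate interest", decision: "object" },
    ],
  },
};

// Breadth-first search over screens: returns the minimum clicks per decision.
function clickDepths(banner) {
  const depths = {};
  const queue = [[banner.start, 0]];
  const seen = new Set([banner.start]);
  while (queue.length > 0) {
    const [screen, clicks] = queue.shift();
    for (const action of banner.screens[screen] || []) {
      if (action.decision !== undefined) {
        // Reaching a decision costs one more click than reaching its screen.
        if (depths[action.decision] === undefined || depths[action.decision] > clicks + 1) {
          depths[action.decision] = clicks + 1;
        }
      } else if (action.goto !== undefined && !seen.has(action.goto)) {
        seen.add(action.goto);
        queue.push([action.goto, clicks + 1]);
      }
    }
  }
  return depths;
}

// Returns a list of findings; an empty list means reject/object are no
// harder to reach than accept.
function auditBanner(banner) {
  const depths = clickDepths(banner);
  const findings = [];
  for (const option of ["reject", "object"]) {
    if (depths[option] === undefined) {
      findings.push(`${option}: not reachable`);
    } else if (depths.accept !== undefined && depths[option] > depths.accept) {
      findings.push(`${option}: ${depths[option]} clicks vs accept ${depths.accept}`);
    }
  }
  return findings;
}

// Consent gate: essential cookies are always allowed; any other category is
// set only if the user consented to it. Before a decision, consent is empty.
function allowedCookies(consentedCategories, cookies) {
  return cookies.filter(
    (c) => c.category === "essential" || consentedCategories.has(c.category)
  );
}

// Constructed cookie inventory for the gate.
const siteCookies = [
  { name: "session_id", category: "essential" },
  { name: "analytics_id", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];

console.log(clickDepths(asymmetricBanner)); // { accept: 1, reject: 2, object: 3 }
console.log(auditBanner(asymmetricBanner));
console.log(auditBanner(symmetricBanner)); // []
console.log(allowedCookies(new Set(), siteCookies).map((c) => c.name)); // [ 'session_id' ]
```

The audit runs over a model of the banner rather than the live page, so it can be kept beside the banner configuration and re-run whenever the consent flow changes; the gate shows the other half of the obligation, namely that non-essential cookies are not set before a decision exists.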
The information was too complicated and difficult to read. The website displayed too much information about cookies in an unreasonably small area of the screen, readable only a few lines at a time. Overall, the information provided did not comply with the General Data Protection Regulation. Naming the data controller as “we and our partners” was not sufficiently clear, particularly given that there were 754 partners.
Misuse of legitimate interest. The website used the term “legitimate interest” in a misleading way. It is unfair to state the same processing purposes for cookies based on consent and for cookies based on legitimate interest. For cookies necessary for the technical functioning of the website, consent is excluded as a legal basis, yet the controller did not provide an appropriate balancing test for the legitimate interest it relied on.
Data transfers to third countries. In several cases, the data collected by the cookies were transferred to third countries via the 754 designated partners, but the risks of transferring data to third countries were not managed and data subjects were not informed of this.
It is worth noting that civil society organisations can also actively contribute to mass proceedings by authorities against websites and apps. For example, NOYB, led by Austrian activist Maximilian Schrems, filed nearly 300 complaints with national data protection authorities in the summer of 2022 against websites using OneTrust cookie banners.
It is therefore clear that it is now the last moment for website operators to review their websites’ cookie management practices and cookie banner settings before the NAIH does it for them.