Cookies and the Law: Comparing Cookie Law Regulation Across Jurisdictions
- Anna Lau, Litigation Partner
- Aug 30, 2021
Introduction: What Are “Cookies” on the Internet?
“The difference between technology and slavery is that slaves are fully aware that they are not free.” - Nassim Nicholas Taleb
“Tracking my cookies? They will never get my recipe!” - Grandma using the Internet

The word cookie carries a different meaning for different people. In a bygone era, a cookie was simply a delicious treat. In today’s digital age, however, most netizens understand cookies to be small data files generated whenever an end-user accesses a website. They are created to enable a website operator to track visitors’ activities. Historically, web services have claimed to retain cookies for the purpose of improving user experience (also known as direct marketing).
As cookies inevitably retain user-specific data, many jurisdictions have woken up to the fact that legislation and regulation of the use of cookies are necessary in order to prevent abuse.
The term cookie law therefore commonly refers to legislation that requires website or domain operators to obtain consent from visitors before storing or retrieving any information on a computer, smartphone or tablet.
If you care about cookies and cookie law regulation, stay tuned for our Legal Update Express series summarising the latest legal developments.
Global Overview of Cookie Law Regulation
Although the Internet dawned many decades ago, regulation of the Internet and of online personal data is still considered a relatively new norm. The following is a quick overview of cookie law regulation and protection levels across the globe.
Cookie Law Regulation in Hong Kong SAR
Regulating bodies and laws: Administrative Appeals Board (AAB); Personal Data (Privacy) Ordinance (PDPO)
Protection level: Low
At present, there are no specific laws regulating cookies. Hong Kong’s existing data privacy legislation, the PDPO, was based on the 1980 OECD Guidelines and is widely criticised as antiquated.
Based on the decisions in AAB No. 16/2007 and AAB No. 25/2012, cookies may be regarded as anonymous browsing histories and not personal data under the PDPO.
Despite criticism, the PDPO provides Data Protection Principles, recommending that websites:
Inform users of cookie usage, purpose and method of collection
State whether access is allowed without cookies and any loss of functionality
Regarding behavioural information, website owners are advised to:
Set cookie expiry dates
Encrypt cookie contents
Avoid overriding browser cookie controls
The PDPO currently enables the Privacy Commissioner to recommend, rather than mandate, compliance. Legislative reform is anticipated.
Cookie Law Regulation in People’s Republic of China (PRC)
Regulating bodies and laws: General Chinese laws on data protection and Internet regulation; Personal Information Protection Law (“PIPL”) (Note: the PIPL is not yet in force but is expected to be in the near future)
Protection level: Low/Medium
At present, there are no specific requirements regarding cookies within existing laws or regulations. The PIPL (as drafted) does, however, provide that a data subject’s consent is necessary to process any personal data. It remains unclear how the authorities will specifically deal with cookies.
On 6 May 2015, the Intermediate People’s Court of Nanjing City, Jiangsu Province, held in a civil judgment that Baidu’s use of cookies to personalise advertisements directed at consumers on partner third-party websites did not infringe consumers’ right to privacy; the information collected was deemed not to be ‘personal information’ under Chinese law.
Personal data is defined as any recorded information that can be used, alone or in combination with other information, to identify a natural person;
Sensitive personal data is defined as personal data which, if disclosed or abused, will lead to an adverse impact on the data subject; and
To the extent that cookies constitute processing of personal information, website operators should notify data subjects as part of a privacy policy, and adequate consent should be obtained from data subjects for such use.
The passage of the PIPL (though not yet in force) is seen as a step forward in modernising cookie-related laws and regulation in an age of rapid developments in Big Data, Machine Learning and Artificial Intelligence.
Cookie Law Regulation in United States of America (“USA” or “US”)
Regulating bodies and laws: Federal law: Children’s Online Privacy Protection Act (“COPPA”); State law: e.g., California Consumer Privacy Act (“CCPA”)
Protection level: Low
COPPA currently regulates the activity of websites and online services aimed at children under 13 years old. Whilst there is no federal legislation specifically targeting the operation of cookies in the US, some states have passed laws that regulate cookie usage where it relates to their residents. The CCCA, for example:
Grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected about them;
Grants consumers the right to request deletion, as well as the right to opt out of having their data sold to third parties;
Requires that users be informed of which cookies are in operation on a website, what kind of personal information they collect and for what purposes; and
Requires that users be informed of the third parties with which their personal information is shared.
Similar to the situation in Hong Kong and the PRC, the lack of an updated set of data privacy protection laws means that the protection level is relatively low by global standards.
Cookie Law Regulation in United Kingdom (“UK”)
Regulating bodies and laws: Data Protection Act 2018; UK General Data Protection Regulation (“UK-GDPR”)
Protection level: High
The Data Protection Act 2018 was amended so that the data protection legislation is compatible with, and can be read in conjunction with, the UK-GDPR (the UK-GDPR being cited as one of the most advanced data protection regimes globally, capable of responding to present-day realities).
UK-GDPR: Almost word-for-word identical to the EU’s GDPR. Its main features include mandatory requirements for websites to obtain explicit consent from users before processing their personal data via cookies and third-party trackers.
As a result of these mandatory requirements, websites must enable users to withdraw or change their consent as easily as they gave it. The UK-GDPR also gives UK users a set of rights, chief among them the right to have already collected personal data deleted or corrected.
Cookie Law Regulation in European Union (“EU”)
Regulating bodies and laws: General Data Protection Regulation (“GDPR”); Guidelines by the European Data Protection Board (“EDPB”)
Protection level: High
According to the GDPR (in force since May 2018), online identifiers such as cookie identifiers may be used to create profiles of individuals and to identify them, and such data qualify as personal data (see Recital 30). Under this set of legislation:
Websites need to obtain user consent before activating cookies that process personal data.
Users must be able to consent to some cookies rather than others.
Websites must document all obtained consents.
Consent must be renewed annually.
Under the EDPB:
Consent must be a freely given, specific, informed and unambiguous indication of users’ wishes.
Pre-ticked checkboxes on cookie banners are not allowed, i.e. cookies must be deselected by default when users land on your website.
Scrolling and continued browsing on your website (implied consent) does not constitute valid consent.
Cookie walls (i.e. making user consent a condition of access to your domain) do not constitute valid consent.
The GDPR has often been cited by regulators (not industry operators) as the shining example of modern data protection laws. With a significant number of mandatory requirements as well as the power to take enforcement action, it is seen as one of the most comprehensive regulation sets in the data privacy protection space.
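As an added example (not code from the original article), the consent rules listed above expressed as a small JavaScript policy check: non-essential categories are off by default, only an affirmative click is accepted as consent, each consent is documented with a timestamp, withdrawal is a single call, and a record older than a year no longer authorises non-essential cookies. The category names, the record shape and the 365-day renewal window are assumptions.

```javascript
// Added example, not code from the original article: a consent policy check
// modelled on the GDPR/EDPB rules listed above. Category names, the record
// shape and the 365-day renewal window are assumptions.
const CATEGORIES = ["essential", "analytics", "marketing"];
const RENEWAL_DAYS = 365;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// State when a visitor first lands: nothing non-essential is pre-ticked.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false };
}

// Record an explicit choice. Only an affirmative act ("click") counts;
// scrolling or continued browsing is implied consent and is rejected.
function recordConsent(choices, action, nowMs) {
  if (action !== "click") {
    throw new Error("implied consent via '" + action + "' is not valid consent");
  }
  const consent = defaultConsent();
  for (const category of CATEGORIES) {
    // Granular consent: each non-essential category is accepted individually.
    if (category !== "essential" && choices[category] === true) {
      consent[category] = true;
    }
  }
  // Document the consent: what was agreed, how, and when (the audit record).
  return { consent, action, recordedAt: nowMs };
}

// Decide whether a cookie of the given category may be set under a record.
// A record older than the renewal window authorises nothing beyond essential
// cookies, so consent has to be asked for again.
function mayStoreCookie(record, category, nowMs) {
  if (category === "essential") return true;
  if (!record) return false;
  const ageDays = (nowMs - record.recordedAt) / MS_PER_DAY;
  if (ageDays > RENEWAL_DAYS) return false;
  return record.consent[category] === true;
}

// Withdrawal must be as easy as giving consent: one call clears a category
// and produces a fresh, documented record.
function withdrawConsent(record, category, nowMs) {
  const consent = { ...record.consent };
  if (category !== "essential") consent[category] = false;
  return { consent, action: "click", recordedAt: nowMs };
}
```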
Cookie Law Regulation in South Korea
Regulating bodies and laws: Personal Information Protection Act (“PIPA”)
Protection level: Medium
Under South Korean law, cookies are regulated by the PIPA as personal information which, if combined with other information, may enable the identification of a specific individual. Websites using cookies (or web beacons) must allow users to opt out, and the privacy policy must publicise the matters concerning the installation, operation and opt-out process for automated means of collecting personal information.
The PIPA is seen as a more moderate approach to regulating data privacy, attempting to strike a balance between operational efficacy and sufficient protection for the general public.
Cookie Law Regulation in Japan
Regulating bodies and laws: Personal Information Protection Act (Note: an amendment is expected to be enacted in the near future)
Protection level: High
Japan is unique in that, whilst the existing law does not require consent for the use of cookies in all instances, its regulation focuses primarily on cases where the receiving company identifies individuals. Where personal data is collected, the collector is brought within the reach of the regulation.
Companies will be required to obtain users’ consent when "cookies" are used, and when these cookies are given to third parties to create individual profiles. Companies are also required to provide explanations as to how such profiles are created.
The Personal Information Protection Commission plans to introduce legal provisions giving web users the right to ask companies not to use their personal information for unwanted purposes.
Cookies will be handled in the same way as other personal information when it is turned over to a third party for the purpose of identifying an individual. The company will be required to inform the person that their information is being gathered and obtain the person's permission.
In this regard, the 2020 Amendment proposes to introduce the notion of Related Personal Information, i.e. information which is related to a living individual but cannot, by itself, identify the individual. Cookies will therefore be deemed Related Personal Information and cannot be provided to a third party if that third party may be able to use the cookies to identify an individual, except where the provider has the individual’s consent.
Cookie Law Regulation in Australia
Regulating bodies and laws: Privacy Act 1988 (“PA 1988”); Australian Privacy Principles (“APPs”)
Protection level: Medium
Similar to Hong Kong, the Australian data protection law came into existence before the widespread proliferation of cookies across the Internet. As such, there are no specific laws targeting cookies.
Under the PA 1988 and APPs, the law requires websites to have a privacy policy that informs users of all cookies/trackers that collect, process, or share personal information.
The Australian legislation distinguishes between personal information (basic identity information) and sensitive information (racial origin, political opinions, religion, sexual orientation, etc.). For personal information, the APPs state that a website may only collect and process it where necessary for, or directly related to, the website’s functions and activities (no cookie banner is required). For sensitive information, websites must ask users for express consent before collection (thus a cookie banner is required).
Where an Australian website collects personal info on users for one purpose, it cannot use/disclose such information for other purposes unless users consent to such disclosure. Consent is therefore the key.
Conclusion
Essentially, when it comes to cookie regulations/laws, there is no benefit for website users under existing Hong Kong law, especially when compared to the data protection frameworks of the EU, UK and Japan.
Most notably, website operators are only ‘recommended’ to pursue certain courses of conduct, as opposed to being bound by strict regulations. As a result, website users’ data can be used for advertising purposes without the user’s consent (which is effectively prohibited under newer personal data protection laws such as the GDPR), with various forms of personal information and sensitive information collected and transferred in the process.
It is therefore understandable that the AAB decisions are considered largely outdated and may result in insufficient protection for website users, though it is predicted that the decisions are likely to change if a case regarding cookies is heard before the Board. Many in academic circles are therefore largely critical of Hong Kong’s cookie law from the standpoint of continued Internet safety and urge reform of the current laws.
We hope you enjoyed the latest of our Legal Update Express series. To stay tuned for more content hit the subscribe link provided. Until next time.
How Can Ravenscroft & Schmierer Help?
Navigating cookie law regulation requires understanding local and international data protection frameworks. Ravenscroft & Schmierer advises organisations and individuals on cookie compliance, privacy obligations, regulatory exposure and cross‑border data risks.
If you require assistance assessing your position or obligations, contact us to discuss your circumstances and available options.
FAQ: Cookie Law Regulation
What is cookie law regulation?
Cookie law regulation refers to legal rules governing consent, transparency and data protection concerning cookies.
Are cookies considered personal data?
In many jurisdictions, cookies qualify as personal data if they can identify or profile individuals.
Does Hong Kong require cookie consent?
Hong Kong does not have a specific standalone cookie consent law comparable to the EU GDPR. However, the use of cookies is regulated under the Personal Data (Privacy) Ordinance (PDPO) when cookies are used to collect or process personal data.
How can Ravenscroft & Schmierer assist with cookie law compliance?
Ravenscroft & Schmierer advises on privacy obligations, cookie usage risks and regulatory exposure across jurisdictions.
Does Ravenscroft & Schmierer advise on GDPR and international cookie compliance?
Yes. We regularly advise clients on aligning cookie practices with GDPR, UK-GDPR and other global standards.
Can Ravenscroft & Schmierer assist businesses operating across multiple jurisdictions?
Yes. We advise on cross-border data protection risks arising from technology and online tracking practices.
This article is co-authored by Joshua Chu from ONC Lawyers.
Disclaimer: Whilst every effort has been made to ensure the accuracy of this article it is general in nature and does not constitute legal advice of any kind. You should seek your own personal legal advice before taking legal action. We accept no liability whatsoever for loss arising out of the use or misuse of this article.
For specific advice about your situation, please contact:
Litigation Partner
+852 2388 3899