On 17 February 2017, the Hungarian Data Protection and Freedom of Information Authority (Hungarian DPA) released cookie guidance relating to website and online shop operations. The guidance explains the basic requirements regarding the use of cookies, as well as applicable notice and user consent requirements.

The guidance says that before implementing cookies or similar technologies placing information on the users’ end device, the website operator must (i) map the cookies that it wishes to use on its site and (ii) determine whether notice or consent is required for the use of each. The guidance confirms that the website operator is liable for the use of third-party cookies which transmit information - such as user behavior data - to third parties. Accordingly, the website operator must have the user’s consent to allow the use of cookies collecting and transmitting user information to third parties. The guidance says that special attention must be given to the use of social plug-in modules monitoring user behavior or tracking other user activities. The website operator must be aware of the scope of the data collected by third-party cookies, including the data categories collected and the relevant processing purposes, such as analytics, advertising or market research. The operator must also be transparent about data collection practices relating to the use of its website.

Cookies Notice

The website operator must provide a transparent notice to users regarding the use of cookies. The notice must cover all cookies used, regardless of whether consent is required for the cookies’ use.

Said notice must indicate:

  • the name of each relevant cookie, enabling identification of the website operator’s and each third party’s cookies;
  • the data types for each relevant cookie and their expiry date; and
  • a plain-language explanation of each cookie’s function.

The DPA recommends that website operators should provide general information about cookies and practical information about how the user may find and control cookie settings in his/her browser.

The website operator must provide a cookie notice to users when they first visit the site. Said notice must be repeated if there is a change in the notice. A multilayered notice - i.e. a condensed notice in a pop-up window with a link providing access to the full cookie information - is generally acceptable.

The guidance says that the website operator must implement a mechanism for the deactivation of the notice (pop-up / layer) with active user behavior acknowledging the receipt of the information. This requirement also applies to cookies covered by the cookie consent exemption.

The operator must also provide easy access to the relevant cookie notice after the pop-up or layer has been deactivated. If the use of the cookie requires consent and said requirement relates to a particular functionality, then the operator may provide the relevant cookie notice when the user uses said functionality.

Also, the website operator must provide to users information enabling them to make an informed choice regarding the use of cookies and transmission of data to third persons.

Consent to Use of Cookies

The guidance says that the use of user-input cookies, authentication cookies, user centric security cookies, multimedia player session cookies, load balancing session cookies and user interface customization cookies does not require any consent.

However, if the cookie consent exemption does not apply - such as in connection with the use of third-party cookies or tracking cookies - then the website operator must secure the user’s voluntary consent to the use of such cookies and must obtain separate consent for each cookie that requires consent. In such cases, the DPA will not accept the website operator’s bundling of consent, covering several cookies at the same time, because the DPA considers that consent bundling does not enable voluntary consent. Instead, the DPA suggests that the website operator should implement a consent mechanism providing separate checkboxes for each relevant cookie. The DPA guidance also underlines that the operator must obtain consent before placing each relevant cookie on the user’s end device. This means that the user may not have access to the relevant functionality before he/she has granted consent to the cookie used on that functionality.

The guidance says that the website operator must use inactive social media plug-ins and implement steps that restrict data transfers to social networks, unless the user explicitly consents to the transmission of the information to the social network, e.g. by sharing an article on a social media plug-in. This means that the user must activate the relevant plug-in after having received from the operator a notice about the scope of data collections and transfers, including whether behavioral information is collected and transmitted to third persons.
