Hungarian Privacy Watchdog Fines Over Cookies and Declares IAB Europe TCF Illegal


The Hungarian Data Protection and Freedom of Information Authority (NAIH) recently fined a market-leading Hungarian media service provider HUF 10 million (approx. €25,000) for failing to comply with the data processing principles of lawfulness, fairness and transparency in its cookie management solution based on the Interactive Advertising Bureau (IAB) Europe's Transparency and Consent Framework (TCF). This is the first time that the Hungarian authority has imposed a fine for cookie management issues and made it public.

The Hungarian authority made a number of important findings and determined that the use of cookies and the assignment of cookie identifiers to website visitors constitutes the processing of personal data. The website operator, as the data controller, is responsible for the modules it uses on its website, the third parties to which it transfers data and the legal basis on which it relies, and must clearly and transparently identify, describe and justify the specific processing purposes and legal grounds for the data processing.

The authority expects the design of the cookie banner to comply with the requirements of fairness and transparency. This requires disclosure of the categories of personal data processed, the relevant cookies, their purposes and functions. In this case, the authority found that the excessively long banner text, shown in a small area of the screen, and the process for selecting among over 700 data transfer partners did not meet these requirements. The cookie notice disclosed essentially the same processing purposes for consent and legitimate interest, giving users the false impression that the controller could continue to process data based on its legitimate interest in the absence of consent.

The authority also stated that it must be as easy to withdraw consent as it is to give it. For example, this requirement is not met if the "Reject All" button is only available on the second banner level, whereas the "Accept All Cookies" button is on the first banner level.

The data controller argued that it had based its cookie management solution on IAB Europe's Transparency and Consent Framework, which, according to the data controller, is a market standard. However, the Hungarian authority did not accept these arguments. The Hungarian authority referred to the decision of the Belgian DPA, which had already found that IAB Europe's framework was illegal, and confirmed that the findings of that decision applied to this case as well.

This decision provides useful guidance for the design of cookie management solutions. However, the authority did not analyse the issues of dark patterns and international data transfers in the context of AdTech operations, so it is expected that practice may evolve on this point.

By Adam Liber and Tamas Bereczki, Partners, Provaris