Poland

Can you place cookies without consent?

No. According to the Telecommunications Law (Art. 173) (the “Telecoms Law”), which implements cookie regulations into Polish law, cookie consent is necessary.

Cookie consent can be expressed by adjusting the settings of the software installed in the telecommunications terminal equipment used by the subscriber or end user, or by adjusting service configuration settings (e.g., browser settings). Since 2019, the Telecoms Law has required cookie consent to conform to GDPR consent requirements (Art. 174 Telecoms Law).

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes, although the market approach is twofold. There are still entities which rely on implied consent provided by user browser settings (such consent is obtained by further use of the site without changing default browser settings).

The President of Polish Personal Data Protection Office (the “Polish DPA”) decided that such consent is not valid. Market practice is shifting towards active consent collection, i.e., consent obtained by means of consent management tools.

Are there any exemptions if consent is required?

Yes. The Telecoms Law allows for the use of “strictly necessary cookies” without consent, provided that such use is necessary for the purposes of:

  • performing message transmission via the public telecommunications network; or
  • providing a telecommunications service or a service provided via electronic means (information society service), as requested by the subscriber or end user.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

No, only strictly necessary cookies can be placed automatically without consent. The Polish DPA stated in its decision that consent is not necessary when cookies are used to ensure the proper functioning of the website, e.g. displaying certain content or ensuring its security.

However, the Polish DPA is the regulator responsible for supervising personal data processing and not the regulator tasked with supervising the use of cookies (which is the responsibility of the President of the Electronic Communication Office).

Neither the Telecoms Law nor regulatory guidance provide for any additional exemptions, which means that use of other types of cookies requires consent.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

The Telecoms Law does not make this clear. On the one hand, cookie consent should meet the GDPR standard for consent; so implied consent is unlikely to be deemed sufficient. However, due to a provision allowing for the collection of cookie consent by way of adjusting service configuration settings (e.g., by browser settings), some have argued that implied consent via browser settings is also possible.

According to the Polish DPA caselaw1, consent provided passively via browser settings without action on the part of the user is invalid, as it does not meet the requirements contained in Art. 4 (11) of the GDPR. Subsequently, the Polish DPA ordered the deletion of the IP address and Cookie ID. The caselaw resulted from data subject complaints. No administrative fines were imposed. One of the decision’s was repealed2, but the Polish DPA upheld its reasoning in a subsequent decision.

Nevertheless, it is still quite common for website operators to assume that a user who does not change his or her browser settings and continues to use a website, consents to the use of cookies.

Can you set cookies without a cookie notice? 

No, the Telecoms Law requires that the user is informed expressly and in advance, in an unambiguous, simple, and comprehensible manner, about:

  • the purpose of the storing and accessing of such information; and
  • the possibility of adjusting the settings of the software installed in the telecommunications terminal equipment used by that subscriber or end user or by adjusting the configuration of the service (e.g., by way of browser settings).

The Polish DPA confirmed in a recent decision that the user needs to obtain a privacy notice before the user may consent to the use of cookies. Some entities (usually those who implement a consent management tool) add information about retention periods and the specific cookie being used.

Can you set cookies without a cookie banner/ management tool?

No, cookie banners/ management tools are necessary. Cookie banners are commonly used regardless of whether consent is obtained via browser settings or a management tool.

Are you able to use cookie walls? 

There are no guidelines or enforcement decisions on this. Cookie walls were used by the biggest publishers on the Polish market once the GDPR entered into force, this was not challenged by regulators. However, most large publishers operating in the market have since implemented the IAB Europe Transparency and Consent Framework v 2.0 and thus no longer use cookie walls.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Not proactively. There are two regulators responsible for the enforcement of cookie rules: (i) the Polish DPA in charge of data processing and (ii) the President of the Electronic Communication Office in charge of cookie rules. Neither are active in enforcement against breaches of cookie rules or related data processing.

However, the Polish DPA acts in response to complaints, for example:

  • following complaints from NOYB against a number of Polish companies, the Polish DPA undertook proceedings relating to the use of cookies and related data transfers, and
  • in response to two complaints from the Panoptykon Foundation, it acted against two major Polish publishers regarding the right of access to a user’s behavioural profile created using cookies. In one case, the publisher was ordered to provide the information to the user.

It is rumoured that a number of cookie cases are pending before the Polish DP.

Are there any current consultations relating to ad tech/cookies?

No.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Yes, however:

  • the anticipated changes in the rules are likely to differ little from the current rules; The Telecoms Law will be replaced by a new act – the Electronic Communications Law (a new draft of the Electronic Communication Law is to be published by the Government in Q1 2024). The proposed wording regarding the use of the cookies in the moat recent draft law is like that of the Telecoms Law, and
  • the Polish DPA's caselaw may accelerate change in market attitudes, which have been evolving in the direction of active consent for some time now.

 

1Decisions issued by the Polish DPA (i) on 7 October 2021, case no ZSPR.440.331.2019.PR.PAM and (ii) on 9 March 2023, case no DS.523.4364.2021.PR.PAM.
2JJudgement of the Administrative Court in Warsaw issued on 11 July 2022m case no. II SA/Wa 3993/21 repealing the decision issued by the Polish DPA on 7 October 2021, case no ZSPR.440.331.2019.PR.PAM.