
I am planning a small demo application using DRF, and when using the DRF web interface csrftoken cookies are saved by default. After reading tons of material about GDPR and cookies I completely disabled cookies and CSRF security; these cookies are known to be necessary for security reasons. The site with this app worked for about 2 days and used cookies without notifications, but now cookies are completely disabled. Is there any chance of getting a penalty for these 2 days? I don't know how it works, and I have read information about penalties for big companies, but what about small sites and private persons?

ND8801

1 Answer


It seems like you are overreacting: yes, private persons also have to comply with GDPR + ePrivacy. But fines must be proportional, and not all cookies require consent in the first place.

The cookie consent requirement comes from the ePrivacy directive, which requires that you can only access information (such as cookies) on an end user's device in one of the following circumstances:

  • the end user has given their consent, where the definition of consent is taken from the GDPR;
  • the storage/access is technically necessary to perform a transmission (e.g. buffering or caching); or
  • the access is strictly necessary to provide a service explicitly requested by the end user.

These rules apply regardless of whether the information involves personal data. However, you are suggesting using cookies for a CSRF token. Typically, ensuring the security of a service is strictly necessary to provide that service on the internet. In fact, the GDPR requires you to implement security measures if they are appropriate. Therefore, purely functional cookies and cookies that are only used for such security purposes do not generally require any consent. The use of cookies should still be disclosed in a privacy notice, though.

GDPR and ePrivacy have no exception for small businesses or natural persons. They too must comply if their activities fall within the scope of these laws. However, there might be exceptions if these services are not publicly accessible. In particular, the GDPR exempts processing for a “purely personal or household activity”.

There have been fines for individuals. One of the smallest GDPR fines I could find is a EUR 48 fine for an Estonian police officer who accessed information in a police database for personal purposes. In another case, a car owner was fined EUR 300 for using a dashcam illegally. I'm not aware of small fines due to improper cookie consent, because cookies are not an enforcement priority for most data protection agencies.

While fines must be large enough to act as a deterrent, they also have to be proportional to the issue at hand. Two days with an insufficient cookie notice for cookies that probably don't even need consent and probably impacted no one is an extremely minor issue, and unlikely to even result in an investigation. Furthermore, supervisory authorities don't usually start an investigation unless they receive a complaint from an affected data subject.

amon