Must a website get consent from a user before placing cookies in the user’s browser? The EU’s ePrivacy Directive says that yes, consent from the user is required prior to placement of most cookies (regardless of whether the cookies track personal data). But under the General Data Protection Regulation (GDPR), consent is only one of several “lawful bases” available to justify collection of personal data. If cookies are viewed as “personal data” under the GDPR – specifically, the placement of cookies in a user’s browser – must a website still get consent in order to place cookies, or instead can the site rely on one of those other “lawful bases” for dropping cookies?
First, are cookies “personal data” governed by the GDPR? Or to be more precise, do cookies that may identify individuals fall under the GDPR? This blog says yes: “when cookies can identify an individual, it is considered personal data. … While not all cookies are used in a way that could identify users, the majority (and the most useful ones to the website owners) are, and will therefore be subject to the GDPR.” This blog says no: “cookie usage and its related consent acquisition are not governed by the GDPR, they are instead governed by the ePrivacy Directive.” (emphasis added) Similarly with this blog.
Arguably, the debate doesn’t matter. Under the GDPR, websites need a “lawful basis” for processing of personal data. Consent is one such lawful basis, but there are others – legitimate interests, performance of a contract, etc. The GDPR does not expressly assign preferences among the different lawful bases. Similarly, except for processing of “sensitive” personal data, the GDPR does not single out any particular type of processing as requiring any one or another such basis. The GDPR does not – by itself – require that user consent be obtained prior to the placement of cookies.
On the other hand, assuming that cookies are subject to the GDPR, consent would apparently satisfy the GDPR’s lawful basis requirement for processing of cookies, as would any of the other enumerated bases. One could therefore say that the GDPR requires X and the ePrivacy Directive requires Y, and that compliance with the GDPR does not excuse a website from complying with other applicable laws (READ: the ePrivacy Directive). As James Clark of DLA Piper put it, “Firstly, important concepts in e-privacy law – such as consent and transparency – must be interpreted in accordance with data protection law. Secondly, the use of cookies will in many cases involve the processing of personal data, which then implicates the GDPR.”
While the GDPR explicitly superseded the EU’s 1995 Data Protection Directive, it did no such thing with the ePrivacy Directive, which remains very much in effect. (See, for example, the March 2019 opinion of the European Data Protection Board (EDPB), discussing the interplay between the two laws.)
Second, to the extent cookies fall under both the GDPR and the ePrivacy Directive, what types of cookies are governed by the two laws?
GDPR: “Session” cookies ordinarily expire at the end of a user’s “session” on the website and do not track a user’s personal data, and therefore are not ordinarily subject to the GDPR. “Permanent” or “persistent” cookies, whether placed by the website operator or a third party operating on the website, do not expire or expire only after remaining in the user’s browser for a set period after the end of the user’s session. Permanent cookies vary in their functions and may – or may not – track a user’s personal data. Cookies placed by website operators may serve to store a user’s website preferences, which don’t necessarily include personal data. Those placed by third parties such as analytics services and advertising networks more likely track users’ personal data.
However, the distinction between cookies placed by the website operator and those placed by third parties matters less than the question already raised above: “If the data can – by itself or combined – identify a specific individual, then it is personal data” under the GDPR.
ePrivacy Directive: The ePrivacy Directive requires a user’s prior informed consent for the placement of a cookie in a user’s browser, with two narrow exceptions where consent is not required: if the cookie is (1) “used for the sole purpose of carrying out the transmission of a communication”, or (2) “strictly necessary in order for the provider of [the service] explicitly required by the user to provide that service.” As CookieBot puts it on its blog, “the ePrivacy Directive is even more far reaching [than the GDPR], and requires that you get consent for setting all but the strictly necessary cookies.” That is, consent is required regardless of whether the cookies track personal data.
Consent properly obtained for purposes of one law (ePrivacy Directive) may not necessarily satisfy the purposes of the other (GDPR). IAB Europe offers a summary of consent methods under the ePrivacy Directive including cookie banners (which may or may not require affirmative “acceptance”), cookie walls (which do require affirmative acceptance or at least remain front-and-center until accepted) and implied consent (which may be based on a user’s browser settings allowing for cookies, although still a higher threshold than implied consent of “well, you used the website and you were therefore bound by our privacy policy”).
Recital 32 of the GDPR describes “affirmative action signaling consent”, such as “ticking a box” on a website (affirmative opt-in), “choosing technical settings for information society services” (browser settings) and “another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”. Likewise, Recital 32 frowns on “silence, pre-ticked boxes or inactivity” (such as “well, you used the website and you were therefore bound by our privacy policy”) and blanket, non-specific consents that do not disclose all intended uses.
It is not certain that even a click-through cookie wall (presumably acceptable under the ePrivacy Directive), which is unavoidable and therefore arguably not freely accepted, would satisfy Recital 32’s standard of “conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”. As France’s DPA (the CNIL) stated in the summer of 2018:
For example, a mobile phone operator collects the consent of its customers for the use of their contact details by partners for commercial prospecting purposes. Consent is considered free provided that the customer’s refusal does not impact the provision of the mobile phone service.
In fact, the UK Information Commissioner’s Office (ICO), commenting on cookie walls in its recently published “Guidance on the use of cookies and similar technologies”, stated that “If your use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing your service, then it is unlikely that user consent is considered valid.”
Further, the GDPR’s requirement of a higher-level “explicit” consent for “sensitive” personal data (data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, sexual orientation) precludes the use of implied-consent methods for cookies that touch on this data.
This is consistent with the current regulatory trend. France’s CNIL recently reversed its own 2013 blessing of scrolling, swiping or browsing through a website as valid indications of consent, saying these are “no longer in line with the applicable rules”. Meanwhile, Phil Lee of Field Fisher pointed out that the UK’s ICO updated its own cookie consent tool just last month with, among other things, an analytics cookies button defaulted to ‘off’.
The overlap – and, in particular, the conflicts – between the ePrivacy Directive and the GDPR is generating this recent buzz of cookie-specific regulatory activity from the national DPAs. The ability to rely on one of the GDPR’s non-consent bases to satisfy the lawful processing requirement for cookies may be more of a theoretical construct, since consent is going to be required anyway by the ePrivacy Directive, and at least the UK’s ICO seems to believe that a “legitimate interests” basis will not suffice.