Cookies, the GDPR, and the ePrivacy Directive
The General Data Protection Regulation (GDPR) of the European Union and the ePrivacy Directive of the EU require you to get explicit consent from your users before placing cookies on your website or app. There is no workaround.
But there is a catch: not all consent is valid. The EU data protection laws require you to obtain consent in a specific way for it to be lawful, and if it is not lawful, you may receive a GDPR fine.
As an example, the advertising company Criteo was fined EUR 40 million for failing to obtain consent before using cookies. That may happen to any company.
In this article, we’ll delve into how both laws regulate cookies and what you need to do to track your users without violating the laws.
What Are Cookies?
Recital 30 of the GDPR defines them with these words:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In simple words, cookies are small text files that a website or app stores on a user’s device to identify the user and track them.
There are many types of cookies, but for data protection compliance, the most important differentiation for you is the one based on the processing purposes:
- Analytics Cookies – Includes the cookies used by tools such as Google Analytics, Hotjar, Amplitude, and similar ones, serving to collect data on the usage of the website or app.
- Preferences Cookies – The ones that remember whether you prefer light or dark mode, font size, etc.
- Marketing/Advertising Cookies – These cookies are mostly placed on your device by third-parties (not the website/app you visit). They are mainly used to track your browsing, build a profile based on your interests, and serve you with relevant ads on social media or other websites.
- Strictly necessary cookies – A website cannot function without these cookies: without them it either does not work at all or does not work properly. These cookies do not collect any personal data.
How Does the GDPR Regulate Cookies?
The GDPR does not regulate cookies directly. It focuses on how personal data is handled, regardless of the method used. As mentioned above, cookie identifiers are considered personal data; a cookie itself, however, is a method of data processing, and the GDPR regulates the processing, not the tools used for it.
Any data processing must rely on a specific legal basis. Of all the GDPR legal bases, the only one you can rely on for the use of cookies is the user’s explicit consent. There are no alternatives to obtaining consent.
While the GDPR addresses consent in Recital 32 and Art. 7, the EDPB Guidelines on consent have provided more detailed and specific guidance on the matter.
You must request and collect cookie consent in a specific way to be valid. It must be:
- Freely given, which means that you must not force the users into giving consent. Limiting access to the website until the user gives cookie consent, for example, is considered forced consent and is therefore not valid.
- Specific, which means that you need specific consent for each specific processing purpose. If you use analytics cookies and marketing cookies, you have to ask for two separate consents, one for each purpose.
- Informed, meaning that the user must be informed about your processing practices before giving consent. Providing enough information in plain language on the cookie banner or in your privacy policy would be sufficient in most cases.
- Unambiguous, requiring the user to take affirmative action to give consent. This means a few things:
  - “By browsing this website you agree to the use of cookies” is illegal in Europe. This is implied consent, not explicit. Browsing the website is not an unambiguous action to give consent.
  - The user gives consent only by clicking an ACCEPT COOKIES or a similar button, not by browsing the website.
  - Users should actively check each checkbox for each specific use. These checkboxes or toggles must not be pre-selected.
Moreover, the GDPR requires the controller to allow users to withdraw their consent as easily as it has been given. If they gave consent by clicking an ACCEPT button, clicking a WITHDRAW CONSENT button shall suffice for withdrawing it.
The cookies strictly necessary for running the services are exempt from the consent requirement. If your website or app could run without a specific cookie, it is not strictly necessary and you must not use it without consent.
Even if you comply with the GDPR’s cookie consent rules flawlessly, however, you might still face non-compliance issues due to your vendors. If they use cookies on your online properties without taking the GDPR into account, it can lead to compliance problems. That’s why it is important to ensure that your vendors also follow GDPR’s cookie consent regulations.
How Does the ePrivacy Directive Regulate Cookies?
Article 5(3) of the ePrivacy Directive requires consent for using cookies. It states that storing cookies in users’ devices is only allowed if the user:
- Is informed about the use of cookies, including the processing purposes;
- Has given consent to the use of cookies, and
- Is given the opportunity to refuse the cookies.
The only exception is the cookies necessary for running the service.
This is fully aligned with the requirements set up in the GDPR and the EDPB Guidelines on consent. The only difference between the two laws is that the GDPR, unlike the ePrivacy Directive, requires specific consent for each specific processing purpose.
The ePrivacy Directive is considered by many to be outdated. The European Commission is in the process of passing the ePrivacy Regulation, aiming to make websites both more private and more user-friendly. However, it has not been passed yet.
Article 5(3) of the ePrivacy Directive covers more than just Cookies
The EDPB provides Guidelines on the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions, such as URL and pixel tracking, local processing, tracking based on IP only, intermittent and mediated IoT reporting, and unique identifiers.
Article 5(3) of the ePrivacy Directive is most commonly known for establishing the cookie notice and cookie consent requirements in the EU. However, Article 5(3) of the ePrivacy Directive covers more than just cookies.
The EDPB stated that “information includes both non-personal and personal data, regardless of the method of storing and accessing these data.” According to this, Article 5(3) applies regardless of whether cookies or similar technologies are used to store or access information on someone’s terminal equipment.
In addition, the EDPB clarifies that Article 5(3) does not only apply to cookies, but also to tracking pixels, tracking links, other device fingerprinting techniques, certain types of local processing that transfer information outside of the user’s device, IoT reporting, and certain instances of IP tracking.
Planet49: CJEU Rules on Cookie Consent
Planet49 is a German online gaming company that was involved in a significant legal case regarding data protection and cookie consent. In the “Planet49” case, the CJEU ruled that a pre-selected checkbox on a website (which the user must actively deselect to refuse consent) does not constitute valid consent under data protection law.
A few other important points from the ruling include:
- The GDPR standard of consent applies to cookies under the ePrivacy Directive.
- The cookie consent rule (Article 5(3)) applies to any information installed or accessed by an individual’s device, regardless of whether the cookies constitute personal data.
- A website must provide information about the duration of cookies, and whether third parties will be able to access them.
It showed the importance of complying with data protection regulations and the requirements for valid consent, particularly when it comes to online tracking and cookies.
How to Use Cookies Without Violating the GDPR and the ePrivacy Directive?
In order to use cookies without violating the GDPR and the ePrivacy Directive, you need to do the following:
- Don’t use cookies (other than strictly necessary cookies) until the user provides consent
- Serve users with a cookie banner asking them for consent
- Cookie banners should be double-layered: a first layer with general information and a second layer for specific consent to each cookie type.
- The cookie banner shall provide information about the use of cookies, or a link to the privacy policy or cookie policy where you explain it in detail
- Request consent for each specific processing purpose without pre-checked boxes or active toggles
- Provide users with equally prominent buttons for accepting and rejecting cookies
- Don’t show only “accept all” cookies on your cookie banner. Specify all the options, including “decline all”.
- Store the consent to prove compliance
- Ensure that users can withdraw consent as easily as it has been given
- Ensure that your vendors do not use cookies on your website or app without your knowledge and users’ consent.
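The checklist above, together with the consent-validity requirements described earlier (no pre-selected toggles, separate consent per purpose, withdrawal as easy as giving consent, a stored record to prove compliance, and a check for vendor cookies set without consent), can be modelled in a small consent manager. The following JavaScript is an added example written for this article; it is not code from the article's author or from any consent-management product. The purpose names, the cookie-to-purpose mapping, the cookie names and the policy version string are all constructed for the example, and the `load` callbacks stand in for whatever actually injects a vendor's script.

```javascript
// Non-essential purposes that each need their own explicit consent.
const PURPOSES = ["analytics", "preferences", "marketing"];

// Cookies exempt from consent because the service cannot run without them
// (names constructed for this example).
const STRICTLY_NECESSARY = ["session_id", "csrf_token"];

// Which known cookie belongs to which purpose (constructed mapping; a real
// site would maintain this from its cookie policy / vendor inventory).
const COOKIE_PURPOSE = {
  _ga: "analytics",
  _hjid: "analytics",
  theme: "preferences",
  ad_profile: "marketing",
};

const POLICY_VERSION = "cookie-policy-v1"; // assumed identifier of the policy text shown

class ConsentManager {
  // `now` is injectable so the stored record can be tested deterministically.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.record = null; // nothing is stored until the user acts: no implied consent
  }

  // State of the second banner layer before the user touches it: every
  // toggle is off, so consent can only come from an affirmative action.
  initialChoices() {
    return Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }

  // True once the user has clicked accept, save or decline, so the banner
  // is not shown again; false while they have merely been browsing.
  hasDecided() {
    return this.record !== null;
  }

  // Called with the explicit per-purpose choices from the banner. "Decline
  // all" is simply a call with no purpose set to true.
  grant(choices) {
    const granted = PURPOSES.filter((p) => choices[p] === true);
    this.record = { granted, timestamp: this.now(), policy: POLICY_VERSION };
    return this.record; // persist this to prove compliance
  }

  // Withdrawal is a single action, as easy as the original ACCEPT click.
  withdraw() {
    this.record = { granted: [], timestamp: this.now(), policy: POLICY_VERSION, withdrawn: true };
    return this.record;
  }

  isAllowed(purpose) {
    return this.record !== null && this.record.granted.includes(purpose);
  }
}

// Gate vendor scripts on consent: only loaders for permitted purposes run.
// Returns the list of purposes that were actually loaded.
function loadTrackers(cm, loaders) {
  const loaded = [];
  for (const [purpose, load] of Object.entries(loaders)) {
    if (cm.isAllowed(purpose)) {
      load();
      loaded.push(purpose);
    }
  }
  return loaded;
}

// Extract cookie names from a Cookie header string such as "a=1; b=2".
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((kv) => kv.split("=")[0].trim());
}

// Audit the cookies present on the device against the current consent
// state. Flags non-necessary cookies whose purpose has no consent, and
// cookies not in the inventory at all (a vendor setting cookies without
// your knowledge). The same list is what a withdrawal handler should expire.
function auditCookies(cookieHeader, cm) {
  const findings = [];
  for (const name of cookieNames(cookieHeader)) {
    if (STRICTLY_NECESSARY.includes(name)) continue;
    const purpose = COOKIE_PURPOSE[name];
    if (purpose === undefined) {
      findings.push({ name, reason: "not in cookie inventory (unreviewed vendor cookie)" });
    } else if (!cm.isAllowed(purpose)) {
      findings.push({ name, reason: `no consent for purpose '${purpose}'` });
    }
  }
  return findings;
}

module.exports = { ConsentManager, loadTrackers, auditCookies, cookieNames };
```

Two design points carry the legal requirements: the manager holds no record at all until the user acts, so nothing is ever gated open by default or by a pre-selected toggle, and the audit treats an unknown cookie as a finding rather than ignoring it, which is how vendor cookies placed without your knowledge surface. Running the audit periodically against real `document.cookie` values (or server-side against request headers) before and after consent is given is the practical check that the consent flow actually holds.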
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.