How does the cookie crumble under GDPR?For most internet users, cookie pop-ups or banners on websites are an annoying and all too frequent distraction.

The phrase: “We use cookies to improve the quality of our website and to better understand how you use it……” is one most of us probably now know by heart!

For website owners, cookies are a valuable tool mainly used to retrieve the personal data and track the browsing patterns of visitors.  But the fact that cookies can be used to identify an individual via their device means they also fall under the ‘personal data’ focus of the GDPR introduced earlier this year

The regulation recognises cookie and device IDs and IP addresses as personal data and only allows them to be processed provided they fall under one of the permitted reasons – either a legitimate interest or a freely given, specific, informed and unambiguous consent. But most online service providers tracking users for advertising purposes have still not changed their internal data processing practices or updated their cookie notifications and policies to reflect this.

There are many misconceptions around the area of data privacy and cookies, mainly related to varying interpretations of the E-Privacy Directive in different EU countries. In France, some clarity was provided by the French Council of State (the highest court for administrative cases) in a case between website publisher Editions Croque Futur ( and the French data protection authority (the CNIL). In that case the court decided that the publisher had infringed French data protection laws because it illegally processed users’ personal data retrieved from cookies.

The case highlighted how cookies used for advertising purposes to support a website publisher’s business model cannot be used under the ‘legitimate interest’ requirement and therefore require users’ consent.

Moreover, the third parties which were allowed to enable cookies on the website were recognised as data controllers. The website publisher had to take reasonable measures to ensure the data processing of third parties was carried out in a compliant manner and in particular, that they did not enable non-compliant cookies.

Most importantly, the Council of State said that in this instance the website publisher was expected to ask for users’ consent and could not just rely on internet browser settings to control the cookies. Users had to be given the option to express their consent based on clear information describing different categories of cookies, allowing them to object to their use and explaining the consequences on their browsing experience if they did object.

Negotiations over the new E-Privacy Regulation are currently taking place in the Council of the EU which has put forward a new proposal for amendments on provisions relevant to cookies and other online trackers. The ruling of the French Council of State appears to have been taken into consideration as the proposed provisions allow cookies to be enabled if a user consents, or when it is necessary to ensure the security of a website or to detect technical faults.

In order to gain the consent of a user, a website must clearly state how cookies collect personal data, what the purposes are, who the data controller is, and how to stop or minimise the data collection.

Some other relevant information defined in Article 13 of GDPR, including information about the recipients of data, should also be provided. The Council suggests deleting the option to express consent within the internet browser settings as highlighted by the French Council of State decision.

However, perhaps surprisingly, Article 8 (1) (d) of the new proposal allows the use of cookies without consent when the data controller seeks to measure the audience or uses a data processor for this purpose.

If this is eventually adopted into the new regulation, it could be used as a legal basis for online advertisers to use cookies without obtaining consent.Whether this is integrated or not, the fact remains that clarity around opt-in requirements are essential for organisations to make informed decisions and build meaningful relationships with their stakeholders. Being proactive is essential and having the right advice can make all the difference.

We have a suite of information around the GDPR and what it might mean for your business and if you would like to find out more, you can do so by using the link below or contacting us on +44 20 7090 1091.

GDPR Insights



Article Author.

Raminta Šulskutė

Data Protection Consultant
Raminta has over 8 years' of legal experience. She has worked within private, public and not-for-profit organisations on data protection,... Read More From Raminta Šulskutė

Our Latest Insights.

Our work means different things to different clients and we wanted to share some details of the projects we have managed to give you an insight into our capabilities and the impact we have delivered as a business.


View All Insights

Say Hi.

Did you like what you read? Did you want to find out more about the subject? Or did you simply want to get in touch with us? Either way if you would like to get in touch with us you can do so using the form on the right.

Gemserv will use your details to get in touch with you and to send you information about our products and services that you have requested, in accordance with our privacy policy. You can, of course, opt out of these communications at any time!

Get In Touch

Want to find out more?

Follow the links below find out more about the services we provide, our insight into the industries we serve or the opportunities available with us.
Sectors Capabilities Our Insights Careers