How does the cookie crumble under GDPR?

For most internet users, cookie pop-ups or banners on websites are an annoying and all too frequent distraction.

The phrase “We use cookies to improve the quality of our website and to better understand how you use it…” is one most of us probably now know by heart!

For website owners, cookies are a valuable tool mainly used to retrieve the personal data and track the browsing patterns of visitors. But the fact that cookies can be used to identify an individual via their device means they also fall under the ‘personal data’ focus of the GDPR introduced earlier this year.

The regulation recognises cookie and device IDs and IP addresses as personal data and only allows them to be processed provided they fall under one of the permitted reasons – either a legitimate interest or a freely given, specific, informed and unambiguous consent. But most online service providers tracking users for advertising purposes have still not changed their internal data processing practices or updated their cookie notifications and policies to reflect this.

There are many misconceptions around the area of data privacy and cookies, mainly related to varying interpretations of the E-Privacy Directive in different EU countries. In France, some clarity was provided by the French Council of State (the highest court for administrative cases) in a case between website publisher Editions Croque Futur and the French data protection authority (the CNIL). In that case the court decided that the publisher had infringed French data protection laws because it illegally processed users’ personal data retrieved from cookies.

The case highlighted how cookies used for advertising purposes to support a website publisher’s business model cannot be used under the ‘legitimate interest’ requirement and therefore require users’ consent.

Moreover, the third parties which were allowed to enable cookies on the website were recognised as data controllers. The website publisher had to take reasonable measures to ensure the data processing of third parties was carried out in a compliant manner and in particular, that they did not enable non-compliant cookies.

Most importantly, the Council of State said that in this instance the website publisher was expected to ask for users’ consent and could not just rely on internet browser settings to control the cookies. Users had to be given the option to express their consent based on clear information describing different categories of cookies, allowing them to object to their use and explaining the consequences on their browsing experience if they did object.

Negotiations over the new E-Privacy Regulation are currently taking place in the Council of the EU, which has put forward a new proposal for amendments to provisions relevant to cookies and other online trackers. The ruling of the French Council of State appears to have been taken into consideration, as the proposed provisions allow cookies to be enabled if a user consents, or when it is necessary to ensure the security of a website or to detect technical faults.

In order to gain the consent of a user, a website must clearly state how cookies collect personal data, what the purposes are, who the data controller is, and how to stop or minimise the data collection.

Some other relevant information defined in Article 13 of GDPR, including information about the recipients of data, should also be provided. The Council suggests deleting the option to express consent within the internet browser settings as highlighted by the French Council of State decision.

However, perhaps surprisingly, Article 8 (1) (d) of the new proposal allows the use of cookies without consent when the data controller seeks to measure the audience or uses a data processor for this purpose.

If this is eventually adopted into the new regulation, it could be used as a legal basis for online advertisers to use cookies without obtaining consent. Whether this is integrated or not, the fact remains that clarity around opt-in requirements is essential for organisations to make informed decisions and build meaningful relationships with their stakeholders. Being proactive is essential and having the right advice can make all the difference.

We have a suite of information around the GDPR and what it might mean for your business and if you would like to find out more, you can do so by using the link below or contacting us on +44 20 7090 1091.

GDPR Insights


