The General Data Protection Regulation (GDPR) has been around for more than two years now, and it would not be an overstatement to say that it has shaken up the whole marketing industry. In this post, we will address the use of various tracking technologies in a GDPR-compliant manner – to offer interest-based advertising and stay accountable at the same time.
Cookies and compliance with privacy legislation
Note that this post discusses compliance with the EU privacy rules on cookies; the California Consumer Privacy Act (CCPA) and the Lei Geral de Proteção de Dados (LGPD) do not necessarily apply in the same way. Using web analytics in the US, for example, is more relaxed and does not require prior consent. You should understand well which laws govern your activities.
Before moving to a question of lawfulness, it is crucial to differentiate cookies by categories based on the purposes they serve.
- Strictly necessary cookies are essential for a website to work correctly. The most common example is online shopping, where a site remembers items placed in a cart.
- Functional cookies help to facilitate the use of a website and enhance the user’s experience. For example, they remember language preferences and enable some extra functionalities.
- Analytical cookies collect information about how visitors use sites and about the visitors themselves. We can divide them into two subcategories:
  - Statistical – analyze the traffic and offer an aggregated overview of users’ interaction with a website, and
  - Marketing – track users’ online activity to understand their needs better and provide more relevant advertisements.
GDPR and ePrivacy Directive
It may come as a surprise, but the GDPR is not the only and, more importantly, not the first law to consider before using cookies. The GDPR sets forth the fundamentals of personal data protection: principles of processing, data subjects’ rights, controllers’ and processors’ duties, etc. In contrast, the ePrivacy Directive (aka the Cookie Law) guarantees respect for private life and protects personal data in electronic communications in particular.
In practice, it means that the ePrivacy Directive prevails over the GDPR in situations where electronic communications are involved. However, unlike the GDPR, the ePrivacy Directive does not have a direct effect, i.e., each EU country has its national law implementing the Directive’s provisions. While it might lead to some deviations between different jurisdictions, the core rules will remain the same.
Cookie consent foundations
Under the ePrivacy Directive, there is a general requirement to ask for the user’s consent before using any cookies. Importantly, this requirement applies regardless of whether any personal information is processed. This is because placing cookies on a user’s device is considered interference with that user’s private space and thus requires prior permission.
Notably, it is the GDPR that defines consent. Accordingly, it must be any freely given, specific, informed and unambiguous indication of wishes by which a data subject, by a statement or by clear affirmative action, signifies agreement to the processing of personal data. This wording contains quite a lot of meaning to grasp, and it could be the subject of a separate blog post to explain what a GDPR-compliant consent entails.
Leadoo has prepared a detailed, up-to-date guideline on asking for cookie consent to help its customers comply. As a preview, consider that the widespread practice of assuming or implying a user’s permission from the mere act of browsing a website is no longer legal in Europe.
Cookie consent exception
From the categories mentioned above, only essential cookies fall under the ePrivacy Directive consent exception. The Directive refers to them as strictly necessary to provide an information society service explicitly requested by the subscriber or user. Notably, it is a very narrow exception. Most of the cookies that facilitate the use of a website, but are not strictly necessary and not explicitly requested, still need user consent. There is no mercy for analytical cookies, either.
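As an added example that is not part of the original post and not Leadoo’s code, the following JavaScript encodes the cookie categories listed above together with the consent rules from the last two sections: only strictly necessary cookies may be set before any decision, merely browsing counts as no decision, a recorded decision covers exactly the categories the user opted into, and consent can be withdrawn. The cookie names, the registry and the `sink` callback that stands in for `document.cookie` are constructed assumptions for the example.

```javascript
// Added example (not Leadoo's code). Cookie names, the registry and the
// `sink` callback are constructed; in a browser the sink would write document.cookie.

// Purpose categories from the post. Only "necessary" is exempt from consent.
const CATEGORIES = Object.freeze({
  NECESSARY: 'necessary',
  FUNCTIONAL: 'functional',
  STATISTICAL: 'statistical',
  MARKETING: 'marketing',
});
const CONSENT_CATEGORIES = Object.values(CATEGORIES).filter(c => c !== CATEGORIES.NECESSARY);

// Constructed registry: every cookie the site sets, mapped to its purpose.
// Unregistered cookies are refused (fail closed) so nothing slips past the gate.
const COOKIE_REGISTRY = Object.freeze({
  cart_id: CATEGORIES.NECESSARY,
  lang: CATEGORIES.FUNCTIONAL,
  visit_stats: CATEGORIES.STATISTICAL,
  ad_profile: CATEGORIES.MARKETING,
});

class ConsentGate {
  constructor() {
    // null means no decision has been recorded: merely browsing is not consent.
    this.optedIn = null;
  }

  // Record an explicit, affirmative decision: the list of categories opted into.
  // An empty list is a valid decision ("reject all"); unknown names are rejected.
  recordDecision(categories) {
    for (const c of categories) {
      if (!CONSENT_CATEGORIES.includes(c)) {
        throw new Error(`unknown consent category: ${c}`);
      }
    }
    this.optedIn = new Set(categories);
  }

  // Consent can be withdrawn at any time; afterwards the site is back to the default.
  withdraw() {
    this.optedIn = null;
  }

  isAllowed(category) {
    if (category === CATEGORIES.NECESSARY) return true; // ePrivacy exception
    if (this.optedIn === null) return false;            // default deny before a decision
    return this.optedIn.has(category);
  }
}

// Set a cookie only if its category is currently allowed. `sink(name, value)`
// stands in for document.cookie. Returns true if the cookie was written.
function setCookieIfAllowed(gate, name, value, sink) {
  const category = COOKIE_REGISTRY[name];
  if (category === undefined) {
    throw new Error(`refusing to set unregistered cookie: ${name}`);
  }
  if (!gate.isAllowed(category)) return false;
  sink(name, value);
  return true;
}

// Names of registered cookies that are no longer permitted, e.g. after a
// withdrawal; the caller should expire them on the client.
function cookiesToClear(gate) {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([, category]) => !gate.isAllowed(category))
    .map(([name]) => name);
}

// Walk through one visit and return which cookies were written at each stage.
function simulateVisit() {
  const gate = new ConsentGate();
  const jar = new Map();
  const sink = (name, value) => jar.set(name, value);
  const attemptAll = () =>
    Object.keys(COOKIE_REGISTRY).filter(n => setCookieIfAllowed(gate, n, 'v', sink));

  const beforeDecision = attemptAll();       // only cart_id
  gate.recordDecision([CATEGORIES.FUNCTIONAL, CATEGORIES.STATISTICAL]);
  const afterPartialOptIn = attemptAll();    // cart_id, lang, visit_stats
  gate.withdraw();
  const toClear = cookiesToClear(gate);      // lang, visit_stats, ad_profile
  return { beforeDecision, afterPartialOptIn, toClear };
}

console.log(JSON.stringify(simulateVisit(), null, 2));
```

The registry is the important design choice: every cookie the site can set is declared with its purpose up front, and an undeclared name is refused rather than allowed, so a new tracking script cannot bypass the gate by simply not being categorized.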
Hope for the future
The current situation is about to change soon, as a new ePrivacy Regulation is coming to replace the Directive. Like the GDPR, it will be directly and uniformly applicable in all EU countries. Among the proposed novelties are two additional cookie consent exceptions of interest here:
- when cookies are necessary for audience measurement, which will potentially cover analytical cookies used for statistical purposes, and
- when required for legitimate interests of a service provider, except when users’ privacy rights override such interests. This category may potentially include some functionality and other cookies that do not interfere considerably with the user’s privacy. However, cookies used for profiling are explicitly excluded from this exception, while some other cookies used to deliver advertisements may be allowed without asking for consent.
For now, it remains mandatory to ask for visitors’ consent to use any cookies other than strictly necessary ones. If you would like to receive detailed guidelines on how to do it correctly, contact your customer success person at Leadoo or download our comprehensive guide below! ⤵️