The GDPR, Cookie Consent and Customer Centric Privacy

The EU General Data Protection Regulation (GDPR) has now been officially published, and will be enforced across the EU from 25 May 2018. The new law heralds a big change for online services in particular, and explicitly brings the use of cookies and similar technologies under its remit.

In recognition of the changes, the European Commission has launched a public consultation as part of a process for a revision of the ePrivacy Directive from which the EU cookie laws are derived.  The aim of this revision is to make sure these two instruments are harmonised for maximum consistency in the areas where they overlap.

So in this article I will attempt to provide an overview of what the GDPR may mean for cookie consent as we have come to know it, and the opportunities this presents for forward thinking businesses to embrace a customer first online experience with respect to privacy.

GDPR Relationship with ePrivacy Directive

Without going into too much detail, the GDPR is an over-arching piece of legislation dealing with all aspects of the processing of personal information. The ePrivacy Directive has a tighter focus on communications and internet services, which in the jargon ‘particularises’ the data protection rules. Meaning it relies on the general rules of the GDPR and overlays these with more specific requirements within its own remit.

One of the issues being looked at for the reform of ePrivacy is to turn this also into a Regulation that is directly applicable rather than relying on changes to individual Member State laws.  If that happens, and it seems there is a strong appetite for it, then this will remove much of the differences in interpretation of the cookie rules in different countries.  Overall this will make life easier for website owners, and especially for multinationals, although in some countries this will inevitably mean the rules become stricter than they are now.

GDPR on Cookies

Cookies are mentioned once in the GDPR, in Recital 30:

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What this essentially tells us it that cookies, where they are used to uniquely identify the device, or in combination with other data, the individual associated with or using the device, should be treated as personal data. This position is also reinforced by Recital 26, which states that where data can reasonably be used, either alone or in conjunction with other data to single out an individual or otherwise identify them indirectly, then it is personal data.

Use of pseudonymous identifiers (like strings of numbers or letters),which is what cookies typically contain to give them uniqueness, still makes them personal data.

So under the GDPR, any cookie or other identifier, uniquely attributed to a device and therefore capable of identifying an individual, or treating them as unique even without identifying them, is personal data.

This will certainly cover almost all advertising/targeting cookies; lots of web analytics cookies; and quite a few functional services like survey and chat tools that record user ids in cookies.

GDPR on Consent

Under existing rules, cookies that are not strictly necessary require consent, and the definition of consent and the requirements associated with it, changes under the GDPR.  To really understand what this means for cookies, have a look at Recital 32 (emphasis is mine):

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

This suggests that consent for cookies will need to become much more clearly opt-in, or at the very least soft opt-in, so that landing on a site for the first time cookies have to be blocked until the user takes some action that they are clear will result in cookies being set.

A site that sets cookies for different purposes will also need to obtain consent for each separate purpose, however this might be a challenge considering that the process should not be too disruptive.  Balancing this may be tricky, but there is another condition on consent, which might help that we can find in Article 7(3):

The data subject shall have the right to withdraw his or her consent at any time. …. It shall be as easy to withdraw as to give consent.

Taken together, it would seem reasonable that consent will be valid, and avoid being unnecessarily disruptive, if the user can be presented with an initial notice and simple choice, yet will always be able to modify their choice in a more granular way, based on the different types of cookie processing taking place, if they choose to.

In short, the Optanon model of a dismissible notice, coupled with an always available control panel with granular controls, would seem perfectly suited to a GDPR influenced model for cookie consent.

Going Beyond Consent?

The only legal means for setting non-exempted cookies in the ePrivacy Directive is consent.  However, having established that cookies involve personal data, and knowing there is a desire to harmonise the two instruments, it seems likely that the next set of cookie rules will allow other means for setting cookies.

So we could see cookies being set based on performance of a contract, or the legal obligations of the site owner.  This could reasonably be used for things like fraud detection and security, particularly around ecommerce processing.  However, the most likely best candidate is probably the ‘legitimate interests of the controller’, which would potentially allow the website to set cookies without consent. This is not quite a get out jail free card, and couldn’t apply in the public sector, but it could be a viable option for certain types of cookie processing – especially things like first party web analytics.

There are however a couple of things to be aware of with legitimate interests.  Article 6(4) sets out several conditions for using legitimate interests, and the site owner as data controller would need to make sure they have considered and documented their justification based on these conditions.  4(b) in particular, which requires giving consideration of the relationship between controller and data subject, is likely to make legitimate interests difficult to use when third party cookies are involved, especially if this to do with profiling, as is the case in most types of targeted online advertising and marketing.

Legitimate interests also comes with it the right to object to the processing by the individual (Article 21).  So even if this could be used to set some types of cookies without consent – it would still require the ability of the user to opt-out of such usage. 

Customer Centric Privacy

Whatever the details, knowing that there is a desire to harmonise ePrivacy and the GDPR, and that the latter places much emphasis on the individual having greater control, it seems inevitable that the future of cookie consent is clearer and more granular choice for visitors.

Such an approach will make things more complex for those site owners who have not yet embraced what we might call the spirit of the current cookie laws. However doing so will not only be aligned with the ideas of Privacy (or Data Protection) by Design that are clearly gaining prominence, they could also actually lead to better user experience.  It will become a lot less like interrupting the user journey, and a lot more like offering a range of visitor choices through readily accessible control interfaces, which can also cover much more than just cookie based options.

There is an opportunity here for a new kind of negotiation between services and users.  It is a technological reality that to enable some kinds of services and functionality to be delivered, information has to be collected.  So it does not seem unreasonable for cookie choices to also become service choices, in the form of “you must accept these cookies to see this content, or use that tool”.

Taking this approach then cookie consent can actually become a transparent choice for each person to make, trading information for access. This is not only privacy friendly for those who want it, it is also customer-centric – something that many businesses aspire to, but few truly deliver in the online experience.