An explanation of which is which and why; in relation to cookie (etc) consent.
TL;DR:
There are 2 different flavours of consent involved.
One comes from ePrivacy law and whether it’s required depends on what the cookie (etc) is for. This one must be tackled first.
The other comes from DP law and whether it is needed depends on why and how personal data is being processed. This one comes after ePrivacy law is satisfied.
What’s ePrivacy law?
ePrivacy law (EU Directive and Member State implementations in domestic law) regulates confidentiality, privacy & security of electronic comms over public infrastructure (the internet & phone lines)
Is that different to data protection?
Yes. Data protection law (the GDPR in Europe) regulates processing of personal data.
So what does ePrivacy law say?
ePrivacy law (one bit of it anyway) says ‘don’t put data on/read data off client devices unless it’s either strictly necessary to do so to make the communication possible OR you’ve told the end user what you’re doing and they’ve given their consent’. Ergo, this applies to cookies, LSOs and pixel trackers.
And how is that different to what the GDPR says?
The GDPR says ‘process PERSONAL DATA lawfully, fairly and transparently; here’s how:’
(NB; ‘personal data’ is a much wider field than ‘PII’ - beware of confusing the two!)
To process personal data lawfully, one of six lawful bases must apply. Consent is one of these, but in many cases, will not be appropriate or valid.
So what does that have to do with cookies?
Well. If setting/reading a cookie doesn’t result in any personal data being acquired, generated, transmitted, shared, inferred etc then the GDPR does not apply. Don’t worry about it.
But that comes second - ePrivacy law has to be considered beforehand. So the first question must be “Is the cookie ‘strictly necessary’?” If the answer is ‘yes’ then ePrivacy law says ‘no consent needed’.
(That’s ePrivacy-flavoured consent, not GDPR-flavoured consent, by the way. Two different uses from two different laws but with the same word. That’s where much of the confusion lies.)
Now, if a cookie doesn’t need ePrivacy consent but does result in processing of personal data…..
….then the GDPR comes into play. The lawful basis for processing under GDPR depends on the nature, scope and purpose of the processing activities. Consent, legal duty, contract, public task/sector, vital interests, legitimate interests are the options. Consent is NOT the ‘easy option’, it’s a very high standard to meet. It must be informed, freely-given, specific, unambiguous, evidenced and revocable.
So why do so many people think that cookie popups are a GDPR thing when in fact they’re an ePrivacy thing?
OK, so the reason that cookie popups really started burgeoning when the GDPR came along, was because the GDPR enhanced the definition of valid consent and ePrivacy law uses the data protection law definition for its own version.
So instead of just saying “we haz cookies mm’kay?”, sites had to get a proper answer to the question “will you accept our not-necessary cookies?”. Because ePrivacy law requires them to get agreement before monkeying around with people’s devices and data.
Recap:
Cookie (etc) consent is an ePrivacy law requirement.
The GDPR raised the standard for ‘valid consent’ in general.
ePrivacy law applies to cookies (LSOs, etc) whether or not personal data will be processed.
If personal data will also be processed, a lawful basis under GDPR must be satisfied too.
That lawful basis may or may not be (GDPR) consent, depending on what’s happening to the personal data and why.
Got it?
Thanks for reading! If you like what you see, please consider throwing me some of your hard-earned cash so I can keep the content goodies coming!