At some point in your life, you’ve probably had the experience of meeting someone who you feel you ought to like but, no matter how hard you try, you just can’t seem to gel with them - awkward silences creep into conversations and you find that, while you may share similar values, the ways you each go about approaching things are just different. Ultimately, despite both your best efforts, there’s just no chemistry.
That’s what I imagine Europe’s GDPR and e-Privacy Directive would be like as playmates, if only they were people. They share common values - the protection of individuals’ fundamental rights to privacy and to data protection - and yet, try as they might, they just don’t play together all that nicely.
Unambiguous consent for cookies?
Nowhere is this more apparent than when it comes to the issue of cookie consent. The e-Privacy Directive is a lex specialis (meaning a law that deals with a specific subject matter - in this case, the preservation of privacy over electronic communications channels). It sits alongside the current Data Protection Directive / soon-to-be-in-effect GDPR (I’ll just say GDPR from hereon), setting out special rules dealing with things like the privacy of communications content and metadata, e-marketing, and - of course - cookie requirements. The GDPR applies for any wider data protection issues concerning personal data which aren’t addressed by the e-Privacy Directive.
So far, so good, but the treatment of cookies under these two laws raises a real conundrum. In 2009, the e-Privacy Directive was updated to require “consent” for all non-essential cookies. This led to a flurry of activity all across online Europe, as websites everywhere hurriedly erected cookie consent banners. It also led to heated debate between regulators, industry, lawyers, and civil advocacy groups as to whether consent could be “implied” through the mere display of a cookie banner and continued browsing of a website, with cookies being dropped at the same time the cookie banner was displayed. Whatever the rights and wrongs of that debate, implied consent quickly became the norm.
What practical effect does that have? While it’s not entirely certain, it seems that the use of implied cookie consent mechanisms is, at least in principle, still possible - even if not what regulators would really like to see. Unambiguous consent requires a “clear affirmative action” on the part of the website visitor - and, so, if a website makes sufficiently clear that continued navigation amounts to consent, and a visitor continues to navigate a website (the affirmative action) after having been given this information and the opportunity to decline cookies, then there is at least a decent argument that an unambiguous consent was given.
I say “decent argument” because the ability to maintain that an implied consent is unambiguous depends upon at least a couple of critical factors: first, the prominence of the cookie banner itself - a banner which is buried out of sight, or which uses font sizes or colouring that make it near impossible to read will not serve to sufficiently inform the visitor that their continued use of the website will amount to consent, and so no unambiguous consent can be obtained; second, the timing of the cookie drop - if cookies are dropped at the same time as the banner, as is very often the case today, then it’s more-or-less impossible to maintain any argument that the visitor “unambiguously” consented to those cookies, given that they only learned about them after the cookies had already been served. To have a decent argument for unambiguous implied consent, the user at least needs to be informed about, and have the opportunity to decline, cookies before they get served.
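The two factors above (the visitor must be informed, and must have a chance to decline, before any non-essential cookie is served) translate into a fairly simple engineering rule: site scripts must not write non-essential cookies directly; they go through a gate that holds them back until the visitor has acted. The following is an added example written for this page, not code from the article or from any consent-management product. It models the browser's cookie store as an in-memory jar so it runs outside a browser; the category names, cookie names and timestamps are constructed for illustration.

```javascript
// Added example, not code from the article. Category names, cookie names and the
// in-memory "jar" standing in for document.cookie are constructed for illustration.

const ESSENTIAL = 'essential';   // exempt: strictly necessary for the service
const ANALYTICS = 'analytics';   // non-essential: needs consent first
const MARKETING = 'marketing';   // non-essential: needs consent first

class ConsentGate {
  constructor() {
    this.jar = new Map();     // cookies actually served: name -> { value, category }
    this.pending = [];        // non-essential cookies held back until a decision exists
    this.decision = null;     // null until the visitor acts; then { granted: Set, at }
    this.records = [];        // append-only log of decisions (the verifiable record)
  }

  // Call this wherever site code would otherwise write a cookie directly.
  // Returns what happened so callers and tests can see the gate working.
  setCookie(name, value, category) {
    if (category === ESSENTIAL) {
      this.jar.set(name, { value, category });
      return 'served';
    }
    if (this.decision === null) {
      // No affirmative action yet: hold the cookie back instead of dropping it
      // at the same moment the banner appears.
      this.pending.push({ name, value, category });
      return 'deferred';
    }
    if (this.decision.granted.has(category)) {
      this.jar.set(name, { value, category });
      return 'served';
    }
    return 'blocked';
  }

  // The visitor's affirmative action: an explicit choice of categories.
  // Declining everything is recordDecision([]). Returns the names released.
  recordDecision(grantedCategories, at) {
    this.decision = { granted: new Set(grantedCategories), at };
    this.records.push({ granted: [...grantedCategories], at });
    const released = [];
    for (const c of this.pending) {
      if (this.decision.granted.has(c.category)) {
        this.jar.set(c.name, { value: c.value, category: c.category });
        released.push(c.name);
      }
    }
    this.pending = [];   // anything not released is discarded, not kept for later
    return released;
  }

  // Withdrawal of consent: expire every non-essential cookie and record the change.
  withdraw(at) {
    const removed = [];
    for (const [name, c] of this.jar) {
      if (c.category !== ESSENTIAL) {
        this.jar.delete(name);
        removed.push(name);
      }
    }
    this.decision = { granted: new Set(), at };
    this.records.push({ granted: [], at });
    return removed;
  }

  servedNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through the scenario the text describes: the page loads, scripts try to
// set cookies while the banner is still up, then the visitor chooses, then withdraws.
function demo() {
  const gate = new ConsentGate();
  const first = [
    gate.setCookie('session', 'abc', ESSENTIAL),   // served immediately (exempt)
    gate.setCookie('_ga', 'GA1.1', ANALYTICS),     // deferred: banner still showing
    gate.setCookie('ad_id', 'x1', MARKETING),      // deferred: banner still showing
  ];
  const released = gate.recordDecision([ANALYTICS], '2018-05-25T00:00:00Z');
  const afterDecision = gate.setCookie('ad_id', 'x2', MARKETING);   // blocked: not granted
  const removed = gate.withdraw('2018-06-01T00:00:00Z');
  return {
    first,
    released,
    afterDecision,
    removed,
    finalJar: gate.servedNames(),
    records: gate.records.length,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the gate is the `deferred` state: the analytics and marketing cookies exist as requests, but nothing reaches the jar until `recordDecision` runs with the visitor's choice. If the banner's "continue browsing" path is wired to call `recordDecision` only after the notice has actually been displayed, the timing argument in the text holds; if the tag scripts bypass the gate and write to `document.cookie` directly, it does not, however prominent the banner is.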
The “consent + legitimate interests” debate
There is a more challenging and technical problem, however, and this is the interplay of the need to get cookie “consent” under the e-Privacy Directive and the requirement to have a lawful basis for processing personal data under Article 6 of the GDPR.
This might seem like a somewhat academic debate, but it has some important regulatory and practical implications. For one thing, if your lawful basis for processing personal data under GDPR is consent, then - at least, according to regulatory guidance - there are greater obligations to identify by name (rather than by category) the third parties with whom data may be shared. For another, you also need to keep verifiable consent records (not a requirement for legitimate interests). Next, the Right to be Forgotten becomes more powerful where consent is the lawful basis under the GDPR (the individual simply has to withdraw consent). And data portability rights are also triggered with consent, whilst they don’t apply when processing is based upon legitimate interests.
This inevitably will lead some businesses to prefer a “consent (e-Privacy) + legitimate interests (GDPR)” approach, and again there are grounds for considering this a reasonable thing to do. The e-Privacy Directive, while it complements the GDPR, is a separate piece of legislation, and its consent requirements serve a subtly different purpose to the requirement to have lawful processing grounds under the GDPR (consent under e-Privacy is for access to or storage of information on an end user’s terminal equipment, while a lawful basis under GDPR is needed for processing of personal data).